
We’re committed to helping you and your organization understand the updated requirements. This guidance document identifies the steps you should take to achieve compliance with ISO 9001:2015 and, more importantly, what you don’t need to do!

Clause-by-clause Interpretation
Transitioning to ISO 9001:2015

Table of Contents

CLAUSE-BY-CLAUSE INTERPRETATION
4.0 CONTEXT OF THE ORGANIZATION
  4.1 The Organization and its Context
  4.2 The Needs and Expectations of Interested Parties
  4.3 Determining the Scope of the QMS
  4.4 The QMS and its Processes
    Identifying Key Processes
    Sequence and Interaction
5.0 LEADERSHIP
  5.1 Leadership and Commitment
    5.1.1 General
    5.1.2 Customer Focus
  5.2 Policy
    5.2.1 Establishing the Quality Policy
    5.2.2 Communicating the Quality Policy
  5.3 Organizational Roles, Responsibilities and Authorities
6.0 PLANNING
  6.1 Actions to Address Risks and Opportunities
    Why is Risk Management Important?
    Risk Management Methodology
    Risk Management Information
    Communication of Risks
    Outsourced Processes
    Design & Development
    Risk Registers
    Auditing Risk Management
    Clauses that Promote Risk-based Thinking
    Risk Evaluation Process
  6.2 Quality Objectives and Planning to Achieve Them
    Training & Communication
  6.3 Planning of Changes
7.0 SUPPORT
  7.1 Resources
    7.1.1 General
    7.1.2 People
    7.1.3 Infrastructure
    7.1.4 Environment for the operation of processes
    7.1.5 Monitoring and Measuring
    7.1.6 Organizational Knowledge
  7.2 Competence
  7.3 Awareness
  7.4 Communication
    Internal Communications
    External Communications
  7.5 Documented Information
    7.5.1 General
    7.5.2 Creating & Updating
    7.5.3 Control of Documented Information
8.0 OPERATION
  8.1 Operational Planning and Control
  8.2 Requirements for Products and Services
    8.2.1 Customer Communication
    8.2.2 Determination of Requirements for Products & Services
    8.2.3 Review of the Requirements for Products & Services

Copyright © 2016 Endeavour Technical Ltd Page 1 of 42



    8.2.4 Changes to Requirements for Products & Services
  8.3 Design and Development of Products & Services
    8.3.1 General
    8.3.2 Design and Development Planning
    8.3.3 Design and Development Inputs
    8.3.4 Design and Development Controls
    8.3.5 Design and Development Outputs
    8.3.6 Design and Development Changes
  8.4 Externally Provided Processes, Products & Services
    8.4.1 General
    8.4.2 Type and Extent of Control
    8.4.3 Information for External Providers
  8.5 Production and service provision
    8.5.1 Control of Production and Service Provision
    8.5.2 Identification and Traceability
    8.5.3 Property Belonging to Customers or External Providers
    8.5.4 Preservation
    8.5.5 Post-delivery Activities
    8.5.6 Control of Changes
  8.6 Release of Products and Services
  8.7 Non-conforming Process Outputs, Products & Services
    Controlling Product and Process Non-conformities
    Controlling Service-based Non-conformities
9.0 PERFORMANCE EVALUATION
  9.1 Monitoring, Measurement, Analysis and Evaluation
    9.1.1 General
    9.1.2 Customer Satisfaction
    9.1.3 Analysis and Evaluation
  9.2 Internal Audit
  9.3 Management Review
    9.3.1 General
    9.3.2 Management Review Inputs
    9.3.3 Management Review Outputs
10.0 IMPROVEMENT
  10.1 General
  10.2 Nonconformity and Corrective Action
    Dealing with Corrective Action
    Define the Problem
    Select an Interim Containment Action
    Verify an Interim Containment Action
    Implement an ICA
    Identifying the Root-Cause
    Complete a Comparative Analysis
    Develop Root-cause Theories
    Test the Theories
    Verify the Root-Cause
    Determine and Verify the Escape Point
    Implementing & Validating Permanent Corrective Actions
    Preventing Recurrence
  10.3 Continual Improvement


Clause-by-Clause Interpretation

4.0 Context of the Organization

4.1 The Organization and its Context

The ‘Context of the Organization’ is a new requirement. You should allow additional time to prepare for each audit in order to establish a suitable understanding of the circumstances and the market in which your organization operates. To be compliant, evidence should be obtained that proves that your organization is reviewing all pertinent internal and external issues at periodic intervals.

Although there is no requirement for documented information to define the context of the organization, your organization will find it helpful to retain the types of documented information listed below to help justify compliance:

1. Business plans and strategy reviews;
2. Competitor analysis;
3. Economic reports from business sectors or consultants’ reports;
4. SWOT analysis;
5. Minutes of meetings (management and design review minutes);
6. Process maps, tables, spreadsheets, mind mapping diagrams.

4.2 The Needs and Expectations of Interested Parties

‘Understanding the Needs and Expectations of Interested Parties’ is a new requirement. You should allow additional time to prepare for each audit in order to establish a suitable understanding of the relevant interests of relevant interested parties that impact the QMS. If this differs from the perception, you should be prepared to challenge this. Look for evidence that the organization has undergone a process to initially identify these groups, and then to identify any of their requirements that are relevant to your organization’s quality management system.

You should also determine whether these groups’ requirements are reviewed and updated as changes in their requirements occur, or when changes to your organization’s QMS are planned.

4.3 Determining the Scope of the QMS

This requirement is comparable to ISO 9001:2008 Clause 4.2.2 – Quality Manual. You will need to verify that your organization’s scope exists as documented information (which may be in the form of a Quality Manual) in accordance with Clause 7.5.1a. Look for confirmation that your organization has determined the boundaries and applicability of the QMS to establish its scope with reference to any external and internal issues referred to in 4.1 and the requirements of relevant interested parties referred to in 4.2.

Check that this has been done in consideration of your organization’s context and your products. You should review any exclusions previously noted under ISO 9001:2008 for ongoing suitability. Check that legacy issues which limited scope and omitted activities do not affect product conformity. Check that they are recorded and that the rationale for the exclusion is stated and justified.

4.4 The QMS and its Processes

This requirement is comparable to ISO 9001:2008 Clause 4 – Quality Management System and Clause 4.1 – General Requirements. You should review how your organization has designed its process-based management system.

Existing operational procedures, work instructions and flow charts are valid examples of documented information and can be used to evidence that the requirement for ‘documented information to support the operation of processes’ is being met.

Check that process inputs and outputs are defined and review how the processes are sequenced and how they interact. Look for evidence that your organization has:

1. Assigned duties/process owners (Clause 5.3);
2. Assessed risks and opportunities (Clause 6.1);
3. Provided resources (Clause 7.1);
4. Maintained and retained documented information (Clause 7.5.1);
5. Implemented measurement criteria (Clause 9.0);
6. Improved its processes and the QMS (Clause 10.0).

Most of the requirements from Clause 4.4 are comparable to those found in ISO 9001:2008 Clauses 4.1 and 8.1 – General Requirements and Clause 8.2.3 – Monitoring and Measurement of Processes.

Based upon the extent of your organization’s QMS and processes, you should seek and record evidence that your organization has maintained documented information to support the operation of its processes, and that it has retained documented information to provide confidence that the processes are being carried out as planned.

Identifying Key Processes

Key processes are steps that you go through to give the customer what they want, e.g. from order acceptance to design through to delivery. Support processes, by contrast, do not contribute directly to what the customer wants but do help the key processes to achieve it. Support processes often include human resources, finance, document control, training and facilities maintenance, etc.

A good way to do this is to think about how work flows through your organization. Consider how the inputs and outputs to the key processes flow from one process to the next, what sub-processes might exist within it and how the support processes link in. For now, ignore the standard; in fact, put it in a drawer and forget it exists. Instead, focus on your key processes and how the departments interface with each other.

Once you have defined the processes and interfaces, go back to the standard and determine which processes are responsible for meeting which requirements. When defining your organization’s processes, think about each process and department and try to define those processes around the current organizational model and not around the requirements of the standard.

Certification auditors will expect to see a process model that explains the key processes of the business and how each relates and links to the others. The depth of process explanation may be as detailed as the company chooses, but should be based on its customers and applicable regulations or statutory requirements, the nature of its activities and its overall corporate strategy. In determining which processes should be determined and documented, the organization may wish to consider factors such as:

• Effect on quality;
• Risk of customer dissatisfaction;
• Statutory and/or regulatory requirements;
• Economic risk;
• Effectiveness and efficiency;
• Competence of personnel;
• Complexity of processes.

Customer oriented processes affect or interact with the customer:

• Marketing, sales and purchasing;
• Customer service;
• Design and development;
• Storage and dispatch.

Support oriented processes support other processes:

• Calibration;
• Maintenance;
• I.T. and document control;
• Finance and accounts;
• Human resources and training.

Management oriented processes are normally conducted by Top management:

• Business, operational and resource planning;
• Goals, targets and objective setting;
• Management review;
• Customer satisfaction review;
• Strengths, weaknesses, threats and opportunities;
• Budgets.

Assessment oriented processes help provide data to determine compliance and process performance:

• Auditing;
• Data analysis;
• Corrective action;
• Non-conformities.

You should expect to see evidence that your organization has determined its processes and interactions. If your organization calls it a ‘process’, it must be monitored for effectiveness and improved.

Sequence and Interaction

The auditor must see evidence that the organization has determined its processes and that the interactions are also defined, all within the IMS manual. Subsequently, this includes the actual and technical inputs and outputs of the processes to show their inter-relationship. This requires the description of the interactions between the processes and should include process names, process inputs and process outputs in order to define their interactions. Interaction means how one influences the other. Auditors commonly agree that the description of the interactions of the processes cannot be done if the processes are not determined (named).

The organization is not required to produce system maps, flow charts, lists of processes etc. as evidence to demonstrate that the processes and their sequence and interactions were determined. Such documents may be used by organizations should they deem them useful, but they are not mandatory. Graphical representation such as flow-charting is perhaps the most easily understandable method for describing the interaction between processes.

5.0 Leadership

5.1 Leadership and Commitment

5.1.1 General

This is a new requirement. You should seek and record evidence that Top management is taking a ‘hands-on’ approach to the management of the QMS. Be prepared to constructively challenge Top management’s commitment to the QMS. Auditing this tier of management is likely to be a new experience for many people, so it is important that you have a good understanding of management activities in order to effectively engage with them.

5.1.2 Customer Focus

This requirement is comparable to the requirements of ISO 9001:2008 Clause 5.2 but now requires that Top management ensure that risks and opportunities that affect product conformity or which could affect customer satisfaction are identified and addressed.

You should seek and record evidence that Top management are ensuring that the impact of any risks and opportunities that have the potential to affect your organization’s ability to deliver products which comply with your customer’s requirements, statutory and regulatory requirements, or those which might adversely affect customer satisfaction, are identified and addressed.

You are likely to find that there is a good focus on risk, which may even be formally documented via risk assessments, but you should ensure that opportunities are also considered.

We suggest that you use the familiar Plan-Do-Check-Act (PDCA) methodology to manage your organization’s transition from the old to the new requirements:

• Plan: Understand your context. Establish strategy & objectives. Assess applicable statutory/regulatory issues.
• Do: Establish your policy, communicate policy & objectives. Provide resources, allocate process owners, promote improvement.
• Check: Review system performance. Ensure alignment with strategy and context. Review the policy.
• Act: Agree changes and improvements, maintain the integrity of the QMS.

5.2 Policy

5.2.1 Establishing the Quality Policy

This requirement is comparable to the requirements of ISO 9001:2008 Clause 5.1 – Quality Policy. You should check that there is evidence that Top management have participated in the creation of the quality policy, and are reviewing and maintaining it.

You should review the quality policy to determine whether it is appropriate to the context of the organization and its purpose, whether there is a commitment to continually improving the QMS, and whether the quality objectives are consistent with the quality policy. Top management should demonstrate that the quality policy is compatible with the strategic direction and context of the organization, as required by Clause 5.1.1b.

5.2.2 Communicating the Quality Policy

This is a new requirement. ISO 9001:2015 requires the policy to be maintained as documented information (refer to Clause 7.5.1a). You should check whether the quality policy has been applied throughout the organization and that the quality policy is available to any relevant interested parties.

5.3 Organizational Roles, Responsibilities and Authorities

This requirement is comparable to the requirements of ISO 9001:2008 Clause 5.5 – Responsibility, Authority and Communication. You should seek and record evidence that your organization’s personnel have not only been advised of their QMS duties and authorities but that they also understand their duties and authorities in the context of what the QMS is intended to achieve.

Note that there is no longer a requirement for your organization to have a Management Representative; you should determine how Top management has assigned the responsibility and authority for preserving the integrity of the organization’s QMS during revisions or updates. Determine whether Top management has assigned the responsibility and authority for determining opportunities for improvement (refer to Clause 10.1).

6.0 Planning

6.1 Actions to Address Risks and Opportunities

Clause 6.1.1 is a new requirement, so you should allow additional time to prepare for each audit in order to establish a suitable understanding of the new requirements and how they should be implemented. You should seek and record evidence that your organization has planned and implemented a process to effectively identify risks and opportunities with respect to QMS planning. Reference to risk-based thinking is present in the following clauses:

1. Determine and address risks (Clause 4.4.1);
2. Promote risk-based thinking (Clause 5.1.1);
3. Ensure risks determined and addressed (Clause 5.1.2);
4. Determine risks that need to be addressed to achieve intended results (Clause 6.1.1);
5. Plan actions to address risks; integrate into processes; evaluate effectiveness of actions (Clause 6.1.2);
6. Control those risks identified (Clause 8.1);
7. Evaluate effectiveness of actions on risks (Clause 9.1.3);
8. Review effectiveness of actions on risks (Clause 9.3.2);
9. Improve the QMS responding to risk (Clause 10.3).

The risks and opportunities should be relevant to the context of the organization (Clause 4.1), as well as to any interested parties (Clause 4.2). You should ensure that your organization has applied this risk identification methodology consistently and effectively.

You should seek and record evidence of the following types of input that might be used by your organization for risk and opportunity determination:

1. Analysis of external and internal issues;
2. Strategic direction of the organization;
3. Interested parties, related to its QMS, and their requirements;
4. The scope of the QMS of the organization;
5. The processes of the organization.

Clause 6.1.2 is a new requirement, so you should allow additional time to prepare for each audit in order to establish a suitable understanding of the new requirement and how it should be implemented.

You should seek and record evidence that your organization has taken a planned approach to addressing risks and accomplishing opportunities to the benefit of the QMS and the organization. Check that any actions taken to address the risks and opportunities are recorded, and ensure that each action was effective at addressing the issue, and that the action taken was proportionate to the risk or opportunity. Objective evidence could be in the following various forms:

1. Meeting minutes;
2. SWOT analysis;
3. Reports on customer feedback;
4. Competitor analysis;
5. Brain-storming activities;
6. Planning, analysis and evaluation activities;
7. Strategic planning documents;
8. Design and development reviews;
9. Marketing and sales data;
10. Production inspections and service reviews;
11. Corrective actions;
12. Non-conformance reports;
13. Management review minutes;
14. Risk determination or evaluation records.

Why is Risk Management Important?

The concept of risk in the context of ISO 9001:2015 relates to the uncertainty in achieving these objectives. Risk will influence every aspect of your organization’s operations. Understanding the risks you face and managing them appropriately will enhance your ability to make better decisions and to achieve your objectives.

Your organization should begin to view the management of risks to its people, assets and all aspects of its operations as an important responsibility. Implement and maintain a risk management process to protect and support your organization’s responsibilities.

An effective risk management approach is not only good business practice but provides organizational resilience, confidence and benefits, including:

1. Provides a rigorous decision-making and planning process;
2. Provides the flexibility to respond to unexpected threats;
3. Takes advantage of opportunities and provides competitive advantage;
4. Equips managers with tools to anticipate changes and threats, and to allocate appropriate resources;
5. Provides assurance to Top management and stakeholders that critical risks are being managed appropriately;
6. Enables better business resilience and compliance management.

Risk Management Methodology

Risk will influence every aspect of your organization’s operations. Understanding the risks and managing them appropriately will enhance your organization’s ability to make better decisions, safeguard assets, and enhance your ability to provide products and services and to achieve your mission and goals.

By considering risk throughout your organization, the likelihood of achieving stated objectives is improved, output is more consistent and customers can be confident that they will receive the expected product or service. Risk-based thinking therefore helps to:

1. Improve customer confidence and satisfaction;
2. Assure consistency of quality of goods and services;
3. Establish a proactive culture of prevention and improvement;
4. Intuitively take a risk-based approach.

We suggest that you use the familiar Plan-Do-Check-Act (PDCA) methodology to manage your organization’s transition to risk-based thinking, using this approach:

• Plan: Gain leadership commitment, identify and assess risks. Create a plan to address risks and opportunities.
• Do: Implement your plan to mitigate risks through communication, training and control.
• Check: Monitor your risk management plans using measurements and internal audit reporting.
• Act: Implement any changes to your approach, continually review opportunities for improvement.

Risk Management Information Outsourced Processes

Documented information resulting from risk management activities such Your organization might outsource the provision of some processes or the
as risk management processes, plans and reports, etc. should be maintained or referenced in either a risk management file or other appropriate sources:

1. Design history file;
2. Technical file/documentation;
3. Device master record;
4. Device history record;
5. Process validation files.

Your organization should consider the benefits of integrating the risk management processes, documents and records directly into your quality management system. The advantage of this could be a single document control system, ease of use and review, accessibility, retention, etc.

Document controls, including document change controls, for risk management system documentation should be the same as the controls for quality management system documentation. This documentation can be in any form or type of medium.

Communication of Risks

Within your quality management system, consideration needs to be given to internal and external communication of risk. Internal communication is necessary for all appropriate personnel to be aware of the remaining risks even after implementing risk control measures.

manufacture of components, subassemblies or entire units. In order to maintain control over the processes, your organization should incorporate appropriate risk management activities for these processes and products by planning and by ensuring risk control measures are appropriately applied.

Before the approval and implementation of a change to any outsourced process or product, your organization should:

1. Review the change;
2. Assess if new risks have been discovered; and,
3. Determine if current and/or new individual residual risks and/or the overall risk is acceptable according to the predetermined existing acceptability criteria.

If risk control measures are applied to outsourced processes or products, the risk control measures and their importance should be documented within the purchasing data or information and clearly communicated to the supplier.

Design & Development

Risk management activities should begin as early as possible in the design and development phase, when it is easier to prevent problems rather than correcting them later.

For each identified hazard, the risk in both normal and fault conditions is estimated. In risk evaluation, you should decide whether risk reduction is
needed. The results from this risk evaluation such as the need for risk control measures then become part of the design input.

Risk Registers

While not mandated by ISO 9001:2015, risk registers can help identify and record the risks and opportunities facing different areas of the business, and identifying risk is a critical step in managing it. Risk registers will allow your organization to assess the risk within the overall context of your organization, and will help to record the controls and treatments of those risks. Risk registers can be developed in tiers:

1. Strategic level;
2. Operational level;
3. Process level.

The risk register or risk log becomes essential as it records identified risks, their severity, and the action steps to be taken. It can be a simple document, spreadsheet, or a database system, but the most effective format is a table. A table presents a great deal of information in just a few pages. Some of the most widely used components are:

As the register is a living document, it is important to record the date that risks are identified or modified. Optional dates to include are the target and completion dates.

1. Description of the risk;
2. Risk Type (business, project, stage);
3. Likelihood of occurrence which provides an assessment on how likely it is that this risk will occur;
4. Severity of effect which provides an assessment of the impact that the occurrence of this risk would have on the project;
5. Countermeasures and actions taken to prevent, reduce, or transfer the risk. This may include production of contingency plans;
6. Risk owner who is responsible for ensuring that risks are appropriately engaged with countermeasures undertaken;
7. Current status of whether this is a current risk or if risk can no longer arise and impact;
8. Other columns such as quantitative value can also be added.

Auditing Risk Management

The primary objective of auditing the risk management process is to provide an assurance framework that underpins the risk management process. This should include reviews of processes and controls over high risks as determined through the risk planning process.

The internal audit function provides independent appraisal of the adequacy and effectiveness of internal controls. Recommendations should be provided, where applicable, for improvements to controls, efficiency and effectiveness of processes.

Clauses that Promote Risk-based Thinking

Risk-based thinking is probably already part of your organization’s process approach as it forms a key part of preventive action routines. Risk is often thought of only in the negative sense but risk-based thinking can also help to identify opportunities and advantages; this is the positive aspect of risk management. There are six clauses in ISO 9001:2015 that require your organization to consider risk:

1. Clause 4.4.1 requires your organization to determine the risks which can affect its ability to meet the system objectives. Risk-based thinking means considering risk quantitatively as well as qualitatively, depending on the business context.
2. Clauses 5.1.1 and 5.1.2 require Top management to demonstrate leadership and commit to ensuring that risks and opportunities that can affect the conformity of a product or service are determined and addressed.
3. Clauses 6.1.1 and 6.1.2 require your organization to take action to identify risks and opportunities, and plan how to address the identified risks and opportunities.
4. Clause 8 requires your organization to plan, implement and control its processes to address the actions identified in Clause 6.
5. Clause 9 requires your organization to monitor, measure, analyze and evaluate the risks and opportunities.
6. Clause 10 requires your organization to improve by responding to changes in risk.

The adoption of risk-based thinking will, over time, improve customer confidence and satisfaction by assuring the consistency of the quality of goods and services brought on by establishing a culture of prevention and improvement.

Risk Evaluation Process

Risk evaluation should become embedded into your organization’s day-to-day operations and should be undertaken at all levels throughout your organization. The overall aim of risk evaluation is to ensure that organizational capabilities and resources are employed in an efficient and effective manner to manage opportunities and threats. Risk evaluation can be represented as a seven step, cyclical process:

[Figure: Risk Evaluation Cycle: Plan, Identify, Assess, Respond, Review, Report, Monitor]

Step 1: Planning

Your organization should develop and document a plan that briefly describes how and when risk, in the form of strengths, weaknesses, opportunities and threats, will be assessed, and who will be involved. This should reflect the scope (including its complexity, interfaces, etc.), policies and objectives.

Step 2: Identification

In this step, your organization should systematically identify those risks associated with the scope of the process that could significantly affect the achievement of objectives and product conformity.

Risk identification should be carried out with the full involvement of the relevant parties to ensure the relevant perspectives and expertise are represented (e.g. appropriately qualified representatives from various functions, contractors, stakeholders, suppliers and specialists as appropriate).

Risk identification involves the relationship between your organization and the broader, external environment or community. A range of issues should be considered in examining the strategic content, including:

1. Opportunities and threats associated with the local, regional, state and global economic, social, political, cultural, environmental, regulatory and competitive environments;
2. Key thrusts of stakeholder strategies;
3. Strengths and weaknesses in attaining objectives.

Operational risk identification involves gaining an understanding of the organisation’s capabilities, goals, objectives, strengths and weaknesses by considering:

1. Organisational structure and culture;
2. Geographical/demographical;
3. The identity and nature of interaction with key internal or external stakeholders;
4. The existence of any operational constraints;
5. Objectives and key performance indicators;
6. Business resilience vulnerabilities;
7. Relevant issues relating to recent change management risk, performance or audit reviews;
8. Relevant stakeholder community concerns or requirements;
9. Regulatory and contractual requirements and constraints; and
10. Quality management systems.

Step 3: Assessment

Having identified all hazards and associated risks which could impact on occupational health and safety, the process of rating the risks for significance can be carried out. This crucial process, together with a thorough knowledge of legal and other similar requirements, provides the foundations of the management system.

This assessment process is vital in determining the need for controls aimed at either reducing risk to levels deemed to be tolerable, or meeting the requirements of legislation. The significance level (or risk rating) should then be used to prioritise actions. Remember that the importance of this process cannot be overestimated. If you get this process wrong, the whole system will be suspect.

The assessment of the severity of a risk should drive management attention and support the planning for risk mitigation. Quantitative risk assessments (QRA) can be undertaken to provide an improved understanding of the risk profile and derive a more detailed understanding of certain cost and time risks. The output of QRA can also support decision making and monitoring of risk management activities.

Probability Evaluation

Risk Quantification – Risks should be assessed in terms of their probability to impact on objectives:

| Score | Likelihood | Description | Percentage | Probability |
|---|---|---|---|---|
| 1 | Rare | May only occur in exceptional circumstances | <0.1% | 1 in 1,000 |
| 2 | Unlikely | Could occur during a specified time period | 1% | 1 in 100 |
| 3 | Possible | Might occur within a given time period | 10% | 1 in 10 |
| 4 | Likely | Will probably occur in most circumstances | 50% | 1 in 2 |
| 5 | Almost Certain | Expected to occur in most circumstances | >95% | 1 in 1 |

Impact & Consequence Criteria

Risk Quantification – Risks should be assessed in terms of the consequence of their impact on objectives:

| Score | Impact | Quality |
|---|---|---|
| 1 | Negligible | Quality of one or more products not on critical path does not meet quality criteria for product acceptance, but specified quality is achievable. |
| 2 | Minor | Quality of a product on critical path does not meet quality criteria for product acceptance, but specified quality is achievable. |
| 3 | Moderate | Quality of more than one product on critical path does not meet quality criteria for product acceptance, but specified quality is achievable. |
| 4 | Major | Quality of a product on critical path does not meet quality criteria for product acceptance, and specified quality is not achievable. |
| 5 | Catastrophic | Quality of more than one product on critical path does not meet quality criteria for product acceptance, and specified quality is not achievable. |

Risk Exposure & Control Action

The purpose of prioritising the risk is to determine the level of action needed for the identified and assessed risks.

| Score | Colour | Management Control Action (MCA) |
|---|---|---|
| 1 to 4 | Very Low | No mitigation or action is required, the risk is considered ALARP. Monitor to ensure that the risk remains tolerable at this level. |
| 5 to 8 | Low | Maintain assurance that risk remains tolerable. Monitor and manage by routine procedures, unlikely to need specific application of resources (managers and key staff). |
| 9 to 12 | Medium | Tolerable if the cost of reduction would exceed the improvement gained. Mitigate by managing specific reviews and ensuring regular monitoring occurs. |
| 13 to 15 | High | Tolerable only if risk reduction is impractical or if cost is disproportionate to the improvement. Mitigate by implementing controls to reduce the risk so far as is reasonably practicable. Where this cannot happen, continual monitoring should occur. |
| 16 to 25 | Very High | Intolerable, the risk cannot be justified, except in extraordinary circumstances. Mitigate by ceasing all related activities. |

Step 4: Response

For each risk, the risk owner must establish an appropriate level of mitigation. Control measures in addition to those already existing may be needed to achieve this level of mitigation. When a response action is completed, the risk should be reassessed (i.e. repeat Step 3) to reflect any newly introduced existing control measure.

Step 5: Review

Regular review and challenge is essential to ensure that risks are being appropriately managed, and that the risk data remains accurate and reliable, reflecting any changes in circumstances or management activities.

Step 6: Reporting

Regular reports are necessary to inform and provide assurance to Top management and other key stakeholders, that risks are being appropriately managed. Reporting must be based on current process data, which must be updated and reviewed in good time for the reporting cycle (see Step 5 above).

On occasion, it may be appropriate to escalate a risk to ensure it is assessed and/or managed by the person or party best placed to do so (able and with appropriate authority). For example, where a more substantial or coordinated response is required than the current owner can authorise or implement, or where the risk severity or its effects on the wider project justify higher level assessment and/or management.

Step 7: Monitoring

Continuous systematic and formal monitoring of implementation of the risk process and outputs will take place against appropriate performance indicators to ensure process compliance and effectiveness. Monitoring may take a variety of forms and range from self-assessment and internal audit to detailed reviews by independent external experts.

6.2 Quality Objectives and Planning to Achieve Them

The requirements of Clause 6.2.1 and Clause 6.2.2 are comparable with the requirements of ISO 9001:2008 Clause 5.4.1 – Quality Objectives. You should seek and record evidence that your organization’s quality objectives are consistent with the quality policy, and that they are relevant to product and service conformity, and the enhancement of customer satisfaction.

Quality objectives should be measurable and are likely to have their own metrics by which levels of attainment can be ascertained. Check that the quality objectives are communicated throughout the organization and that they are updated to ensure relevance to changing business needs.

You should seek and record evidence that effective planning was undertaken in support of the organization’s quality objectives and their achievement. You should ensure that this planning activity takes into account the considerations of Clause 6.2.1, as well as the following points:

1. Identification of processes, resources, and skills needed to achieve quality;
2. Identification of suitable verification criteria at appropriate stages;
3. Compatibility of design, production, inspection and testing;
4. The confirmation of criteria of acceptability for all features and requirements;
5. Details of calibration of any special measuring or test equipment to be used.

Training & Communication

Your organization should ensure that it has documented and clarified the roles, responsibilities, accountabilities and authorities at all levels of the business to address risk management. This ensures that a risk management approach is embedded in your operations through a number of communication, training and support systems, including:

Training

To ensure that adequate risk management competency levels are achieved and maintained, your organization should provide training in the risk management process and its application. Specific risk management training sessions should be held on an annual basis, aimed at providing an overview of the risk management process. Instruments providing training on appropriate controls include:

1. Job descriptions, contracts;
2. Inductions;
3. Policies;
4. Procedures, process maps;
5. Terms of reference;
6. Performance planning;

Communication of Responsibilities & Accountabilities

Risk management responsibilities, accountabilities and authorities should be set out in the following documented information:

1. Risk management policy;
2. Job/position descriptions;
3. Internet/intranet;
4. Project/process/product/service documentation;
5. Performance planning and review documentation;
6. Risk registers.

6.3 Planning of Changes

This is a new requirement. You should seek and record evidence that your organization has retained documented information relating to planning and implementing changes that impact upon the QMS.

Ensure that the organization has planned how to integrate and implement the changes into their QMS processes. Check that your organization has considered:

1. The purpose of the changes and their potential consequences;
2. The integrity of the quality management system;
3. The availability of resources;
4. The allocation or reallocation of responsibilities and authorities.

7.0 Support

7.1 Resources

The requirements in Clause 7.1 are comparable to ISO 9001:2008 Clause 6.0 - Resource Management, Clause 6.1 - Provision of Resources, Clause 6.3 - Infrastructure and Clause 6.4 - Work Environment.

7.1.1 General

You should seek and record evidence confirming that your organization has considered the need for external resources in addition to the need for internal resources. Most organizations determine resource requirements during management review meetings; you should review the management review minutes for evidence of resource allocation.

7.1.2 People

You should seek and record evidence to confirm that your organization has provided the staff necessary for the effective implementation of the QMS and for the operation and control of its processes.

7.1.3 Infrastructure

You should seek and record evidence to confirm that your organization has provided the infrastructure necessary for the effective implementation of the QMS and for the operation and control of its processes.

7.1.4 Environment for the operation of processes

You should seek and record evidence to confirm that your organization has identified, provided and maintained the infrastructure necessary for achieving product conformance.

7.1.5 Monitoring and Measuring

This requirement is comparable to ISO 9001:2008 Clause 7.6 - Control of Monitoring and Measuring Equipment. You should seek and record evidence to confirm that, where measurement traceability is a requirement, instruments used for measurement are subject to the following controls:

1. Devices are calibrated at intervals or prior to use, based on recognized standards;
2. Devices are adjusted as necessary in accordance with manufacturer’s instructions;
3. Devices are identified to enable calibration status to be determined;
4. Devices are safeguarded from adjustment, which may invalidate results;
5. Devices are protected from damage during handling, maintenance or storage;
6. The validity of results from a non-conforming device is re-checked with a conforming device;
7. Devices are calibrated by external providers certified to ISO 17025;
8. Records of calibration and verification are maintained;
9. Computer software which is used for monitoring/measuring is validated prior to initial use;
10. Computer software used for monitoring and measuring is re-validated where necessary;

If measurement traceability is not required, verify that those monitoring and measuring resources used by your organization are suitable. You should ensure that documented information is maintained in order to demonstrate suitability of monitoring and measuring equipment.

7.1.6 Organizational Knowledge

‘Organizational Knowledge’ is a new requirement. You should seek and record evidence that your organization has taken steps to identify the
internal and external knowledge necessary to ensure the continued product conformity.

Check that organizational knowledge is communicated as necessary and that it is maintained and retained in accordance with Clause 7.5. Check that organizational knowledge is reviewed before changes to QMS are made when responding to change.

Sources of internal knowledge often include the organization’s intellectual property; knowledge gained from experience; lessons learned from failures and successes; capturing and sharing undocumented knowledge and experience; the results of improvements in processes, products and services. Sources of external knowledge often include other ISO standards; research papers; conferences; or knowledge gathered from customers or external parties.

You should seek evidence to confirm how your organization has determined and made available the knowledge needed to keep up to date with changing situations and knowledge related to new products and services. You should determine whether your organization has considered internal and external sources, such as:

1. Lessons learnt from non-conformities and corrective actions, near miss situations and successes;
2. Gathering knowledge from customers, suppliers and partners;
3. Capturing knowledge that exists within the organization, e.g. through mentoring, succession planning;
4. Benchmarking against competitors;
5. Sharing organizational knowledge with relevant interested parties to ensure sustainability of the organization;
6. Updating the necessary organizational knowledge based on the results of improvement;
7. Knowledge from conferences, attending trade fairs, networking seminars, or other external events.

7.2 Competence

This requirement is comparable to ISO 9001:2008 Clause 6.2.1 - Human Resources and Clause 6.2.2 - Competence, training and awareness but additionally, you should check whether your organization takes action to address competency issues whilst checking that they were effective.

Your organization should establish a process for assessing existing staff competencies against changing business needs and prevailing trends.

Check for evidence that all staff who work under your organization’s control are competent, and that evidence of continuing competence is maintained as documented information in accordance with Clause 7.5.

7.3 Awareness

This requirement is comparable to ISO 9001:2008 Clause 6.2.2 - Competence, training and awareness which was limited to the organization’s own personnel. You should seek evidence to confirm that this requirement has been applied by your organization to ensure that the people who need to be made aware now include all the people who work on your organization’s behalf that affect the conformity of your organization’s QMS or products. You should ensure that these people are aware of:

1. The quality policy;
2. Relevant quality objectives;
3. Their contribution to the effectiveness of the quality management system, including the benefits of improved performance;
4. New requirement. The implications of not conforming to the quality management system requirements.

The awareness training does not need to follow the format of long classroom sessions. Training techniques can include short training segments supplemented with videos and hands-on demonstrations that address key elements of the QMS.

Other methods to promote and reinforce the environmental awareness training sessions include communication via electronic bulletin boards, posters, newsletters and informational meetings.

7.4 Communication

This requirement is comparable to ISO 9001:2008 Clause 5.5.3 – Communication but it now includes the new requirement to also communicate with external parties, e.g. those previously defined in Clause 4.2. You should seek evidence to confirm that your organization has identified the necessary internal and external communications that are required for the operation of the QMS. You should confirm how your organization has determined:

1. What it needs to communicate;
2. When it will communicate;
3. With whom it will communicate;
4. How it will communicate.

Internal Communications

As well as briefing employees during introductory presentations, try using a combination of other methods to promote awareness, such as posters placed on notice boards and leaflets with pay-slips, etc. Use training sessions to inform employees of the plan and how they will be expected to contribute. Issues pertaining to the quality management system that could be communicated include:

• Day-to-day operations and general awareness;
• Information on achieving objectives and targets;
• Risk and opportunities.

Auditors will wish to determine if the policies meet the intent and are understood, by interviewing personnel at all levels. Although the exact content of the policies does not need to be recited by interviewees, the awareness of the policies and how their job affects the company objectives should be determined. This does not require your employees to memorize the policies but it does mean they should be aware of them, know where they may be found and be able to paraphrase, or give an interpretation as they apply to them.

If the personnel interviewed do not know what their measurable objectives are and/or do not know what the organizational objectives are that they have a direct effect upon, the auditor would be further directed to evaluate top management’s communication of the policies and objectives.

Inferred awareness through knowledge of procedures is not considered sufficient; otherwise why have the requirement in the first place? A quick and convenient way to promote and communicate the policy might be to
create a shortened version of the main policy; try condensing it to five key words or even a couple of short sentences. This can be posted on bulletin boards in each department.

You could even add it to the reverse side of staff security passes or ID badges. If an auditor asks an employee whether they are aware of the policy, they can point to the bulletin board, or point to it on their badge. The employee can further elaborate to the auditor what the policy means to them and how it influences their work.

External Communications

In most instances, external interested parties (such as consumers, stockholders, neighboring communities, etc.) are the main driving forces for organizations to implement a QMS. The appropriate external communications may establish environmental and safety credibility and satisfy stakeholder requests by presenting objective information on the organization’s significant aspects, its QMS, or its performance. The various processes or means of external communication may include:

• Annual reports or newsletters of performance sent to external stakeholders;
• Open house meetings for interested parties and focus groups;
• Availability of regulatory submissions, or results of audits;
• Policies published in the media and industry association publications and press releases;

The various means of such communication are endless. Such communication may benefit your organization in several ways, including improved employee morale and increased market exposure, either of which can lead to increased profits.

7.5 Documented Information

7.5.1 General

This requirement is identical to the requirements from ISO 9001:2008 Clause 4.2.3 – Document Control. It should be noted that there is no need to maintain a documented procedure but your organization may still choose to operate one.

You should ensure that your organization’s QMS includes documented information required to be maintained and retained by ISO 9001:2015, and the documented information identified by your organization to demonstrate the effective operation of its QMS as defined in 7.5.3 below.

7.5.2 Creating & Updating

This requirement is comparable to the requirements from ISO 9001:2008 Clause 4.2.3 – Document Control. You should seek to confirm that when documented information is created or updated, your organization has ensured that it is appropriately identified and described (e.g. title, date, author, reference number).

It must be in an appropriate format (e.g. language, software version, graphics) and on appropriate media (e.g. paper, electronic). Confirm that documented information is reviewed and approved for suitability and adequacy.

7.5.3 Control of Documented Information

This requirement is comparable to the requirements from ISO 9001:2008 Clause 4.2.4 – Control of Records. A robust document control process
invariably lies at the heart of any compliant management system; almost Maintain the following as documented information: Clause
every aspect of auditing and compliance verification is determined through Information necessary to support the operation of processes 4.4
the scrutiny of documented information. With this in mind, it becomes
The quality policy 5.2
apparent that the on-going maintenance of an efficient document
The quality objectives 6.2
management system must not be overlooked.
Documented information required by ISO 9001:2015 7.5.1a
Your organization must control the documented information required by
the QMS. A suitable process must be implemented to define the controls
Retain the following as documented information: Clause
needed to; approve, review, update, identify changes, identify revision
Documented information to the extent necessary to have confidence
status and provide access. The documented information process should 4.4
that the processes are being carried out as planned
define the scope, purpose, method and responsibilities required to
Evidence of fitness for purpose of monitoring and measuring
implement these parameters. 7.1.5.1
resources

In order to comply with the documented information requirements, it is Evidence of the basis used for calibration of the monitoring and
essential that all personnel understand what types of information that measurement resources (when no international or national standards 7.1.5.2
exist)
should be controlled and more importantly, how this control should be
exercised. To get the most out of your documented information process, it Evidence of competence of people doing work under the control of
the organization that affects the performance and effectiveness of the 7.2
must communicated to ensure that staff and other users of the
QMS
documentation information understand what they must do in order to
manage that information effectively and efficiently. Documented information required by the QMS 7.5.1b

Departmental managers should always be responsible for promoting good


Results of the review and requirements for the products and services 8.2.3
documented information practices in their area whilst supporting overall
compliance to the requirements. Individuals and their line managers Records to demonstrate compliance with design and development
8.3.2
should be responsible for the information that they create, as well as being requirements

responsible for their retention and disposal in line with legislative Records of design and development inputs 8.3.3
requirements and organizational needs.
Records of the activities of design and development controls 8.3.4
Maintain the following as documented information: Clause
The scope of the quality management system 4.3

Copyright © 2016 Endeavour Technical Ltd Page 21 of 42


Clause-by-clause Interpretation
Transitioning to ISO 9001:2015

Retain the following as documented information: Clause
Records of design and development outputs 8.3.5
Design and development changes, including the results of the review and the authorization of the changes and necessary actions 8.3.6
Records of the evaluation, selection, monitoring of performance and re-evaluation of external providers and any actions arising 8.4.1
Evidence of the unique identification of outputs when traceability is a requirement 8.5.2
Records of property of the customer or external provider that is lost, damaged or non-conforming and of its communication to the owner 8.5.3
Results of the review of changes for production or service provision, the persons authorizing the change, and necessary actions taken 8.5.6
Records of authorized release of products for delivery to the customer including acceptance criteria and traceability to the authorizing person(s) 8.6
Records of non-conformities, actions taken, concessions and the identity of the authority deciding the action in respect of the nonconformity 8.7
Results of the evaluation of the performance and the effectiveness of the QMS 9.1.1
Evidence of the implementation of the audit programme and the audit results 9.2.2
Evidence of the results of management reviews 9.3.3
Evidence of the nature of the nonconformities and any subsequent actions taken 10.2.2
Results of any corrective actions 10.2.2

8.0 Operation

8.1 Operational Planning and Control
This requirement is comparable to the requirements from ISO 9001:2008 Clause 7.1 – Product Realization Planning, but it has been extended to include implementation and control, as well as planning. You should seek and record evidence that your organization has determined the design and its processes to meet the requirements of your customers and the requirements of your QMS. You should also seek evidence that the process, including all inputs, outputs, resources, controls, criteria, and process measurement and performance indicators, is being planned.

This is a new requirement. For those risks and opportunities that your organization has identified, you should seek evidence that these actions have been integrated into the management system; as such, these actions should be verifiable at process level – for example, evidence of controls, acceptance criteria and resources to address the risks and opportunities.

Review the acceptability criteria; this may include targets, measures, values, KPIs, specifications and other criteria as relevant to the output.

You should ensure that the implemented processes are controlled as planned and that there is evidence that your organization has evaluated the effectiveness of actions taken when addressing risks and opportunities. Evaluate and record any evidence pertaining to planned and unintended changes.

Operational planning is about controlling the design and development process. The organization must ensure that all related activities take place under controlled conditions. The final product or service is the culmination of events that transfer customer requirements and expectations into a


tangible product or effective service that conforms to specified requirements and expectations. Control product realization planning by:
• Determining quality objectives for the product;
• Determining requirements for the product;
• Identifying processes required to achieve conformance;
• Establishing processes required to achieve conformance;
• Identifying documents to demonstrate conformance;
• Identifying resources required to achieve conformance;
• Maintaining and retaining documented information.

Your organization needs to plan in advance how it will manufacture its product or deliver its service. The plans need to take into account the product requirements and any quality objectives that might be appropriate, resources and documents that may be necessary, what type of monitoring and/or inspection activities should be put in place to ensure the product or service will meet the requirements, and what types of records should be kept.

8.2 Requirements for Products and Services

8.2.1 Customer Communication
This requirement is directly comparable to the requirements of ISO 9001:2008 Clause 7.2.3 – Customer Communication. It has been expanded to include new requirements to obtain ‘customer views and perceptions’ instead of ‘customer feedback’. Some or all of the following specific customer communication should be observed and evidenced:
1. Marketing information;
2. Quotations and order forms;
3. Confirmation of authorized orders and amended orders;
4. Delivery notes and certificates of conformity;
5. Invoices and credit notes;
6. E-mail and general correspondence;
7. Site visit reports or notes to/from customer;
8. Customer feedback and complaints management process.

8.2.2 Determination of Requirements for Products & Services
This new requirement replaces ISO 9001:2008 Clause 7.2.1 - Determination of Requirements Related to Product Requirements. You should seek and record evidence that your organization has implemented a process to determine the requirements for the products and services that it intends to offer to customers.

This may also include the requirements from interested parties and also statutory and regulatory requirements relating to the product.

8.2.3 Review of the Requirements for Products & Services
This requirement is comparable to ISO 9001:2008 Clause 7.2.1 - Determination of Requirements Related to Product and Clause 7.2.2 - Review of Requirements Related to Product.

The requirement states that your organization should now include a review of the requirements arising from any relevant interested parties. You should seek and record evidence that these requirements are considered during product and service reviews.


8.2.4 Changes to Requirements for Products & Services
This is a new requirement. You should seek and record evidence that your organization has ensured that all relevant documented information relating to changed product or service requirements is amended, and that relevant design personnel are made aware of the changed requirements.

8.3 Design and Development of Products & Services

8.3.1 General
This is a new requirement that mandates the introduction of a design and development process where this activity is required. You should seek and record evidence that, where applicable, your organization has implemented a design and development process to allow effective product or service provision, where the requirements for products and services are not defined by the customer or interested parties.

8.3.2 Design and Development Planning
This requirement expands upon the requirements from ISO 9001:2008 Clause 7.3.1 – Design and Development Planning. It is likely that if your organization already complies with ISO 9001:2008, you will already be undertaking the activities required by this clause.

You should seek and record evidence that your organization has considered the explicitly referenced considerations relating to the design and development process set out above. You should also ensure that your organization has retained documented information to confirm the identified design and development requirements were met and that design reviews were undertaken.

8.3.3 Design and Development Inputs
This requirement expands upon the requirements from ISO 9001:2008 Clause 7.3.2 - Design and Development Inputs 7.3.1. You should seek and record evidence that your organization has documented and retained information concerning the need for internal and external resources and the potential consequences of design or development failure.

8.3.4 Design and Development Controls
This requirement is comparable to the requirements from ISO 9001:2008 Clauses 7.3.3, 7.3.4, 7.3.5 and 7.3.6. You should seek and record evidence that your organization has applied the necessary controls to its design and development process in order to ensure that:
1. The results from undertaking the design and development process are clearly defined;
2. The design and development reviews take place in accordance with planned arrangements;
3. The design and development outputs meet the design and development inputs (verification);
4. The resulting products and services are fit for their intended use or specified application where this is known to the organization (validation).

8.3.5 Design and Development Outputs
This requirement is comparable to the requirement from ISO 9001:2008 Clauses 7.3.3 – Design Development Outputs. You should seek and record evidence that the additional requirement to retain documented information concerning design outputs has been met. You should also check the need for design outputs to reference monitoring and measuring requirements.


8.3.6 Design and Development Changes
This requirement is directly comparable to ISO 9001:2008 Clause 7.3.7 - Control of Design and Development Changes. It is important to control design changes throughout the design and development process and it should be clear how these changes are handled and what effects they have on the product. You should seek and record evidence that your organization has retained documented information concerning:
1. Design and development changes;
2. The results of reviews;
3. The authorization of changes;
4. Actions taken to prevent adverse impacts.

8.4 Externally Provided Processes, Products & Services

8.4.1 General
This requirement is comparable to the requirement from ISO 9001:2008 Clauses 7.4.1 – Purchasing Process and Clause 7.4.3 - Verification of Purchased Product. You should seek and record evidence that your organization has retained documented information that records not only the criteria by which suppliers were selected, but also the results of the selection activities, and the results from the monitoring of their performance.

8.4.2 Type and Extent of Control
This requirement is comparable to the requirements from ISO 9001:2008 Clauses 7.4.1 – Purchasing Process and Clause 7.4.3 - Verification of Purchased Product. You should seek and record evidence that your organization has ensured that the supplied product or service meets the specified requirements. Confirm that your organization has established and implemented a process of inspection to ensure that purchased products conform to:
1. Purchase orders;
2. Delivery notes;
3. Product specifications;
4. National or international standards.

8.4.3 Information for External Providers
This requirement is again comparable to the requirements from ISO 9001:2008 Clause 7.4.2 – Purchasing Information. You should seek and record evidence that your organization has, where appropriate, communicated not just the products or services they wish to receive, but also any processes they want the external provider to undertake on their behalf, as well as any interactions with your organization’s QMS. You should also check that the requirement for competency of external personnel is communicated.

8.5 Production and service provision

8.5.1 Control of Production and Service Provision
This requirement is comparable to the requirements from ISO 9001:2008 Clause 7.5.1 - Control of Production and Service Provision and Clause 7.5.2 Validation of Processes for Production and Service Provision. You should seek and record evidence that your organization has controlled the conditions by which products or services are provided, ensuring that:
1. Documented information that defines the characteristics of the product or service is available;


2. Documented information that defines the activities that need to be performed to produce the product or deliver the service is available, and that this specifies the results that are to be achieved;
3. Monitoring and measurement takes place at appropriate points in the production process to ensure that both the processes themselves and the process outputs meet the organization’s acceptance criteria;
4. The process environment and infrastructure are suitable;
5. Suitable monitoring and measurement resources are made available;
6. Personnel are competent and, where necessary, appropriately qualified;
7. For processes where the results cannot be verified by subsequent monitoring or measurement,
8. The process itself is initially validated and then periodically re-evaluated;
9. Product and service release, delivery and post-delivery activities are implemented.

8.5.2 Identification and Traceability
This requirement is comparable to the requirements from ISO 9001:2008 Clause 7.5.3 - Identification and traceability. You should seek and record evidence that product is identified (as appropriate) and its status with regard to monitoring and measuring (conforming or not) is identified throughout the manufacturing processes. Where traceability is a requirement, you should expect to see that your organization is controlling and recording the unique identification of the product.

8.5.3 Property Belonging to Customers or External Providers
This requirement is comparable to the requirements from ISO 9001:2008 Clause 7.5.4 – Customer Property but it has now been expanded to cover property belonging to external providers that your organization intends to incorporate into its own products and services. You should seek and record evidence that your organization has extended its treatment of customer property to include that of external providers.

Check that your organization communicates with its customers in regard to the handling and treatment of their property. You should also check that contingency plans and, where relevant, actions are undertaken when non-conformities occur with customer property. Good sources of information often include the following examples:
1. Goods returned by the customer;
2. Warranty claims;
3. Revised invoices;
4. Credit notes;
5. Articles in the media;
6. Consumer websites;
7. Direct observation of, or communication with, the customer.

8.5.4 Preservation
This is a new requirement. The auditor will expect to see that adequate measures are taken to protect/preserve the product during internal processing and delivery to the intended destination. The preservation process must include the following: Preservation, packaging and other


product specific handling methods are likely to be an output of the product design process.
1. Identification – this is related to Identification and Traceability; however, for preservation of product it is a requirement and not ‘as applicable’. The auditor will expect to see that all products are clearly identified;
2. Handling – the auditor will verify that suitable handling methods are implemented throughout the processes. This may include bulk handling using moving equipment or physical contact where handling may influence product conformity;
3. Packaging – the auditor will expect to see that methods have been established for packaging the product to preserve its integrity;
4. Storage – the auditor will expect to see that product is stored in a manner to safeguard product;
5. Protection – the auditor will verify that appropriate measures are in place to protect product. This will vary depending on the product.

8.5.5 Post-delivery Activities
This is a new requirement. Your organization must meet requirements for post-delivery activities associated with the products and services. In determining the extent of post-delivery activities that are required, the organization shall consider:
1. Statutory and regulatory requirements;
2. The potential undesired consequences associated with its products and services;
3. The nature, use and intended lifetime of its products and services;
4. Customer requirements;
5. Customer feedback.

Post-delivery activities can include actions under warranty provisions, contractual obligations such as maintenance services, and supplementary services such as recycling or final disposal.

8.5.6 Control of Changes
This is a new requirement for the organization to implement a process for responding to unplanned changes that are considered essential in order to ensure that products or services continue to meet their specified requirements, in such a way that conformity with requirements is maintained. Changes should be documented and information retained about the changes, including who authorized the change and the actions arising from the change.

You should seek objective evidence that your organization has implemented a process to control unplanned changes in accordance with the requirements set out above.

8.6 Release of Products and Services
This requirement is comparable to ISO 9001:2008 Clause 8.2.4 Monitoring and Measurement of Processes. Your organization must show evidence that a process (method, techniques, formats, etc.) is in place to monitor and measure the characteristics of product to verify that requirements are being met. This must be accomplished at appropriate stages of the design and development process. The auditor will verify that records are maintained to provide evidence of conformity and indicate the person(s) authorizing the release of products.


The release of product or delivery of service must not be completed until the planned requirements (7.1) have been met. ‘Release’ of product may include, according to product planning and the verification stages, release to the next operation, release to an internal customer, release to final customer, etc.

For product release or service delivery, the planning requirements may be waived, but must be approved by relevant authority and by the customer as appropriate. Monitor and measure product characteristics to ensure they are able to demonstrate:
1. Product characteristics are continually met;
2. Evidence of conformity with product requirements.

8.7 Non-conforming Process Outputs, Products & Services
This requirement is comparable to the requirements from ISO 9001:2008 Clause 8.3 – Control of Non-conforming Product but it now includes, as a new requirement, the terms ‘process outputs’ and ‘services’ as well as products. It should be noted that there is no need to maintain a documented procedure but your organization may still choose to operate one. You should seek and record evidence that your organization has retained documented information concerning non-conformities and the actions arising.

Controlling Product and Process Non-conformities
No matter how you resolve a non-conformance, you must keep records of each non-conformance and how it was dealt with. Records of product non-conformity should be periodically reviewed to determine if a chronic problem exists with the production process; it’s all about improvement!

By keeping records of your non-conformities it is easier to spot negative trends and examine the root cause, and eliminate the cause of your problems. This, in turn, should result in fewer defective products or process outputs and could lead to more satisfied customers.

If you have manufactured a product, inspected it and found it to be out of specification, it is most likely to be deemed nonconforming product. In some instances you will have to scrap the defective product but in other situations you may be able to do some remedial work and bring it back into specification.

What the clause is telling us is that the product should then be subject to further inspection to verify that it is now correct. As for records, if you documented the non-conforming product there should normally be somewhere to verify that you successfully (or not) cured the problem and that it is now conforming.

Re-verification simply means that you cannot assume that because someone tells you they have corrected the problem then it is ok. The clause is asking you to re-verify by whatever means you originally chose. If you used inspection as a method of verification then re-inspect in the same method. If not, use whatever method suits you (or your customer). Just make sure it is ok before it leaves!

The re-verification after remedial work might involve testing as well as inspection. The reason is not just to verify that the defect has been removed, but also to assure that fresh defects have not been introduced by the rework.

Records would be as appropriate for the re-inspection or re-testing performed. Re-verification is equivalent to re-inspection and records could


include a signature of approval or a more formal test report. Whichever format is chosen, it must be defined in the Control of Non-conformance procedure.

Generally, you could take two routes. If you have an internal non-conformance then, depending on your NCR documentation, your verification could be documented on your non-conformance report. If your non-conformance is external, you should supply evidence of conformance to your customer.

You may need to supply new evidence of conformance to your customer along with corrective action documentation if requested. The method that you use in either of these situations should be defined in your IMS and procedures; that way you relieve yourself and your auditor from guessing how you would address them.

Where necessary, any product or process outputs that do not conform to specified requirements should be properly identified and controlled to prevent unintended use or delivery. Improvements are then implemented to ensure the non-conformance does not reoccur. Control non-conforming products by:
1. Defining how non-conforming products and processes are identified;
2. Defining how non-conforming products and processes are dealt with;
3. Removing or correcting non-conformities;
4. Preventing the delivery or use of non-conforming products and processes;
5. Verifying how non-conforming products and processes were corrected;
6. Providing evidence that corrected products and processes now conform to requirements;
7. Keeping records that catalogue non-conforming products and processes.

Controlling non-conformances applies to services just as much as it does to tangible goods. Reports, data, test results and intellectual property, to name just a few service outputs, can all be potentially non-conforming, in which case all the disciplines of this process apply. It is the company’s policy to detect, control and rectify any aspect of non-conformance as quickly and efficiently as possible.

Controlling Service-based Non-conformities
In the case of service processes that directly involve the customer, the control of non-conforming outputs is the way the organization deals with non-conformities in the service provision until the appropriate corrective action can be defined and implemented. When non-conformities are identified, you should examine whether the personnel involved are sufficiently empowered with the authority to decide the disposition of the service, for example:
1. To immediately terminate the service;
2. To replace the service provided;
3. To offer an alternative.

You should also examine:
1. Your organization's customer claims and complaints processes;
2. Any temporary corrections that are implemented to mitigate the effect of the non-conformity (e.g. refund, credit, upgrade, etc.);


3. The identification, segregation and replacement of the service
4. Equipment, service providers and environment.

This will enable you to judge whether the control of such non-conforming services is effective. In such situations the quality management system should have provisions to capture data on the non-conformities and to feed back information, at the appropriate management level, for the effective definition and implementation of corrective actions. Evidence will need to be sought to justify effective implementation of these techniques.

9.0 Performance Evaluation

9.1 Monitoring, Measurement, Analysis and Evaluation

9.1.1 General
You should note the additional requirement for your organization to evidence evaluation of the results of monitoring and measurement, not just their analysis. They should confirm that the organization has considered what, how and when to measure and that the outcomes from this decision are ensuring appropriate process control.

They should also note a new requirement to monitor the quality performance and effectiveness of the organization’s quality management system. You should expect to see that the organization has developed a process (method, techniques, format, etc.) to identify, collect and analyze various data and information from both internal and external sources, including:
1. Quality records;
2. Monitoring and measuring results;
3. Process performance results;
4. Meeting objectives;
5. Internal audit findings;
6. Customer surveys and feedback;
7. 2nd or 3rd party audit results;
8. Competitor and benchmarking information;
9. Product test results;
10. Supplier performance information.

This ‘input’ (information and data) should reflect upon the adequacy, suitability and effectiveness of the integrated management system and its processes. The ‘output’ (result of the analysis) must provide information (understanding, insight, awareness, confidence, knowledge of, etc.). The analysis output must provide insight to:
• Customer satisfaction and perception;
• Product conformance;
• Process performance;
• Product and process characteristics;
• Trends in products and processes;
• Opportunities for preventive action;
• Suppliers and subcontractors.

Other potential or useful options might include:
• Need for corrective action;
• Opportunity for improvement;


• Competition.

Documented information and organizational knowledge that records process data should be considered for analysis. Records are evidence of system performance and should be analyzed for potential improvements.

Monitoring and measuring QMS operations and activities will establish a mechanism to ensure that your organization is meeting its policies, objectives and targets. In order to meet this requirement, your organization must perform six steps:
• Step 1 - Identify the activities that can have significant impacts and risks;
• Step 2 - Determine key characteristics of the activity to be monitored;
• Step 3 - Select the best way to measure the key characteristics;
• Step 4 - Record data on performance, controls and conformance with objectives and targets;
• Step 5 - Determine the frequency with which to measure the key characteristics;
• Step 6 - Establish management review and reporting.

Establish the monitoring and tracking criteria for each activity that has a significant impact or risk and review the action plan. You should incorporate any monitoring and measurement information to cover these same activities.

9.1.2 Customer Satisfaction
This requirement is comparable to the requirements from ISO 9001:2008 Clause 8.2.1 – Customer Satisfaction, the change being that your organization must now solicit customers’ perception of your organization, and its products and services. You should seek and record evidence that your organization has implemented a consistent and systematic approach to dealing with customer feedback and is obtaining information on customer perception.

Just collecting data on customer perceptions is not sufficient; you should seek and record evidence that your organization has analyzed and evaluated customer data and that conclusions have been made with regard to the effectiveness of the QMS.
1. Are there any trends?
2. Is the situation stable, improving, or deteriorating?
3. Are customer needs and expectations changing?

Both internal and external auditors will look for proof that a consistent and systematic approach has been implemented to deal with customer complaints. This approach would typically include defined responsibilities for logging and tracking complaints, clearing technical issues, determining problem causes and actions to address them. Specific examples of complaints must be sampled.

The link between the customer complaint process and corrective action also requires special scrutiny. Determine appropriate methods for monitoring and measuring customer satisfaction by:
1. Using customer satisfaction surveys;
2. Providing methods for receiving and dealing with customer feedback;
3. Providing suitable processes for monitoring trends in, and reviewing, customer data.


9.1.3 Analysis and Evaluation
This requirement is comparable to ISO 9001:2008 Clause 8.4 - Analysis of Data. You should expect to see that the organization has developed a process (method, techniques, format, etc.) to identify, collect, analyze and evaluate data and information from both internal and external sources (i.e. quality records, monitoring and measuring results, process performance results, objectives, internal audit findings, customer surveys and feedback, 2nd or 3rd-party audit results, competitor and benchmarking information, product test results, complaints, supplier performance information, etc.).

This ‘input’ (information and data) should reflect upon the adequacy, suitability and effectiveness of the quality management system and its processes. The ‘output’ (result of the analysis) must provide information (understanding, insight, awareness, confidence, knowledge of, etc.). The analysis output must provide insight to:
1. Customer satisfaction and perception;
2. Product conformance;
3. Process performance;
4. Product and process characteristics;
5. Trends in products and processes;
6. Opportunities for preventive action;
7. Suppliers and subcontractors;
8. Need for corrective action;
9. Opportunity for improvement;
10. Competition.

The requirements of Clause 9.1.3 interrelate with those in clauses:
1. Management review input;
2. Improvement;
3. Corrective action;
4. Risks and opportunities.

Furthermore, any record with data that is an established part of the QMS may be considered relevant for analysis. Records are evidence of system performance and should be analyzed for potential improvements.

9.2 Internal Audit
This requirement is unchanged from the requirements of ISO 9001:2008 Clause 8.2.2 – Internal Audit. Quality professionals should note that these requirements are essentially unchanged from ISO 9001:2008 sub-clause 8.2.2.

The auditor’s role is to gauge how well this system is functioning by gathering objective evidence of process conformance and performance. The auditee will often be a process owner; they are the experts of that process and as such will provide an invaluable insight into the mechanics of the process.

The auditor will verify that processes are documented, implemented and understood. He will also seek confirmation that each process complies with the necessary requirements, that the process is effective and demonstrates continual improvement. Implement an internal audit programme:
1. Establish audit schedule;


2. Plan your audits;
3. Assign audit duties;
4. Review and amend the audit checklist;
5. Do auditing;
6. Prepare and submit audit report;
7. Obtain feedback from auditees.

Auditors should not necessarily expect to find a documented internal audit procedure in place. However, they must be able to access documented information confirming the implementation of an audit programme by the organization. Documented information must also be available to evidence the results of audits.

When determining how the audit programme has been designed, auditors should ensure that customer feedback, organizational changes, and risks and opportunities have been brought into consideration.

9.3 Management Review

9.3.1 General
The management review process is comparable to ISO 9001:2008 Clause 5.6 – Management Review and requires that top management periodically review the QMS to ensure its continuing suitability, adequacy, and effectiveness. The frequency or intervals of the top management review must be defined in the QMS. The management review must address the possible need for changes to policy, objectives, targets, and other elements of the QMS. The management review process must ensure that the necessary information is collected ahead of time to allow management to effectively carry out this evaluation. Information that must be reviewed includes:
1. Minutes from previous management reviews;
2. The policies, objectives and targets;
3. Results of QMS and process audits;
4. The extent to which objectives and the numeric targets were met.

Suitability and effectiveness of the QMS based on possible changing circumstances that may include:
1. New or proposed legislation or regulations;
2. Changing expectations/requirements of relevant interested parties;
3. New or modified activities, products, or services;
4. Advances in technology and science;
5. Changing market preferences of buyers.

All management reviews must be documented. Observations, conclusions, and recommendations for further necessary action from the review must be recorded. If any corrective action must be taken, top management should follow up to ensure that the action was effectively implemented.

The purpose and final outcome of the management review should be continual improvement of the IMS. As your organization’s IMS increases in its effectiveness and efficiency, your environmental performance will likewise increase.

Here's what ISO 9001:2015 is really all about: defining a policy and creating a plan with relevant objectives. You then implement the system according to the plan. You then begin auditing, monitoring and measuring

performance against the plan and reacting to your findings. Bi-annual management reviews are insufficient in frequency to be able to react to any issues effectively.

Performance metrics should be monitored with varying frequencies, some hourly, some daily, some weekly and some monthly. Management cannot wait for six months to respond; if they do, it will be too late. Every time management convenes to review and react to performance, it is considered as a management review. Whether they are reviewing an individual's performance, departmental programmes and projects, etc., this should be considered as a valid management review.

Some companies have multiple review levels, whereby each review may require multiple subjects and rely upon multiple metrics as inputs. Sometimes subjects are reviewed at more than one level, e.g. production numbers might be reviewed by the Production teams during daily production meetings and then by senior management, possibly weekly.

Top management might conduct weekly meetings in which they review metrics and objectives to determine if any corrective action is required. The process owner is then responsible for reporting close out progress in the meeting a week later. Undertake management reviews in order to:

1. Determine and evaluate QMS performance;
2. Determine the need for change and improvement;
3. Determine the suitability of the policies and the objectives.

9.3.2 Management Review Inputs

This now includes additional requirements for your organization to have a structured management review process that includes discussion of internal and external issue changes, and their potential effect on the strategic direction of your organization. Your organization’s management review process must also include discussion of external providers’ and other suppliers’ performance. It must also include an assessment of risk management actions.

Auditors should expect to evidence the same outputs from management reviews as at present. However, they should note that the results of management reviews can now be held in any format that the organization chooses. The management review process should focus on the following inputs:

1. Risks and opportunities (Clause 6.1);
2. Possible changes that might affect the system (Clause 6.3);
3. External provider and suppliers performance (Clause 8.4);
4. Customer satisfaction and perception (Clause 9.1.2);
5. Audit results (Clause 9.2);
6. Non-conformity and corrective actions (Clause 10.2).

9.3.3 Management Review Outputs

The management review process is comparable to ISO 9001:2008 Clause 5.6.3 – Management Review Outputs. You should seek and record evidence of outputs from the management review process; there should be evidence of decisions regarding:

1. Process improvement actions;
2. QMS improvement actions;
3. Product improvement actions;
4. Resource provision actions;
5. Revised business plans and budgets;
6. Changes to quality objectives and policies;
7. Management meeting minutes.

Management review meeting minutes should be retained as documented information.

10.0 Improvement

10.1 General

Organizations should note the new requirements to consider improvement with respect to their processes, products and services, and the performance of the quality management system overall. You should continue to seek objective evidence that improvement is taking place. They should note, however, that while improvement does not need to be continual, it does need to be evidenced as occurring.

Auditors should look for evidence that the organization is considering improvement in respect of its processes, products and services, and the performance of the quality management system overall.

In the case of products and services, this is to meet not just known but predicted requirements. They should note that there is no longer a requirement to audit preventive action as a distinct entity.

Auditors should also note the removal of the explicit requirement for the organization to improve its quality management system through the review of the quality policy, quality objectives, audit results, analysis of data and corrective actions, and management review.

If Top management has set realistic process objectives, and there is no evidence of improvement, this information should be fed back via the audit report to allow Top management to determine what type of action is appropriate.

10.2 Nonconformity and Corrective Action

The requirements of Clause 10.2.1 are comparable to Clause 8.3 - Control of Non-conforming Product and Clause 8.5.2 - Corrective Action. There is an additional requirement for your organization to determine whether other similar non-conformances exist or have the potential to exist that may affect product, process or QMS conformity. There is also a new requirement for your organization to determine whether changes to the QMS are required to prevent a reoccurrence.

Regarding Clause 10.2.2, auditors should no longer expect to find a documented corrective action procedure. Your organization should be able to provide evidence that it is fulfilling the requirements of this sub-clause by other means, e.g. by the use of computer-based records.

Note the new requirement to record the nature of non-conformities as well as the subsequent action(s) undertaken. You should ensure that your organization is meeting this additional requirement.

Dealing with Corrective Action

A corrective action should be considered as a reactive response to a problem since it is taken when a non-conformance is detected or upon receipt of a customer complaint. Your organization should first contain the problem and then determine its root cause in order to take appropriate corrective action to prevent the problem’s recurrence.
• Recording corrective actions using the forms provided;
• Performing an initial review;
• Determining causes and the need to take action;
• Implementing action where required;
• Preventing recurrence;
• Evaluating effectiveness;
• Recording the results using the forms provided;
• Examine the effectiveness of corrective actions.

In response to a symptom, evaluate the need for initiating the problem solving process. If necessary, provide an emergency response action to protect the customer and initiate the process.

Application criteria:

• The symptom(s) has been defined and quantified;
• The customer(s) who experienced the problem(s)/symptom(s) are identified;
• Measurements taken to quantify the problem(s)/symptom(s);
• Look for a performance gap;
• The cause is unknown;
• Symptom complexity exceeds the ability of one person to resolve.

Establish an investigation team with:

• Process and/or product knowledge;
• Allocated time;
• Authority to solve the problem and implement corrective actions;
• Skill in the required technical disciplines;
• A designated Team Leader.

Define the Problem

Describe the internal/external customer problem by identifying what is wrong and detail the problem in quantifiable terms. Define, verify and implement the interim containment action to isolate the effects of the problem from any internal/external customer until permanent corrective actions (PCA) are implemented. Validate the effectiveness of the containment actions.

Select an Interim Containment Action

An interim containment action is kept in place until a verified permanent corrective action can be implemented. In some cases, the interim containment action may be the same as or similar to the emergency response action. However, an emergency response action is implemented with minimal supporting data. An interim containment action provides more opportunity for investigation.

Verify an Interim Containment Action

Any interim containment action you implement must protect the customer from the problem without the introduction of any new problems. Also, a single interim containment action may not be enough. You may need to implement more than one interim containment action to fully protect the customer.

An interim containment action can be any action that protects the customer from the problem. However, before you implement an interim
containment action, you need to verify that the interim containment action will work. To verify the interim containment action:

• Prove before implementation it protects the customer from the problem;
• Provide a before-and-after comparison;
• Prove that the interim containment action will not introduce any new problems.

Methods of verification may include:

• A test to determine the desired performance level;
• A demonstration that changes eliminated the issue without creating a new problem;
• A comparison between the interim containment action and similar proven actions;
• A review to evaluate whether the interim containment action was effective;
• Assurance that the interim containment action did not introduce a new problem.

Implement an ICA

Conduct trial runs whenever possible. However, in some situations, your verification may simply be a matter of common sense. For example, if an interim containment action involves stopping the shipment of all products, you can be sure that customers will stop experiencing the problem.

You and your team must consider all of the trade-offs connected to your interim containment action. An important part of implementing an interim containment action is planning how you will implement the action. To implement an interim containment action, follow this management cycle:

• Plan (Re-plan);
• Do (Implement);
• Check (Monitor);
• Act (Evaluate).

Identifying the Root-Cause

Isolate and verify the root-cause by testing each possible cause against the problem description and test data. Also isolate and verify the place in the process where the effect of the root-cause should have been detected and contained (escape point).

Complete a Comparative Analysis

The problem description should describe the problems in terms of what, where, when, and how big. The description should contain facts, such as observations and documentary evidence, and not assumptions. All information must be gathered before identifying the root-cause can begin. Make sure both of the above factors are true before you move to the next step. Consider any new information that the team may have gathered since completing the initial problem description.

Once you have reviewed the problem description, you can begin a comparative analysis. A comparative analysis will help you identify relevant changes in a change-induced situation. Then you can reduce the number of possibilities that you must consider to determine root-cause. To complete a comparative analysis:
• Ask yourself: what is unique, peculiar, different, or unusual about the symptoms?
• Consider features such as people, processes, materials, machines and the environment;
• List all facts without prejudice as to the possible cause.

Consider each difference you listed, and look for changes; ask yourself:

• What has changed to give rise to this difference?
• Keep in mind that each difference may not have a corresponding change;
• List the changes next to the difference;
• Look at the dates each change occurred;
• Eliminate some changes if they occurred after the problem started;
• Consider categories of people, machines, processes or measurements.

If the problem is change-induced, the root-cause must be the result of a change relative to one or more of the identified changes. It is important to remember that you have not yet moved from the ‘observations’ phase of the process. Any information you develop during the comparative analysis must be fact based, not opinion based and must be true only for the symptoms information. Do not rule out any facts that might be valid answers. If it is a fact and it answers the question, write it down.

Develop Root-cause Theories

Now that you have narrowed down the possible root-causes, you need to develop theories about how the problem occurred. Theories are statements that describe how a change may have created the problem. To develop root-cause theories:

• Use brainstorming techniques to generate ideas;
• Ask: ‘how could this change have caused the problem?’
• Continue to ask the question until all possible theories are developed;
• List at least one theory for each change;
• List each theory individually on a worksheet;
• List every possibility, no matter how strange or unlikely;
• Don't reject or qualify any theory;
• Start with the simplest single change theory first;
• Then work up to more complex theories;
• Be specific; don't use generalities such as ‘poor quality’ or ‘doesn't work’.

Test the Theories

To test the theory, do the following:

• Ask, ‘Does this theory explain the symptoms and data, if so how?’
• Test the theory against each individual condition.

If a theory explains the problem, but lacks information necessary to explain why it happened, gather more data:

• Gather more data to prove or disprove these theories;
• Test simple (single change) theories first;
• Test highly complex or interactive theories last.

The root-cause must explain all known data. Any theories that pass the trial run are the most likely causes. If only one theory passes the trial run then verify this theory as the root-cause. However, more than one theory may pass the trial run. In those cases (and when practical and feasible), collect and analyze any missing data for uncertain theories and re-examine information to resolve uncertainties.

If additional information reveals that a theory cannot fully explain why the problem happened, eliminate it from consideration. If it is not feasible to gather and evaluate additional information, try to verify each remaining theory. Start verification with the theory that best explains the symptoms.

Verify the Root-Cause

Once you have determined the most likely cause(s), verify that it actually causes the problem. Verification is the proof you need to confirm that you have identified the root-cause. Verification is done passively and actively. Passive verification is done by observation:

• Look for the presence of the root-cause without changing anything;
• If you cannot prove root-cause, then the identified cause is not the root-cause.

Active verification is done by manipulating the root-cause variable:

• Implement and remove the root-cause variable to make the problem ‘come and go’;
• Both ‘coming’ and ‘going’ are essential tests to confirm the root-cause;
• There can be more than one verified root-cause.

Determine and Verify the Escape Point

After you have determined and verified the root-cause, you need to determine the escape point of the problem. An escape point is the point closest to the root-cause at which the problem could have been detected but was not.

A control system is a system deployed to monitor the product/process and ensure compliance to quality requirements. A control system consists of responsibilities, procedures, and resources. A control point is a location within the control system at which the product/process is checked for compliance to the quality standards.

A product or process may have more than one control point within the system. When you identify the escape point, you can work to improve or establish a system to ensure that if problems occur, they will not go undetected. To understand how the problem escaped and to identify the escape point:

• Review the process; focus on the part of the process where the root-cause occurred;
• Determine if a control system exists to detect the problem.

If none exists, the development of a new control system must be considered as part of the problem solution. If a control system currently exists:

• Identify the control point closest to the root-cause;
• Determine if the control point is capable of detecting the problem.

If the control system is not capable, the development of an improved system must be part of the problem solution. If the control point is capable
of detecting the problem, then the control point is the verified escape point. Choose and verify permanent corrective actions for the root-cause and the escape point.

Select the best permanent corrective action to remove the root-cause and select the best permanent corrective action to eliminate the escape point. Verify that both decisions will be successful when implemented without causing undesirable effects. Steps for permanent corrective actions (PCA) selection:

• Establish decision criteria, e.g. what is feasible;
• Identify possible actions;
• Choose the most appropriate permanent corrective action (PCA);
• Test and verify the permanent corrective action;
• Re-evaluate the ICA & PCA for the escape point.

Implementing & Validating Permanent Corrective Actions

Plan and implement selected permanent corrective actions. Remove the interim containment action and monitor the long-term results. Steps for PCA implementation:

• Develop Action Plan for PCA;
• Implement the PCA Plan;
• Remove the ICA;
• Evaluate the PCA for escape point;
• Perform validation;
• Confirm with the customer that the symptom has been eliminated.

Preventing Recurrence

Modify the necessary systems, policies, practices and procedures to prevent recurrence of this problem and similar ones. Make recommendations for systemic improvements as necessary:

• Review the history of the problem;
• Analyze how the problem occurred and escaped;
• Identify affected parties;
• Identify opportunities for similar problems to occur and escape;
• Identify practices and procedures that allowed the problem to occur;
• Identify practices/procedures that allowed the problem to escape to the customer;
• Analyze how similar problems could be addressed;
• Identify and choose appropriate preventive actions;
• Verify preventive action and its effectiveness;
• Develop action plan;
• Implement preventive actions;
• Present systemic preventive recommendations to the process owner.

Serious consequences may occur when the underlying symptoms are not addressed, when the quick fix is accepted as a final, permanent solution. Excessive reliance on containment or emergency response action will create a repeating cycle. Problem containment is an addiction that will only get worse until root-causes are found and addressed.

10.3 Continual Improvement

This requirement is comparable to ISO 9001:2008 Clause 8.5.1 Continual Improvement. One of the driving goals of ISO 9001 is the principle of continual improvement. You must be able to demonstrate continual improvement. Most auditors would expect you to revise the quality system documentation and processes as the quality management system matures or when a new process is implemented.

You should seek objective evidence that your organization has implemented a process, with appropriate methods, techniques, and formats for identifying areas of underperformance or opportunities for improvement. You should expect to evidence that your organization has selected the appropriate tools and techniques to investigate the causes, thereby establishing and implementing a process for continual improvement. The impetus for continual improvement must come from the use of (as a minimum):

1. Quality policy (Clause 5.2);
2. Risks and opportunities (Clause 6.1);
3. Quality objectives (Clause 6.2);
4. Analysis and evaluation of data (Clause 9.1);
5. Audit results (Clause 9.2);
6. Management review (Clause 9.3);
7. Non-conformity and corrective action (Clause 10.2).

Requirements for continual improvement interrelate with the following clauses:

1. QMS planning (Clause 4.4);
2. Quality objectives (Clause 6.2);
3. Risks and opportunities (Clause 6.1);
4. Recommendations for improvement (Clause 9.3.2);
5. Improvement of the system, processes and product (Clause 9.3.3);
6. Analysis and evaluation of data (Clause 9.1);
7. Non-conformity and corrective action (Clause 10.2).

It is the responsibility of the company to demonstrate improvement rather than the auditor to look for it. Accordingly, it is a useful audit practice to ask management to identify any improvement initiatives taken since the previous visit, and also any planned for the future.

Processes can always be made more efficient and effective, even when they are producing conforming products. The aim of a continual improvement programme is to increase the odds of satisfying customers by identifying areas that need improvement. It requires the organization to plan improvement systems and to take into account many other activities that can be used in the improvement process.

You will be required to ensure that you continually improve the degree to which your products and services meet customer requirements and to measure effectiveness of your processes. To this end the continual improvement principle implies that you should adopt the attitude that improvement is always possible and your organization should develop the skills and tools necessary to drive improvement.

The PDCA cycle is a perfect way of introducing continual improvement to your organization’s activities. Each step to improvement can be defined by four sub-steps, Plan, Do, Check and Act:
1. Plan: Establish a timetable for internal audits and management reviews. Establish the objectives and processes necessary to deliver results in accordance with your customer’s requirements and your organization’s policy.

2. Do: Implement changes designed to solve the problems on a small scale first to see the effect. This minimizes disruption to routine activity while testing whether the changes will work or not.

3. Check: Monitor and measure processes and product against policies, objectives and requirements and report the results. Also check on key activities to ensure that the quality of the output is conforming and not influenced by the changes.

4. Act: Take actions to continually improve process performance. Implement the changes on a larger scale, if the experimental changes have proven to be successful. This means making the changes a routine part of the activity.

Also act to involve other people, departments or suppliers affected by the changes and whose co-operation is needed to implement them on a larger scale. Make sure that changes are documented properly according to the documentation requirements.