Professional Documents
Culture Documents
Pre-Course Notes
Improving performance,
reducing risk
Introduction
Course hours
• The course duration is 40 hours over 4½ days.
• 100% attendance is required.
• You will be asked to complete evening work each day, which will take approximately
1 hour.
Delegate assessment
• We will fully explain at the start of the course the assessment criteria and
performance standards you need to achieve.
• We will give you written feedback each day, and guidance on any improvements
needed.
• You will complete a 2 hour written examination at the end of the course.
• During the exam you will be able to refer to a clean copy of ISO 9001 (i.e., one that
has not been annotated in any way). If appropriate you can use a paper based
bilingual dictionary. These are the only items permitted for reference.
Important
• Please complete Section G – Verification of pre-course work. This is very important.
It will help you prepare for the course.
• Please be sure you bring the completed pack and your personal copy of ISO 9001
with you when you attend the course.
• Please complete your personal course objectives at the end of the pack. We will ask
you to present these at the start of the course.
Contents
Page
Introduction 1
19
SECTION F Introduction to Auditing
• Audit terms and definitions
• Audit types and purpose
• Certification and accreditation
Note: The following spellings are used throughout for consistency with the
ISO 9000 series of documents: - Organization. Realization. Realized
Purpose
This section contains information on the ISO 9000 series of documents.
ISO 9001 and ISO 9004 are designed to complement each other, but can also be used
independently.
Most standards require periodic revision. Several factors combine to render a standard
out of date: technological evolution, new methods and materials, new quality and safety
requirements. To take account of these factors, ISO has established the general rule that
all ISO standards should be reviewed at intervals of not more than five years.
Purpose
This section introduces some essential quality terms and definitions. These will help you
interpret and audit ISO 9001 requirements. You may want to refer back to these
definitions as you read through the other sections of this pack.
Definitions
The following terms and definitions are quoted from ISO9000 Quality management
systems - Fundamentals and vocabulary.
To help your understanding, we have grouped related terms together and separated
groups using this bullet symbol.
Quality
Degree to which a set of inherent characteristics fulfils requirements
System
Set of interrelated or interacting elements
Management system
System to establish policy and objectives and to achieve those objectives
Process
Set of interrelated or interacting activities which transforms inputs into outputs
Product
Result of a process
• The term Product is used as a generic term for:
- services (for example transport)
- software (for example computer programme or information,)
- hardware (for example engine mechanical part)
- processed materials (for example lubricant)
Procedure
Specified way to carry out an activity or a process
• Where the procedure is documented the term ‘written procedure’ or ‘documented
procedure’ is frequently used. For clarity, auditors should not use the term procedure
when in fact they are referring to a written or documented procedure.
Requirement
Need or expectation that is stated, generally implied or obligatory
Nonconformity
Non-fulfilment of a requirement
Correction
Action to eliminate a detected nonconformity
• for example rework
Corrective action
Action to eliminate the cause of a detected nonconformity or other undesirable situation
Preventive action
Action to eliminate the cause of a potential nonconformity or other undesirable
situation
Document
Information and its supporting medium
Record
Document stating results achieved or providing evidence of activities performed
Purpose
ISO 9000 introduces eight Quality Management Principles that can be used to lead an
organization towards improvement. ISO 9001 includes requirements that can be traced
back to these principles.
By reading this section and working through an example of how requirements of ISO
9001 can be linked back to the principles you will help to develop your understanding of
ISO 9001 and the underlying purpose of specific requirements.
1. Customer focus
Organizations depend on their customers and therefore should understand current
and future needs, should meet customer requirements and strive to exceed customer
expectations.
2. Leadership
Leaders establish unity of purpose and direction of the organization. They should
create and maintain the internal environment in which people can become fully
involved in achieving the organization's objectives.
3. Involvement of people
People at all levels are the essence of an organization and their full involvement
enables their abilities to be used for the organization’s benefit.
4. Process approach
A desired result is achieved more efficiently when activities and related resources are
managed as a process.
6. Continual improvement
Continual improvement of the organization's overall performance should be a
permanent objective of the organization.
Please note - Suppliers are stakeholders not customers. Stakeholder needs are
considered in ISO 9004 but are outside the scope of ISO 9001. Consequently there
is no direct traceability from ISO 9001 to the quality management principle of
mutually beneficial supplier relationships.
Process approach 4.1a) identify the processes needed for the quality management system….
4.1b) determine the sequence and interaction of these processes
4.1c) determine criteria and methods needed to ensure that both the
operation and control of these processes are effective
Now refer to ISO 9001. Read what it says in the sections listed below and
see how these requirements support the process approach principle.
4.1 e)
4.1 f)
7.1 – refer to the first paragraph
8.2.3
Complete the “Quality Management Principle and ISO 9001 cross reference
section” that is part of the “Verification of pre-course work” section.
Purpose
ISO 9001 promotes a process approach to quality management. We introduce in this
section the Process Improvement Model, the Process Model and process conformance
and effectiveness.
ACT PLAN
CHECK DO
This is the “Plan-Do-Check-Act” improvement cycle. You may hear it called the PDCA
cycle or the Deming cycle. You can apply it to all processes and you can use it to plan
and implement process change.
• Plan – Plan the improvement and plan how you will know if it has worked.
• Act – Act to maintain the improvement, address any shortfall and learn from
experience.
ISO 9001 aims to bring about continual improvement through the Plan-Do-Check-Act
cycle, which is embedded into ISO 9001 requirements.
u Controls
u Resources
Process Interaction
Individual processes rarely operate in isolation and processes can often be broken down
into sub-processes. Outputs from one process are often inputs into later processes.
Some times the output from one process will become a control to another process. For
example, consider two parts of a purchasing process.
u Supplier
Performance
standards
u Potential
u Approved
Suppliers Supplier Approval
Suppliers
u Competent
Personnel
u Approved
Suppliers
u Purchase u Purchase
Purchasing
Requirements Order
u Competent
Personnel
• Effectiveness – extent to which planned activities are realized and planned results
achieved.
Checking a process has been carried out in accordance with planned arrangements is a
conformance audit. Checking the results of a process meet requirements is an
effectiveness audit. Auditors must consider the purpose of a process to determine its
effectiveness.
Purpose
Read this section and start to familiarise yourself with ISO 9001. It will help you during
the course, the exam and later as an auditor if you can navigate your way around ISO
9001 requirements quickly and accurately.
Applying a quality management system framework can help an organization meet the
current and future needs of its customers in an effective and efficient way, and ensure
that products and services consistently meet customer and regulatory requirements.
The achievement of certification to a standard by an independent body, or an award
against a recognised framework, provides public recognition that an organization meets
those standards, and can be a useful marketing tool.
Continual improvement of
the quality management system
Management
Responsibility
Customers Customers
Measurement,
Resource Satisfaction
analysis and
management improvement
Input Output
Requirements Product
Product
Realisation
The diagram illustrates the relationship between customers and the supplying
organization. On the left-hand we have customer requirements. In the middle we have
the organization supplying the customer. On the right-hand we have the customer’s
perception as to whether the organization has met their requirements.
The organization’s quality policy should reflect what is important to the organization
and its customers. Top management may formulate and review the quality policy as part
of other business planning activities. In practice an organization’s policies tend to
remain fairly constant from one year to the next whilst objectives change to meet
emerging needs.
Having set policy and established objectives for quality as well as other business
requirements such as profitability, the role of top management is to communicate these
and establish a unity of purpose throughout the organization.
Resource Management - All businesses need resources. Within the context of ISO
9001 these comprise:
• Human resources - including competence, training and awareness.
• Infrastructure - including buildings, workspace and associated utilities, process
equipment (hardware and software) and supporting services (such as transport,
communication or information systems).
• Work environment - including physical, environmental and other factors under which
work is performed.
In addition to the three resource types given, organizations will need also to plan and
manage other resources such as financial resources and supplier partnerships. These are
outside of the scope of ISO 9001 but are referred to in ISO 9004.
Examples of realization processes that apply to most companies are sales, purchasing,
delivery and invoicing. For a manufacturing company, realization processes could also
include production processes, inspection and test, calibration and installation. For a
service company such as a hotel, examples of realization processes would be guest
reception, restaurant and room services.
And:
2. At organization level – through use of the quality policy, quality objectives, audit
results, analysis of data, corrective and preventive actions and management review.
The aim is to:
• Review what has been achieved against the quality policy and quality objectives and
act to address any shortfalls.
• Plan for the future, taking account of changes in requirements and other changes
that could affect the quality management system such as development of
technology.
This activity is part of what ISO 9001 calls “management review” and is the process
by which new quality objectives and targets are established.
Look now at clauses 5 through to 8. The main body of the Standard is organised in the
same way as the model of a process-based quality management system. That is:
• Clause 5 – Management responsibility.
• Clause 6 – Resource management.
• Clause 7 – Product realization.
• Clause 8 – Measurement, analysis and improvement.
monitoring and measuring equipment the requirements of clause 7.6 can be excluded.
The quality manual shall include details of, and justification for, any exclusion.
Pre-course preparation
Before attending the course you are required to have knowledge of the requirements of
ISO 9001.
Depending on your previous knowledge and experience, you may find it useful to
complete the following activities before the course, to consolidate your existing
knowledge and understanding:
1. Read through the “guide to ISO 9001 requirements” that is in the appendix to this
document.
2. Select some of the sections from the guide, maybe those that you are less familiar
with and find out what processes and procedures your own organization uses to
address these requirements. Now compare these with the requirements as they are
detailed in ISO 9001.
3. Review some of the internal and external audit reports for your organization, and
compare their findings with the relevant sections of ISO 9001.
4. Look at you organization’s quality policy, quality objectives and quality manual, and
compare their contents with the relevant ISO 9001 requirements.
5. If available, look at the inputs and outputs form your organization’s management
review. How do they meet the requirements of 5.6.2 and 5.6.3? What is your
organization seeking to improve?
Purpose
This section introduces some basic concepts of auditing. It contains essential
information, which you should know and understand before attending the course.
Read this section carefully. You will have an opportunity during the course to clarify any
points with the trainer.
Audit
Systematic, independent and documented process for obtaining audit evidence and
evaluating it objectively to determine the extent to which audit criteria are fulfilled.
Audit evidence
Records, statements of fact or other information, which are relevant to the audit criteria
and verifiable.
Audit criteria
Set of policies, procedures or requirements used as a reference against which audit
evidence is compared.
Auditor
Person who conducts an audit.
Audit team
One or more auditors conducting an audit, supported if needed by technical experts.
Note – one auditor of the audit team is appointed as the audit team leader.
Technical expert
Person who provides specific knowledge or expertise to the audit team.
Audit client
Organization or person requesting an audit.
Auditee
Organization being audited.
Audit programme
Arrangements for a set of one or more audits planned for a specific time frame and
directed towards a specific purpose.
Audit plan
Description of the activities and arrangements for an audit.
Audit scope
Extent and boundaries of an audit.
Accreditation bodies, for example the United Kingdom Accreditation Service (UKAS):
Audit and award accreditation to:
Certification bodies, for example LRQA
Who audit and award certification to:
Organizations
Accreditation bodies audit certification bodies against the requirements of ISO 17021
“Conformity assessment — Requirements for bodies providing audit and certification of
management systems”.
Accredited certification bodies will generally follow the guidelines contained in ISO
19011 “Guidelines for auditing management systems”.
ISO 19011 is a guidance document whereas ISO 17021 is an auditable document. And
where ISO 17021 only applies to certification bodies, ISO 19011 is also referenced by
nd
many organizations operating 1st party (internal) or 2 party (supplier) audit systems.
The purpose of this section is to check your understanding of the information given in
this pre-course work.
1. Match the definition to the term and write the letter of the correct definition against
the term. There are two definitions for which there is no term listed.
G Non-fulfilment of a requirement
2. In the space below, describe the difference between corrective action and preventive
action and give an example of each.
Customer focus
Leadership
Involvement of people
Continual
improvement
Factual approach to
decision making
5. With reference to this pre-course work and ISO 9001, who has overall responsibility
for the organization’s quality policy and quality objectives?
6. With reference to this pre-course work and ISO 9001 describe in the space below
the purpose of “Management review”
-----------------------------------------------------------------------------------------------------------------
Purpose
Each delegate will have their own reason for coming on the course. For example you
may be an internal auditor (1st party audits) who wants now to audit against ISO 9001.
Or you may be coming on the course as part of your personal development. It will help
you and the trainer if before you arrive you think about and plan what you want to get
from the course. We have designed this section to help you with this. It forms a bridge
between the pre-course pack and the course itself.
In thinking about your objectives for the course you also want to consider:
• What you need to do to meet the IRCA requirements for Auditors. You may find it
beneficial to visit the IRCA web site for more details of the requirements for
becoming an IRCA certificated auditor. www.irca.org
• Any other expectations which you or your employer have from the course.
Please now write your personal objectives using the form on the next page and bring it
with you to the course.
Name: Company:
My current auditing experience is: (please give a brief description of your auditing
experience including the type of audits you have completed or been involved in)
My future auditing role will be: (please give a brief description of how you see your role as
an auditor developing in the future and include also the type of audits you expect to be
involved in)
My objectives for the course are: (please list between three and five specific things that you
want to be able to do as a result of completing the course)
Please take a copy of this page and bring it with you to the course. You will be asked to
discuss and present your course objectives to your group and LRQA trainer.
To keep the document brief, only an overview of the requirements is included. You
should refer to your personal copy of the standard for definitive information.
Caution!
ISO 9001 specifies requirements for a quality management system. It does not prescribe
how these requirements are to be met.
4.1a) determine the processes needed for the quality management system and their
application throughout the organization
If the management system is to work, a starting point must be to identify all those
things that need to be managed. The purpose of this clause is to ensure that all
processes that can have a direct or indirect impact upon customer satisfaction and
compliance with applicable statutory and regulatory requirements are identified as part
of the management system. What are the processes involved in producing products and
services? What support processes are needed?
Businesses are made up of processes that feed other processes. For example, in a
vehicle repair operation the parts ordered in the “parts ordering” process would feed
into the “repair” process. Organizations need to understand how their processes feed
into each other in order to actively manage the business, making sure that processes are
effective and efficient.
4.1c) determine criteria and methods needed to ensure that both the operation and
control of these processes are effective
How will we know that the process is delivering the desired outcome?
Requirements: Firstly determine what the process needs to achieve and set some
acceptance criteria. For example in a paint shop this might be the specification for the
paint finish. Then you need to determine what process controls are needed to ensure
this result, for example you might specify paint consistency and drying
time/temperature. You then need to plan how you will monitor the operation of
processes; that is to see if they are being performed as you planned. You will need to
plan how you will assess the effectiveness of controls, for example is the paint
QMS Auditor/Lead Auditor Page 28 of 45
Version 3 - Revision 5.0
Precourse Notes.docx
© LRQA Training 2014
Appendix: Guide to ISO 9001 requirements
consistency producing the result we want? Such methods might include inspection and
audit activities.
4.1d) ensure the availability of resources and information necessary to support the
operation and monitoring of these processes
The business needs to ensure that there are sufficient resources to allow processes to
work as intended. Resources include appropriately competent people, equipment,
hardware and software, materials, environment and so on and so on. Resources should
also be available to monitor processes – this would include activities such as internal
audit.
Requirements: Make sure the necessary resources and information is available at the
right time and in the right place.
4.1e) monitor measure where applicable, and analyse these processes and
Processes can be monitored through means such as internal audit, customer feedback,
mystery shoppers; process measures may include quantitative data such as process
times, conversion ratios, turnaround times, volume, costs, revenue etc. Analysis should
help the organization answer the “so what?” question - what is the data telling us
about how we are performing?
Management is all about taking decisions and acting to ensure that objectives can be
attained. Implementing this requirement will help to ensure that results are achieved,
and that the effectiveness of processes in delivering results is enhanced.
Summary
Section 4.1 introduces the general requirements for the quality management system. It
provides an overview of the requirements. It applies the PDCA cycle, described earlier.
4.2.1 General
How can we ensure that the documentation supporting our management system is
adequately but not overly detailed?
Requirements: Organizations must document their quality policy and objectives. There
must be a quality manual, and records required by the Standard to demonstrate
effective operation of the management system.
The quality manual acts as a guide to how the business is organised and what processes
there are. It should provide a documented overview of the quality management system.
Readers should gain a good understanding in overview of the organization. What
processes it operates and how they interact. The quality manual should help readers to
navigate their way through the management system and its documentation.
This requirement is intended to ensure that people have the right information at the
right time. It applies to both hard copy and electronic documents. It applies to
documented procedures and some everyday working documents, for example drawings
and specifications. A hotel for example would probably want to control in some way its
room rate list. Customers’ documents that are copied and circulated in the organization
should be controlled. For example, customers' order setting out requirements.
Organizations must decide which every day documents need to be controlled and what
is an appropriate method.
Requirements:
• Approve documents and procedures before issue and amendment.
• Make it clear which is the most up to date version of the document. For example,
use a revision status or date.
• Circulate documents to the right people, and make sure that old versions are
removed or destroyed.
• Set out in a documented procedure how documents will be controlled.
Records may be needed for traceability, and for comparing what happened with what
was planned – a clear understanding of this will be essential for any improvement
activity.
Requirements:
• What records do we need to keep, to demonstrate the effective operation of the
management system?
• How long for?
• Where/how shall we keep them?
• What happens to records that are no longer needed?
• Set out in a documented procedure how records will be controlled.
Summary
Section 4.2 sets out requirements for quality management system documentation
comprising the policy, objectives, manual, procedures and records.
5 Management responsibility
(Look at your copy of ISO 9001 for the full text).
How does management provide appropriate leadership for the management system?
And, how is this demonstrated?
“People do what their managers pay attention to” and the management system will
only deliver results if people within the organization know that using and improving the
management system to satisfy customers and comply with legal requirements is
important to top management.
Requirements:
• Communicate clearly and consistently how important achieving customer satisfaction
and conforming to regulations is.
• Set direction through the quality policy and objectives.
• Be personally involved in reviewing the effectiveness of the system.
• Demonstrate commitment by allocating resources where they are needed.
How can we tell our people what we want the business to achieve and how important it
is that everyone follows and improves the way we work?
The quality policy provides focus and direction for the organization and what it should
achieve.
Requirements: Top management should establish and document a quality policy that
reflects the business strategy and provides long term direction. They should review their
quality policy periodically. The quality policy should reflect the need for continual
improvement, and facilitate setting of quality objectives. The quality policy should be
communicated and understood by all staff.
5.4 Planning
How are we going to achieve our goals? How are we going to direct and control the
organization?
How the quality policy will be achieved needs to be planned. The management system,
the way the organization will operate to achieve the policy needs to be planned. Top
management is responsible for making this happen.
Requirements: Measurable quality objectives should be set that support the quality
policy. These should be cascaded throughout the organization, so that departments
and individuals that are required to contribute to the achievement of objectives have a
clear understanding of what is required of them. Planning also applies to the general
operation of the management system, and includes the management of change.
For organizations to run smoothly, people need to know what they are supposed to do
and what authority they have, and what others are supposed to do, and to know what’s
going on.
The management system and its effectiveness are fundamental to the success of the
organization. Someone has to have overall responsibility for it.
Requirements: People throughout the organization should be clear about their own
job roles, the decisions they can make, and those of their colleagues’. A member of
management must be appointed to take overall responsibility for the management
system and promoting awareness of customer requirements.
How are we doing, are we meeting customers’ needs and achieving our objectives?
The system needs to be actively managed and continually adjusted and improved and
management review enables this to happen. Management review is the key to ensuring
the system adds value to the business.
Requirements: All of the data gathered about the performance of the system should
be analysed and submitted in an appropriate form to the management review. The
review examines this to see if the system is achieving what it set out to achieve. Other
changes and developments affecting the business are also considered and any changes
needed to the quality policy, objectives and to the management system to improve its
performance are decided.
Summary
Section 5 sets out requirements for top management involvement in leading and
directing the organization through the development and implementation of the quality
management system and continually improving its effectiveness.
6 Resource management
(Look at your copy of ISO 9001 for the full text).
What resources do we need to achieve our goals, policy objectives and targets?
Requirements: Determine what resources are needed and provide them, including for
continual improvement.
6.3 Infrastructure
What equipment, facilities and supporting services do we need to achieve our goals?
People need tools and systems to achieve results and these need to be planned and
provided. Infrastructure requirements include buildings, equipment, tools, machinery,
computers, desks, software systems, telephone, Internet and other communication and
information systems, vehicles and so on and so on.
Requirements: The organization needs to plan its requirements, provide and maintain
them, so that they are available and in working order when needed.
What environmental conditions are needed to produce our product and meet customer
requirements?
Need to ensure that the work environment is suitable. Certain processes may need a
controlled environment. Examples are cleanliness and hygiene requirements in food
QMS Auditor/Lead Auditor Page 35 of 45
Version 3 - Revision 5.0
Precourse Notes.docx
© LRQA Training 2014
Appendix: Guide to ISO 9001 requirements
processing areas and protecting components from static electricity in the electronics
industry. Where the work environment could affect peoples’ performance and meeting
customer requirements the environment people work in must be suitable. For example
in a telephone sales office data-entry should not hampered by excessive noise,
temperature or display screens that are difficult to read.
Summary
Section 6 sets out requirements for planning, providing and maintaining human
resources, infrastructure and the work environment needed by the organization to
achieve its objectives and continually improve the effectiveness of the quality
management system.
7 Product realization
(Look at your copy of ISO 9001 for the full text).
How are we going to make our product and make sure it meets the customer’s needs?
Product Realization is all those processes needed to produce the desired product. This
requirement of ISO 9001 sets out the generic requirements for the planning and
development of these processes, documents and resources needed to ensure the
effective operation and control of these processes. Referring back to the PDCA cycle
and the model of a process-based quality system, it’s about planning the everyday
activities.
The organization should design and plan product realization processes that can meet
customer and applicable statutory and regulatory requirements in the most effective
way, that is with the greatest probability of meeting requirements, striving towards
meeting them on every occasion.
Where the product is routine the processes can be designed and then applied to all
customers until the product changes or an improvement opportunity is identified. For
example a training organization may develop a standard process for dealing with off-
the-shelf courses. Where the product is very different for each customer, as would be
the case for major construction projects such as a new sports stadium a customer
specific plan probably will be developed. Planning should include inspection activity to
ensure that progress can be checked and verified against the original agreement with
the customer.
Requirements:
• Identify relevant inputs prior to planning the realization processes. For example
customer and statutory and regulatory requirements for the product, documentation
required, quality objectives, resources, responsibilities and so on and so on.
• Identify the processes and resources required. Plan how the process is to be carried
out including documents and data to support their operation, controls, acceptance
criteria, records to demonstrate product meets requirements and so on and so on –
refer back to the IDEF Process Model.
• Produce tangible outputs that show how product Realization processes will be
carried out. For example process plans, resource plans, work instructions, process
documentation, control plans, verification or inspection and test plans.
What does the customer want, and can we meet their needs?
The organization has a duty to ensure the product meets both the customers’ stated
(verbalised) and implied (expected) needs including statutory and regulatory
requirements applicable to the product. For example, a customer buying a new car may
specify the model, colour and accessories (stated needs). As the customer collecting my
new car, I would assume that the car meets safety and emissions standards, as required
by law and as outlined in product literature, and that I would not specifically need to ask
for these (implied needs).
Organizations design products to meet customer specific needs or the needs of the
market. Design is fundamental to achieving customer satisfaction. Design must include
customer and applicable statutory and regulatory requirements for the product from the
start. ISO 9001 mandates requirements to ensure design is carried out as a series of
logical steps, including periodic reviews of the design to ensure requirements are
identified and carried forward into the final product. The ISO 9001 requirements for
design incorporate the PDCA cycle.
Design should be carried out in a planned and systematic way. This applies to any form
of product design and development irrespective of whether the product is tangible, for
example hardware and software or intangible for example a service.
Frequently a number of people and departments will be involved at various stages in the
design. For example it is likely that manufacturing would be involved at some time in
the design of new hardware. There needs to be effective communication between
those involved in the design. And opportunity for the various functions to participate in
reviews of the design to ensure it is feasible to produce and deliver and meets customer
needs.
The output of the planning process should be in a format that meets the needs of the
organization.
What does our product need to do and what else must we take into account when we
design it?
Other inputs relating to the design process may include design proformas, checklists,
design protocols and procedural documents.
Requirement: Determine inputs relating to the product and keep records of them.
What outputs from the design process do we need and format and media will we use to
record them?
The normal output of design and development is the specification for the product and
information to enable it to be made. This may include information for purchasing,
production, inspection and test, operation and maintenance of the product. If the
process is engineering design, the output may be drawings and specifications. If the
process is software design the output may be a programming functional specification.
And if it is service design the output may be a service specification.
The design should be approved as meeting requirements before being released – look at
7.3.5 design verification and validation below.
Other outputs of the design process will include a design plan that is the output of
design planning activity. Also records of reviews, verification and validation results and
records of design changes.
When and how should we review progress to make sure the design is on the right
track?
The product designed should meet the requirements specified at the start of the
process. Reviews are done as the design progresses to check that requirements are
being met. The organization decides when and how often reviews are done. The more
complex the design the more likely a number of reviews will be done. A simple design
or development project may have only one review, which would be of the completed
design – see 7.3.5 below.
Requirements: Plan and conduct reviews. Identify any problems and action needed.
Keep records. Update the design plan as necessary.
The completed design should be formally reviewed before the product is made. The
review should check that the product designed meets requirements specified. The
review should also check that all requirements and activities set out in the design plan
have been completed.
Like earlier design reviews this is a review of the outputs from the design process, not a
review of the product itself. Typically it will be a review of drawings and specifications.
Requirements: Plan and conduct a review of the design outputs against requirements.
Record the results of the review and any necessary actions.
This is a check that the product designed really does meet requirements. Where
practical this check should be done before delivery of the product or implementation of
the service. Methods may include prototype testing hardware and software products
and service trials.
It is not always possible to prove the design meets requirements before the product is
made. For example, design of a building. Where this is the case validation may only be
possible over a period, after the product has been made. In such cases a plan for
validating the design should be produced and ideally agreed with the customer. In this
type of design lessons learned from previous designs are an essential input to the
design. And lessons learned from this design should feed into later ones. See ISO 9001
- 7.3.2c.
Changes to an established design should follow the same process as an original design.
That is they should be reviewed, verified, approved and validated as appropriate and
records kept.
Changing an established design can have an impact on customers. The effect of the
design change on other parts of the product and on product already delivered needs to
be considered during the design review. For example will a new version of software be
compatible with earlier versions already in use? Or, will a new hardware component be
interchangeable with earlier versions? Depending upon the outcome of the review
there may be a need to communicate the nature of the changes and their impacts to
those potentially affected.
Requirements:
• Identify and record design changes.
• Review, verify and validate design changes.
• Evaluate the effect of the changes.
• Record results of reviews and actions necessary.
7.4 Purchasing
How can we make sure we have the materials and services we need to meet our
customers’ needs?
Need to have the right materials/services in the right place at the right time.
Requirements:
• Select suppliers who are capable of meeting the organizations needs, and monitor
their performance to ensure that they continue to meet these needs.
• Specify clearly to suppliers what is wanted and when it is needed and check that the
purchased goods/services meet requirements.
Sections 7.2, 7.3, and 7.4 gave requirements for three specific Realization processes.
This section covers all other Realization processes. Section 7.1 of ISO 9001 dealt with
planning the operation of Realization processes. This section requires the planning
activities referred to in section 7.1 to be put into practice. Referring back to the PDCA
cycle and the model of a process based quality this requirement is about doing the
everyday activities in the way they were planned.
Did our planned way of working give us what we want when we put it into practice?
In the same way that it is necessary to validate the design of a product, the design of
the processes that will produce the product needs to be validated. In many cases
checking the product can do this. In others it cannot readily or economically be done
this way. In which case, the process must be proven in its own right. For example, a
sterilisation process.
Requirements: Make sure that processes are capable of delivering what is needed.
Identify processes where the output cannot be verified by monitoring or measurement.
Prove these processes are capable of delivering what is needed and monitor the process
not their product.
Will we be using customers’ property in our product and if so how will we look after it?
Customer supplied product is often incorporated into product being supplied. For
example an organization that manufactures and installs signs may be attaching the sign
to their customer’s building. Similarly a financial institution or legal service may use
confidential information and personal data supplied by the customer. And a cleaning
company will take in items belonging to their customers. Other examples include the
use of intellectual property, tools and equipment provided by the customer and the use
of packaging or labels provided by the customer, for example brand labels. In all of
these cases the organization needs to exercise a duty of care with respect to the
customer’s property.
Requirements:
• Identify all instances where the customer provides items for use in the product or
customer property is used to provide the desired product.
How will we look after the product and making sure it is not damaged or harmed?
Product needs to be looked after during production and delivery. This applies to all
types of product. It includes customer-supplied items and information. It included
component parts of the finished product. Examples include protecting integrated
circuits from static electricity, food packaging requirements and security of confidential
information.
Need to make sure that monitoring activities and inspection of product and processes is
accurate.
Requirements:
• Determine what monitoring and measurement is needed and determine what
equipment is needed for this, including what degree of accuracy is needed.
• Monitoring and measurement equipment needs to be identified and checked to
ensure that it is sufficiently accurate to do the job it’s required to do. And re-
calibrated if it is not.
Summary
Section 7 sets out requirements for planning, validating and operating the day-to-day
processes needed for product realization.
8.1 General
Need to monitor measure and understand what happens in the business in order to
manage it effectively. Why guess when you can base your decisions on sound data and
facts? This part of ISO 9001 is the Check stage of PDCA.
Requirements: need to plan how to monitor, measure, analyse and improve processes,
and implement the plan.
Having a direction and objectives for the management system and a plan for its
implementation is of little use without information to tell the organization where it is
against its plan. Management and measurement activities will enable the organization
to work out what it needs to do to get from where it is to where it needs to be.
Requirements:
• Monitor information relating to customer perceptions, to find out what customers
think about the organization's products and services.
• Perform internal audits to check whether processes are being carried out as
intended, in accordance with ISO 9001 requirements and whether they are effective
in achieving desired results.
• Monitor and measure processes to see whether they achieve the results needed.
• Monitor and measure the product against the specification and acceptance criteria
to make sure it meets requirements.
Need to ensure that where a problem is detected the organization ensures that the
problem is rectified before it affects the customer.
Requirements:
• When problems are identified the organization needs to act to ensure that the
product cannot be used or delivered to the customer, unless the problem is
corrected or the customer is told of the nature of the problem and agree to a
concession. If problems are identified after delivery the organization must evaluate
the effect or potential effect of the problem and act appropriately.
• A documented procedure is required that describes the controls, responsibilities and
authorities for dealing with non-conforming product.
QMS Auditor/Lead Auditor Page 44 of 45
Version 3 - Revision 5.0
Precourse Notes.docx
© LRQA Training 2014
Appendix: Guide to ISO 9001 requirements
• Keep records.
Having gathered measurement and monitoring data the organization needs to make
sense of it in order to learn and improve the management system. Remember that
‘management system’ refers to how the business operates to achieve customer and
statutory and regulatory requirements for the product and quality objectives and policy.
Not the collection of paperwork called the quality manual and procedures.
Requirements:
• Decide what data needs to be collected to assess whether the management system
is doing its job, and to identify where there are opportunities to improve.
• Include data on customer satisfaction, product conformity, process performance,
opportunities for preventive action, and suppliers.
• Collect this data, and analyse it to establish patterns, trends, common areas of
strengths and weaknesses.
8.5 Improvement
If the management system is to add value to the business it must generate improvement
and enhance customer satisfaction.
Requirements
• Continual improvement through a process of setting measurable objectives,
monitoring progress, reviewing results and identifying and acting upon opportunities
to improve further.
• Identify the root cause of problems and act to make sure they cannot be repeated.
• Documented procedure for corrective action.
• Plan to prevent problems by learning from previous problems and near misses. Use
appropriate planning and risk analysis techniques to identify potential problems and
act to prevent them occurring.
• documented procedure for preventive action.
Summary
Section 8 sets out requirements for planning and implementing monitoring and
measurement, analysis and improvement of processes that comprise the quality
management system. The monitoring and measurement activities generate data that
can be used for fact based decision making in continual improvement processes and
feed through to management review for top management to act on, so completing the
PDCA improvement cycle.