Professional Documents
Culture Documents
00.tuvsud ISO 9001 2015 Guidance
00.tuvsud ISO 9001 2015 Guidance
TÜV SÜD
Foreword
Quality management (QM) is a key topic for every
business. Only organizations which manage their
quality effectively will succeed in the market. But
how to ensure high quality and customer satisfaction?
Through a management system based on ISO 9001 –
the most widespread QM standard worldwide.
Tobias Lurk
Product Performance Manager ISO 9001
TÜV SÜD Management Service GmbH
ISO 9001:2015 audits are carried out in accordance with the ISO 9001:2015 standard, not on the basis of this guidance.
Errors and omissions excepted. This guidance is protected by copyright. All publications – also in excerpts – are subject to prior approval by the authors, which must be obtained
from TÜV SÜD Management Service GmbH.
2
Content
PART 1 – INTRODUCTION TO ISO 9001:2015 6
1 INTRODUCTION 6
2 MILESTONES OF DEVELOPMENT 6
3 HIGH LEVEL STRUCTURE 7
4 NON-APPLICABLE ELEMENTS OF THE STANDARD 8
5 QM PRINCIPLES 10
6 RESPONSIBILITIES OF TOP MANAGEMENT 11
7 PROCESS APPROACH 11
8 PROCESS MATURITY 12
9 CONTEXT OF THE ORGANIZATION 13
10 RISK-BASED THINKING 14
11 DOCUMENTED INFORMATION 15
12 HANDLING OF ORGANIZATIONAL KNOWLEDGE 15
5 LEADERSHIP 22
5.1 LEADERSHIP AND COMMITMENT 22
5.1.1 GENERAL 22
5.1.2 CUSTOMER FOCUS 23
5.2 POLICY 24
5.2.1 ESTABLISHING THE QUALITY POLICY 24
5.2.2 COMMUNICATING THE QUALITY POLICY 24
5.3 ORGANIZATIONAL ROLES, RESPONSIBILITIES AND AUTHORITIES
IN THE ORGANIZATION 24
6 PLANNING 25
6.1 ACTIONS TO ADDRESS RISKS AND OPPORTUNITIES 25
6.2 QUALITY OBJECTIVES AND PLANNING TO ACHIEVE THEM 27
6.3 PLANNING OF CHANGES 27
3
7 SUPPORT 28
7.1 RESOURCES28
7.1.1 GENERAL28
7.1.2 PEOPLE28
7.1.3 INFRASTRUCTURE29
7.1.4 ENVIRONMENT FOR THE OPERATION OF PROCESSES29
7.1.5 MONITORING AND MEASURING RESOURCES29
7.1.5.1 GENERAL29
7.1.5.2 MEASUREMENT TRACEABILITY29
7.1.6 ORGANIZATIONAL KNOWLEDGE30
7.2 COMPETENCE31
7.3 AWARENESS31
7.4 COMMUNICATION32
7.5 DOCUMENTED INFORMATION33
7.5.1 GENERAL33
7.5.2 CREATING AND UPDATING34
7.5.3 CONTROL OF DOCUMENTED INFORMATION34
8 OPERATION35
8.1 OPERATIONAL PLANNING AND CONTROL35
8.2 REQUIREMENTS FOR PRODUCTS AND SERVICES36
8.2.1 CUSTOMER COMMUNICATION36
8.2.2 DETERMINING THE REQUIREMENTS FOR PRODUCTS AND SERVICES36
8.2.3 REVIEW OF THE REQUIREMENTS FOR PRODUCTS AND SERVICES36
8.2.4 CHANGES TO REQUIREMENTS FOR PRODUCTS AND SERVICES37
8.3 DESIGN AND DEVELOPMENT OF PRODUCTS AND SERVICES38
8.3.1 GENERAL38
8.3.2 DESIGN AND DEVELOPMENT PLANNING38
8.3.3 DESIGN AND DEVELOPMENT INPUTS39
8.3.4 DESIGN AND DEVELOPMENT CONTROLS39
8.3.5 DESIGN AND DEVELOPMENT OUTPUTS39
8.3.6 DESIGN AND DEVELOPMENT CHANGES40
8.4 CONTROL OF EXTERNALLY PROVIDED PROCESSES, PRODUCTS, AND SERVICES40
8.4.1 GENERAL40
8.4.2 TYPE AND EXTENT OF CONTROL42
8.4.3 INFORMATION FOR EXTERNAL PROVIDERS42
8.5 PRODUCTION AND SERVICE PROVISION43
8.5.1 CONTROL OF PRODUCTION AND SERVICE PROVISION43
8.5.2 IDENTIFICATION AND TRACEABILITY44
8.5.3 PROPERTY BELONGING TO CUSTOMERS OR EXTERNAL PROVIDERS44
4
8.5.4 PRESERVATION45
8.5.5 POST-DELIVERY ACTIVITIES45
8.5.6 CONTROL OF CHANGES46
8.6 RELEASE OF PRODUCTS AND SERVICES47
8.7 CONTROL OF NONCONFORMING OUTPUTS47
9 PERFORMANCE EVALUATION48
9.1 MONITORING, MEASUREMENT, ANALYSIS AND EVALUATION48
9.1.1 GENERAL48
9.1.2 CUSTOMER SATISFACTION49
9.1.3 ANALYSIS AND EVALUATION49
9.2 INTERNAL AUDIT50
9.3 MANAGEMENT REVIEW51
9.3.1 GENERAL51
9.3.2 MANAGEMENT REVIEW INPUTS52
9.3.3 MANAGEMENT REVIEW OUTPUTS52
10 IMPROVEMENT53
10.1 GENERAL53
10.2 NONCONFORMITIES AND CORRECTIVE ACTIONS54
10.3 CONTINUAL IMPROVEMENT55
5
Part 1 – Introduction to ISO 9001:2015
6
3 High Level Structure The standard comprises 10 clauses: Clauses 1 to 3
ISO 9001 follows the High Level Structure which address the scope, normative references and terms and
shares an identical sequence of clauses, text and definitions. Clauses 4 to 10 form the P-D-C-A cycle
terminology with other management system standards, (Plan – Do – Check – Act).
e.g. ISO 14001:2015 (Environmental Management System).
The high-level structure aims at achieving consistent
structure across all management-system standards
(MSS) to improve the mutual compatibility of management
systems.
PLAN DO
4. Context of the
5. Leadership 6. Planning 7. Support 8. Operation
organization
4.2 Understanding
6.2 Quality objectives 8.2. Requirements
the needs and
5.2 Policy and planning to 7.2 Competence for products and
expectations of
achieve them services
interested parties
CHECK ACT
8.6 Release of
9. Performance products and
10. Improvement
evaluation services
9.1 Monitoring,
measurement, 8.7 Control of
10.1 General nonconforming
analysis and
evaluation outputs
10.2 Nonconformity
9.2 Internal audit and corrective
action
www.tuvsud.com/akademie
7
4 Non-applicable elements of the standard If the major part of design and development is
IS0 9001:2015 no longer permits exclusions. All performed by an external provider, the organization
clauses of the standard applicable to the organisation must prove that it has substantial control of the design
must be included in certification. However, if the and development process.
organisation can provide justification that one or
more clauses are not relevant to them, these elements Project management or process development are
need not be applied. The justification must be in not considered design and development as defined
writing to be effective. Conversely, this means that in ISO 9001 unless they influence the organization‘s
the justification must show how the organization product or service. Given this, there is no explicit
manages to produce conforming products and services requirement to apply clause 8.3 of the standard in this
and improve customer satisfaction without applying case. Application is optional.
that clause/those clauses. Non-application of one
or several clauses must not negatively impact on the Two examples, one from the service sector (healthcare/
organization‘s purpose or on applicable statutory, medical practice) and one from production are used to
regulatory, or other requirements. explain design and development and its assessment as
set forth in clause 8.3.
Service Production
No design and development:
Installation of a new patient call system. Implementation of the 5 S methodology in production.
Carried out within the scope of a project. The service Within the scope of a project, workplaces are restructured
provided by the medical practice remains unchanged; only the within production operations to reduce waste (time, material,
communication with the patient is facilitated/improved. etc.) and improve production efficiency.
Not every project or process change is to be automatically understood as design and development.
Design and development:
Development of a new treatment method within the scope of a Design and development of a new vehicle engine, e.g. taking
university research project. into account changing emission standards.
These projects clearly fall under the definition of design and development.
Design and development not mandatory:
Introduction of a new treatment method. New casting process for a new engine piston cylinder liner.
According to the above criteria, the introduction of a new The process is aligned to the new technical requirements
treatment method can be regarded as design and development (outputs of the design and development process) and can, but
as defined in the standard. Other process developments which need not, be part of a higher level design and development
are carried out within the scope of a project can also be project.
classified under this clause.
Application of clause 8.3 is not mandatory in these cases.
8
Design and development as defined in ISO 9001:2015, clause 8.3
MUST
Design & development of a new product/service (e.g. a new treatment
method within the scope of university research)
CAN
Process development
(e.g. through the use of project management)
The likelihood of clause 8.5.3 “Property belonging to 7.1.5 Monitoring and measuring resources
customers” not being applicable is very small. In the 8.3 Design and development of products and
healthcare system, for example, this clause is always services
applicable. According to the note to clause 8.5.3 8.4.1 Control of externally provided processes,
customer‘s property can also include personal data. products, and services (e.g. purchasing for the
entire organization is centralized at one site,
Examples of standard elements that may not thus the requirement is not applied at sites
be applicable, for example in case of multi-site without purchasing function)
organizations with differing scopes at the individual 8.5.2 Identification and traceability (e.g. for some
sites, include: services)
8.5.3 Property belonging to customers or external
providers
8.5.4 Preservation (e.g. for some services)
9
5 QM principles
A common understanding is necessary to fulfill the
organization‘s strategic approach. The seven QM
principles form the basis of the requirements of
ISO 9001:2015.
Customers are at the centre of every corporate Executives at all levels are responsible for
activity. They decide success or failure. Given aligning the organization to the requirements
this, understanding the needs of customers of the market. To do so, they must establish
and ensuring that their expectations are not and maintain an internal environment, in which
only fulfilled but exceeded where possible, is employees are fully motivated and engage in
important. achieving the corporate objectives.
The character of an organization is determined To reach the requested output more efficiently,
by employees across all levels. Appreciation, there should be clear interrelationships and
empowerment and support are critical to ensure interdependencies between all activities and the
employees are motivated to invest their skills and associated resources.
expertise for the good of the organization.
Organizations and their interested parties Exact analysis of data and information forms
(e. g. suppliers) depend on each other. Given the basis for understanding cause and effect
this, fair and transparent relationships based on relationships and their possible consequences
mutual trust are important and form the basis of and for implementing effective actions.
sustainable success.
Improvement
10
6 Responsibilities of top management 7 Process approach
ISO 9001:2015 clearly expanded the requirements for The process approach ensures that application
leadership, leadership roles and responsibility. Top of the standard is easy and does not depend on
management is now accountable for the effectiveness, the organization‘s size or purpose. The process
maintenance and continual improvement of the QMS. A approach improves the organization‘s effectiveness
Quality Management Representative (QMR) is no longer and efficiency in achieving the intended objectives.
absolutely necessary. While responsibility itself cannot Expectations are fulfilled and customer satisfaction
be delegated, individual tasks can still be assigned to a thus improved.
management representative. A process is a set of interrelated and interdependent
activities that transform inputs into outputs.
Lived and breathed quality culture is to be spread to
the organization from the top, i.e. from management. The process approach enables an organization to:
Given this, top management is also responsible for
improve its understanding and consistency in
promoting improvement and ensuring the achievement meeting requirements (improved, consistent, and
of the expected outputs. Top management must also predictable results)
ensure provision of the resources needed (including the
create added value (reduced costs and shorter cycle
necessary knowledge). times based on the effective use of resources)
achieve effective key performance indicators (KPIs)
In this context, top management is accountable for
improve processes based on the evaluation of data
quality culture both within the organization and in and information
the organization‘s external relationship towards
promote employee participation and clear
the customer. Integration of understanding for the responsibilities
customer, the customer‘s perspective and the relevant
statutory and regulatory requirements into the
organization forms part of the responsibilities of top
Input
management. Requirements defined
Quality management policy and objectives not only (including resources)
need to be established and communicated, but
also need to be compatible with the context of the
organization and its strategic direction; objectives need Interacting
to be planned and cascaded. activities and
control measures
Given this, audit planning should allow more time for
the auditing of top management.
Output
Requirements fulfilled
(process results)
Monitoring and
measurement
11
8 Process maturity
To ensure a high level of process quality, the following quality characteristics should be available and effective
in an organization.
ACT Process + QMS improvement CIP workshops, process analysis, internal audits
12
Monitoring and measuring A quality management system according to
In step seven, processes are evaluated with the help ISO 9001:2015 must be familiar with the own
of appropriate monitoring and measuring methods. organization, the external environment and
These are necessary if technical or personnel risks or the influencing factors which interact with the
instabilities have been identified and, in particular, in organization. This understanding can be generated by
cases involving risks related to customer requirements. various analyses, such as competition analysis, trend
Checking for possible indications of nonconformities analysis etc. These strategic management measures
with the target at an early stage is recommended, as are management responsibilities.
a high level of measuring accuracy is of little use if
results are only available too late. The rationale of ISO 9001:2015 is that organizations
need to consider their stakeholder‘s requirements
Process improvement in order to ensure sustainable success. Beyond
In step 8, the data gained from process evaluation customers, these can also include suppliers, owners,
enable management to make a robust decision employees, authorities, business partners and even
regarding the necessary improvement actions. As competitors.
outlined above, the process approach of the ISO 9001
ensures a high level of transparency and thus supports Please note: Products or services need not meet the
organizations in launching and driving the improvement requirements and expectations of all external parties,
process in a targeted manner. but only of those considered relevant to the quality
management system.
9 Context of the organization
The context of the organization is to bridge the gap
from quality management to strategic management:
What is the essential purpose of the organization?
What are key external and internal influencing factors,
and which interested parties have which claims and
expectations relating to the products and services of
the organization?
13
10 Risk-based thinking In contrast to an extensive risk management system,
The central requirements of risk-based thinking in quality management need not identify all risks existing
ISO 9001:2015 show strong reference to strategic in an organization, establish consistent evaluation and
management. Now, the principle of prevention is reporting, or take financial precautions, for example.
present throughout the entire quality management
system. ISO 9001:2015 combines the analysis and evaluation
of risks – and opportunities – right from the stage of
The standard defines opportunities as the result of process definition or revision. When planning for the
a set of circumstances which follow from a situation quality management system, we must also examine the
and which impact favorably on achieving the intended risks and opportunities to ensure that we will achieve
results. For example, a situation may favorably impact the intended outputs and avoid undesirable results.
on attracting new customers. However, not all processes of an organization involve
the same level of risk. Given this, responsibility for risk-
By contrast, risk is defined as the effect of uncertainty based thinking and the actions associated therewith
on an intended result, which is evaluated as negative. rests with the organization. Organizations also can
decide which risks to address, including whether or not
ISO 9001:2015 examines all risks and opportunities to retain documented information as evidence of their
in very direct connection to the processes in an determination of risks and opportunities.
organization. Therefore, the text of the standard
also ensures clear differentiation from general risk The actions taken to address risks and opportunities
management, e.g. as per ISO 31000. shall be proportionate to their possible consequences.
Implement actions D
14
11 Documented information Also essential is that the organization addresses
The new ISO 9001:2015 strengthens the responsibility the aspect of control of documented information
of the organization. The organization itself is now with respect to access, protection, storage and
responsible for determining what needs to be retained preservation, retrievability, identification, revision
(how and for how long). Where the standard refers to status etc. Annex 2 includes a table that summarizes
“information” and not “documented information,” the the points at which ISO 9001:2015 requires documented
organization can decide whether it wants to document information.
this information or not.
12 Handling of organizational knowledge
The standard requires neither a quality management What knowledge is required for which process? Is
manual or documented procedures. Even if the required knowledge available in the organization,
ISO 9001:2015 requires documented information at or does it still need to be acquired? Building on these
some points, the amount of documentation depends questions, organizations can determine their knowledge
on the size of the organization, the complexity of its needs and derive possible fields of action. ISO 9001:2015
processes, the competence of persons and risks, etc. understands knowledge as an internal resource which
needs to be controlled to ensure product and service
ISO 9001:2015 gives organizations more flexibility conformity. Given this, it is essential for organizations
regarding process documentation as a part of the to develop awareness of organizational knowledge
management system. This applies to the documentation as a resource across all levels of the organization.
of management, strategy, and core processes as well Knowledge is a tool to ensure successful corporate
as support processes – i.e. all processes within the management. It must be sensibly applied to achieve the
organization. Generally, traceable documentation in intended results.
forms such as a checklist or an electronic workflow will
be required to provide guidance for defined work steps. No formalized knowledge management is required.
However, this can be decided independently by the
organization.
15
16
PART 2 – standard requirements of ISO 9001:2015
4 Context of the organization direction and able to explain the fundamental long-
This clause requires the organization to address term strategy.
external and
Top management must have addressed the context of
internal issues that the organization (e.g. within the scope of management
impact on its scope, its strategic direction, and review).
its ability to achieve the intended results of its
To audit the context of the organization, auditors
quality management system (QMS). (4.1.) require business-specific knowledge and
understanding of the financial situation.
This includes
Documented information of the context of the
understanding the requirements and expectations organization is advisable. However, verbal
of interested parties (4.2); information is also possible (e.g. in case of small-sized
determining the scope of the quality management organizations.
system (4.3), and
its processes (4.4). The organization must:
Determine external and internal issues that are
4.1 Understanding the organization and its relevant for its purpose and strategic direction, e.g.
context − legal
Summary/interpretation: − cultural
Identification of (internal and external) issues which − competitive
impact on the results of the QMS and are therefore − social
important for the organization. Information about these − economic
issues must be monitored and evaluated. − technological issues
Determine and monitor the impacts/requirements
Additional notes: (risks and opportunities) of these factors on
Basic requirement is that the organization has − organization
verifiable knowledge of the requirements of the − products and services
standard. − investments
Top management of the organization must be familiar − interested parties
with the purpose of the organization and its strategic
What are
How does the What actions
the risks and
What parties are Which processes organization have been de-
What is our QMS opportunities
interested in our involve risks and evaluate these fined to address
to achieve? connected with
QMS? opportunities? risks and oppor- these risks and
these interested
tunities? opportunities?
parties?
17
Examples of audit questions: Examples of process evidence:
To what extent has the QMS resulted in competitive C ontext of the organization
advantages (quality, on-time delivery, price), Process description
improved image, or higher customer benefits? Interview with top management
W hat further positive effects, such as improvement Management review
of quality, are evident or achievable in the A nalysis of statutory and regulatory requirements
organization? S TEP (social, technological, economic and political)
W hat quality factors directly impact on the analysis
activities of the organization? S trategy
W hat legal requirements that impact on financial Scope of the QMS
and human resources are relevant for the Business plans
organization? Benchmarking
W hat risks and opportunities were determined for Mind mapping
the context of the organization?
18
4.2 Understanding the needs and
Requirements and expectations (risks and
expectations of interested parties opportunities) of interested parties must be
Summary/interpretation: regularly (define interval) identified, monitored
Identification of the interested parties that are relevant and taken into account. Where identified as
to the QMS and monitoring and review of information relevant, they shall be considered binding on the
about those interested parties. organization.
The organization decides the extent to which Examples of process evidence:
interested parties are of relevance to the QMS.
List of relevant interested parties and requirements
Top management of the organization must be able to
Method of identification of the needs and
provide information on this issue. expectations of interested parties
Generally, documented information as evidence
360° analysis
of the relevant interested parties is advisable.
Stakeholder mapping
However, verbal information is also possible (e.g. in
Scope of QMS
case of small-sized organizations).
Register of legal requirements
What are
How does the What actions
the risks and
What parties are Which processes organization have been de-
What is our QMS opportunities
interested in our involve risks and evaluate these fined to address
to achieve? connected with
QMS? opportunities? risks and oppor- these risks and
these interested
tunities? opportunities?
parties?
19
4.3 Determining the scope of the quality
Purchasing cannot be excluded for an entire
management system organization. However, within the scope of multi-
Summary/interpretation: site certification (organization with more than one
Determination of the scope of the QMS (type of location), the non-applicability of purchasing at
products and services covered by the QMS). some locations may be possible.
The organization must apply all applicable Outsourced processes and their interfaces with the
requirements of the standard. organization, including control of these processes,
The organization must provide justification for any must be defined.
requirement of the standard that it deems non- In organizations with multiple locations, the central
applicable. Non-applicability of a requirement must QMS function must be entitled to require all
not affect the organization‘s ability or responsibility to locations to implement the actions that it considers
ensure the conformity of its products and services and necessary (control and influence).
the enhancement of customer satisfaction. I f an organization maintains several management
systems, the independent objectives of the
individual MS, if any, may have to be taken into
Additional notes: consideration.
T he scope (sites/range of services) must be
available in the form of documented information. Examples of audit questions:
Generally, the scope of the QMS must be described
What is the scope of the management system?
in more detail than the scope written on the
How has the organization defined the boundaries of
certificate. the scope?
T he scope must cover all activities, products or
Which requirements of the standard has the
services and equipment that significantly impact, or organization defined as not applicable?
can significantly impact, quality.
How does the organization communicate the scope
T he scope must be defined on the basis of external to interested third parties (e.g. customers)?
and internal issues (4.1), the requirements of the
relevant interested parties (4.2) and products and Examples of process evidence:
services.
Boundaries and applicability of the QMS
E xclusions from the scope (requirements of the
Statement regarding the suitability of the scope
standard that are not applicable) are only possible
Limitations of the scope
under certain conditions. Documented justification
Justification for non-application of requirements
must be provided (e.g. non-application of monitoring
Scope verification
and measuring equipment at a beverage bottling
Process landscape
facility is unacceptable). Conversely, this means
Organizational chart
that justification must show how the organization
Register of companies
manages to produce conforming products and
services and improve customer satisfaction without
applying this clause/these clauses. If the major
part of design and development is performed by
an external provider, the organization must prove
that it has substantial control of the design and
development process.
Explanation:
Documented information
must be available
20
4.4 Quality management system and its development, production, packaging, customer
processes service) any decision as to whether there are risks
Summary/interpretation: that may impact on the conformity of products,
QMS structure, maintenance and continual services, and customer satisfaction is at the
improvement, identification of the necessary discretion of the organization. However, the
processes and their interactions. organization must provide reasonable justification
of its decision. The actions (see 6.1) to address
risks and opportunities must be integrated into, and
Additional notes: implemented in, the QMS processes.
The organization needs to document its processes. The
The organization must determine, apply, and analyze
following aspects must be defined for all processes: key performance indicators (KPIs) for all QMS
processes (clause 10 – Improvement)
Inputs and outputs of each established process
The requirements for the quality management
Sequence and interaction (interfaces) of these system must be integrated into the business
processes processes.
Measurement of key performance indicators (KPIs)
Processes within the scope (see 4.3) can be
Resources needed and how to ensure their outsourced. The organization must be able to
availability explain which processes have been outsourced.
Assigned responsibilities
Monitoring and measuring and continual Examples of audit questions:
improvement (CIP)
How are the management system processes and
Documented information that supports the their interactions defined (approach)?
implementation of processes must be available to
How do the processes influence each other?
the required extent.
How are the processes mapped?
Evidence that processes are carried out as planned
How are processes communicated within the
must be available. organization?
The type of process presentation is at the discretion
How are processes monitored?
of the organization, e.g. Turtle Model, flow chart,
Are there any outsourced processes and which
etc. ones are they?
The risks and opportunities of each process of
an organization‘s QMS must be addressed. The Examples of process evidence:
organization determines how to define documented
Process landscape
information of risks and opportunities and their
Process sheets (Turtle, ERP)
relation to processes.
Quality management manual
For processes that do not form part of the
Process flowchart
core processes of a QMS (e.g. sales, design &
Software-supported process mapping
What are
How does the What actions
the risks and
What parties are Which processes organization have been de-
What is our QMS opportunities
interested in our involve risks and evaluate these fined to address
to achieve? connected with
QMS? opportunities? risks and oppor- these risks and
these interested
tunities? opportunities?
parties?
21
5 Leadership and commitment business reasons). However, that representative
This clause is dedicated to should be an employee of the company who can
t he responsibilities and duties of management (5.1), answer the auditor‘s questions, not an external
i ts customer focus (5.2), consultant.
t he quality policy and its implementation (5.2) and
Top management must be able to explain the
the question of context, quality policy and key aspects of the
w hich roles, responsibilities and authorities are in quality objectives of the organization.
place in the organization (5.3). Top management is responsible for ensuring
communication of customer requirements, the
5.1 Leadership and commitment applicable legal requirements and regulations
5.1.1 General throughout the organization.
Summary/interpretation:
Top management is responsible for leadership with Examples of audit questions:
respect to the QMS. Given this, top management is
How does top management fulfill their commitment?
responsible for: How does the organization develop the quality
accepting accountability for effectiveness policy and quality objectives (including inputs)?
establishing the quality policy and quality objectives W hy is a QMS of strategic significance for the
and their compatibility with the context and organization (e.g. market or customer requirements,
strategic direction of the organization targets)?
integrating the QMS requirements into the business How does top management ensure consistent
processes of the organization internal communication of leadership issues?
process approach/risk-based thinking How does the organization communicate quality
ensuring the availability of resources objectives across various levels of hierarchy
communicating the importance of the QMS (e.g. employee performance appraisals, KPIs,
ensuring achievement of the intended results incentives for CIP)?
improvements
supporting employees and executives Examples of process evidence:
Management review
Additional notes: Works agreement
Top management is responsible for the QMS and E mployee information (notices, agenda of
its effectiveness, and must demonstrate this by information events)
management reviews and other measures.
Q uality policy
Top management is responsible for promoting Q uality objectives
awareness of the process approach and risk-based C ontext of the organization
thinking. Process flowchart
Top management must ensure that the organization Investment plan
identifies risks and opportunities that impact on Q ualification matrix
the conformity of products and services and on Project plan
customer satisfaction. L etter of undertaking
Top management (or a representative) must be
A uthorization matrix
available for the audit. A representative may only fill
S trategy
in during the audit in exceptional cases (for urgent
Action list
22
5.1.2 Customer focus Examples of process evidence:
Summary/interpretation:
Evaluation of customer surveys
Fulfillment of customer requirements and applicable
Market analysis
statutory/regulatory requirements
Customer-satisfaction analysis
Identification of risks and opportunities and
Customer complaint report/analysis
improvement of customer satisfaction
Evidence of compliance with statutory and
regulatory requirements or conditions
Additional notes:
Performance specifications/requirements
Management is responsible for ensuring that customer specifications
requirements, applicable statutory requirements and
regulations that are relevant for the quality of products
and services have been established and fulfilled
throughout the organization.
23
5.2 Policy 5.3 Organizational roles, responsibilities
5.2.1 Establishing the quality policy and authorities in the organization
5.2.2 Communicating the quality policy Summary/interpretation:
Summary/interpretation: Assignment of roles, responsibilities and authorities
The quality policy must be established and must be traceable and understandable. It must ensure
implemented. It is documented, communicated within achievement of the intended results of the QMS.
the organization, available to interested parties
and includes commitments to satisfy the applicable
requirements and engage in the continual improvement Additional notes:
of the QMS. To ensure that the assignment of roles,
responsibilities and authorities is traceable,
these must generally be available as documented
Additional notes: information.
T he quality policy must be available as documented ISO 9001:2015 does not explicitly require
information, communicated within the organization quality management representative. However,
and be available to the relevant interested parties. organizations can still define and delegate this
Posting the quality policy on a notice-board or function.
uploading it to the Intranet is not sufficient. T he responsibility of top management is
T he linking of quality policy, context, scope of the strengthened and expanded (e.g. definition of the
QMS, (key) performance indicators and quality strategic direction). It must demonstrate clear
objectives must be evident and traceable. commitment to the QMS.
C onformity with the strategic direction and context
of the organization (i.e. with clause 4) must be Examples of audit questions:
evident.
W hat roles, responsibilities and authorities has the
organization defined as relevant for its QMS?
Examples of audit questions: How does the organization communicate
W hen did the organization last review its quality responsibilities within the organization?
policy for appropriateness and what were the On what basis/according to which requirements
results? does the organization define its functions?
W hich criteria does the organization use to assess
the appropriateness of its quality policy? Examples of process evidence:
How does the organization communicate its quality A ssignment of roles, responsibilities and authorities
policy within the organization? Job/functional profile
Organizational chart
Examples of process evidence: L etter of appointment of QM representative
Q uality policy Process landscape or process map
C ontext of the organization
Signature authorization
Internal audit report Deputization arrangements
Management review
E mployment contracts
C orporate strategy and principles HR development plan
Relevant interested parties Delegation of responsibilities
Q uality objectives
C ommunications to employees (black board, notices,
Intranet etc.)
24
6 Planning
E xamples of opportunities:
This clause defines the requirements for the – Opening of a market niche or access to new
organization‘s planning systems and markets (e.g. based on bilateral agreements)
t he actions to address risks and opportunities (6.1), – Reduction of reject rates or rework
quality objectives and planning to achieve them E xamples of risks:
(6.2), and – Difficulties during the ramp-up phase of
t he planning of changes (6.3). new products
– Demographic challenges
6.1 Actions to address risks and – Data security (e.g. in purchasing, personnel,
opportunities warehousing, supply chain etc.)
Summary/interpretation: – Shorter product cycles (innovation pressure)
When planning the QMS, organizations must identify
the risks and opportunities that need to be addressed
References to risks and opportunities can be
to achieve the intended results. found in clause 6.1 and many other clauses of
ISO 9001:2015, e.g. 4.2 (Interested parties), 5.1.2
Additional notes: (Customer focus) or 9.3.1 (Analysis and evaluation).
R isks constitute the positive and negative effects R isk-based thinking ensures that risk is taken into
of uncertainty regarding an expected result account from the outset and throughout the process
(ISO 9000:2015). approach. Risks are frequently only regarded as
ISO 9001:2015 does not require formal risk negative.
management (e.g. ISO 31000). However, risk-based thinking may also help to
One of the core purposes of the QMS is to act as identify opportunities. This can be seen as the
a preventive tool. The risk-based approach must positive side of a risk.
already be considered during formulation of QMS
requirements
R isks and opportunities must be determined and
must result in actions. However, these actions must
be in proportion to the potential damage.
What are
How does the What actions
the risks and
What parties are Which processes organization have been de-
What is our QMS opportunities
interested in our involve risks and evaluate these fined to address
to achieve? connected with
QMS? opportunities? risks and oppor- these risks and
these interested
tunities? opportunities?
parties?
25
Examples of audit questions: Examples of process evidence:
W hat systematic method has the organization Definition of risks and opportunities
applied to determine and analyze risks and
R isk matrix
opportunities?
Action list
W hich systematic method has the organization R isk analysis (FMEA, SWOT)
applied to define actions for risks and opportunities? C ontext of the organization
How has the organization evaluated the Relevant interested parties
effectiveness of the defined measures? Process description for risks and opportunities;
How has the organization considered the context C ost/benefit analysis for projects
and the interested parties in its planning of actions R isk management (risk map, risk product map)
to address risks and opportunities? Penetration test (data security)
How does the organization explain cases in which
it did not define any actions to address risks and
opportunities?
W hich type of cyber security threats (data security)
has the organization identified, and how does it
handle these threats?
26
6.2 Quality objectives and planning to 6.3 Planning of changes
achieve them Summary/interpretation:
Summary/interpretation: Should changes to the QMS become necessary, these
Establishment of the quality objectives at relevant changes must be carried out in a planned manner.
functions, levels and processes needed for the QMS.
Additional notes:
Changes to the QMS are only acceptable if based on
Additional notes: systematic planning and implementation.
Documented information of the quality objectives
and records of achievement of the objectives must Examples of audit questions:
be available.
How does the organization plan and control
Q uality objectives must have a connection to the changes?
quality policy, be relevant to conformity of products How has the organization evaluated the purpose
and services and to enhancement of customer and benefits of the changes?
satisfaction, and include the identified risks and How do the changes impact on the QMS?
opportunities (the central theme must be consistent How does the organization determine the necessary
and traceable). resources in case of changes to the QMS?
Q uality objectives must be measurable W hat aspects that impact on changes to the MS
(SMART – specific, measurable, attainable, does the organization take into account, e.g.:
realistic, time-bound) context?
27
7 Support 7.1.2 People
This clause outlines the requirements regarding Summary/interpretation:
the resources needed for QMS establishment and The organization must determine the persons
maintenance. necessary for effective implementation of its QMS.
They include:
Resources, people, infrastructure, process Additional notes:
operation environment, monitoring and measuring R isk-based thinking should be considered when
resources and organizational knowledge (7.1) determining the persons necessary for the QMS.
E mployees‘ competence (7.2) and awareness Persons responsible and employees should be
of the QMS (7.3) clearly assigned to the established processes
C ommunication of the organization (7.4) (see 4.4.)
Requirements for documented information (7.5) I f an organization uses temporary/leased staff,
these employees must also receive induction and
7.1 Resources continual training.
7.1.1 General T he age structure in the organization should be
Summary/interpretation: considered and analyzed.
The organization must determine and provide the
resources needed for establishment, implementation, Examples of audit questions:
maintenance and continual improvement of the QMS.
How has the organization addressed demographic
change?
Additional notes: How has the organization determined systematically
T he resources needed for the QMS must be which persons are needed for the QMS?
regarded in relation to the organization‘s economic How has the organization determined the workload
situation. of its personnel?
T he necessary resources should be in relation to How does the organization ensure that temporary
the scope of the QMS, quality policy, processes, staff/leased personnel (continually) meet its
objectives and size of the organization. requirements?
28
7.1.3 Infrastructure Examples of audit questions:
Summary/interpretation:
W hat are the value adding processes of the
The organization must determine and provide the organization?
necessary infrastructure to maintain conformity of W hat criteria did the organization consider when
products and services. designing the environment for the operation of
processes?
Additional notes: W hat regulatory and statutory requirements
Infrastructure can significantly influence the quality did the organization consider when planning the
of products and services. environment for the operation of processes?
T he organization not only needs to define the
necessary infrastructure (determine what is Examples of process evidence:
needed), but must also monitor and control Process environment (orderliness, noise,
the interfaces with purchasing (procurement) temperature, humidity, cleanliness, lighting, etc.)
and maintenance (servicing). Given this, these
Workplace studies
requirements are mostly spread across several Work environment related statutory and regulatory
processes. requirements
Maintenance/servicing schedule (records)
Examples of audit questions: Work environment benchmarking
W hat is the state of repair of the organization‘s
infrastructure (including hardware and software)? 7.1.5 Monitoring and measuring resources
W hat large-scale investments in infrastructure has 7.1.5.1 General
the organization made in the last year and/or are 7.1.5.2 Measurement traceability
currently being planned/implemented? Summary/interpretation:
How does the organization determine necessary Determination and provision of the resources needed
investments in infrastructure? for suitable monitoring/measuring to verify the
conformity of products and services to requirements.
Examples of process evidence: The necessary measuring equipment must be suitable
Investment plan for buildings and associated and calibrated/verified.
building technologies
Technical equipment, including hardware and
software Additional notes:
Transport facilities T he organization must maintain documented
Information and communication technology information as evidence of the resources‘ fitness of
Investment plan for equipment and real estate purpose.
Maintenance plan I f no standard exists, the basis of calibration or
Internet, intranet, extranet verification must be available.
O verview of maintenance costs Identification of the monitoring and measuring
equipment should be checked within the scope of
7.1.4 Environment for the operation of the on-site inspection or the on-site audit.
processes W hile in the past this clause referred primarily to
Summary/interpretation: technical measuring equipment, the heading now
Determination of the environment necessary to includes anything that may contribute to measuring
achieve conformity. or monitoring, i.e. also checklists or questionnaires.
Requirements for measuring quality or the validity and
Additional notes: suitability of measuring equipment do not differentiate
C ompliance with this requirement of the standard between production and service provision.
should be checked within the scope of the on-site Reference to a standard can be waived in certain
inspection and the on-site audit cases, even if measurements of relevance for
quality are performed.
29
Examples of audit questions: Additional notes:
W hat monitoring and measuring equipment does K nowledge comprises internal and external
the organization use to monitor the conformity of knowledge. The necessary knowledge shall be
products and services? determined, maintained, and made available.
W hat documented information is available as T he organization must consider its current
evidence of calibration of monitoring and measuring knowledge compared against evident changes and
equipment? determine how to acquire necessary additional
How does the organization ensure that monitoring knowledge.
and measuring equipment is suitable for E xamples of organizational knowledge:
measurement? Internal:
– Intellectual property
Examples of process evidence: – Knowledge gained from experience
Documented information as evidence of the – Lessons learned from projects
conformity of products and services, including – Capturing and sharing undocumented knowledge
defined requirements and experience
Test record/certificate, including acceptance – Succession policy
criteria External:
E vidence of the capability of monitoring and – Standards
measuring equipment – Universities
L ist/file index of test equipment/management of – Conferences
software programs – Trade shows
Calibration instruction – Gathering knowledge from customers
C ertificate/record of calibration
Records of software capability test Examples of audit questions:
Initial sample test report
How does the organization acquire knowledge?
Records of sensory tests (visual, taste, odor) How does the organization protect current
knowledge (e.g. succession policy)?
7.1.6 Organizational knowledge How does the organization handle confidential
Summary/interpretation: knowledge (e.g. access rights, authorizations)?
The organization must determine the knowledge
necessary to achieve conformity of products and
services with the defined requirements.
30
Examples of process evidence:
E mployee development/training plan
Sources forming the basis of organizational Documented information of evaluations of training
knowledge effectiveness
Work induction plan Documented information of evaluations of competence
Q ualification matrix Records of employee appraisals/job reference
Process landscape
E mployment contract
Technical specifications Induction plan
C ertificate of competence
A ppointment of deputies 7.3 Awareness
Succession policy Summary/interpretation:
Non-disclosure agreement To meet the requirements of the QMS, employees must
be aware of the quality policy and relevant quality
7.2 Competence objectives and of the implications of failing to conform
Summary/interpretation: with QMS requirements.
Employees need to be competent.
Additional notes:
T he organization should take appropriate actions
Additional notes: to promote the awareness of QMS requirements of
T he organization must retain appropriate people not directly employed by the organization
documented information as evidence of the (e.g. service providers).
competence of its employees. Organizations must ensure that employees are
T he competence of employees is verified at various aware of the significance of their activities and
instances, including during the auditing of other how they contribute to achievement of quality
elements of the standard. objectives, and/or of the consequences of not
E mployees should be able to assess and present conforming to the requirements.
process effectiveness.
C ompetence is the combination of ability, Examples of audit questions:
knowledge, and skills. Deficits, if any, must be Aspects to include during employee interviews:
eliminated by training, job rotation, mentoring,
How was the employee informed of the QMS?
and other measures. How does the QMS influence employees in their
activities and what has changed since QMS
Examples of audit questions: establishment?
How does the organization identify the competence To what extent are employees aware of the quality
requirements of its staff? policy and quality objectives?
How does the organization ensure compliance W hat happens if people fail to observe rules and do
with the identified competence requirements not conform to requirements?
(e.g. training, mentoring, exchange programs)? W hat information do employees need for their
How does the organization determine and activities and how does the organization handle
implement identified training needs? access to this information?
How does the organization evaluate the W hat contact partners are available, if necessary?
effectiveness of training measures and how does it
handle non-achievement of training goals? Examples of process evidence:
How does the organization ensure that external Documented information of training on quality policy
employees (e.g. temporary staff/leased personnel) Documented information of training on relevant
have the necessary competence? quality objectives
Documented information of training on QMS
Examples of process evidence: Minutes of quality circle
Q ualification matrix
Q uality workshop
Records of qualification requirements E mployee performance appraisals
Job/functional description
31
7.4 Communication Examples of process evidence:
Summary/interpretation:
Concerns by third parties/external communication
The organization must determine the type of internal
Minutes and reports of meetings
and external communication.
Website
Product description
Additional notes:
Team training and other meetings
Organizations should have reflected on
Bulletin boards, internal publications and
“communication strategy” (both horizontal and newsletters
vertical) and its implementation in the organization.
Audiovisual and electronic media (Intranet, notices,
The quality of communicated information is information boards).
assessed in the audit.
Agenda of company events
External communication needs may also concern
Communication matrix/diagram
relevant interested parties.
Minutes
Process description
Examples of audit questions:
How does the organization handle customer queries
and complaints?
How does the organization handle improvement
suggestions?
How does the communication strategy work within
the organization?
What regulations apply to external communication?
32
7.5 Documented information health and safety management).
7.5.1 General
There are no explicit requirements for documented
Summary/interpretation: procedures or a QM Manual. This depends on
The organization must define the extent of the complexity of the organization‘s document
documented information for the QMS, depending on structure.
the requirements of the standard and the information
A document review is carried out (in stage 1, or in
necessary for the organization and for QMS the case of major changes).
effectiveness.
During the audit, the audit team will make random
checks to verify access to, and navigation in,
electronic systems.
Additional notes:
During the audit, the audit team will make random
The documented information required by the checks to verify access to relevant documented
standard must be on hand. information.
Documented information which the organization
deems necessary for QMS effectiveness must be Examples of audit questions:
available.
How is the handling and control of documents
The requirements for documented information defined in the organization?
depend on the size, complexity and the risks of the
How are data security and retention defined in the
organization. organization?
Flexible documentation offers particular advantages
How does the organization ensure update (patch)
for the organization. This applies in particular to management?
the establishment of a new QMS or restructuring
of an existing system and to expansion of a Example of process evidence:
QMS to include other management systems
List/overview of documented information.
(e.g. environmental management, occupational
33
7.5.2 Creating and updating Additional notes:
Summary/interpretation: The organization must have provisions on the
The organization must define the identification and control of documented information as evidence of
format of documented information and their review conformity.
and approval. The organization must retain documented
information as evidence of conformity.
Additional notes: The principles of distribution, access and use must
During the audit, the audit team will carry out be addressed.
random checks of the identification, format and Control of changes (version control) and retention
approval of documented information at their place must be addressed.
of use. Measures taken to ensure data protection
The organization should check whether (e.g. restricted access authorization) must be
internal/external documented information addressed.
might be necessary in several languages
(e.g. work instructions for employees with little Examples of audit questions:
or no knowledge of German; technical product How does the organization address external
specifications for international customers). documented information?
How does the organization protect documented
Examples of audit questions: information from unauthorized changes?
How does the organization check the suitability How does the organization ensure the availability
of documented information? of documented information?
How does the organization review the content How does the organization ensure that its
of documented information? documented information is up to date?
34
8 Operation Examples of audit questions:
Requirements for the necessary planning/control of the What is the strategic direction for the products/
processes needed to provide the products/services. services?
This includes: How does the organization ensure that operational
Planning of processes (8.1) planning is in conformity with the strategic
Requirements for products and services (8.2) direction?
Design and development of products and services What processes are needed for operational
(8.3) planning and control?
Control of externally provided processes, products, How does the organization control the relevant
and services (8.4) QMS processes?
Production and service provision (8.5) Does the organization maintain any outsourced
Release of products and services (8.6), and, in case processes, and if so, which?
of nonconforming products/services, What production equipment/resources (including
Management/control of nonconforming outputs (8.7) personnel) are in place?
35
8.2 Requirements for products and services 8.2.2 Determining the requirements
8.2.1 Customer communication for products and services
Summary/interpretation: Summary/interpretation:
The organization must control customer Determining the requirements for products and
communication within the context of the services.
manufacturing of products and the provision of
services. Additional notes:
Strong focus on the definition of requirements for
Additional notes: products and services to facilitate the subsequent
The organization must control customer verification of this phase.
communication.
“Emergency measures” must be added to customer Examples of audit questions:
communication if necessary. What are the legal and official requirements for the
Every company must define and communicate product/service?
requirements for emergency measures. Are there any requirements (legal or from
customers) that cannot be met, and if so, what are
Examples of audit questions: they and why?
What customer property is available in the
organization? Examples of process evidence:
How does the organization handle customer Preparation/processing of offer quotation?
property? Specifications
How (media, methodology) does the organization Product relevant standards and statutory
communicate information about products/services requirements
to the outside? Feasibility study
How does the organization handle enquiries/orders?
What complaints did the organization receive last 8.2.3 Review of the requirements
year? for products and services
How is the management of change requests Summary/interpretation:
regulated and how does the organization handle The organization must ensure that it is able to meet the
change requests? requirements for products and services.
36
Examples of process evidence: Examples of audit questions:
Review of contract for customer requirements How does the organization identify, plan and control
Compliance with requirements not specified the necessary changes?
by the customer What are the results/consequences and risks of
Feasibility study unplanned/unintended changes (nonconformities of
Specifications services, products)?
Outcomes of review of requirements Does the organization define actions in case of
Confirmation of order unintended changes and how does it monitor these
Quotation/Offer, contract actions?
Legal requirements
Example of process evidence:
8.2.4 Changes to requirements Change management
for products and services
Summary/interpretation:
To meet requirements for products/services that
may have changed, the organization must amend the
relevant documented information and communicate
the changes to the relevant employees.
Additional note:
Amendment of documented information must be
ensured in case of changes of requirements for
products and services.
37
8.3 Design and development of 8.3.2 Design and development planning
products and services Summary/interpretation:
8.3.1 General Design and development must be planned and
Summary/interpretation: framework conditions must have been defined.
The design and development that may be necessary
for production/service provision must first be prepared
in an appropriate design and development process. Additional notes:
The organization must implement and maintain this The organization must maintain the required
process. documented information to confirm the
requirements for design and development.
Additional notes:
Design and development of products and services Examples of audit questions:
is considered applicable if the organization defines What are the phases for design and development
and/or modifies the specification of products/ projects of the organization? What is a current
services itself. design and development project and in which
If the characteristics and information of products/ development phase is it currently in?
services are defined by customers or government/ Which requirements does the organization impose
the legislator, for example, clause 8.3 (or parts on its design and development process?
thereof) may be not applicable. How does the organization determine the necessary
If project management or process design and resources for a design and development project?
development do not impact on the products/
services of an organization clause 8.3 may not Examples of process evidence:
apply, at least partially. Documented information that the organization
meets the design and development requirements
Example of an audit question: Project and resource plan
What is a current/recently completed design and Flowchart
development project? Feasibility study
Milestone plan
Examples of process evidence: Measuring and test plan
Design and development project Verification and validation requirements
Pilot study Risk assessment
Performance and requirements specifications
Design and development process
38
8.3.3 Design and development inputs of the requirements. Validation means that outputs
Summary/interpretation: are tested in the specified application (for the
The organization must determine the requirements customer).
and information that find their way into the design and
development process. Examples of audit questions:
How does the organization check whether the
outputs of design and development meet the project
Additional notes: requirements?
The organization must retain documented How does the organization verify and validate the
information of design and development inputs. conformity with these requirements?
The inputs for design and development must be Which nonconformities did the organization identify
clear and complete and in compliance with product/ during verification/validation and how did it handle
service characteristics. them?
When determining inputs, the organization must
take into account various aspects, including the Examples of process evidence:
required function and performance of the product Documented information of the continuous control
or service, possible risks and subsequent damage of a design and development project
arising from nonconforming products/services. Test plan (validation requirements)
Laboratory test
Examples of audit questions: Results of pilot series/field testing
To what extent does the organization take lessons Test records/reports (also from customers, where
learned from previous design and development applicable)
projects into consideration for the planning and Validation approval
implementation of a new project? Prototypes/test samples
What inputs does a design and development project Milestone and gate reviews
need to be effectively implemented? Design and development/interim/final reports
What possible risks has the organization considered FMEA
in the design and development project?
8.3.5 Design and development outputs
Examples of process evidence: Summary/interpretation:
Evidence of design and development inputs Design and development outputs must demonstrate that
Legal requirements, standards, state of the the requirements for products/services are met and
technology that production processes are adequate for providing
Lessons learned/experience from previous projects products/services in the requested quality.
– Technical specifications
– Patent investigation
– Release documentation Additional notes:
The organization must maintain documented
8.3.4 Design and development controls information on design and development outputs.
Summary/interpretation: Design and development outputs should meet the
The design and development process must be planned input requirements.
and controlled. Design and development outputs are inputs for
production/service provision. In this context,
ISO 9001:2015 does not differentiate between internal
Additional notes: and outsourced processes.
The organization must maintain documented Design and development outputs should supply exact
information of the activities to control the design requirements for the subsequent monitoring and
and development process. measuring of processes, products, or services and
Organizations must make sure to take note of the for subsequent acceptance.
difference between verification and validation
activities. Verification covers a technical review
39
Examples of audit questions: Examples of process evidence:
What design and development outputs does the Documented information of design and development
organization pass on and to which processes? changes
How does the organization ensure understandable New revision status of technical specifications,
and appropriate communication of design and drawings, process descriptions, test procedures,
development outputs for further processes? monitoring and measuring equipment etc.
How does the organization consider design and Test report of design changes
development outputs in test plans? Acceptance documents on completed changes
Risks and opportunities
Examples of process evidence: Action list
Verification and validation meetings
Design and development report 8.4 Control of externally provided
Release documents and test records processes, products, and services
Evidence of design and development outputs 8.4.1 General
Drawing Summary/interpretation:
Order specification document The organization must ensure that externally provided
Test records (for production, verification and processes, products and services conform to
validation) requirements and must determine the controls to be
Confirmation of acceptance applied.
40
The extent of the control activities is determined What criteria are available for selection,
by the risk-based thinking on which the standard is assessment, and evaluation/development of new
based. and existing providers?
Does the organization maintain a classification/
Examples of audit questions: grouping of suppliers (e.g. revenue, risk assessment,
Does the organization have outsourced processes, strategy and competition)?
and if so, how does it ensure the safety and
reliability of these processes? Examples of process evidence:
How does the organization control outsourced Documented information of control of the quality of
processes? outsourced processes, products and services
How does the organization communicate List of approved suppliers
requirements to external providers? Quality agreement/contract
How does the organization procure external Supplier evaluation
products/services? Supplier classification
What legal requirements are applicable (product, Supplier audit
service)? Evaluation criteria
41
8.4.2 Type and extent of control 8.4.3 Information for external providers
Summary/interpretation: Summary/interpretation:
The type and extent of control must be defined. The organization must control its communication with
The objective is to deliver conforming products and external providers.
services to customers.
Additional notes:
Additional notes: The organization must regulate and clearly
Outsourced processes can be monitored via defined communicate the requirements for products and
key performance indicators (KPIs), e.g. monitoring services of external providers and their controls.
of deadlines, quality and delivery conditions. The organization‘s information to external providers
Supplier audits may prove useful to control should be checked. This can be done simply on the
implementation. basis of a checklist, the four-eye principle (principle
of dual control), or even a telephone confirmation.
Examples of audit questions: The information to external suppliers should cover
How does the organization evaluate and monitor the all relevant criteria for the product/service, such as
requirements for externally provided processes? technical characteristics, types of tools, packaging,
What are the type and extent of controls and identification, laboratory analyses, test records etc.
potential impacts of externally provided processes External providers must be monitored. How the
and how does the organization determine them? organization manages such monitoring shall be
How does the organization verify the results of communicated to the provider (e.g. supplier audits).
external processes?
Examples of audit questions:
Examples of process evidence: Which requirements related to the product/service
Contractual regulations, taking into account legal and its measurement were communicated to
and regulatory requirements external providers and how?
First article inspection How do external providers ensure that they meet
Inspection of incoming goods/acceptance of goods the requirements for the product/service?
Product specification, including verification and How does the organization monitor the service of
validation requirements the external supplier?
Regulations regarding outsourced processes
Suppliers‘ test records Examples of process evidence:
Supplier audits Supplier audit
Missing parts list Product specification (including approval of
methods, processes or equipment)
Evidence of personnel qualification
Order specification document
Order list, piece list
Service level agreement/delivery contract
Quality assurance agreement
42
8.5 Production and service provision Examples of process evidence:
8.5.1 Control of production and service Machine and process capability records
provision Process monitoring data
Summary/interpretation: Work plan including manufacturing steps
The organization must implement production and Data of machine setting
service provision under controlled conditions. Process validation
Product specification, including verification and
validation requirements
Additional notes: Verification and validation of manufacturing
The organization must maintain documented processes
information on the characteristics of the products Suitable infrastructure and process environment
to be produced/services to be provided and the Process description
outcomes to be achieved. Installation plan
Actions taken to prevent human error depend on Control plan
the complexity and the risk associated therewith Qualification matrix
and can extend from e.g. instructions or inductions Action list
about the 4-eye principle (principle of dual control) Manufacturing and production plan
to control plans and poka-yoke. List of orders
Poka-yoke
Examples of audit questions: 4-eye principle (principle of dual control)
How does the organization implement the
requirements from operational planning in
production/service provision?
How does the organization identify and monitor the
acceptance criteria for products/services?
Which actions to prevent human error does the
organization implement and how does it verify their
effectiveness?
43
8.5.2 Identification and traceability 8.5.3 Property belonging to customers or
Summary/interpretation: external providers
The processes of an organization must be implemented Summary/interpretation:
under controlled conditions, i.e. the organization must The organization must regulate the handling of external
apply suitable means to identify the outputs necessary property.
for its products and services.
Additional notes:
Additional notes: The organization must retain documented
The organization shall maintain documented information if property of customers or external
information that enables traceability. providers is lost, damaged etc.
Organizations define how identification and The auditor must check the identification of
traceability must be applied. They need to determine customer property against the internal requirements
why something should be, or has to be, identified of the organization.
(e.g. legal requirements) and in which process.
In case of recalls, complaints, or, for example, cases Examples of audit questions:
of liability, documented information as evidence Which customer property is currently present in the
of identification will be necessary to protect the organization?
organization from heavy financial penalties. One How does the organization ensure that customer
example concerns the traceability of monitoring property is not damaged?
measuring equipment and their regular calibration. Did the organization damage customer property in
The type of identification depends on the output. the last year, and if so, what?
Examples of identification and traceability can What does the organization define as customer
include: property?
Order number
Parts number(s) Examples of process evidence:
Label, inscription or marking Inventory of customer property
Barcode (electronic) Identification (labels, engraving, inventory, etc.) of
Checklist, including service number customer property
Contractual regulations regarding the property of
Examples of audit questions: customers or external providers
To what extent is traceability required/necessary Instructions on the handling of damaged property of
for the products/services of the organization? customers or external providers
Using an example, how can the organization prove Incoming goods inspection
traceability? Evidence about loss or damage of customer
In what cases did the organization apply traceability property
in the last year or did traceability prove helpful?
44
8.5.4 Preservation 8.5.5 Post-delivery activities
Summary/interpretation: Summary/interpretation:
The organization must preserve the outputs of Identification of the post-delivery activities necessary
production and service provision to the extent for the provision of products/services.
necessary to ensure conformity to requirements.
Additional notes:
Additional notes: Examples of post-delivery activities
The organization must identify the process Warranties and guarantees
outputs that may deteriorate in quality over time Disposal of old products/packaging (during
and determine the extent and impacts of such mounting/assembly on-site at the customer)
deterioration in quality. The organization must Technical support
address this by taking appropriate counteractions.
Preservation of outputs not only refers to the Examples of audit questions:
finished product or service, but also to the results Which statutory and regulatory requirements apply
of the individual processes. This includes mounting to product or services after delivery?
parts, components and even information. Which further services does the organization offer
The quality of products/services may be impaired after delivery?
during handling or storage, e.g. from one production What customer requests/requirements apply to the
line to the next. Organizations must be able to product/service after delivery?
identify this and take appropriate counteractions.
Examples of process evidence:
Examples of audit questions: Contractual regulations on warranty, maintenance/
Which process outputs can deteriorate over time servicing
and how? Additional services (e.g. recycling or disposal)
How does the organization ensure that the quality of Order documentation/work plan/route cards
outputs is maintained and does not deteriorate? Operating instructions/user manuals
From when and under which conditions does the Statutory and regulatory requirements
quality of products/services deteriorate?
45
8.5.6 Control of changes Examples of audit questions:
Summary/interpretation: How does the organization identify, plan and control
The organization must review, control and document the necessary changes?
the necessary changes in production or service What are the results/consequences and risks of
provision. unplanned/unintended changes (nonconformity;
service, product, process)?
Does the organization define actions in case of
Additional notes: unintended changes and how does it monitor these
The organization must retain documented actions?
information of the results of the review of changes,
including the names of the person(s) authorizing Examples of process evidence:
said changes and any necessary activities arising Changes in production and service provision
from the review. Results of the review of changes
Changes during production/service provision can Minutes of meetings
become inputs for the design and development Training records
process (8.3.3). Revised work instructions
Changes can be based on internal or external
reasons.
The necessary changes must be reviewed prior to
implementation in all processes concerned.
46
8.6 Release of products and services 8.7 Control of nonconforming outputs
Summary/interpretation: Summary/interpretation:
The organization must carry out checks at appropriate Handling of nonconforming products or services
stages in the process to verify that the requirements
for the products and services have been met.
Additional notes:
The organization must maintain documented
Additional notes: information on nonconformities, the actions
The organization must retain documented initiated and acceptance under concession where
information about the release of products and appropriate, as well as the function responsible for
services, including evidence of conformity with the deciding on the relevant actions.
acceptance criteria and traceability to the persons The requirements for documented information
authorizing the release. have been clearly expanded in the new standard.
Products and services must not be released to For example, the organization now also needs to
customers until all individual criteria have been name the authority responsible for deciding on the
fulfilled completely. actions (correction, segregation, acceptance under
Traceability to the persons authorizing release must concession etc.) to address the nonconforming
be ensured. outputs.
47
9 Performance evaluation The results of the evaluation can be included as
This clause addresses the requirements for input into the management review.
performance evaluation including the necessary External service providers/laboratories, if any,
measurements (9.1), might need to hold accreditation.
internal audits (9.2), and The organization must demonstrate that the
management review (9.3). provided services are in conformity with the
requirements and evaluate the effectiveness of the
9.1 Monitoring, measurement, analysis quality management system.
and evaluation
9.1.1 General Examples of audit questions:
Summary/interpretation: How does the organization monitor, measure,
Definition of what needs to be monitored and measured analyze and evaluate QMS performance and
when, by whom, and why and how the results will be effectiveness, including intervals and evaluation
handled and documented. criteria?
How does the organization ensure that only tested
and calibrated monitoring and measuring equipment
Additional notes: will be used?
The organization must retain appropriate
documented information as evidence of the Examples of process evidence:
monitoring, measuring, analysis and evaluation Criteria for performance evaluation and
results. QMS effectiveness
To verify fulfillment of the objectives, the Results of monitoring and measuring performed
organization must – as a minimum requirement – Test flowchart/work plan
monitor (frequently without measuring equipment) Test plan/control plan
and measure (with equipment) the processes, Test certificates
design and development outputs (in as far as Quality control chart
applicable), production/service provision and Quality records
customer satisfaction. Appropriate and informative Sampling plans (attributive and variable samples)
parameters/key performance indicators (KPIs) are Reference samples
necessary for this purpose. Process indicators (KPIs)
48
9.1.2 Customer satisfaction 9.1.3 Analysis and evaluation
Summary/interpretation: Summary/interpretation:
The organization must determine customer satisfaction The organization must analyze and evaluate
and must define the methods for doing so. information from customer-satisfaction surveys.
49
9.2 Internal audit Examples of audit questions:
Summary/interpretation: Which criteria has the organization considered in
Internal processes must be checked at regular its definition of the audit program (e.g. how stable,
intervals so that suitable corrections and corrective critical, or complex are the individual processes;
actions can be determined and implemented. which changes have been implemented in the QMS;
results of other audits, nonconformities, complaints
etc.)?
Additional notes: Which effectively implemented actions have
The organization must maintain documented resulted from internal audits?
information as evidence of the implementation of Which requirements have been defined for internal
the audit program and the audit results. auditors?
The standard explicitly requires an internal report of Have the internal auditors received training on the
audit results to top management. content of the new standard?
Change management must now be considered in the
audit program. Examples of process evidence:
The organization must establish, implement and Documented information as evidence of internal
maintain an audit program for internal audits based audit reports and action lists
on the requirements of ISO 9001:2015. The audit Internal audit program (frequency)
program must increasingly consider changes that Nonconformity report
affect the organization. Auditor qualification
The organization must review the internal audit Auditor appointment
program for risk-based thinking (e.g. frequency, Audit planning
sites, processes, binding obligations), regular Procedure/process description: Internal audits
updating and the expertise of internal auditors.
The entire QMS must be internally audited within
the scope of a 3-year cycle. However, not all
processes need to be audited annually.
The organization must provide justifications for
any exceptions from the annual internal audits at
individual sites in multi-site organizations. All sites
must be subjected to an internal audit within a
3-year cycle.
Internal auditors must not audit their own activities.
50
9.3 Management review Examples of audit questions:
9.3.1 General On what aspects is management review based
Summary/interpretation: (e.g. internal criteria, centralized, decentralized)?
Top management must review the quality management How often does the organization perform
system at regular intervals to ensure its continuing management review?
suitability, adequacy and effectiveness, and its
alignment with the strategic direction of the Examples of process evidence:
organization. Date of the last management review
Action list
Additional notes:
A full management review must be carried out
annually.
Objective of the management review is to check the
suitability, adequacy, effectiveness and strategic
direction of the organization.
51
9.3.2 Management review inputs 9.3.3 Management review outputs
Summary/interpretation: Summary/interpretation:
The organization must determine which information it The organization must document the outputs of
needs for the management review. the management review. The outputs must include
information on opportunities for improvement/necessary
Additional notes: resources.
The organization must define sufficient inputs for the
management review and these inputs also need to be
available (e.g. results of internal audits, KPIs, supplier Additional notes:
evaluations, opportunities for improvement etc.) The organization must retain documented information
of the outputs of the management review.
Examples of audit questions: The organization must use its own findings to check
Which inputs for management review has the the outputs of the management review for plausibility/
organization defined? appropriateness (e.g. surveys of participants, in
Which areas provide information as inputs for particular top management, review of inputs).
management reviews? Management review should include information on
Which necessary data was surveyed and evaluated? how to improve QMS performance and effectiveness
based on defined criteria.
Examples of process evidence:
Previous management review Examples of audit questions:
Internal/external objectives (organization-/product-/ To what extent does the organization maintain
customer-related) from the previous year documented information as evidence of the
Trend analysis management review results (e.g. separate complete
Process indicators report, agenda items of several meetings, lists of
Customer-satisfaction analysis participants, presentations, records)?
Quality objectives Which actions have resulted from the management
Process analysis (KPIs) review to improve the QMS?
Action list Which weaknesses of the QMS has the organization
Monitoring and measurements identified in the management review?
Reports of internal audits/process audits/product
audits Examples of process evidence:
Analysis of external providers Management review
Benchmarking Results of the management review
Feedback from relevant interested parties Business plan
Strategy plan
Project plan
Action list
52
10 Improvement customer requirements, needs and expectations
The organization shall make use of opportunities for today and in the future.
improvement to meet customer requirements and Examples of improvement include corrective
enhance customer satisfaction. The organization actions, continual improvement, changes,
should take into account the results of the analysis innovation and reorganization.
and evaluation of QMS performance, internal audits
and management review when taking actions for Examples of audit questions:
improvement. What opportunities for improvement has the
organization identified?
10.1 General How has the organization established and
Summary/interpretation: implemented the necessary actions resulting
Top management of the organization must commit therefrom?
to continual improvement of the QMS and to the How have QMS performance and effectiveness
improvement of products and services, in order to meet noticeably improved based on defined criteria?
requirements and take into account future needs and
expectations. Examples of process evidence:
Process improvement
Additional notes: Improvement of products and services
The organization should take into account the Improvement of the quality management system
results of the analysis and evaluation of QMS Action list
performance, internal audits and management Design and development projects
review when taking corrective actions.
Continual improvement shall be demonstrated with
the help of suitable indicators as evidence.
The objective of any improvement is to fulfill
53
10.2 Nonconformities and corrective actions Examples of audit questions:
Summary/interpretation: How does the organization check the effectiveness
The organization must determine the handling and of corrective actions?
root-cause of nonconformities and the corrective Which sources of nonconformities does the
actions resulting therefrom. organization consider?
How did the organization determine the causes of
nonconformities (examine examples)?
Additional notes: How does the organization ensure that
The organization must maintain documented nonconformities will not recur at another time or
information as evidence of the type of place?
nonconformity, the actions taken and the results of
corrective actions. Examples of process evidence:
The standard does not require any procedures Change project
or processes for handling actual and potential Documented information of nonconformities and
nonconformities or for taking corrective and results of corrective actions
preventive actions. Quality management plan
This clause shows that a QMS is primarily a tool of Corrective actions list
prevention. Suggestion system
The concept of preventive actions is included Complaint analysis
throughout the standard, including clause 6.1 8D report
"Actions to address risks and opportunities." Procedure/process description: Nonconformities
The objective is to ensure that nonconformities and corrective actions
will not recur at a different time or place. Where Complaints
recurrence cannot be excluded completely, it should Failure analysis
at least be reduced. Design and development projects
What is important is that the actions taken and their
consequences are monitored. Further actions could
be necessary.
For nonconformities and the actions resulting
therefrom, the following must be included: binding
obligations, process indicators, quality objectives,
process control requirements, results of internal
audits, risks and opportunities and others.
Steps must be taken to ensure that corrective
actions aim at the actual cause of the
nonconformity (quality of root cause analysis).
Updating the risks and opportunities determined
during planning may even be necessary.
54
10.3 Continual improvement Examples of audit questions:
Summary/interpretation: How does the organization evaluate whether
The QMS of an organization must be continually continual improvement actions need to be
improved and enabled to identify needs (risks) or considered?
opportunities that must be addressed in the future. Which methods does the organization apply to
continually improve?
The results of analysis and evaluations and the outputs
of management review serve as astarting point for Examples of process evidence:
continual improvement. CIP (Continual improvement process)
Suggestion system
Management review
Additional notes: Quality management plan
Continual improvement must be proved as a Improvement proposal system of the QMS
minimum requirement within the 3-year surveillance Key performance indicators of the QMS
period.
If there is no documented information as evidence
of continual improvement of the QMS (e.g. in the
case of organizations that are already at the level of
the best available technology) alternative methods/
projects (e.g. Six Sigma, Lean, 5S, Kaizen, Scrum,
Kanban, benchmarking) must be addressed.
55
Annex 1 – Overview of the documentation requirements
of EN ISO 9001:2015
56
Annex 1 – Overview of the documentation requirements of EN ISO 9001:2015
57
Annex 3 – Evaluation of audit findings
58
59
We look forward
to hearing from you
www.tuvsud.com/iso-9001
systemcertification@tuvsud.com
Explanation:
2021 © TÜV SÜD AG | MKG/MS/49.2/en/DE
TÜV SÜD AG
Westendstr. 199
80686 Munich Germany Documented information
+49 89 5791 0
must be available
www.tuvsud.com