Interpretations of The Standard ISO 9001:2008

This document is created to serve as a guidance tool for common understanding on the intent of the standard and providing clarification of the text. In order to claim conformity with ISO 9001: 2008, the organization has to be able to provide objective evidence of the effectiveness of its processes and its quality management system. Objective evidence as is defined as Data supporting the existence or verity of something and notes that Objective evidence may be obtained through observation, measurement, test or other means. Objective evidence does not necessarily depend on the existence of documented procedures, records or other documents, except where specifically mentioned in ISO 9001:2008. In some cases, it is up to the organization to determine what records are necessary in order to provide objective evidence.

ISO 9001:2008 Interpretations

Element 4: Quality Management System

4.1: General
Section 4.1 includes the general requirements that must be met in order to establish, implement and continually improve the effectiveness of a quality management system meeting the requirements of the standard. These requirements are referenced to and/or further defined in subsequent clauses of the standard. Table A, shown below, contains the cross-linked references. Continual improvement of the effectiveness of the quality management system may be reflected in a number of different areas. These may include: Quality objectives; Corrective and preventive actions; Internal audits; External audits; Review of customer satisfaction surveys and associated action items; Operation meetings producing improvement actions; Actions initiated by suggestion programs; Process Changes; Infrastructure and environment changes; Management Reviews

If continual improvement has become a way of life for a company, it is unlikely that a demonstration of company wide continual improvement will come from only a few sources. System deterioration would not necessarily lead to non-conformity if all actions were positive and the improvement path is still evident and logical. The system would be questionable if the company did not recognize it or had not reacted to the issues appropriately. Note: It is the responsibility of the company to demonstrate improvement rather than the auditor to look for it. 4.1 a) Process identification It is expected to see a process model that explains the key processes of the business and how each relates and links to the others. The depth of process explanation may be as detailed as the company chooses, but should be based on its customer
1 OF 31

Interpretations of The Standard ISO 9001:2008

and applicable regulations or statutory requirements, the nature of its activities and its overall corporate strategy. In determining which processes should be documented the organization may wish to consider factors such as: Effect on quality Risk of customer dissatisfaction Statutory and/or regulatory requirements Economic risk Effectiveness and efficiency Competence of personnel Complexity of processes

4.1 b) Sequence and interaction of these processes The interactions of the processes must somehow be described in the quality manual (4.2.2 c). The organization is not required to produce system maps, flow charts, lists of processes etc. as evidence to demonstrate that the processes and their sequence and interactions were identified. Such documents may be used by organizations should they deem them useful, but are not mandatory. Graphical representation such as flow-charting is perhaps the most easily understandable method for describing interactions between processes. Other possible methods may include: documentation prepared for implementation of the product management system; deployment flowcharts; and pictorial diagrams. 4.1 c) Criteria and methods needed to ensure that both the operation and control of these processes are effective. This could be demonstrated with stated objectives, instructions and or procedures as required for consistent output of the processes. 4.1 d) Ensure the availability of resources and information necessary to support the operation and monitoring of these processes. This may be through Management Review or other methods for defining and determining resources. 4.1 e) Monitor, measure and analyze these processes - All identified processes are subject to requirements for monitoring, measurement, and analysis for needed improvement. The methods employed and the timing of such analysis should be based upon priorities established by the organization. It is expected to set measurable objectives established for each process. These objectives should support the organizations overall objectives. 4.1 f) Implement actions necessary to achieve planned results and continual improvement of these processes Same as described above. It is expected to see corrective action taken when measurable objectives fall below target or defined action level. Outsourced Processes: Outsourced processes must be controlled by the organization and these controls must be defined/described within their system. Organizations are required to identify the controls they apply for any outsourced processes. This does not necessarily have to be documented in the quality manual or written documentation. Examples of some outsourced processes are: Process completed wholly or partially by a sister facility outside the scope of registration. Such as corporate performing design, purchasing or customer related processes. This may include the entire element or a subsection i.e. corporate

2 OF 31

Interpretations of The Standard ISO 9001:2008

completes supplier evaluation and re-evaluation of suppliers and the registered site initiates purchase orders. Processes completed by an outside vendor or subcontractor such as heat treating, plating, calibration, painting, powder coating, etc.

Objective evidence must be ascertained to ensure that these processes are being controlled beyond the basic purchasing requirements, which are focused on controlling products not processes. The organization is responsible to ensure that the outsourced process is meeting applicable requirements to ISO9001:2008. Outsourced processes may be controlled through such methods as (not limited to): Internal Audits Internal Agreements between two sites where only the audited site is under the scope of registration (Interface Agreements) Process performance data Purchasing Process

ISO/TC 176/SC 2/N 630R2 ISO 9000 Introduction and Support Package: Guidance on 'Outsourced Processes: An outsourced process can be performed by a supplier that is totally independent from the organization, or which is part of the same parent organization (i.e. a separate department or division that is not subject to the same quality management system). It may be provided within the physical premises or work environment of the organization, at an independent site, or in some other manner The organization has to demonstrate that it exercises sufficient control to ensure that this process is performed according to the relevant requirements of ISO 9001:2008, and any other requirements of the organizations quality management system. The nature of this control will depend, among other things, on the importance of the outsourced process, the risk involved, and the competence of the supplier to meet the process requirements.
TABLE A: Cross-linked references 4.1 General requirements a) Identify the processes, including outsourcing, needed for the quality management system and their application throughout the organization (see 1.2), b) Determine the sequence and interaction of these processes,

Relevant further clauses 5.4.2 QMS planning 7.1 Planning of product realization 8.1 General

5.4.2 QMS planning 7.1 Planning of product realization 4.2.2 (c) c) Determine criteria and methods needed to 7.1 (c) ensure that both the operation and control 7.3.3 (c) of these processes are effective, 7.4.1 (Criteria for selection) 7.5.2 d) Ensure the availability of resources and Whole of 6 information necessary to support the operation and monitoring of these processes, e) Monitor, measure, and analyze these Whole of 8.2 processes, and, f) Implement actions necessary to achieve Whole of 5, 6, 7 and 8

3 OF 31

Interpretations of The Standard ISO 9001:2008

planned results and continual improvement of these processes. These processes shall be managed by the organization in accordance with the requirements of this International Standard. Where an organization chooses to outsource any process that affects product conformity with requirements, the organization shall ensure control over such processes. Control of such outsourced processes shall be identified within the quality management system.

4.2: Documentation Requirements 4.2.1: General

The Quality Management System (QMS) documentation shall include: 4.2.1 a) Statements showing the organizations quality policy (see 5.3) and quality objectives (see 5.4.1). 4.2.1 b) A quality manual (see 4.2.2). 4.2.1 c) Procedures that this standard requires (see 4.2.3, 4.2.4, 8.2.2, 8.3, 8.5.2, 8.5.3). 4.2.1 d) Documents that the organization will need to ensure that the planning, operation, and control of their processes is effective. 4.2.1 e) Records that this standard requires (see 5.6.1, 6.2.2, 7.1, 7.2.2, 7.3.2, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.4.1, 7.5.2, 7.5.3, 7.5.4, 7.6, 8.2.2, 8.2.4, 8.3, 8.5.2, and 8.5.3).

4.2.2: Quality Manual

Exclusions from the quality management system must be described and justified within the quality manual (see 4.2.2 a). The documented procedures established for the quality management system must be included or cross-referenced in the quality manual (see 4.2.2 b). A description of the interaction between the organizations processes needs to be identified in the quality manual (see 4.2.2 c). The applicable processes might include those relating to four general categories: 1) Management Activities, 2) Resource Management, 3) Product Realization, and 4) Measurement and Monitoring. Manual content and design - There are many ways of documenting the quality management system and organizations should adopt the approach that is most useful for effective operation of their system.

4 OF 31

Interpretations of The Standard ISO 9001:2008

Examples include: Flowcharts; Written text; Diagrams; System maps; Process maps; Process Turtles.

The quality manual may have many forms. Although many organizations structure their documentation in a typical pyramid, it is not the only, and not always the most suitable, way. A quality manual doesn't have to exist as a separate document. The quality manual may: Be a direct collection of QMS documents including procedures; Be a grouping or a section of QMS documentation; Be more than one document or level; Be in one or more volumes; Be a stand alone document or otherwise; Be a collection of separate documents. The ISO 9001:2008 standard offers companies a possibility to establish effective, userfriendly systems. This edition offers the current users a unique opportunity to streamline their quality management system documentation. A separate document "addressing" all the clauses of the standard is not required by the standard - neither does the standard require the quality manual to "address" or "cover" the requirements of the standard. The manual may be documented specifically to the organizations processes. 4.2.2 a) Scope The organization may exclude portions of the standard that do not apply to their quality management system due to the nature of the product or service that they supply. ISO 9001:2008 clearly limits and identifies which activities may be excluded. The justification for exclusion and those considered not applicable must be clearly documented in the quality manual. If, for example, design does not apply to the quality management system, the standard stipulates (in section 1.2 Application) how a reduction in scope of the standard may be justified and documented within the quality manual. The exclusion applicability shall be within the clause Design and Development (7.3) only. All other potential exclusions within section 7 must be identified as not applicable or not applicable. The scope of the QMS should be based on the nature of the organization's products and their realization processes, the result of risk assessment, commercial considerations, and contractual, statutory and regulatory requirements. If an organization chooses to implement a quality management system with a limited scope, this should be clearly defined in the organization's Quality Manual and any other publicly available documents to avoid confusing or misleading customers and end users (this includes, for example, certification/registration documents and marketing material). Note: For multi-site/corporate certifications, it is expected to see that one quality manual is applicable for all sites and that any changes are centrally controlled (see 4.2.3)

5 OF 31

Interpretations of The Standard ISO 9001:2008

4.2.2 b) Documented Procedures The manual must include reference to, at a minimum the six required documented procedures (see 4.2.3, 4.2.4, 8.2.2, 8.3, 8.5.2, 8.5.3). The manual may reference other documentation but must list those required documents in some format. This may be in the form of a link or other such reference. The notes after sub clause 4.2.1 in ISO9001: 2008 make it clear that where the standard specifically requires a documented procedure, the procedure has to be established, documented, implemented and maintained. It also emphasizes that the extent of the QMS documentation may differ from one organization to another due to: The size of the organization and the type of activities; The complexity of processes and their interactions and The competence of personnel

4.2.2 c) Interaction between processes This requirement ties closely to section 4.1 b), which is discussed in the previous paragraphs. The interactions between the quality management system processes do not have to be separately described, or illustrated, by charts, tables or maps. Although many organizations may choose such a form, it is not a mandatory method. Interaction between processes may be described, for instance, by way of references and/or cross-references within the procedures, where the procedures form part of the Quality Manual.

4.2.3: Control of Documents

A documented procedure is required for control of documents. 4.2.3 a) Approve documents procedure must identify the approval process. 4.2.3 b) Review and update All management system documentation must be covered by some review strategy. The procedure must identify a period of time (at least annually) in which all documents are reviewed on an ongoing basis. A method must be in place to show review was completed where there were no changes. Those documents that are updated must be put back through the organizations required approval process (4.2.3 a). 4.2.3 c) Changes and current revision status The procedure must identify how changes and revisions to documents are identified. These must be identifiable for each document. How does the user know what the changes are? 4.2.3 d) Availability of documents procedure must identify how documents are made available to employees. Auditor will expect to see that documents are readily available to employees through out the facility at their points of use. 4.2.3 e) Documents are legible and readily identifiable auditor will expect to see that documents are maintained and remain legible and easily identifiable. 4.2.3 f) Documents of external origin Documents of external origin are those that are produced from outside the organization that are used by the organization in support of the quality management system processes. The procedure must address if documents of external origin are applicable and if so how these documents are controlled by the facility. The auditor

6 OF 31

Interpretations of The Standard ISO 9001:2008

expects to see that controls are in place to ensure current versions are used and documents are controlled within the facility. 4.2.3 g) Obsolete documents Procedure must address how obsolete documents are controlled to prevent unintended use and if retained how these documents are identified. Note: For multi-site/corporate certifications the auditor will expect to see that System documentation and changes are centrally managed (usually performed at the headquarters location).

4.2.4: Control of Records

Records required by the organization may be in any format deemed suitable for the organizations method of operation. A documented procedure must be in place and define the controls needed for: Identification the procedure must identify the system/process is in place to identify records. Storage where records are stored specific location i.e. Quality filing cabinet in the QC Laboratory. Protection how individual records are protected i.e. tape back up every 24 hours (for electronic records), fireproof safe, filing cabinet etc. Retrieval any special requirements for retrieval. Generally dependant on location and protection. May be a request process. Retention time identification of how long each record will be maintained. Disposition of records method for disposing of records i.e. shredding, burned, trash

A spreadsheet or other document may be used to identify the above requirements.

Element 5: Management Responsibility

This section has nine references to top management. Top Management is person or group of people who directs or controls an organization at the highest level. It is therefore essential to examine top managements commitment to, and support for, the QMS (and to record objective evidence to support any conclusions reached).

5.1: Management Commitment

Objective evidence of management commitment can be obtained (and recorded) from following: 5.1 a) Evidence that top management has communicated to the organization the importance of meeting customer requirements as well as statutory and regulatory requirements. This can be achieved through meetings, newsletters, bulletin boards, training records etc. NOTE - statutory and regulatory requirements are broad based and include all applicable requirements for processes, products and activities.

7 OF 31

Interpretations of The Standard ISO 9001:2008

5.1 b) Top Managements establishment of and input into, and commitment to, the quality policy (its definition, delivery and maintenance) through management review or other meetings. 5.1 c) Documented quality objectives (for all processes). 5.1 d) Top Managements active participation in management review meetings. 5.1 e) Evidence of a process for defining resource requirements and ensuring that adequate resources are available. In short, how well they address requirements 5.2 through 5.6.

5.2: Customer Focus

Customer requirements and customer satisfaction are directly linked with the process approach concept in the standard. It is necessary to seek objective evidence to demonstrate that the customer requirements are indeed being met, whether the satisfaction is revealed in customer survey results, repeat sales or any other type of mechanism that would reveal trends and lead to improved customer satisfaction. Management review minutes might be a record where Customer Focus is addressed. Quality plans and or product plans that include customer related requirements can also be looked as documents having customer focus.

5.3: Quality Policy

It is expected that there is evidence that Top Management fully back the quality policy. The standard identifies five specific points which requires that top management ensures that the policy; 5.3 a) Is appropriate to the purpose of the organization 5.3 b) Includes a commitment to meeting requirements and to continual improvement of the quality system 5.3 c) Provides framework for establishing and reviewing quality objectives 5.3 d) Is communicated and understood at appropriate levels in the organization 5.3 e) Is reviewed for continuing suitability. It is important to determine that Quality Policy meets the intent and is understood, by interviewing personnel at all levels. Although the exact policy does not need to be recited by interviewees, the awareness of the quality policy and how their job affects the company objectives should be determined. If personnel interviewed do not know what their measurable objectives are and/or do not know what the organizational objectives are that they have a direct effect on, further evaluation is required for managements communication of the policy and objectives. The Quality Policy must be documented (typically in the quality manual because it must be controlled). The Quality Policy does not have to include objectives but should create a
8 OF 31

Interpretations of The Standard ISO 9001:2008

framework for establishing them. The Quality Policy should be stated in such a way that it aims toward continual improvement. It should be reviewed and possibly revised to meet higher aspirations. To meet the intent of this clause, the auditor looks for a clearly defined Quality Policy that is sufficiently detailed to provide a framework for quality objectives that can be monitored for continual improvement. When interviewing top management, their input into, and commitment to, the quality policy needs to be determined. Is it theirs, or have they clearly just signed something written for them by the management representative? Note: For multi-site/corporate certifications the quality policy must be applicable for all sites.

5.4: Planning 5.4.1 Quality Objectives

Auditor expects that the organization has developed measurable quality objectives for relevant functions and levels of the organization. It is expected that overall objectives to be established at the facility/corporate level and objectives established for each identified process. Process objectives shall support the organizations overall objectives. The organization must establish what the relevant functions of the organization are, however at a minimum this will include all defined processes (reference 4.1 a, c, e). If some functions or levels have been excluded, it may be necessary to explore, evaluate (and record) the reasons for such omissions (which might be quite acceptable at that particular stage in the continual improvement process). The organization must identify quality objectives that can be measurable, such as vendor ontime rating, on-time delivery, all employees will have completed an ISO 9001 awareness class and all machines will have clearly defined procedures on their usage. If the objectives were not measurable (including a time-based element where appropriate), they would not meet the intent of the standard. The objectives do not have to be defined in a specific document although the objectives are required to be documented (see 4.2.1 a). Objectives can either be defined in associated procedures or instructions, or could be recorded in meeting minutes such as management review records. The organization must have a process that ensures that all the objectives are clear and communicated to all employees who can influence the defined objective(s). The organization should be able to demonstrate that the objectives are being measured and reviewed (see 4.2.4 and 8.5.1).

5.4.2: Quality Planning

Auditors use their judgment in evaluating the entire collected audit evidence in order to assess effectiveness of planning activities. The auditor may also satisfy him/herself that planning was done, by interviewing the personnel involved in establishing or achieving specific quality objectives.
9 OF 31

Interpretations of The Standard ISO 9001:2008

Auditors attribute such QMS deficiencies to relevant clause, requirements of which were contravened, rather than to clause 5.4.2. Determining effective and efficient planning may be found by evidence of: All those planning activities undertaken to establish the QMS in accordance with clause 4.1. The existence of an effective, documented, and implemented QMS that provides collective evidence demonstrating that these planning activities have been performed effectively. Deficiencies in the quality system that may indicate that these planning activities were not quite effective. The evidence and use of Strategic Plans, Business Plans, Management Review results, Contingency Plans, Quality Objectives, any programs or plans, documented or not, such as Minutes of meetings, Memos, Internal communications.

Where there is lack of documented evidence, an auditor may satisfy him/herself through interviewing the personnel at those levels and functions involved in achieving particular objectives to determine the level of planning. Another methodology allowing audit of effective planning involves review of the progress in implementation of such plans aimed at adhering to individual objectives.

5.5: Responsibility, Authority and Communication 5.5.1: Responsibility and authority

In order for the auditor to be satisfied that the intent of this element has been met, he/she may review organization charts, job descriptions or a responsibility matrix. Identification of responsibility and authority could be written into procedures and/or work instructions, as well. The auditor may also use interviews of individuals to determine if responsibility and authority has been communicated effectively.

5.5.2: Management Representative

Responsibilities to include: 5.5.2 a) Ensuring that the processes needed for the quality management system are established, implemented and maintained. 5.5.2 b) Reporting on the performance of the system to top management. 5.5.2 c) ensuring the promotion of awareness of customer requirements. The resource designated as management representative may be from any part of the organization or may be subcontracted (consultant) from outside the organization. The Auditors determine that the Management Representative (employee or subcontractor) is a member of management. If the designated management representative, particularly if from
10 OF 31

Interpretations of The Standard ISO 9001:2008

outside the organization such as a consultant, operates in a part time mode, the management system must ensure continuity in fulfilling the management representative responsibilities. Promotion of customer awareness might include news releases, meetings, training, photographs, models; examples of products demonstrating required visual attributes. We look for one individual to be the management representative in terms of defined responsibility. However, implementation of those responsibilities may be in the form of a defined and delegated team. Note: The management representative is responsible for ensuring it happens not making it happen, which is the job of line management. Note: For multi-site/corporate certifications the auditor will expect to see that there is a management representative with overall responsibility across all sites for ensuring that requirements are established, implemented, maintained, and for reporting on performance.

5.5.3: Internal Communication

Although there is no mandate for documenting methods for communication, the auditor will expect to find evidence of communication through interviews with employees. Evidence could possibly include the employees understanding of process linkage and effectiveness, customer satisfaction levels, preventive and corrective action information, on time delivery, quality costs, returned material, non-conformances. This could be communicated by access to the computer network, an information board, newsletters, or even process routers, checklists, and multifunctional meetings (see 6.2.2 d). The type and extent of the documentation will depend on the nature of the organizations products and processes, the degree of formality of communication systems and the level of communication skills within the organization and the organization culture.

5.6: Management Review 5.6.1: Management Review - General

IMPORTANT INITIAL CERTIFICATION REQUIREMENT: For a new/first time registration/certification, a full round of Management Review meeting(s), including documented evidence of all required inputs and outputs, must be completed prior to the registration/certification audit (note a full internal audit cycle must be completed prior to this review see 8.2.2 Internal Audit). For multi-site/corporate certifications the review must include inputs (as appropriate) from each site (see the standard 5.6.2 a g). Normally, the review process is conducted at the headquarters location. Top management shall review the quality management system at planned intervals not only for continuing suitability and effectiveness, but also adequacy. Additionally, this review shall include assessing opportunities for improvement, the need for changes to the system, the quality policy, and quality objectives. These words are more prescriptive which cause a more proactive expectation and approach to keeping the system current and useful and maintaining improvement activities. The auditor cannot prescribe the intervals for reviews to occur, but can look for evidence that the frequency is sufficient to accomplish the requirements of the standard. Although the dictionary would suggest that suitable and adequate are the same, the standard seeks to
11 OF 31

Interpretations of The Standard ISO 9001:2008

distinguish both the system from a global perspective of adequacy as well as the detailed suitability of the many processes that comprise the system.

5.6.2: Management review input

The auditor will expect to see documented evidence that the (7) required inputs are discussed during the review. Although a documented procedure for management review is not required, records of such reviews are required (see the standard - 5.6.1 General). The minimum (7) inputs are required in those records (see the standard 5.6.2 a g). Evidence of cross functional input is also expected, which means one person alone could do the review, but there would need to be evidence of multifunctional input in the evaluation of the system and its status and actions concluded.

5.6.3: Management review output

Output should focus on decisions and actions related to system improvement (5.6.3 a), product improvement for customer requirements (5.6.3 b), and resource needs (5.6.3 c). Auditors expect to see that some documented conclusions have been developed. The output record must include evidence of action and progress for system improvement, customer requirements, resource needs as it all relates to system health. It is important to note that a documented procedure may or may not exist. It should also be noted that formal meetings for review may or may not happen and still be complaint - such as in the case of being accomplished in stages; on going process review; or by circulated documentation covering the system incrementally.

Element 6: Resource Management

6.1: Provision of Resources
The intent of this section is to ensure that adequate resources are provided to continually improve the effectiveness of the quality management system (6.1 a) and to enhance customer satisfaction by meeting customer requirements (6.1 b). Auditor would expect to see a process for evaluating and determining resource needs. This may be through management review, production planning, budget review, long range planning etc. The auditors may determine that process activities are not prevented by a lack of resources. Auditors may review instances where customer requirements were not met and determine if a lack, or insufficiency, of any resources was causation factors of these instances. This requirement also ties to paragraphs 5.1 and 5.6.3, which address managements responsibility to determine and provide necessary resources. Additionally, any clear evidence of resource problems links directly to this section.

6.2: Human Resources 6.2.1: General

The standard requires that personnel be competent. This could be demonstrated by a person being qualified. Competence may be based on appropriate education, training, skills, experience, and/or demonstrated performance.
12 OF 31

Interpretations of The Standard ISO 9001:2008

6.2.2: Competence, awareness and training
The intent of this section is to ensure that suitably competent people are performing the activities as defined in the quality system. Evidence of the effectiveness of the training or other means of providing competent employees must be available. Employees must be aware of the impact that they have on the overall quality system. It is expected that employees to be able to verbalize how their job activities contribute to the achievement of the quality objectives. 6.2.2 a) Determine the necessary competence - The requirement is in emphasis toward validating training and other activities aimed at ensuring employee competence. Identification of competency is essentially a precursor to identification of training needs. The organization should determine knowledge and/or skills an employee would need to be considered competent, in their opinion, to perform a particular job. The company could then determine if the employee performing the job possesses that knowledge or skill and, if not, consider it a training need. Changes in the business and its environment may necessitate new competencies, which may not be available. Therefore the identification of competencies may need to be revisited. There is no requirement for any particular frequency of such re-review. Competency may be defined in a job description, position profile, or by any other method or associated documents such as specific instructions or procedures. Usually competency is determined during performance reviews, if the organization does not perform reviews of this nature, other methods for determining personnel competence would need to be defined and records maintained. 6.2.2 b) Provide training or take other actions - The requirement allows for options other than training to obtain competent personnel. Training includes all those activities where a learning opportunity needs to be satisfied. It may take a number of forms: Classroom style, tutor led training; Hands on experience training; Shadowing Individual or group coaching; Mentoring; Briefings; Distance learning; Technology based training (CD ROMS, web based etc); Workshops.

Organizations will choose whichever form best suits their needs at any particular moment. Other actions to bridge competence gaps might include: Recruitment; Outsourcing; Acquisitions; Use of experts and/or consultants. Documented procedures or work instructions

All such means are acceptable as long as an organization has ensured the availability of the competencies needed.
13 OF 31

Interpretations of The Standard ISO 9001:2008

6.2.2 c) Evaluate the effectiveness of the actions taken - The requirement is aimed at ensuring that the training or other activity has produced the desired result. This requirement could be met in a variety of ways, including, but are not limited to: Observation of personnel performing their duties; Written or oral exams; Assessment of employee in achieving learning objectives during the course of the training program; Audit of performance at work focusing, for example, on: Productivity; Reduction of rejects; Efficiency; Interviews with the persons; Annual appraisal. Performance reviews; Discussions; Evaluation of performance, quality or other indicators; Cost reviews; Customer satisfaction assessment 6.2.2 d) Ensure that its personnel are aware of the relevance and importance of their activities (perhaps by internal communication see 5.5.3) and how they contribute to the achievement of the quality objectives - The requirement could be met in a variety of ways. Options include: Training; Memos, and/or meetings regarding the impact of various individual or departmental goals on quality objectives; Plant tours or briefings where an individuals work and goals are shown as an integral part of the larger processes; Cross functional teams working towards quality objectives and reporting their progress to their departments.

Any activity that allows individuals to understand how their efforts affect quality objectives may satisfy this requirement. All personnel need to know the specific measurable objective(s) for the process that they work in; they should also know what organizational objective their process effects. They should be able to demonstrate that they know what the actual measurable is, their progress towards that goal, what the plan is to achieve the goal. If they do not know the actual numbers, they should be able to communicate the topics of the measurable and know where the actual measurements are maintained or posted. 6.2.2 e) Maintain appropriate records - The requirement expands record keeping requirements to include education, skills and experience, in addition to training, where appropriate. There are a great variety of ways to record and provide evidence of training, education, skills and experience. Records may include: Diplomas; Certificates; Training log; Annotations in shift logs; Toolbox meeting notes;
14 OF 31

Interpretations of The Standard ISO 9001:2008

Attendance lists; Resumes; Employment history; Test results.

Such records may be filed in any location as long as the Records remain legible, readily identifiable and retrievable.

6.3: Infrastructure
It is the organizations management who determines the adequacy of the infrastructure provided by the organization. Auditors will seek objective evidence to demonstrate that the necessary infrastructure exists for the quality management system to be effectively implemented, for improvement of its effectiveness, and for fulfilment of customer requirements. Auditor would expect to see a process in place for maintenance of the building(s), equipment and any other supporting services. This is generally the responsibility of the maintence and IT departments.

6.4: Work Environment

The organization must identify and manage all those factors of the work environment that are needed to supply a conforming product. These factors may include among others: Human Factors Creative work methods; Opportunities for greater involvement of personnel; Safety rules and guidance; Ergonomics; Special facilities for people. Physical Factors Heat; Noise; Light; Hygiene; Humidity; Cleanliness; Vibration; Pollution; Airflow. Different types of businesses and industry sectors may vary dramatically with regard to an acceptable work environment, so it is the organizations management who determines the adequacy of the work environment provided by the organization. For instance; A training provider may need to ensure the training area is adequately lighted and contains appropriate seating and visual aid capabilities.
15 OF 31

Interpretations of The Standard ISO 9001:2008

Some manufacturing facilities may require clean rooms or humidity-controlled areas. Companies handling items easily damaged by electrostatic discharge may require special flooring or equipment, and chemical storage areas may require special protective barriers. As an additional example, an employee might perform a particular function that requires repetitive wrist movements (i.e., tightening a screw). As the day wears on, it is possible that the overuse of the wrist could result in poorly torqued screws resulting in a possible quality defect. The company should identify such a situation and provide a means of eliminating the potential defect (i.e., air-driven screwdrivers). Evidence could consist of records of decreased quality defects and/or medical problems related to that activity.

Element 7: Product Realization

Exclusions/non-applicability can be claimed with in element 7 only. Exclusion should only be taken for clause 7.3 Design and Development and must be fully justified in the quality manual. Other sections within element 7 may be claimed as not applicable or not applicable at this time.

7.1: Planning of product realization

An organization needs to plan in advance for how they will manufacture their product or deliver their service. The plans need to take into account the product requirements and any quality objectives (7.1 a) that might be appropriate, resources and documents that may be necessary (7.1 b), what type of monitoring and/or inspection activities should be put in place to ensure the product or service will meet the requirements (7.1 c), and what types of records should be kept (7.1 d). While the sub-clause does not state that the output of this planning must be documented, it does state that it must be in a form suitable for the organizations method of operations.

7.2: Customer Related Processes 7.2.1: Determination of requirements related to the product
This clause promotes an up-front determination of all requirements related to the product. This includes requirements for servicing which are now included as post-delivery activities, which implies anything that is provided after the customer has received the product (i.e. repair and/or warranty work, installation, maintenance, etc.).

Specific to 7.2.1 (a)

Post delivery activities may include among others: Product support Servicing where applicable

16 OF 31

Interpretations of The Standard ISO 9001:2008

Specific to 7.2.1 (b)
Organization shall be proactive in evaluating if there were any additional requirements for the product or services intended use. If the organization determined there were not any additional requirements this should be evident in associated records, if there were additional requirements then evidence should be present how they were addressed in the affected process i.e. design, purchasing, manufacturing.
The analogy that can be used here is a screwdriver, everyone knows the intended use of a screwdriver, put in and take out screws. However with a screwdriver, there are requirements that are not stated but are intended for use, such as using a screw driver to open paint cans, could be used as a chisel, pry bar, magnetization might be an issue, also if used around electricity the handle should be nonconductive, but none of these requirements might be stated by the customer, but the manufacturing organization would need to address these non-stated requirements for the screwdrivers intended use.

Specific to 7.2.1 (c)

The organization shall determine applicable Statutory and regulatory requirements related to the product (i.e., taking these requirements into account when designing a product or service). This includes ensuring process control (i.e., ensuring that these requirements were met). Statutory requirements are those that are stipulated by local/national governments that form part of regional, national and international legislation. Regulatory requirements are those imposed by regulatory bodies. In the UK the HSE (Health & Safety Executive) and in the USA, the EPA (Environmental Protection Agency) are examples of these. These requirements are not necessarily part of national legislation. Compliance with regulatory requirements issued by national regulators (i.e. by The Rail Authority) may be mandatory for those organizations to which they apply if a statutory instrument requires so. Organizations are required to comply with a number of legal requirements to be allowed to operate. Management must be aware of the requirements that apply to its products, processes and activities and should include these requirements as part of the quality management system. Organization has to be aware that as the national legislation may apply to product intended for the domestic market, in the case of export sales, organizations will be required to consider the statutory and/or regulatory requirements in the target country that may apply to (a) product(s) supplied. Organization is not required to maintain the lists of applicable statutory and/or regulatory requirements, nor need they maintain copies of these documents. Organization must ensure that it has adequate access to / or knowledge of applicable statutory and regulatory requirements.

17 OF 31

Interpretations of The Standard ISO 9001:2008

7.2.2: Review of requirements related to the product
The sub-clause mandates that the organization shall not issue a quotation or accept an order until it has been reviewed to ensure requirements are defined and the organization has the capability to meet the defined requirements. It goes on to require that records of the review and any subsequent actions be maintained. If the customer does not provide their requirements in writing (i.e., telephone call), the requirements must be confirmed before they are accepted. If the requirements are changed, all documents must be amended and relevant persons must be notified. A note is included that covers situations such as internet sales where a formal review of each order is impractical, stating, instead, that the review could cover the product information provided in catalogs and advertising material.

7.2.3: Customer communication

The organization must establish effective arrangements for providing the customer with product information (i.e., catalogs or advertising that adequately describe the product or service), means of handling inquiries and orders, and a method for handling customer comments (both compliments and complaints).

7.3: Design and development

This clause addresses product/service development as well as (conceptual) design, so organizations involved in product/service development will have to address some or all of section 7.3 of ISO 9001:2008. Many companies perform some enhancements or minor reconfiguration of mature designs, and are able to use the guidance of ISO 9004:2008 in order to address some or all of section 7.3 of ISO 9001:2008. Some organizations subcontract design and have managed this via sections 4.1 and 7.4 of ISO 9001:2008. Such organizations may have to introduce a comprehensive design system or process, however may have to address design and development as it is applicable to the organization. They may have to address some or all sections of 7.3 to the extent that they apply.

7.3.1 Design and development planning

Although the standard does not require a documented procedure, the design process needs to demonstrate how the process is controlled and planned. The organization, however, will need to provide some type of objective evidence as to what the planning activities include. This can be accomplished with the use of time-lines, gant charts or any other planning method such as Microsoft project manager. In addition the auditor see objective evidence of how the interfaces between other processes are managed, either through statements in associated procedures, process mapping, matrix approach or in the time line planning.

18 OF 31

Interpretations of The Standard ISO 9001:2008

7.3.2 Design and development inputs
The auditor will review evidence that the inputs (7.3.2 a d) have been addressed based on the nature of the product being produced, that they have been reviewed for adequacy and that records are maintained of the activity.

7.3.3 Design and development outputs

The auditor expects objective evidence that the outputs (7.3.3 a d) have been verified against the design inputs. This can be accomplished by reviewing documents, plans, etc. interfacing with the customer or internal processes and by comparison with past proven designs.

7.3.4 Design and development reviews

Reviews shall be conducted in accordance to the time line or plan established at the beginning of the design activity. Reviews shall show evidence that all activities required in each phase of the design have been addressed or adjustments made. Records should show who attended the reviews and that all concerned parties were present and that all actions were satisfied before proceeding forward with the design process.

7.3.5 Design and development verification

Design verification basically means that the product can be produced as designed and that output meets the intended inputs. Additionally it should show that the organization has the capability to produce the product with existing equipment and has the personnel competencies or has the ability to train or subcontract the required capabilities.

7.3.6 Design and development validation

Validation has to ensure capability of meeting intended use where known as well as specified requirements, and has been completed prior to delivery and implementation wherever practicable (typically as a prototype or first article). In most organizations they cant rely on the customer to perform the validation, the lack of a negative response from the customer does not meet the intent of this clause. The organization should have records that the product designed will meet defined user needs prior to delivery of the product to the customer. Methods of validation could include simulation techniques, proto-type build and evaluation, comparison to similar proven designs, beta testing, field evaluations, etc. Irrespective of the methods used, the validation activity should be planned, executed with records maintained as defined in the planning activity in 7.3.1.

7.3.7 Design and development changes

Design and development changes (after the original verification and validation) have to be verified and validated as appropriate (as well as reviewed) and to include evaluation of the effect of changes on constituent parts and products already delivered. If the organization chooses not to perform re-verification and re-validation on every design change, then the auditors expect to see some very well defined criteria as to when the activity needs to occur. This includes any changes that do not affect fit, form or function.
19 OF 31

Interpretations of The Standard ISO 9001:2008

7.4: Purchasing 7.4.1 Purchasing Process
It would be extremely uncommon for purchasing to be excluded from the quality management system (i.e., perhaps applying to such situations as small consultancies using no subcontractors, and using proprietary office materials and equipment that do not directly impact on product or service performance but not to many other situations). Where procurement is centrally controlled by a corporate procurement organization outside the scope of the QMS of the auditee organization, this is not justification for exclusion of 7.4 in its entirety. The organization is certainly responsible for providing purchasing information (7.4.2) to the corporate procurement organization, and for verification of purchased product (7.4.3) and perhaps participating in the re-evaluation process. In the event that a corporate office or other entity, outside the scope of registration, performs any sections of purchasing this shall be considered an outsourced process per requirements identified in section 4.1. It is expected to see a documented agreement in place (i.e. an Interface Agreement) between the organization and the supplier. It is expected to see a process is in place for evaluating and selecting suppliers as well as a process for ongoing re-evaluation of suppliers. While a written procedure for purchasing is not required, records of evaluation and actions arising from the evaluation are required to be maintained.

7.4.2 Purchasing Information

Purchasing information may take many forms however is generally a purchase order or requisition. It is expected to see that the information clearly describes the product to be purchased as well as any other requirements, including as appropriate: 7.4.2 a) the approval of products, procedures, processes and equipment. 7.4.2 b) the qualification requirements of personnel. 7.4.2 c) the QMS requirements.

7.4.3 Verification of Purchased Product

It is expected to see a process is in place to verify that purchased product meets requirements. This may take many forms depending on the product, these requirements shall be known to concerned and being accomplished. This may include receiving inspection and testing, visual inspection, receipt of certificates of conformance etc. In the event verification will take place at the suppliers premises the method for doing so must be stated in the purchasing information.

7.5 Production and Service Provision 7.5.1: Control of product and service provision
20 OF 31

Interpretations of The Standard ISO 9001:2008

There is the possibility of defining sub-clauses 7.5.1 b) work instructions, 7.5.1 c) the use of suitable equipment, and 7.5.1 f) post delivery activities as not applicable to the scope of their quality management system. The non-applicability of these items must be justified in the quality manual (4.2.2 a) and must not affect the organizations ability, or responsibility to provide product that meets customer and applicable regulatory requirements (1.2). The auditor will expect to see that production activity is well defined and understood. This is generally ascertained through interviews with employees on the production floor, review of documentation and observations. The auditor will verify the following at a minimum: 7.5.1 a) the information describing the characteristic of the product. This may be in the form of a work order, traveller, schedule etc. 7.5.1 b) the availability of work instructions or procedures as applicable. These may be in any format (electronic or paper); instructions may simply be included on the work order or traveller. Instructions do not have to be documented and could simply be provided through training. The auditor will review Control of Document, 4.2.3 as applicable. 7.5.1 c) the use of suitable equipment. The auditor will expect to see evidence that equipment is suitable for the process and that it is maintained. The auditor will investigate how equipment is maintained and how malfunctions are handled. This may be in conjunction with Infrastructure 6.3. 7.5.1 d - e) the availability of suitable monitoring and measuring devices and the implementation of monitoring and measurement. Measuring and monitoring may require record keeping i.e. operator log sheets, inspection sheets, routers or other documentation. Documentation will be reviewed as applicable per Control of Records 4.2.4. 7.5.1 f) the release, delivery and post delivery activities. Whether in process or final the auditor will expect to see that release, delivery and post delivery activities are defined. This may include release to the next process or for shipment to customers.

7.5.2: Validation of processes for production and service provision

This clause applies exclusively to special processes and not to all the processes of the quality management system in general. This clause may be considered within the quality management system as not applicable. Any organization that does not have any special processes can clearly note this clause as not applicable. Where special processes have been identified, ISO 9001 Certification Auditors will expect to see that 7.5.2 a- e have been arranged as appropriate, which includes ensuring that: 7.5.2 a) the organization establishes arrangements to ensure that these processes are reviewed and approved. 7.5.2 b) the equipment used and the personnel involved are qualified.

21 OF 31

Interpretations of The Standard ISO 9001:2008

7.5.2 c) specific methods and procedures are used (may require documentation). 7.5.2 d) records are maintained. 7.5.2 e) re-validation is performed for those instances where, for example, a deficiency is found. As an example, it may be determined that an individual is actually not qualified to perform a particular special process. Training may be provided to improve the individuals skills, following which the individuals qualifications should be re-validated to ensure they are capable of providing the planned results.

7.5.3: Identification and traceability

Organizations cannot completely exclude 7.5.3. Despite the phrase where appropriate, no organization can wholly claim non-applicability for identification. However, traceability can be identified as not applicable where it is not a requirement of the customer, the product regulatory requirements, or of the organization itself. The auditor will expect to see that product is identified (as appropriate) and its status with regards to monitoring and measuring (conforming or not) is identified throughout the product realization processes. Where traceability is a requirement, the auditor will expect to see that the organization is controlling and recording the unique identification of the product. This documentation is a required record per Control of Records 4.2.4.

7.5.4: Customer property

The auditor will expect to see that the organization has clearly identified any and all customer property. The auditor will verify that the organization has established a process to protect customer property. Further a process must be established for contacting the customer when these items are lost, damaged or otherwise found unsuitable for the process. This communication to the customer must be maintained as a Quality Record 4.2.4. Customer property may include (not limited to): Components supplied for inclusion into the product. Packaging material Transport Intellectual property drawings, specifications etc. Equipment or tools

7.5.5: Preservation of product

Auditor will expect to see that adequate measures are taken to protect/preserve product during internal processing and delivery to the intended destination. The preservation process must include the following: Identification - this is relative to 7.5.3 Identification and Traceability however for preservation of product it is a requirement and not as applicable. Auditor will expect to see that all products are clearly identified.

22 OF 31

Interpretations of The Standard ISO 9001:2008

Handling - auditor will verify that suitable handling methods are implemented throughout the processes. This may include bulk handing using moving equipment or physical contact where handling may influence product conformity. Packaging - auditor will expect to see that methods have been established for packaging product to preserve integrity. Storage - auditor will expect to see that product is stored in locations and in a manner to safe guard product. Protection auditor will verify that appropriate measures are in place to protect product. This may vary widely depending on the product.

7.6: Control of monitoring and measuring devices

Companies with no measuring equipment can claim non-applicability for this (as addressed from paragraph 3 of section 7.6 of the standard onwards). This clause addresses devices as well as equipment, and reconfirmation of computer software as necessary. The first two paragraphs address monitoring and measuring devices, and can be applicable to service companies as well as manufacturing organizations. For example, in a training organization, where consistency of evaluating and grading trainees (the product) needs to be assured, then calibration may be applicable. The Standard requires that a process be established to ensure that monitoring and measurement is carried out in a manner consistent with measurement requirements. Auditors will be looking for some process that ensures consistency of measurement outcome between all personnel who make acceptance decisions (for example, Gage R&R studies for key or critical characteristics might be one such process). The auditor will expect to see a process is in place to determine required measuring and monitoring to be accomplished as well as the devices needed to provide evidence of conformity. Many facilities use calibration software including a calibration master list of all devices. While this is not required, all devices requiring calibration must be identified and shall: 7.6 a) be calibrated or verified at specific intervals or prior to use . Devices must be calibrated using measurement standards traceable to international or national measurement standards. Where there is no standard available for the device the basis for calibration or verification must be recorded. Auditor expects to see that traceable standards are used and where applicable have not expired. Where calibration is completed by an outsourced process (vendor), the records of traceability must be reviewed. 7.6 b) Adjusted or readjusted as necessary. Auditor will expect to see evidence that devices found to be out of calibration are adjusted/re-adjusted by qualified personnel and the validity of the previous measuring results are accessed when a device is found to be out of calibration and appropriate action is taken (may include recall of product). Auditor will expect to see that a process is in place to provide traceability of each device to the

23 OF 31

Interpretations of The Standard ISO 9001:2008

process/product the device was used on. The results of calibration and verification are required to be maintained as quality records. 7.6 c) be identified to show calibration status. Auditor will expect to see that each device is labelled in such a way that the user can determine that the device has current calibration. Generally this is accomplished with a calibration sticker that provides a unique identification for the device, current calibration date and next calibration date. Other methods may be used however must clearly identify the calibration status. 7.6 d) Safeguarded from adjustments. Auditor would expect to see that a process is in place to ensure that users outside the calibration process do not adjust devices. Devices may be verified prior to use however any adjustments made to a device must meet all requirements of this section. 7.6 e) be protected from damage during handling, maintenance and storage. Auditor will expect to wee that measuring devices are handled and stored in a manner to protect the device from damage.

Clause 8: Measurement, Analysis and Improvement

8.1: General
The means (i.e. processes) and resources for accomplishing the three (3) requirements must be planned for and implemented. The processes must address four (4) different, but related, aspects: 1) Monitoring (i.e. examination, information and data collection, and reporting) 2) Measurement (i.e. determination and comparison of performance indicators against actuals against knowns, or against expectations and requirements i.e. inspections, tests, product and process audits, systems audits, SPC, etc.) 3) Analysis (review of data, evaluation of results and variances, causation analysis, application of statistical techniques, etc.) 4) Improvement (i.e. corrective and/or preventive action, refinement, enhancement, etc.) The various techniques, methodologies, resources, tools (including statistical techniques), and applicable procedures need to be determined for these Measurement, Analysis and Improvement processes. This is not for an organization to state that there is no need to use a statistical technique, if there is variability in their process or product characteristics, then there is a need for the use of a statistical technique. Fulfillment of the requirements in Section 8 is important if the organization is to fully embrace and effectively apply the principles of the Process Model and the Plan Do Check Act model.

8.2: Monitoring and Measurement 8.2.1: Customer Satisfaction

It is recognized / understood that Customer Satisfaction is:
24 OF 31

Interpretations of The Standard ISO 9001:2008

A viable, effective (albeit partial) measurement of the performance (merits, benefits, adequacy, suitability, effectiveness, etc.) of the quality system. An objective, goal, expectation of the quality system.

ISO 9000:2008, 3.3.5 defines the Customer as the organization or person that receives a product. The examples stated are; consumer, client, end-user, retailer, beneficiary and purchaser. It is intended that the customer satisfaction measurements be focused on external customer but in addition can include internal customers. Internal customer satisfaction measures can be contained in the establishment of the organizations defined internal process measurable objectives. Measuring only internal customer satisfaction would not meet the intent of this clause and must include all interested parties where appropriate. Customer Satisfaction is determined by the organization measuring its customers perception as to whether they have satisfied their customers requirements and may be somewhat subjective or qualitative as much as quantitative. Customer complaints are a common indicator of low customer satisfaction but their absence does not necessarily imply high customer satisfaction. Simply capturing customer complaints and product returns will only gauge dis-satisfaction which does not fully meet the intent of the clause and will not satisfy these requirements. The organizations management should analyse the implications of the absence or existence of customer complaints. Process definition is needed. The various techniques, methodologies, tools, resources, etc. (forms, surveys, frequency, targeted customers, responsibilities, external survey service companies, benchmarking, etc.) and applicable procedures need to be determined for: 1) Obtaining customer satisfaction information (i.e. identifying, collecting, monitoring and reporting various data/information) 2) Using customer satisfaction information (analyzing, understanding and responding to i.e. making changes, corrections, enhancements and improvements to the products/services/quality system) The requirements 5.2 8.4 a) 8.5.1 5.6.2 b) 7.2.3 in 8.2.1 interrelate closely with those in sub-clauses:

Customer Focus (. with aim of enhancing customer satisfaction.) Analysis of Data customer satisfaction Continual Improvement (via analysis of data) Management Review Input customer feedback Customer Communication customer feedback & complaints

8.2.2: Internal Audit

IMPORTANT INITIAL CERTIFICATION REQUIREMENT: For a new/first time registration/certification, a full round of internal audits, including documented evidence that all processes and sections of the standard have been audited, must be completed prior to the registration/certification audit being conducted. For multi-site/corporate certifications all processes performed at each site must be included in the initial round of internal audits. It is an expectation that internal audit planning and the evaluation of the internal audit results across all sites will be performed by the headquarters location (i.e. centrally managed). The results of this evaluation are to be presented during the management review process (see 5.6).
25 OF 31

Interpretations of The Standard ISO 9001:2008

Auditor expects a documented procedure developed that defines responsibilities and requirements for planning and conducting audits, reporting results and maintaining records (see 4.2.4). The Auditor makes a determination if the internal audit process is effective in maintaining the integrity of the quality management system. A statement indicating the level of effectiveness is normally included in the summary of the Certification audit report. In the event the auditor cannot state that the audit process is effective, a nonconformance should be raised. Internal audits should be planned based on the status and importance of the processes executed, in other words more emphasis (time audited) on those processes that have a direct or significant impact on the achievement of the organizational goals. In addition, previous audit results must be considered in the scheduling of future internal audits. Auditor will expect to see a schedule (plan) that has been developed considering the status and importance of the processes, previous audit results, and selection/assignment of auditors to ensure objectivity/impartiality (auditors can not audit their own work). It is expected that the internal audit process and internal audit schedules reflect the process approach. The auditor sees evidence that the audits include the requirements of ISO 9001:2008 as well as the requirements established by the organization. Nonconformances raised during the audit must be addressed without undue delay. The external auditor will expect to see that a process is in place to ensure that actions taken are implemented to eliminate the nonconformance and the cause. A process must be in place for follow up to ensure that the action(s) taken were effective. The results must be recorded. Auditors would expect to see that nonconformances follow the requirements of 8.5.2. However, there is no requirement to have one corrective action system and therefore it is acceptable to have a separate process for audit nonconformances as long as requirements for corrective action 8.5.2. are being met. Requirements of 8.2.2 interrelate closely with those in sub-clauses: 5.6.2 a) Management Review Input results of audits 8.5.1 Continual Improvement (via use of audit results) 8.5.2 Corrective Action (to eliminate deficiencies found in the audit) 8.5.3 Preventive Action (resulting from audit, analysis and observations)

8.2.3: Monitoring and Measurement of Processes

Applicable processes need to be identified in the Quality Manual, along with a description of the interaction between those processes. The applicable processes might include those relating to four general categories: 1) Management Activities, 2) Resource Management, 3) Product Realization, and 4) Measurement and Monitoring, but most companies will prefer to focus on their own particular COPS, MOPS, and SOPS. Fulfillment of the requirements in this sub-clause is important if the organization is to fully embrace and effectively apply the principles of the Process Model, the Plan Do Check Act model. The requirements of 8.2.3 interrelate closely with those in sub-clauses:

4.2.2 c) Quality Manual (include a description of interaction between processes) 5.6.2 a) Management Review Input (process performance)
26 OF 31

Interpretations of The Standard ISO 9001:2008

8.5.1 Continual Improvement (via analysis of data) 4.1 e & f) General Requirements (to implement, measure, monitor, Analyze and continually improve the processes).

The organization should identify monitoring, and, where appropriate, measurement methods to evaluate process performance. The organization should incorporate these measurements into processes and use the measurements in process management. Measurements of process performance should cover the needs and expectations of interested parties in a balanced manner. Examples (from ISO 9004:2008) might include: Process capability Reaction time Cycle time or throughput Measurable aspects of dependability Yield The effectiveness and efficiency of the organizations people Utilization of technologies Waste reduction Cost allocation and reduction

8.2.4: Monitoring and Measurement of Product

The organization must show evidence that a process is in place to monitor and measure the characteristics of product to verify that requirements are being met. This must be accomplished at appropriate stages of the product realization process and must be defined as required per Planning of Product Realization 7.1. Auditor will verify that records are maintained to provide evidence of conformity and indicate the person(s) authorizing the release of products. The release of product or delivery of service must not be completed until the planned requirements (7.1) have been met. For product release or service delivery, the planning requirements may be waived, but must be approved by relevant authority and by the customer as appropriate.

8.3: Control of Nonconforming Product

The Auditor will verify that a documented procedure has been developed to define the controls, responsibilities and authorities for dealing with nonconforming product. Product that does not meet requirements must be identified and controlled. The auditor will expect to see that nonconforming product is clearly labelled and segregated to prevent unintended use. It is important to note that requirements may extend beyond delivery of product, and/or to the point or time of use (i.e. during shipment/transit, until received and accepted at the customer, while on consignment at customers facility, etc.) This also suggests that the organization may be responsible to take action, even after use of the product has begun. Appropriate objective evidence (quality records) must be maintained. Requirements of 8.3 interrelate with those in sub-clauses: 8.2.1 Customer Satisfaction (possible impact upon)
27 OF 31

Interpretations of The Standard ISO 9001:2008

8.4 b) Analysis of Data (information relating conformance to product requirements) 8.5.2 Corrective Action (take action to eliminate cause of nonconformities and the action shall be appropriate to the effects)

There are only four possibilities auditors should see as dispositions of nonconforming product, 1- scrap, 2- rework or repair, 3- re-grading of the product, or 4 use with the concession of the customer and records maintained. Obviously reworked or repaired product requires subsequent verification prior to release.

8.4: Analysis of Data

The Auditor will expect to see that the organization has developed a process to identify, collect and analyse various data and information from both internal and external sources (i.e. quality records, monitoring and measuring results, process performance results, quality objectives, internal audit findings, customer surveys and feedback, 2nd or 3rd-party audit results, competitor and benchmarking information, product test results, complaints, supplier performance information, etc., etc.). This input (information and data) should reflect upon the adequacy, suitability, and effectiveness of the Quality Management System and its processes. The output (result of the analysis) must provide information (understanding, insight, awareness, confidence, knowledge of, etc.) about: Customer Satisfaction / Perception. Product Conformance Process performance Product / Process Characteristics Trends in Products / Processes Opportunities for Preventive Action Suppliers and subcontractors (i.e., all as defined in 8.4 a)-d))

Other potential or useful options might include: Need for Corrective Action Opportunity for Improvement Competition

Requirements of 8.4 interrelate with those in sub-clauses: 5.6.2 8.5.1 8.5.2 8.5.3 Management Review Input Continual Improvement Corrective Action Preventive Action

8.5: Improvement 8.5.1: Continual Improvement

Distinction must be made between continual and continuous improvement. Unlike continuous improvement (which must be constant, steady and always positive), continual

28 OF 31

Interpretations of The Standard ISO 9001:2008

improvement may show signs of dwells, momentary set-backs, delays or slight reversal provided the overall trend is positive/improving. The auditor will expect to see a process is in place for establishing and implementing continual improvement. Significant or sustained lack of improvement must be met with corrective action (i.e. get well plan) unless the undesirable condition is expected/predicted resulting from a conscious/deliberate decision by management (i.e. willingness to accept a temporary setback in productivity while new equipment/ processes are introduced.)

Drivers, or impetus for continual improvement must come from the use of (as a minimum): The quality policy Quality objectives Audit results Analysis of data Corrective actions Preventive actions Management review

Requirements of 8.5.1 interrelate with those in clauses / sub-clauses: 5.6.2 g) Management Review Input (recommendations for improvement) 5.6.3 a - b) Management Review Output (improvement of system, processes and product) 8.4 Analysis of Data 8.5.2 Corrective Action 8.5.3 Preventive Action

Note: it is the responsibility of the company to demonstrate improvement rather than the auditor to look for it. Accordingly, it is useful audit practice to ask management to identify any improvement initiatives taken since the previous visit, and also any planned for the future.

8.5.2: Corrective action

Corrective action is action taken to PREVENT the recurrence of actual problems. When a problem occurs, organizations invariably take remedial or containment action, or implement CORRECTION to contain or fix the immediate problem. Corrective action (as addressed in ISO 9001:2008 8.5.2) is any subsequent action to address the root cause and prevent recurrence. The auditor will verify that a documented procedure is in place to define the requirements for corrective action: 8.5.2 a) Reviewing nonconformities auditor will expect to see a process is in place for identifying nonconformities (types) and reviewing them to determine if the nonconformity
29 OF 31

Interpretations of The Standard ISO 9001:2008

requires corrective action. The section specifically identifies customer complaints however other sections such as internal audits, nonconforming product, monitoring and measurement of processes reference corrective action. Sources from ISO 9004:2008 include: Customer complaints Nonconformity reports Internal audit reports Output from management review Output from data analysis Outputs from satisfaction measurements Relevant quality management system records The organizations people Process measurements Results of self assessment

8.5.2 b) Determining cause auditor will expect to see a process is in place for determining root cause. 8.5.2 c) Evaluating action needed to prevent recurrence auditor will expect to see evidence that action(s) are evaluated and developed to prevent the nonconformance from recurring. 8.5.2 d) Implementing action evidence that actions are implemented. There is no requirement for time however auditor will expect to see evidence that actions are taken in a timely manner. 8.5.2 e) Maintaining records - corrective actions are required to be maintained as quality records per 4.2.4. 8.5.2 f) Reviewing action taken auditor will expect to see a process in place for reviewing completed corrective action to ensure that the action taken was effective in correcting the nonconformity. Note: The organization may choose to maintain one document for both corrective and preventive action. While this is acceptable, external auditors believe that the processes are unique and should be documented separately. Note: Organizations are free to use their own terminology (i.e., many define corrective action as the fix and preventive action as the subsequent cure). There is no problem with this provided they are not claiming that this preventive action (i.e., after the event) meets the requirements of 8.5.3 (action taken before the event). Note: For multi-site/corporate certifications auditors will expect to see that evaluation of corrective actions across all sites is being performed and analyzed (usually from the headquarters location). This would be an input to management review (see 5.6.2).

8.5.3: Preventive action

The auditor will verify that a documented procedure is in place to define the requirements for preventive action:
30 OF 31

Interpretations of The Standard ISO 9001:2008

8.5.3 a) Determining potential nonconformities - auditor will expect to see evidence that a process is in place for determining potential nonconformities. This may include many methods. Sources from ISO 9004:2008 include: Use of risk analysis tools. Review of customer needs and expectation. Market analysis. Management review output. Output from data analysis. Satisfaction measurements. Process Measurements. Lessons learned from past experience. Results of self-assessment. Processes that provide early warning of approaching out-ofcontrol operating conditions.

8.5.3 b) Evaluating action needed to prevent occurrence auditor will expect to see evidence that action(s) are evaluated and develop to prevent the occurrence of potential nonconformances. 8.5.3 c) Implementing action evidence that actions are implemented. There is no requirement for time however auditor will expect to see evidence that actions are taken in a timely manner. 8.5.3 d) Maintaining records - preventive actions are required to be maintained as quality records per 4.2.4. 8.5.3 e) Reviewing action taken auditor will expect to see a process in place for reviewing completed preventive action to ensure that the action taken was effective. Preventive action is action taken to PREVENT the occurrence of potential problems. The organization might welcome some auditor guidance on terminology. Many companies (especially small companies with simple systems) are struggling to identify opportunities to satisfy 8.5.3, as most of the standard is, in fact, focused on prevention. Anything related to evaluation of risk and related actions, or action to prevent an early dip in a trend graph becoming a problem can be accepted as objective evidence of compliance as well as clear up-front preventive initiatives, of course.

31 OF 31