ISO 9001 2015 Interpretation Guidance Sample
Clause-by-clause Interpretation
Transitioning to ISO 9001:2015
www.iso-9001-checklist.co.uk Page 1 of 42
8.2.4 Changes to Requirements for Products & Services
8.3 Design and Development of Products & Services
8.3.1 General
8.3.2 Design and Development Planning
8.3.3 Design and Development Inputs
8.3.4 Design and Development Controls
8.3.5 Design and Development Outputs
8.3.6 Design and Development Changes
8.4 Externally Provided Processes, Products & Services
8.4.1 General
8.4.2 Type and Extent of Control
8.4.3 Information for External Providers
8.5 Production and service provision
8.5.1 Control of Production and Service Provision
8.5.2 Identification and Traceability
8.5.3 Property Belonging to Customers or External Providers
8.5.4 Preservation
8.5.5 Post-delivery Activities
8.5.6 Control of Changes
8.6 Release of Products and Services
8.7 Non-conforming Process Outputs, Products & Services
Controlling Product and Process Non-conformities
Controlling Service-based Non-conformities
9.0 PERFORMANCE EVALUATION
9.1 Monitoring, Measurement, Analysis and Evaluation
9.1.1 General
9.1.2 Customer Satisfaction
9.1.3 Analysis and Evaluation
9.2 Internal Audit
9.3 Management Review
9.3.1 General
9.3.2 Management Review Inputs
9.3.3 Management Review Outputs
10.0 IMPROVEMENT
10.1 General
10.2 Nonconformity and Corrective Action
Dealing with Corrective Action
Define the Problem
Select an Interim Containment Action
Verify an Interim Containment Action
Implement an ICA
Identifying the Root-Cause
Complete a Comparative Analysis
Develop Root-cause Theories
Test the Theories
Verify the Root-Cause
Determine and Verify the Escape Point
Implementing & Validating Permanent Corrective Actions
Preventing Recurrence
10.3 Continual Improvement
Clause-by-Clause Interpretation

4.0 Context of the Organization

4.1 The Organization and its Context

The ‘Context of the Organization’ is a new requirement. You should allow additional time to prepare for each audit in order to establish a suitable understanding of the circumstances, and the market in which your organization operates. To be compliant, evidence should be obtained that proves that your organization is reviewing all pertinent internal and external issues at periodic intervals.

Although there is no requirement for documented information to define the context of the organization, your organization will find it helpful to retain the types of documented information listed below to help justify compliance:

1. Business plans and strategy reviews;
2. Competitor analysis;
3. Economic reports from business sectors or consultant’s reports;
4. SWOT analysis;
5. Minutes of meetings (Management and design review minutes);
6. Process maps, tables, spreadsheets, mind mapping diagrams;

4.2 The Needs and Expectations of Interested Parties

‘Understanding the Needs and Expectations of Interested Parties’ is a new requirement. You should allow additional time to prepare for each audit in order to establish a suitable understanding of the relevant interests of relevant interested parties that impact the QMS. If this differs from the perception, you should be prepared to challenge this. Look for evidence that the organization has undergone a process to initially identify these groups, and then to identify any of their requirements that are relevant to your organization’s quality management system.

You should also determine whether these groups’ requirements are reviewed and updated as changes in their requirements occur, or when changes to your organization’s QMS are planned.

4.3 Determining the Scope of the QMS

This requirement is comparable to ISO 9001:2008 Clause 4.2.2 – Quality Manual. You will need to verify that your organization’s scope exists as documented information (which may be in the form of a Quality Manual) in accordance with Clause 7.5.1a. Look for confirmation that your organization has determined the boundaries and applicability of the QMS to establish its scope with reference to any external and internal issues referred to in 4.1 and the requirements of relevant interested parties referred to in 4.2.

Check that this has been produced in consideration of your organization’s context and your products. You should review any exclusions previously noted under ISO 9001:2008 for ongoing suitability. Check that legacy issues which limited scope and omitted activities do not affect product conformity. Check that they are recorded and that the rationale for the exclusion is stated and justified.

4.4 The QMS and its Processes

This requirement is comparable to ISO 9001:2008 Clause 4 - Quality Management System and Clause 4.1 – General Requirements. You should
review how your organization has designed its process-based management system.

Existing operational procedures, work instructions and flow charts are valid examples of documented information and can be used to evidence that the requirement for ‘documented information to support the operation of processes’ is being met.

Check that process inputs and outputs are defined and review how each of the processes is sequenced and how they interact. Look for evidence that your organization has:

1. Implemented measurement criteria; (Clause 9.0)
2. Provided resources; (Clause 7.1)
3. Assigned duties/process owners; (Clause 5.3)
4. Assessed risks and opportunities; (Clause 6.1)
5. Improved its processes and the QMS; (Clause 10.0)
6. Maintained and retained documented information. (Clause 7.5.1)

Most of the requirements from Clause 4.4 are comparable to those found in ISO 9001:2008 Clauses 4.1 and 8.1 - General Requirements and Clause 8.2.3 - Monitoring and Measurement of Processes.

Based upon the extent of your organization’s QMS and processes, you should seek and record evidence that your organization has maintained documented information to support the operation of its processes; and that it has retained documented information to provide confidence that the processes are being carried out as planned.

Identifying Key Processes

Key processes are steps that you go through to give the customer what they want, e.g. from order acceptance to design through to delivery. Support processes, by contrast, do not contribute directly to what the customer wants but do help the key processes to achieve it. Support processes often include human resources, finance, document control, training and facilities maintenance, etc.

A good way to do this is to think about how work flows through your organization. Consider how the inputs and outputs to the key processes flow from one process to the next, what sub-processes might exist within it and how the support processes link in. For now, ignore the standard, in fact put it in a drawer and forget it exists. Instead focus on your key processes and how the departments interface with each other.

Once you have defined the processes and interfaces, go back to the standard and determine which processes are responsible for meeting which requirements. When defining your organization’s processes, think about each process and department and try to define those processes around the current organizational model and not around the requirements of the standard.

Certification auditors will expect to see a process model that explains the key processes of the business and how each relates and links to the others. The depth of process explanation may be as detailed as the company chooses, but should be based on its customer and applicable regulations or statutory requirements, the nature of its activities and its overall corporate strategy. In determining which processes should be determined and documented the organization may wish to consider factors such as:
responsibility. Implement and maintain a risk management process to protect and support your organization’s responsibilities.

An effective risk management approach is not only good business practice but provides organizational resilience, confidence and benefits, including:

1. Provides a rigorous decision-making and planning process;
2. Provides the flexibility to respond to unexpected threats;
3. Takes advantage of opportunities and provides competitive advantage;
4. Equips managers with tools to anticipate changes and threats, and to allocate appropriate resources;
5. Provides assurance to Top management and stakeholders that critical risks are being managed appropriately;
6. Enables better business resilience and compliance management.

2. Assure consistency of quality of goods and services;
3. Establishes a proactive culture of prevention and improvement;
4. Intuitively take a risk-based approach.

We suggest that you use the familiar Plan-Do-Check-Act (PDCA) methodology to manage your organization’s transition to risk-based thinking; using this approach:

• Plan: Gain leadership commitment, identify and assess risks. Create a plan to address risks and opportunities.
• Act: Implement any changes to your approach, continually review opportunities for improvement.

Risk Management Methodology
1. Clause 4.4.1 requires your organization to determine the risks which can affect its ability to meet the system objectives. Risk-based thinking means considering risk quantitatively as well as qualitatively, depending on the business context.
2. Clauses 5.1.1 and 5.1.2 require Top management to demonstrate leadership and commit to ensuring that risks and opportunities that can affect the conformity of a product or service are determined and addressed.
3. Clauses 6.1.1 and 6.1.2 require your organization to take action to identify risks and opportunities, and plan how to address the identified risks and opportunities.

Risk evaluation should become embedded into your organization’s day-to-day operations and should be undertaken at all levels throughout your organization. The overall aim of risk evaluation is to ensure that organizational capabilities and resources are employed in an efficient and effective manner to manage opportunities and threats. Risk evaluation can be represented as a seven-step, cyclical process:

[Figure: cyclical risk evaluation process. Step labels recoverable from the diagram: Plan, Identify, Assess, Monitor.]

Your organization should develop and document a plan that briefly describes how and when risk, in the form of strengths, weaknesses, opportunities and threats, will be assessed, and who will be involved. This should reflect the scope (including its complexity, interfaces, etc.), policies and objectives.
Risk Quantification – Risks should be assessed in terms of their probability to impact on objectives:

| Score | Likelihood | Description | Percentage | Probability |
|---|---|---|---|---|
| 1 | Rare | May only occur in exceptional circumstances | <0.1% | 1 in 1,000 |
| 2 | Unlikely | Could occur during a specified time period | 1% | 1 in 100 |
| 3 | Possible | Might occur within a given time period | 10% | 1 in 10 |
| 4 | Likely | Will probably occur in most circumstances | 50% | 1 in 2 |
| 5 | Almost Certain | Expected to occur in most circumstances | >95% | 1 in 1 |

Impact & Consequence Criteria

Risk Quantification – Risks should be assessed in terms of the consequence of their impact on objectives:

| Score | Impact | Quality |
|---|---|---|
| 1 | Negligible | Quality of one or more products not on critical path does not meet quality criteria for product acceptance, but specified quality is achievable. |
| 2 | Minor | Quality of a product on critical path does not meet quality criteria for product acceptance, but specified quality is achievable. |
| 3 | Moderate | Quality of more than one product on critical path does not meet quality criteria for product acceptance, but specified quality is achievable. |
| 4 | Major | Quality of a product on critical path does not meet quality criteria for product acceptance, and specified quality is not achievable. |
| 5 | Catastrophic | Quality of more than one product on critical path does not meet quality criteria for product acceptance, and specified quality is not achievable. |

Risk Exposure & Control Action

The purpose of prioritising the risk is to determine the level of action needed for the identified and assessed risks.

| Score | Colour | Management Control Action (MCA) |
|---|---|---|
| 1 to 4 | Very Low | No mitigation or action is required, the risk is considered ALARP. Monitor to ensure that the risk remains tolerable at this level. |
| 5 to 8 | Low | Maintain assurance that risk remains tolerable. Monitor and manage by routine procedures, unlikely to need specific application of resources (managers and key staff). |
| 9 to 12 | Medium | Tolerable if the cost of reduction would exceed the improvement gained. Mitigate by managing specific reviews and ensuring regular monitoring occurs. |
| 13 to 15 | High | Tolerable only if risk reduction is impractical or if cost is disproportionate to the improvement. Mitigate by implementing controls to reduce the risk so far as is reasonably practicable. Where this cannot happen, continual monitoring should occur. |
| 16 to 25 | Very High | Intolerable, the risk cannot be justified, except in extraordinary circumstances. Mitigate by ceasing all related activities. |
Step 6: Reporting

Regular reports are necessary to inform and provide assurance to Top management and other key stakeholders that risks are being appropriately managed. Reporting must be based on current process data, which must be updated and reviewed in good time for the reporting cycle (see Step 5 above).

On occasion, it may be appropriate to escalate a risk to ensure it is assessed and/or managed by the person or party best placed to do so (able and with appropriate authority). For example, where a more substantial or coordinated response is required than the current owner can authorise or implement, or where the risk severity or its effects on the wider project justify higher level assessment and/or management.

Step 7: Monitoring

Continuous systematic and formal monitoring of implementation of the risk process and outputs will take place against appropriate performance

Quality objectives should be measurable and are likely to have their own metrics by which levels of attainment can be ascertained. Check that the quality objectives are communicated throughout the organization and that they are updated to ensure relevance to changing business needs.

You should seek and record evidence that effective planning was undertaken in support of the organization’s quality objectives and their achievement. You should ensure that this planning activity takes into account the considerations of Clause 6.2.1, as well as the following points:

1. Identification of processes, resources, and skills needed to achieve quality;
2. Identification of suitable verification criteria at appropriate stages;
3. Compatibility of design, production, inspection and testing;
4. The confirmation of criteria of acceptability for all features and requirements;