Transitioning to ISO 9001:2008 – Considerations for Internal Auditors. Instructor: Don Wood, ISOmatrix Senior Specialist. Review of Changes from ISO 9001:2000 to ISO 9001:2008. High-level summary of changes. Emphasis on “product conformity to requirements” as the focus of the QMS
Transitioning to ISO 9001:2008 – Considerations for Internal Auditors Instructor: Don Wood, ISOmatrix Senior Specialist
High-level summary of changes
• Emphasis on “product conformity to requirements” as the focus of the QMS
• Addition of “statutory and” to clauses that previously only referenced “regulatory” requirements
• Changes in terminology
  • Measuring “equipment” vs. “devices” – better alignment with ISO 9000:2005
  • “Determine” vs. “identify” – implies that more review and analysis (especially with regard to processes) should take place
• Increased use of “Where applicable”, placing more onus on organizations to use judgment in how requirements are applied within their QMS
• Expanded use of notes to clarify the intent of requirements and provide more examples for organizations to use
• Numerous changes to improve grammar, flow and ease of translation into other languages
• Improved alignment with ISO 14001:2004
• Updated references, both internally within ISO 9001:2008 and externally to other management system and guidance standards
What didn’t change
• No new requirements for documented procedures
• No requirements for documented procedures removed, either
• By most interpretations, no new requirements, period; merely minor modifications to existing requirements
  • Some of these modifications have implications for internal auditors
• No changes in the certification process
• No changes in the auditing process or auditing guidelines
Transitioning to ISO 9001:2008: maximum 24-month implementation from publication (maximum allowed time to upgrade)
• Nov. 15, 2008: ISO 9001:2008 released
• Nov. 15, 2009 (12 months): All NEW certificates must be issued against ISO 9001:2008
• Nov. 15, 2010 (24 months): Existing ISO 9001:2009 certificates no longer valid
Key to summary of changes
Legend: text removed from ISO 9001:2000; text added to ISO 9001:2008.

Clause 0.3 Relationship with ISO 9004

ISO 9001:2000: The present editions of ISO 9001 and ISO 9004 have been developed as a consistent pair of quality management system standards which have been designed to complement each other, but can also be used independently. Although the two International Standards have different scopes, they have similar structures in order to assist their application as a consistent pair. ISO 9001 specifies requirements for a quality management system that can be used for internal application by organizations, or for certification, or for contractual purposes. It focuses on the effectiveness of the quality management system in meeting customer requirements. ISO 9004 gives guidance on a wider range of objectives of a quality management system than does ISO 9001, particularly for the continual improvement of an organization's overall performance and efficiency, as well as its effectiveness. ISO 9004 is recommended as a guide for organizations whose top management wishes to move beyond the requirements of ISO 9001, in pursuit of continual improvement of performance. However, it is not intended for certification or for contractual purposes.

ISO 9001:2008: ISO 9001 and ISO 9004 are quality management system standards which have been designed to complement each other, but can also be used independently. ISO 9001 specifies requirements for a quality management system that can be used for internal application by organizations, or for certification, or for contractual purposes. It focuses on the effectiveness of the quality management system in meeting customer requirements. At the time of publication of this International Standard, ISO 9004 is under revision. The revised edition of ISO 9004 will provide guidance to management for achieving sustained success for any organization in a complex, demanding, and ever changing, environment. ISO 9004 provides a wider focus on quality management than ISO 9001; it addresses the needs and expectations of all interested parties and their satisfaction, by the systematic and continual improvement of the organization’s performance. However, it is not intended for certification, regulatory or contractual use.
Caution!
• What follows is NOT a complete summary of changes from the 2000 to the 2008 version of ISO 9001
• Rather, this is a listing of changes we feel are of greatest concern to internal auditors and their management
• Internal auditors MUST review ISO 9001:2008 in detail and review ALL of the changes to ensure adequate competency as auditors
• There are a number of excellent articles and summaries available online
  • Major certification bodies
  • Quality Digest
  • ASQ
  • ISO
  • Whittington Group
Clause 4.1 General requirements

ISO 9001:2000: The organization shall establish, document, implement and maintain a quality management system and continually improve its effectiveness in accordance with the requirements of this International Standard. The organization shall a) identify the processes needed for the quality management system and their application throughout the organization (see 1.2), b) determine the sequence and interaction of these processes, c) determine criteria and methods needed to ensure that both the operation and control of these processes are effective, d) ensure the availability of resources and information necessary to support the operation and monitoring of these processes, e) monitor, measure and analyse these processes, and f) implement actions necessary to achieve planned results and continual improvement of these processes. These processes shall be managed by the organization in accordance with the requirements of this International Standard.

ISO 9001:2008: The organization shall establish, document, implement and maintain a quality management system and continually improve its effectiveness in accordance with the requirements of this International Standard. The organization shall a) determine the processes needed for the quality management system and their application throughout the organization (see 1.2), b) determine the sequence and interaction of these processes, c) determine criteria and methods needed to ensure that both the operation and control of these processes are effective, d) ensure the availability of resources and information necessary to support the operation and monitoring of these processes, e) monitor, measure where applicable, and analyse these processes, and f) implement actions necessary to achieve planned results and continual improvement of these processes. These processes shall be managed by the organization in accordance with the requirements of this International Standard.
Clause 4.1 General requirements (cont’d)

ISO 9001:2000: Where an organization chooses to outsource any process that affects product conformity with requirements, the organization shall ensure control over such processes. Control of such outsourced processes shall be identified within the quality management system. NOTE Processes needed for the quality management system referred to above should include processes for management activities, provision of resources, product realization and measurement.

ISO 9001:2008: Where an organization chooses to outsource any process that affects product conformity to requirements, the organization shall ensure control over such processes. The type and extent of control to be applied to these outsourced processes shall be defined within the quality management system. NOTE 1 Processes needed for the quality management system referred to above include processes for management activities, provision of resources, product realization, measurement, analysis and improvement. NOTE 2 An “outsourced process” is a process that the organization needs for its quality management system and which the organization chooses to have performed by an external party. NOTE 3 Ensuring control over outsourced processes does not absolve the organization of the responsibility of conformity to all customer, statutory and regulatory requirements. The type and extent of control to be applied to the outsourced process can be influenced by factors such as a) the potential impact of the outsourced process on the organization's capability to provide product that conforms to requirements, b) the degree to which the control for the process is shared, c) the capability of achieving the necessary control through the application of 7.4.
Impact of changes – 4.1 General requirements
• Effect of changes
  • “Determine” vs. “identify” processes – clearer intent, easier to translate
  • Subclause e) – removes requirement to “measure” ALL QMS processes. Now organizations can use judgment as to where measurement of a process (vs. monitoring and analysis) is warranted
  • Note 1 – expands scope of required QMS processes to include processes for analysis and improvement
  • Outsourced processes
    • Expands definition – can include QMS processes performed by other entities within an organization (i.e. corporate HQ, design centers, distribution centers) as well as by third parties
    • Emphasizes point that organizations are held responsible for performance of outsourced processes
    • Lists factors that should be considered in defining controls on outsourced processes
• Auditing Considerations
  • Re: Subclause e) – The use of “Where applicable” here has implications for both QMS design and auditing – more on this later in the presentation
  • Re: Note 1 – Auditors should ensure that processes for analysis and improvement are defined within the QMS, and documented where deemed necessary
  • Re: Outsourced processes – Auditors should carefully review how their organization has identified any outsourced processes, and how control of such processes is identified within their QMS.
Clause 4.2.1 (Documentation Requirements) General

ISO 9001:2000: The quality management system documentation shall include a) documented statements of a quality policy and quality objectives, b) a quality manual, c) documented procedures required by this International Standard, d) documents needed by the organization to ensure the effective planning, operation and control of its processes, and e) records required by this International Standard (see 4.2.4). NOTE 1 Where the term “documented procedure” appears within this International Standard, this means that the procedure is established, documented, implemented and maintained. NOTE 2 The extent of the quality management system documentation can differ from one organization to another due to a) the size of organization and type of activities, b) the complexity of processes and their interactions, and c) the competence of personnel. NOTE 3 The documentation can be in any form or type of medium.

ISO 9001:2008: The quality management system documentation shall include a) documented statements of a quality policy and quality objectives, b) a quality manual, c) documented procedures and records required by this International Standard, and d) documents, including records, determined by the organization to be necessary to ensure the effective planning, operation and control of its processes. NOTE 1 Where the term “documented procedure” appears within this International Standard, this means that the procedure is established, documented, implemented and maintained. A single document may address the requirements for one or more procedures. A requirement for a documented procedure may be covered by more than one document. NOTE 2 The extent of the quality management system documentation can differ from one organization to another due to a) the size of organization and type of activities, b) the complexity of processes and their interactions, and c) the competence of personnel. NOTE 3 The documentation can be in any form or type of medium.
Impact of changes – 4.2.1 Documentation requirements - General
• Effect of changes
  • Emphasizes that both records required by ISO 9001:2008 AND records deemed necessary by the organization are considered part of an organization’s QMS documentation
  • With regard to “documented procedures” required by ISO 9001:2008, clarifies the intent that organizations can structure their QMS documentation any way they choose – one procedure to address a requirement for a documented procedure, or many procedures, or one procedure to address multiple documented procedure requirements (i.e. Document AND Record Control, Corrective AND Preventive Action)
• Auditing Considerations
  • Re: Note 1 – Auditors now have clear direction from ISO concerning their organization’s freedom to be flexible in how they structure their QMS documentation
Clause 4.2.3 Control of documents

ISO 9001:2000: Documents required by the quality management system shall be controlled. Records are a special type of document and shall be controlled according to the requirements given in 4.2.4. A documented procedure shall be established to define the controls needed a) to approve documents for adequacy prior to issue, b) to review and update as necessary and re-approve documents, c) to ensure that changes and the current revision status of documents are identified, d) to ensure that relevant versions of applicable documents are available at points of use, e) to ensure that documents remain legible and readily identifiable, f) to ensure that documents of external origin are identified and their distribution controlled, and g) to prevent the unintended use of obsolete documents, and to apply suitable identification to them if they are retained for any purpose.

ISO 9001:2008: Documents required by the quality management system shall be controlled. Records are a special type of document and shall be controlled according to the requirements given in 4.2.4. A documented procedure shall be established to define the controls needed a) to approve documents for adequacy prior to issue, b) to review and update as necessary and re-approve documents, c) to ensure that changes and the current revision status of documents are identified, d) to ensure that relevant versions of applicable documents are available at points of use, e) to ensure that documents remain legible and readily identifiable, f) to ensure that documents of external origin determined by the organization to be necessary for the planning and operation of the quality management system are identified and their distribution controlled, and g) to prevent the unintended use of obsolete documents, and to apply suitable identification to them if they are retained for any purpose.
Impact of changes – Control of documents
• Effect of changes
  • Subclause f) clarifies the intended scope of “external documents”
  • Improves alignment of 4.2.3 f) with its corresponding requirement in ISO 14001:2004 (4.4.5 f))
• Auditing Considerations
  • Auditors should review controls on external documents. The focus of this requirement is clearly on external documents pertaining to “conformity to product requirements”. You may be over- (or under-) controlling these documents
  • Examples may include customer-supplied drawings, customer specifications and product standards, nationally- or industry-recognized standards (i.e. ASTM, ASME, commodity-specific), statutory/regulatory requirements (FMVSS, FAA, FDA)
  • Keep in mind – “documents” can be hard copy or electronic
Clause 6.2.1 (Human resources) General

ISO 9001:2000: Personnel performing work affecting product quality shall be competent on the basis of appropriate education, training, skills and experience.

ISO 9001:2008: Personnel performing work affecting conformity to product requirements shall be competent on the basis of appropriate education, training, skills and experience. NOTE Conformity to product requirements can be affected directly or indirectly by personnel performing any task within the quality management system.
Impact of changes – Human resources - General
• Effect of changes
  • Emphasizes the definition of product quality as the degree of conformance to product requirements
  • Clarifies the intended scope of competency, training and awareness
• Auditing Considerations
  • Ensure that this requirement is applied appropriately within your organization:
    • Employees that impact product quality, directly or indirectly
    • Contract personnel that impact product quality, directly or indirectly
    • Temporary personnel that impact product quality, directly or indirectly
Clause 6.2.2 Competence, training and awareness (was Competence, awareness and training)

ISO 9001:2000: The organization shall a) determine the necessary competence for personnel performing work affecting product quality, b) provide training or take other actions to satisfy these needs, c) evaluate the effectiveness of the actions taken, d) ensure that its personnel are aware of the relevance and importance of their activities and how they contribute to the achievement of the quality objectives, and e) maintain appropriate records of education, training, skills and experience (see 4.2.4).

ISO 9001:2008: The organization shall a) determine the necessary competence for personnel performing work affecting conformity to product requirements, b) where applicable, provide training or take other actions to achieve the necessary competence, c) evaluate the effectiveness of the actions taken, d) ensure that its personnel are aware of the relevance and importance of their activities and how they contribute to the achievement of the quality objectives, and e) maintain appropriate records of education, training, skills and experience (see 4.2.4).
Impact of changes – Competence, training and awareness
• Effect of changes
  • Again, “conformity to product requirements” vs. “product quality”
  • Subclause b) – “where applicable”, allows organizations to use judgment regarding the need for training or other actions
    • Long-term employees
    • Very simple tasks
  • Keeps focus on competence
• Auditing Considerations
  • Subclause b) – “Where applicable” – more on this later
  • “Competence” – “Demonstrated ability to apply knowledge and skills” (ISO 9000:2005 3.1.6) – how is competence assessed? (vs. simple delivery of training). This is often fertile ground for auditing
  • Good technique – assess process/product performance to requirements, compare to training provided.
Clause 6.3 Infrastructure

ISO 9001:2000: The organization shall determine, provide and maintain the infrastructure needed to achieve conformity to product requirements. Infrastructure includes, as applicable a) buildings, workspace and associated utilities, b) process equipment (both hardware and software), and c) supporting services (such as transport or communication).

ISO 9001:2008: The organization shall determine, provide and maintain the infrastructure needed to achieve conformity to product requirements. Infrastructure includes, as applicable, a) buildings, workspace and associated utilities, b) process equipment (both hardware and software), and c) supporting services (such as transport, communication or information systems).
Impact of changes – 6.3 Infrastructure
• Effect of changes
  • Subclause c) – “such as” list now includes information systems
• Auditing Considerations
  • Assess the impact of information systems on conformance to customer, statutory and regulatory requirements and ensure that 6.3 requirements are appropriately addressed (if they’re not already)
Clause 7.2.1 (Customer-related processes) Determination of requirements related to the product

ISO 9001:2000: The organization shall determine a) requirements specified by the customer, including the requirements for delivery and post-delivery activities, b) requirements not stated by the customer but necessary for specified or intended use, where known, c) statutory and regulatory requirements related to the product, and d) any additional requirements determined by the organization.

ISO 9001:2008: The organization shall determine a) requirements specified by the customer, including the requirements for delivery and post-delivery activities, b) requirements not stated by the customer but necessary for specified or intended use, where known, c) statutory and regulatory requirements applicable to the product, and d) any additional requirements considered necessary by the organization. NOTE Post-delivery activities include, for example, actions under warranty provisions, contractual obligations such as maintenance services, and supplementary services such as recycling or final disposal.
Impact of changes – 7.2.1 Determination of requirements related to the product
• Effect of changes
  • Subclauses c) and d) – clarifies intent of requirement
  • Note: Clarifies definition and gives examples of “post-delivery services”; encourages consideration of entire product lifecycle
• Auditing Considerations
  • Ensure that any customer-required post-delivery services are determined and reviewed during contract review/quotation processes (or their equivalent in your organization)
Clause 7.3.1 (Design and development) Design and development planning

ISO 9001:2000: The organization shall plan and control the design and development of product. During the design and development planning, the organization shall determine a) the design and development stages, b) the review, verification and validation that are appropriate to each design and development stage, and c) the responsibilities and authorities for design and development. The organization shall manage the interfaces between different groups involved in design and development to ensure effective communication and clear assignment of responsibility. Planning output shall be updated, as appropriate, as the design and development progresses.

ISO 9001:2008: The organization shall plan and control the design and development of product. During the design and development planning, the organization shall determine a) the design and development stages, b) the review, verification and validation that are appropriate to each design and development stage, and c) the responsibilities and authorities for design and development. The organization shall manage the interfaces between different groups involved in design and development to ensure effective communication and clear assignment of responsibility. Planning output shall be updated, as appropriate, as the design and development progresses. NOTE Design and development review, verification and validation have distinct purposes. They can be conducted and recorded separately or in any combination, as suitable for the product and the organization.
Impact of changes – 7.3.1 Design and development planning
• Effect of changes
  • Emphasizes that organizations can structure the activities of review, verification and validation in any means that suits them, so long as these activities “…are appropriate to each design and development stage…”
• Auditing Considerations
  • Auditors should ensure that the activities of design and development review, verification and validation are suitable for their organization’s modes of operation (keep in mind, all 3 activities are required at some point in the design and development process).
  • This is especially important if you structured these activities around your perception (or a CB auditor’s perception) of ISO 9001:2000’s requirements, rather than what makes sense:
    • To your organization
    • For the products/services you provide
    • For the level of responsibility your organization has for design and development
Clause 7.3.3 (Design and development) Design and development outputs

ISO 9001:2000: The outputs of design and development shall be provided in a form that enables verification against the design and development input and shall be approved prior to release. Design and development outputs shall a) meet the input requirements for design and development, b) provide appropriate information for purchasing, production and for service provision, c) contain or reference product acceptance criteria, and d) specify the characteristics of the product that are essential for its safe and proper use.

ISO 9001:2008: The outputs of design and development shall be in a form suitable for verification against the design and development input and shall be approved prior to release. Design and development outputs shall a) meet the input requirements for design and development, b) provide appropriate information for purchasing, production and service provision, c) contain or reference product acceptance criteria, and d) specify the characteristics of the product that are essential for its safe and proper use. NOTE Information for production and service provision can include details for the preservation of product.
Impact of changes – 7.3.3 Design and development outputs
• Effect of changes
  • Grammatical
  • Emphasizes that preservation of product should be considered during design and development outputs
• Auditing Considerations
  • Auditors should ensure that consideration is given to preservation of product during design and development
  • Examples may include (as appropriate)
    • Storage areas
    • Bins, totes, transport methods used in process
    • Handling methods
    • Packaging and packaging methods
    • Transport and logistics methods and services (inbound and outbound)
Clause 7.5.3 (Production and service provision) Identification and traceability

ISO 9001:2000: Where appropriate, the organization shall identify the product by suitable means throughout product realization. The organization shall identify the product status with respect to monitoring and measurement requirements. Where traceability is a requirement, the organization shall control and record the unique identification of the product (see 4.2.4). NOTE In some industry sectors, configuration management is a means by which identification and traceability are maintained.

ISO 9001:2008: Where appropriate, the organization shall identify the product by suitable means throughout product realization. The organization shall identify the product status with respect to monitoring and measurement requirements throughout product realization. Where traceability is a requirement, the organization shall control the unique identification of the product and maintain records (see 4.2.4). NOTE In some industry sectors, configuration management is a means by which identification and traceability are maintained.
Impact of changes – 7.5.3 Identification and traceability
• Effect of changes
  • Clarifies the intent that product shall be identified with respect to its monitoring and measurement status during all phases of product realization
  • Grammatical
• Auditing Considerations
  • Ensure that product is identified with respect to monitoring and measurement status during all stages of product realization, for example:
    • Receiving
    • Storage
    • In-process
    • Final inspection
    • Shipping
Clause 7.5.4 (Production and service provision) Customer property

ISO 9001:2000: The organization shall exercise care with customer property while it is under the organization's control or being used by the organization. The organization shall identify, verify, protect and safeguard customer property provided for use or incorporation into the product. If any customer property is lost, damaged or otherwise found to be unsuitable for use, this shall be reported to the customer and records maintained (see 4.2.4). NOTE Customer property can include intellectual property.

ISO 9001:2008: The organization shall exercise care with customer property while it is under the organization's control or being used by the organization. The organization shall identify, verify, protect and safeguard customer property provided for use or incorporation into the product. If any customer property is lost, damaged or otherwise found to be unsuitable for use, the organization shall report this to the customer and maintain records (see 4.2.4). NOTE Customer property can include intellectual property and personal data.
Impact of changes – 7.5.4 Customer property
• Effect of changes
  • Grammatical
  • Note – adds personal data. This is in response to increasing concerns over identity theft and security
• Auditing Considerations
  • Auditors should review controls on customer’s personal data and ensure that adequate safeguards and security provisions are in place.
    • Access to this data is adequately controlled
    • Procedures are in place to notify customers if this data is lost (or presumably, stolen)
    • Legal and customer requirements are addressed
Clause 7.6 Control of monitoring and measuring equipment (was Control of monitoring and measuring devices)

ISO 9001:2000: The organization shall determine the monitoring and measurement to be undertaken and the monitoring and measuring devices needed to provide evidence of conformity of product to determined requirements (see 7.2.1). The organization shall establish processes to ensure that monitoring and measurement can be carried out and are carried out in a manner that is consistent with the monitoring and measurement requirements. Where necessary to ensure valid results, measuring equipment shall a) be calibrated or verified at specified intervals, or prior to use, against measurement standards traceable to international or national measurement standards; where no such standards exist, the basis used for calibration or verification shall be recorded; b) be adjusted or re-adjusted as necessary; c) be identified to enable the calibration status to be determined; d) be safeguarded from adjustments that would invalidate the measurement result; e) be protected from damage and deterioration during handling, maintenance and storage.

ISO 9001:2008: The organization shall determine the monitoring and measurement to be undertaken and the monitoring and measuring equipment needed to provide evidence of conformity of product to determined requirements. The organization shall establish processes to ensure that monitoring and measurement can be carried out and are carried out in a manner that is consistent with the monitoring and measurement requirements. Where necessary to ensure valid results, measuring equipment shall a) be calibrated or verified, or both, at specified intervals, or prior to use, against measurement standards traceable to international or national measurement standards; where no such standards exist, the basis used for calibration or verification shall be recorded (see 4.2.4); b) be adjusted or re-adjusted as necessary; c) have identification in order to determine its calibration status; d) be safeguarded from adjustments that would invalidate the measurement result; e) be protected from damage and deterioration during handling, maintenance and storage.
Clause 7.6 Control of monitoring and measuring equipment (was Control of monitoring and measuring devices) – cont’d

ISO 9001:2000: In addition, the organization shall assess and record the validity of the previous measuring results when the equipment is found not to conform to requirements. The organization shall take appropriate action on the equipment and any product affected. Records of the results of calibration and verification shall be maintained (see 4.2.4). When used in the monitoring and measurement of specified requirements, the ability of computer software to satisfy the intended application shall be confirmed. This shall be undertaken prior to initial use and reconfirmed as necessary. NOTE See ISO 10012-1 and ISO 10012-2 for guidance.

ISO 9001:2008: In addition, the organization shall assess and record the validity of the previous measuring results when the equipment is found not to conform to requirements. The organization shall take appropriate action on the equipment and any product affected. Records of the results of calibration and verification shall be maintained (see 4.2.4). When used in the monitoring and measurement of specified requirements, the ability of computer software to satisfy the intended application shall be confirmed. This shall be undertaken prior to initial use and reconfirmed as necessary. NOTE Confirmation of the ability of computer software to satisfy the intended application would typically include its verification and configuration management to maintain its suitability for use.
Impact of changes – 7.6 Control of monitoring and measuring equipment • Effect of changes • “Equipment” vs. “Device” – this change in terminology is now consistent throughout ISO 9001:2008 • Subclause a) – clarifies that in some cases, both calibration and verification may be necessary in order to ensure that equipment provides valid results • Subclause e) – intent is to further clarify that identification of calibration status need not be physically present on measurement equipment (i.e. an ID number or serial number traceable to a calibration database has long been acceptable) • Note – clarifies the intent of software verification requirements • Auditing Considerations • Review the definitions in ISO 9000:2005; the intent is that the definition of “measuring equipment” encompasses “measuring instruments”, which includes measuring “devices” • Re: subclause a) – ensure that both calibration and verification are appropriately utilized in their organization • Re: software – If you use measuring equipment that relies on software to provide results, review the note and ensure that: • Appropriate procedures are in place to verify the validity of the results the software provides • Appropriate configuration management procedures are in place (think version control, for those of you not involved in aerospace or medical devices)
Clause 8.2.1 (Monitoring) – Customer satisfaction
ISO 9001:2000: As one of the measurements of the performance of the quality management system, the organization shall monitor information relating to customer perception as to whether the organization has met customer requirements. The methods for obtaining and using this information shall be determined.
ISO 9001:2008: As one of the measurements of the performance of the quality management system, the organization shall monitor information relating to customer perception as to whether the organization has met customer requirements. The methods for obtaining and using this information shall be determined. NOTE Monitoring customer perception can include obtaining input from sources such as customer satisfaction surveys, customer data on delivered product quality, user opinion surveys, lost business analysis, compliments, warranty claims and dealer reports.
Impact of changes – 8.2.1 Customer satisfaction • Effect of changes • Gives examples of potential sources of information regarding “…customer perception as to whether the organization has met customer requirements.” • Auditing Considerations • Ensure that your organization is using appropriate methods to determine customer satisfaction. The note provides examples of data which may be reviewed.
Clause 8.2.2 (Monitoring) – Internal audit
ISO 9001:2000: The organization shall conduct internal audits at planned intervals to determine whether the quality management system a) conforms to the planned arrangements (see 7.1), to the requirements of this International Standard and to the quality management system requirements established by the organization, and b) is effectively implemented and maintained. An audit programme shall be planned, taking into consideration the status and importance of the processes and areas to be audited, as well as the results of previous audits. The audit criteria, scope, frequency and methods shall be defined. Selection of auditors and conduct of audits shall ensure objectivity and impartiality of the audit process. Auditors shall not audit their own work. The responsibilities and requirements for planning and conducting audits, and for reporting results and maintaining records (see 4.2.4) shall be defined in a documented procedure. The management responsible for the area being audited shall ensure that actions are taken without undue delay to eliminate detected nonconformities and their causes. Follow-up activities shall include the verification of the actions taken and the reporting of verification results (see 8.5.2). NOTE See ISO 10011-1, ISO 10011-2 and ISO 10011-3 for guidance.
ISO 9001:2008: The organization shall conduct internal audits at planned intervals to determine whether the quality management system a) conforms to the planned arrangements (see 7.1), to the requirements of this International Standard and to the quality management system requirements established by the organization, and b) is effectively implemented and maintained. An audit programme shall be planned, taking into consideration the status and importance of the processes and areas to be audited, as well as the results of previous audits. The audit criteria, scope, frequency and methods shall be defined. The selection of auditors and conduct of audits shall ensure objectivity and impartiality of the audit process. Auditors shall not audit their own work. A documented procedure shall be established to define the responsibilities and requirements for planning and conducting audits, establishing records and reporting results. Records of the audits and their results shall be maintained (see 4.2.4). The management responsible for the area being audited shall ensure that any necessary corrections and corrective actions are taken without undue delay to eliminate detected nonconformities and their causes. Follow-up activities shall include the verification of the actions taken and the reporting of verification results (see 8.5.2). NOTE See ISO 19011 for guidance.
Impact of changes – 8.2.2 Internal Audit • Effect of changes • Better grammar and flow • Updated reference to auditing guidance standards; better alignment with ISO 14001:2004 • Auditing Considerations • ISO 19011:2002 provides guidance in auditing (1st, 2nd and 3rd party) for both the ISO 9001 and ISO 14001 standards. Use of this document is STRONGLY recommended.
Clause 8.2.3 (Monitoring) – Monitoring and measurement of processes
ISO 9001:2000: The organization shall apply suitable methods for monitoring and, where applicable, measurement of the quality management system processes. These methods shall demonstrate the ability of the processes to achieve planned results. When planned results are not achieved, correction and corrective action shall be taken, as appropriate, to ensure conformity of the product.
ISO 9001:2008: The organization shall apply suitable methods for monitoring and, where applicable, measurement of the quality management system processes. These methods shall demonstrate the ability of the processes to achieve planned results. When planned results are not achieved, correction and corrective action shall be taken, as appropriate. NOTE When determining suitable methods, it is advisable that the organization consider the type and extent of monitoring or measurement appropriate to each of its processes in relation to their impact on the conformity to product requirements and on the effectiveness of the quality management system.
Impact of changes – 8.2.3 Monitoring and measurement of processes • Effect of changes • Clarifies the intent of the requirement; provides detail of the rationale for monitoring and measurement of QMS processes • Auditing Considerations • Auditors should review process monitoring and measurement to ensure the appropriate application (don’t forget the changes in 4.1 concerning process monitoring and, where appropriate, measurement!)
Clause 8.5.2 (Improvement) Corrective action
ISO 9001:2000: The organization shall take action to eliminate the cause of nonconformities in order to prevent recurrence. Corrective actions shall be appropriate to the effects of the nonconformities encountered. A documented procedure shall be established to define requirements for a) reviewing nonconformities (including customer complaints), b) determining the causes of nonconformities, c) evaluating the need for action to ensure that nonconformities do not recur, d) determining and implementing action needed, e) records of the results of action taken (see 4.2.4), and f) reviewing corrective action taken.
ISO 9001:2008: The organization shall take action to eliminate the causes of nonconformities in order to prevent recurrence. Corrective actions shall be appropriate to the effects of the nonconformities encountered. A documented procedure shall be established to define requirements for a) reviewing nonconformities (including customer complaints), b) determining the causes of nonconformities, c) evaluating the need for action to ensure that nonconformities do not recur, d) determining and implementing action needed, e) records of the results of action taken (see 4.2.4), and f) reviewing the effectiveness of the corrective action taken.
Impact of changes – 8.5.2 Corrective action • Effect of changes • “Causes” vs. “cause” – recognizes that nonconformities may have multiple causes; better alignment with clause 8.5.3 Preventive action • Subclause f) – clarifies intent that the effectiveness (was the planned result achieved?) of corrective actions must be reviewed • Auditing Considerations • Good opportunity to review the EFFECTIVENESS of corrective actions – were the actions taken successful in eliminating the cause(s) of nonconformities?
Clause 8.5.3 (Improvement) Preventive action
ISO 9001:2000: The organization shall determine action to eliminate the causes of potential nonconformities in order to prevent their occurrence. Preventive actions shall be appropriate to the effects of the potential problems. A documented procedure shall be established to define requirements for a) determining potential nonconformities and their causes, b) evaluating the need for action to prevent occurrence of nonconformities, c) determining and implementing action needed, d) records of results of action taken (see 4.2.4), and e) reviewing preventive action taken.
ISO 9001:2008: The organization shall determine action to eliminate the causes of potential nonconformities in order to prevent their occurrence. Preventive actions shall be appropriate to the effects of the potential problems. A documented procedure shall be established to define requirements for a) determining potential nonconformities and their causes, b) evaluating the need for action to prevent occurrence of nonconformities, c) determining and implementing action needed, d) records of results of action taken (see 4.2.4), and e) reviewing the effectiveness of the preventive action taken.
Impact of changes – 8.5.3 Preventive action • Effect of changes • Subclause f) – clarifies intent that the effectiveness (was the planned result achieved?) of preventive actions must be reviewed • Auditing Considerations • Good opportunity to review the EFFECTIVENESS of corrective actions – were the actions taken successful in eliminating the cause(s) of POTENTIAL nonconformities?
Bibliography – now refers to current editions of referenced standards, new standards referenced and standards withdrawn since the publication of ISO 9001:2000.
New Standards
• ISO 10001:2007, Customer satisfaction - Guidelines for codes of conduct for organizations
• ISO 10002:2004, Customer satisfaction - Guidelines for complaints handling in organizations
• ISO 10003:2007, Customer satisfaction - Guidelines for dispute resolution external to organizations
• ISO 10019:2005, Guidelines for the selection of quality management system consultants and use of their services
• ISO 19011:2002, Guidelines for quality and/or environmental management systems auditing
• IEC 61160:2006, Design review
• ISO 90003:2004, Software engineering - Guidelines for the application of ISO 9001:2000 to computer software
New Editions
• ISO 9004:200x, Managing for the sustained success of an organization - A quality management approach
• ISO 10005:2005, Quality management systems - Guidelines for quality plans
• ISO 10006:2003, Quality management systems - Guidelines for quality management in projects
• ISO 10007:2003, Quality management systems - Guidelines for configuration management
• ISO 10012:2003, Requirements for measurement processes and measuring equipment
• ISO/TR 10013:2001, Guidelines for quality management system documentation
• ISO 10014:2006, Quality management - Guidelines for realizing financial and economic benefits
• ISO/TR 10017:2003, Guidance on statistical techniques for ISO 9001:2000
• ISO 14001:2004, Environmental management systems - Requirements with guidance for use
• IEC 60300-1:2003, Dependability management - Part 1: Dependability management systems
Withdrawn Standards
• ISO 9000-3:1997 (replaced by ISO 90003:2004)
• ISO 10011-1:1990 (replaced by ISO 19011:2002)
• ISO 10011-2:1991 (replaced by ISO 19011:2002)
• ISO 10011-3:1991 (replaced by ISO 19011:2002)
• ISO 10012-1:1992 (replaced by ISO 10012:2003)
• ISO 10012-2:1997 (replaced by ISO 10012:2003)
Impact of changes - Bibliography • Effect of changes • None • Auditing Considerations • The referenced standards provide excellent guidance into the intents of ISO 9001:2008. Auditors are strongly advised to understand these guidance documents – you’ll be a better auditor for it!
Auditing “Where Appropriate/Where Applicable…” Clauses • Many auditors prefer “black and white” requirements – “where applicable” implies judgment. What to do? How do auditors assess applicability of and conformity with a requirement in the absence of a definite “shall”? • The ISO 9000 Auditing Practices Group and the International Accreditation Forum (IAF), an affiliate organization of ISO, have published two relevant white papers on the subject. • Determination of the “where appropriate” processes • Auditing the “where appropriate” requirements • In ISOmatrix’s opinion, the same logic applies to “where applicable” as “where appropriate” • The source documents are available at http://isotc.iso.org/livelink/livelink/fetch/2000/2122/138402/138403/3541460/customview.html?func=ll&objId=3541460&objAction=browse&sort=name • Keep in mind, these are guidance documents, NOT ISO 9001 requirements or standards
Auditing “Where Appropriate/Where Applicable…” Clauses “Determination of the “where appropriate” processes” – Summary • If there are conflicts between the auditee’s understanding of process applicability and the auditor’s, it’s the auditor’s responsibility to understand the auditee’s point of view. • Auditors should NOT impose their own point of view WITHOUT OBJECTIVE EVIDENCE TO SUPPORT THEIR POINT OF VIEW that a requirement is not met! • The issue may be conflicts in understanding the organization’s terminology vs. ISO’s – use ISO 9000:2005 as a reference to resolve these conflicts wherever possible • Don’t forget Clause 1.2 – Applicability! • ISOmatrix suggests considering the impact of the process or requirement on product conformity to requirements, statutory/regulatory compliance and customer satisfaction
Auditing “Where Appropriate/Where Applicable…” Clauses “Auditing “where appropriate” requirements” – Summary • The organization should carefully consider the applicability of the “where appropriate” requirements during implementation • Impact on product conformity to requirements, statutory and regulatory compliance and customer satisfaction (remember Clause 1.1?) • Auditors should look at these requirements in light of the organization’s QMS scope – how will these requirements impact the QMS’ ability to fulfill this scope? • “Does this requirement add value to this element of confidence, without the ‘where appropriate’ being addressed?” • “Does it increase the risk that the organisation cannot meet its customer requirements? (This may be more than a specific set of customer requirements, as it can include the demands and expectations of end users, consumers, or the supply chain).”
Auditing “Where Appropriate/Where Applicable…” Clauses “Auditing “where appropriate” requirements” – Summary (cont’d) • Individuals responsible for the selection of internal auditors should consider whether the auditor has the necessary technical competence to make these determinations – the use of “technical experts” per ISO 19011 may be necessary • Auditors should consider the impact of the “where appropriate” requirements on how processes are defined and implemented, and the process outputs. • If the requirement is NOT considered “appropriate”, it’s recommended that the audit provide objective evidence to support that the system is effective and customer requirements are consistently met. • ISOmatrix adds – consider the performance of the system and process. Review monitoring (and where applicable, measurement) of the associated process. Is the process effective and efficient in the absence of conformance to this requirement?