ISO 9001:2015 Audit Procedures [4 ed.] 2013014681, 9781138025882, 9781138025899, 9781315774817

Revised and fully, ISO 9001:2015 Audit Procedures describes the methods for completing management reviews and quality au


English Pages [307] Year 2016


Table of contents :
Cover
Title
Copyright
Contents
About the author
Dedication
Foreword
Preface
PART 1: QUALITY MANAGEMENT OVERVIEW
1 The background to ISO 9001:2015
1.1 So what has changed?
1.2 Background to the ISO revision process
1.3 The revision process
1.4 Annex SL
1.5 What are the main changes to the new standard?
1.6 Key changes
1.7 ISO 9001:2015 clauses that have been changed, amended or deleted
1.8 Top management
1.9 The process model
1.10 Benefits of the revised standard
1.11 Other benefits
1.12 Permissible exclusions
1.13 Cost
2 The content and requirements of the ISO 9001:2015 Standard
2.1 What are the current ISO 9000 standards?
2.2 What is the structure of ISO 9001:2008?
2.3 What is the difference between ISO 9001:2015 and ISO 9001:2008?
3 Compatibility of ISO 9001:2015 with other management systems
3.1 Is ISO 9001:2015 compatible with other management systems?
3.2 What other standards are based on ISO 9001:2008?
4 Background reminders for auditors
4.1 Purpose of an audit
4.2 The basic audit process
4.3 Types of audit
4.4 Audit categories
4.4.1 First party (internal) audit
4.5 External audit
4.6 Third party certification audits
4.7 Conformity assessment
4.8 Quality assurance during a product’s or service’s lifecycle
4.9 What is the effect of ISO 9001:2015’s new requirements on auditors?
PART 2: ISO 9001:2015 CHECKLISTS
Introduction
2.1 ISO 9001:2015 – Organisational responsibilities
4 Context of the organisation
4.1 Understanding the organisation and its context
4.2 Understanding the needs and expectations of interested parties
4.3 Determining the scope of the quality management system
4.3.1 Quality management system and its processes
5 Leadership
5.1 Leadership and commitment
5.2 Policy
5.3 Organisation roles, responsibilities and authorities
6 Planning
6.1 Actions to address risks and opportunities
6.2 Quality objectives and planning to achieve them
6.3 Planning of changes
7 Support
7.1 Resources
7.2 Competence
7.3 Awareness
7.4 Communication
7.5 Documented information
8 Operation
8.1 Operational planning and control
8.2 Requirements for products and services
8.3 Design and development of products and services
8.4 Control of externally provided processes, products and services
8.5 Production and service provision
8.6 Release of products and services
8.7 Control of nonconforming outputs
9 Performance evaluation
9.1 Monitoring, measurement, analysis and evaluation
9.2 Internal audit
9.3 Management review
10 Improvement
10.1 General
10.2 Nonconformity and corrective action
10.3 Continual improvement
2.2 ISO 9001:2015’s Organisational Requirements
2.2.1 Context of the organisation
2.2.2 Leadership
2.2.3 Planning
2.2.4 Support
2.2.5 Operation
2.2.6 Performance evaluation
2.2.7 Improvement
2.3 A complete checklist against the requirements of ISO 9001:2015
Introductory questions
4 Context of the organisation
4.1 Understanding the organisation and its context
4.2 Understanding the needs and expectations of interested parties
4.3 Determining the scope of the Quality Management System
4.4 Quality Management System and its processes
5 Leadership
5.1 Leadership and commitment
5.2 Policy
5.3 Organisational roles, responsibilities and authorities
6 Planning
6.1 Actions to address risks and opportunities
6.2 Quality objectives and planning to achieve them
6.3 Planning of changes
7 Support
7.1 Resources
7.2 Competence
7.3 Awareness
7.4 Communication
7.5 Control of documented information
8 Operation
8.1 Operational planning and control
8.2 Requirements for products and services
8.3 Design and development of products and services
8.4 Control of externally provided processes, products and services
8.5 Production and service provision
8.6 Release of products and services
9 Performance evaluation
9.1 Monitoring, measurement, analysis and evaluation
9.2 Internal audit
9.3 Management review
10 Improvement
10.1 General
10.2 Nonconformity and corrective action
10.3 Continual improvement
2.4 Additional (general purpose) check sheets
2.4.1 Quality Management System
2.4.2 Documented information requirements
2.4.3 Management commitment
2.4.4 Customer focus
2.4.5 Quality Policy
2.4.6 Planning
2.4.7 Responsibility, authority and communication
2.4.8 Management review
2.4.9 Provision of resources
2.4.10 Human resources
2.4.11 Infrastructure
2.4.12 Work environment
2.4.13 Planning and product realisation
2.4.14 Customer-related processes
2.4.15 Design and development
2.4.16 Purchasing
2.4.17 Production and service provision
2.4.18 Control of monitoring and measuring devices
2.4.19 Monitoring and measurement
2.4.20 Auditing
2.4.21 Control of nonconforming products and services
2.4.22 Analysis of data
2.4.23 Improvement
2.5 Example stage audit checks
2.5.1 Design stage
2.5.2 Manufacturing or production stage
2.5.3 Acceptance stage
2.5.4 In-service stage
2.6 Comparison between ISO 9001:2015 and ISO 9001:2008
2.7 Counter-comparison between ISO 9001:2008 and ISO 9001:2015
2.8 Comparison between the 2015 versions of ISO 14001 and ISO 9001
Annex A
Abbreviations and acronyms
Reference standards for Quality Management Systems
Glossary of terms used in Quality Management standards
Books by the same author

6763 ISO 9001 AUDIT-PT_156x234 mm 21/05/2016 15:28 Page i

ISO 9001:2015 Audit Procedures

Revised and fully expanded, ISO 9001:2015 audit procedures describes the methods for completing management reviews and quality audits and describes the changes made to the 2015 standard and how they are likely to impact on your own audit procedures. Now in its fourth edition, this guide includes essential material on process models, generic processes and detailed coverage of auditor questionnaires. Part II includes a series of useful checklists to assist auditors in compiling their own systems and individual audit check sheets. The book is also supported with a glossary of terms as well as explanations of acronyms and abbreviations used in quality.

ISO 9001:2015 audit procedures is for auditors of small businesses looking to complete a quality audit review for the 2015 standards. This book will also prove invaluable to all professional auditors completing internal, external and third party audits.

Ray Tricker (MSc, IEng, FCQI-CQP, FCMI, FIET, FIRSE) is currently working as the Senior Management Consultant for Herne European Consultancy Ltd – a company offering organisations access to a range of highly skilled and specialist consultants to help these companies enhance their business performance.


‘Ray’s easy to read book ISO 9001:2015 audit procedures is a must have for small businesses wishing to complete management reviews and quality audits. This step by step guide includes forms, questionnaires and author’s hints that are invaluable.’
– D.M. Belair, CAO, Kawartha Controls

‘An invaluable resource I highly recommend. Easy to read, to the point explanations, detailed checklists and diagrams, this is the one book you need if you would like to understand ISO 9001:2015 audit procedures. Ray explains the ISO terminology, definitions, and processes, and provides checklist questions that an auditor would be looking to answer. I would also recommend this book alongside Ray’s ISO 9001:2015 in Brief, as combined they give you all you need to know about the QM System and associated Audit and Certification processes.’
– Jonathan Parkinson, Plantastic DWC LLC, Dubai


ISO 9001:2015 Audit Procedures Fourth edition

Ray Tricker


First published 2001 by Butterworth-Heinemann
Reprinted 2003
Second edition 2005 by Elsevier
Third edition 2009 by Herne
Fourth edition 2016 by Routledge
2 Park Square, Milton Park, Abingdon, Oxon OX14 4RN
and by Routledge
711 Third Avenue, New York, NY 10017

Routledge is an imprint of the Taylor & Francis Group, an informa business

© 2002, 2005, 2009, 2016, Ray Tricker

The right of Ray Tricker to be identified as author of this work has been asserted in accordance with sections 77 and 78 of the Copyright, Designs and Patents Act 1988.

All rights reserved. No part of this book may be reprinted or reproduced or utilised in any form or by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying and recording, or in any information storage or retrieval system, without permission in writing from the publishers.

Trademark notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation without intent to infringe.

British Library Cataloguing in Publication Data
A catalogue record for this book is available from the British Library

Library of Congress Cataloging in Publication Data
Tricker, Ray
ISO 9001:2015 Audit Procedures / Ray Tricker. – Fourth edition.
pages cm
Includes bibliographical references and index.
1. ISO 9000 Series Standards. 2. Small business – Quality Control. I. Title.
TS156.6.T753 2013
658.02′2–dc23 2013014681

ISBN: 978-1-138-02588-2 (hbk)
ISBN: 978-1-138-02589-9 (pbk)
ISBN: 978-1-315-77481-7 (ebk)

Typeset in Minion Pro and Optima by Florence Production Ltd, Stoodleigh, Devon, UK


About the author

Ray Tricker (MSc, IEng, FCQI-CQP, FIET, FCMI, FIRSE) is a senior consultant with over 50 years’ continuous service in Quality, Safety and Environmental Management, Project Management, Communication Electronics, Railway Command, Control and Signalling systems and the development of molecular nanotechnology. He served with the Royal Corps of Signals (for a total of 37 years), during which time he held various managerial posts culminating in being appointed as the Chief Engineer of NATO’s Communication Security Agency (ACE COMSEC). Most of Ray’s work since leaving the services has centred on European Railways. He has held a number of posts with the Union International des Chemins de Fer (UIC) [e.g. Quality Manager of the European Train Control System (ETCS)] and with the European Union (EU) Commission [e.g. T500 Review Team Leader, European Rail Traffic Management System (ERTMS) Users Group Project Coordinator, HEROE Project Coordinator]. Currently (as well as writing books on such diverse subjects as International Standards, Communication Electronics, Building, Wiring and Water Regulations for Taylor & Francis, Elsevier and Van Haren) he is busy assisting small businesses from around the world (usually on a no-cost basis) to produce their own auditable Quality and/or Integrated Management Systems to meet the requirements of ISO 9001, ISO 14001 and OHSAS 18001. He is also a UKAS Assessor (for the assessment of certification bodies in regard to the harmonisation of the Trans-European, High Speed Railway Network), and recently he was the Quality, Safety and Environmental Manager for the consultancy overseeing the multi-billion-dollar Trinidad Rapid Rail System. Currently he is working as the Senior Management Consultant for Herne European Consultancy Ltd – a company specialising in offering organisations access to a range of highly skilled and specialist consultants to help these companies enhance their business performance. One day, he says that he might retire!!


To my grandson Kenneth – the Refereeing Auditor


Foreword

Those tasked with commissioning and undertaking audits will admit that for many small business owners and occasional auditors such as myself, any changes to the standard represent a steep learning curve and increased workload for us as we try to grapple with the changes. To assist us we require an understanding of the audit procedures and an easy-to-use manual so that we can demonstrate to our customers that we have a fully auditable Quality Management System that meets their requirements, as well as our own and those of ISO 9001:2015. This latest (4th edition) ISO 9001 Audit Procedures book from Ray Tricker does not disappoint in this regard. In addition to discussing the procedures themselves, it describes how the 2015 changes to the ISO 9001 Standard represent a major update and are a step away from the process approach to a risk-based management and Leadership style. As the new standard requires management to have full control of continual improvement rather than delegating it to a management representative, now is the time for them to get to grips with the topic. Those wanting a historical perspective (for example to explain to senior management why and how things have changed) will find his comparison of the 2008 and the 2015 standards provides much-needed clarity in this regard. Ray is able to concisely explain the aims and principles outlined in the standard, as well as describing the audit process. He is honest about advantages and disadvantages and gives us the benefit of his own opinions before providing suggested formats for the check-sheets required for each clause. I commend the clarity with which Ray has discussed the different clauses of the standard in detail (Chapter 2). He continues to use his ‘light bulb’ author’s hints liberally throughout the book as a way of drawing attention to particular areas, or to give the benefit of his significant practical experience in this field. I find this invaluable. 
There are many types of audit, and the way that the sections in Chapter 4 are self-contained so that readers can dip in and out of the different types of audit without having to back refer will be very useful (this is common throughout Ray’s books). The roles and responsibilities of management during the different stages of production, and an explanation of often misused terminology such as certification, registration, validation and accreditation, are going to be much used.


Most valuable of all is the offer to provide purchasers of this book with ‘free access’ to the checklists and forms. This to my mind is an added bonus and sets this book ahead of any other in the field.

Tom Alford FCMI, MBA, MSc, MCIPS, MILT is an ISO 9001 auditor, business owner and public sector procurement specialist.


Preface

To achieve its main objective, ISO 9001:2015 requires designers, manufacturers, service industries as well as end users to possess a fully auditable Quality Management System consisting of Quality Policies, Quality Processes, Quality Procedures and Work Instructions. It is this Quality Management System that will provide the auditable proof that the requirements of ISO 9001:2015 have been and still are being met. Since the introduction of ISO 9001:2015, however, certain sections of the industry see compliance auditing as no longer being ‘fashionable’ and performance auditing is the only way forward. However, although the compulsory requirement for Quality Procedures has gone, the emphasis is still very much on the need (indeed, as you can see from the wording below, a mandatory obligation) for organisations to conduct regular internal audits.

ISO 9001:2015 Clause 9.2.1 ‘Internal audit’

‘The organisation shall conduct internal audits at planned intervals to provide information on whether the Quality Management System:
• conforms to:
  – the organisation’s own requirements for its Quality Management System;
  – the requirements of this international standard;
• is effectively implemented and maintained’.

To meet this requirement, organisations must continually review their system to ensure its ongoing suitability and success, reveal defects, danger spots or irregularities, suggest possible improvements, eliminate wastage and loss, check the effectiveness of management (at all levels) and be sure that managerial objectives and methods are effective and that they are capable of achieving the desired result. Above all, organisations must be prepared to face up to an audit of their own Quality Processes and procedures from potential customers and prove to them that their Quality Management System fully meets the recommendations, requirements and specifications of ISO 9001:2015 – and that it is also capable of meeting customer requirements.

ISO 19011 (‘Guidelines for quality and/or environmental management systems auditing’) shows that the best way of preparing for a review is for audit team members to create a set of documents that cover all of the possible areas that they will be required to review, and to use these documents for reference when conducting an audit. Such documents may include checklists, sampling plans and forms for recording information, supporting evidence, audit findings and Minutes of Meetings.

Whilst not always required for all management system standards, audit checklists (composed of items relating to both compliance with the requirements of the particular standard and items that check the performance of the organisation’s processes) are just one tool available from the ‘auditor’s toolbox’. Most auditors usually find it beneficial to audit from the organisation’s Quality Management System up to the ISO 9001:2015 requirements (as shown in Figure P.1 below) rather than start afresh.

[FIG. P.1 Example auditing approach. CONFORMANCE: audit from the organisation's Quality Management System to the ISO 9001:2015 requirements. COMPLIANCE AND CONFORMANCE: audit from the requirements of ISO 9001:2015 to the organisation’s Quality Management System.]

Alternatively, a checklist may be used to ensure that all the relevant ISO 9001:2015 requirements have been addressed in the management system.


ADVANTAGES OF USING AN AUDIT CHECKLIST

Checklists, if developed for a specific audit and used correctly, can:

• act as a sampling plan and time manager;
• be provided to the auditee ahead of the on-site audit;
• be used as an information base for planning future audits;
• ensure a consistent audit approach;
• ensure that adequate evidence is obtained;
• ensure that the audit scope is being followed;
• help an auditor to perform better during the audit process;
• help to ensure that an audit is conducted in a systematic and comprehensive manner;
• provide a means of communication and a place to record data for future reference;
• provide a repository for notes collected during the audit process (i.e. audit field notes);
• provide a record that the Quality Management System was examined;
• provide objective evidence that the audit was performed;
• provide structure and continuity to an audit;

but primarily:

• to serve as a memory aid.

DISADVANTAGES OF USING AN AUDIT CHECKLIST

When audit checklists are not available, or poorly prepared, the following disadvantages can occur or be observed:

• checklists should not be a substitute for audit planning;
• generic checklists, which do not reflect the specific organisational management system, may not add any value and may interfere with the audit;
• poorly prepared checklists can slow down an audit due to duplication and repetition;
• the focus of the checklist may be too narrow in scope to identify specific problem areas;
• an inexperienced auditor may not be able to clearly communicate what he is looking for;
• checklists can be restrictive if used as the auditor’s only support mechanism.

Author’s Hint

As can be seen from the foregoing, there are both advantages and disadvantages to using audit checklists. It depends on many factors, including customer needs, time and cost restraints, auditor experience and sector scheme requirements. Auditors should therefore assess the value of the checklist as an aid to the audit process and consider its use as a functional tool.


PURPOSE OF THIS BOOK

Historically this is the 4th edition of this ISO 9001 Audit Procedures series and, in order to comply with the requirements and recommendations of Annex SL (with text and terminology common to all other Management System Standards), in Edition 4, although retaining the basic layout of its predecessor, you will find the structure has changed quite dramatically. With this in mind, and with the benefit of seven years’ field experience of the previous 2008 version of the standard, this book has been completely updated, rewritten, copyedited and now includes:

• more detail about the aims, benefits and requirements of ISO 9001:2015;
• more detail concerning the actual structure of ISO 9001:2015;
• more detail concerning the seven principles of management which are applied within the standard;
• reformatted diagrams drawn against a common template;
• thoroughly reviewed and updated auditors’ check sheets to meet ISO 9001:2015’s requirements;
• updated Glossary, References and Abbreviations and Acronyms sections.

For convenience, this book is divided into two parts as follows:

Part 1 Quality Management overview

This part contains chapters concerning:

• The background to ISO 9001:2015 – what clauses have been changed, amended or deleted.
• The content and requirements of the ISO 9001:2015 standard – its structure and explanation of the requirements; and differences between the previous 2008 edition of the standard and the current one.
• ISO 9001:2015’s compatibility with other management systems – an example of the similarity between this new Quality Management standard and that of the Occupational Health and Safety (i.e. the OHSAS 18000 series) and the Environmental standard (i.e. the ISO 14000 series), together with details of other standards that are based on ISO 9001:2015.
• Background reminders for auditors – a quick overview of the purpose and types of audit and the effect of ISO 9001:2015’s new requirements for auditors.

Part 2 ISO 9001:2015 checklists

Author’s Hint

To save you having to photocopy all of these checklists, explanations and questionnaires contained in this book (and/or having to type them all out again), ‘unlocked’, fully accessible, non-.pdf, soft copies of all these files are available from the author in Word format ([email protected]).


This part of the book is intentionally the most important element of this publication and contains:

• ISO 9001:2015 headings and structure: A complete listing of 10 clause and sub-clause headings that make up the ISO 9001:2015 standard, together with an indication of the actions an organisation would be expected to complete, and against which they should be audited.
• ISO 9001:2015 explanation and likely documentation: A brief explanation of the specific requirements (i.e. the ‘shalls’) of each element of ISO 9001:2015, together with a description of the likely documentation that an organisation would need to have in place to meet the requirements.
• A complete checklist against the requirements of ISO 9001:2015: A series of checks, questions and reminders covering all of the clauses and sub-clauses of ISO 9001:2015 and which can be used for conducting internal, external or third party audits of an organisation’s Quality Management System.
• Additional (general purpose) audit checks: A list of some of the most important questions that an external auditor would be likely to ask when assessing an organisation’s QMS for conformance to ISO 9001:2015.
• Example stage audit check sheet: A list of the most important questions that an external auditor is likely to ask when evaluating an organisation for their:
  – design stage;
  – manufacturing or production stage;
  – acceptance stage;
  – in-service stage.
• Comparison between ISO 9001:2015 and ISO 9001:2008: A list of the 10 clauses and sub-clauses that make up ISO 9001:2015, cross-referenced to the previous eight clauses contained in the ISO 9001:2008 standard.
• Counter-comparison between ISO 9001:2008 and ISO 9001:2015: A table showing how the previous 8 clauses from the 2008 edition of the standard have been included in the 10 clauses making up the ISO 9001:2015 publication.
• Comparison between the 2015 versions of ISO 14001 and ISO 9001: An indication of how two of ISO’s main Management System Standards are closely related, now that they have been rewritten according to Annex SL.
• A selection of audit forms: A small selection of forms, typically used by auditors.

This second part is concluded by the following sections:

• Abbreviations and acronyms: A list of abbreviations and acronyms used in this book.
• Reference Standards for Quality Management Systems: A guide to the ISO Quality Management Standards most used by auditors.
• Glossary of terms used in Quality Management Standards: A list of the main terms and conditions used in Quality Management.
• Books by the same author: Details of some of the other technical books that Ray has written.


Author’s Hint To save you having to constantly refer to different chapters in the book, I have duplicated some of the text from one section to another – particularly in Chapter 4.

Further assistance For further details about these books and other ISO 9001 consulting services, please e-mail me at [email protected] or visit www.thebestqms.com.


PART 1

Quality Management overview

The first part of the book is intended to be used by auditors (qualified or unqualified, professional or amateur) as a reminder of what ISO 9001:2015 is all about and the need to meet its requirements for Quality Management. It consists of four separate chapters, namely:

• Chapter 1: The background to ISO 9001:2015: What clauses have been changed, amended or deleted.
• Chapter 2: The content and requirements of the ISO 9001:2015 standard: Its structure and explanation of the requirements. The differences between the previous 2008 edition of the standard and the current one.
• Chapter 3: Compatibility of ISO 9001:2015 with other management systems: An example of the similarity between this new Quality Management standard and that of Occupational Health and Safety (i.e. the OHSAS 18000 series) and the Environmental standard (i.e. the ISO 14000 series), together with details of other standards that are based on ISO 9001:2015.
• Chapter 4: Background reminders for auditors: A brief overview of the purpose and types of audit and the effect of ISO 9001:2015’s new requirements for auditors.


Chapter 1

The background to ISO 9001:2015

CONTENTS

1.1 So what has changed?
1.2 Background to the ISO revision process
1.3 The revision process
1.4 Annex SL
1.5 What are the main changes to the new standard?
1.6 Key changes
1.7 ISO 9001:2015 clauses that have been changed, amended or deleted
    1.7.1 Clause 3: Terms and definitions
    1.7.2 Clause 4: Context of the organisation
    1.7.3 Clause 4.3: Determining the scope of the Quality Management System
    1.7.4 Clause 4.4: Quality Management System and its processes
    1.7.5 Clause 5: Leadership
    1.7.6 Clause 6: Planning
    1.7.7 Clause 7: Support
    1.7.8 Clause 7.5: Documented information
    1.7.9 Clause 8: Operation
    1.7.10 Clause 8.2: Design and development of products and services
    1.7.11 Clause 8.4: Control of externally provided processes, products and services
    1.7.12 Clause 8.7: Control of nonconforming processes
    1.7.13 Clause 9: Performance evaluation
    1.7.14 Clause 10: Improvement
1.8 Top Management
1.9 The process model
1.10 Benefits of the revised standard
1.11 Other benefits
    1.11.1 Customers
    1.11.2 People within the organisation
    1.11.3 Owners and investors
    1.11.4 Suppliers and partners
    1.11.5 Society
1.12 Permissible exclusions
1.13 Cost

Following the publication of the minor amendment to ISO 9001 in 2008, ISO carried out extensive research in preparation for an updated edition of ISO 9001 aimed at developing a long-term strategic plan for ISO and increasing the alignment of ISO’s management system standards through the development of a common high-level structure, common definitions and some common text for all current and future management standards.

The main result of ISO’s research indicated that whilst there was still significant satisfaction with the 2008 version of the standard, most people considered that in order to keep ISO 9001 relevant and reflect changes in its environment a revision of the 2008 edition was appropriate and that this revised standard (among other things) should:

• remain generic, and relevant to all types and sizes of organisation regardless of whether they were designers, manufacturers, suppliers or end users;
• maintain the current focus on effective process management to produce cost-effective and desirable end results;
• take account of changes in Quality Management Systems practices and technology since the last major revision in 2008;
• reflect changes in the increasingly complex, demanding and dynamic environments in which organisations operate;
• enhance compatibility and alignment with other ISO management system standards;
• facilitate effective organisational implementation and effective conformity assessment by first, second and third parties;
• use simplified language and writing styles to aid understanding and consistent interpretations of its requirements; but, above all,
• provide a stable core set of requirements for the next 10 years or more.

FIG. 1.1 History of the ISO 9001 Standard
[Figure labels: ISO 9001:1987, Procedures, New ISO Standard; ISO 9001:1994, Preventative Action, Minor updates; ISO 9001:2000, PDCA & Process Approach, Major update to introduce Process; ISO 9001:2008, PDCA & Process Approach, Minor updates; ISO 9001:2015, Risk-based Management & Leadership, Major updates (next update predicted not until 2025)]

Quality used to be about making sure that products and services were right, with an emphasis on producing something that could be inspected against a specific dimension or criterion. The product was then considered acceptable, or had to be reworked to become acceptable, or had to be scrapped (which could be very expensive). When things went wrong it was usual to blame the craftsmen (e.g. designers, software engineers, construction engineers, etc., etc!).

1.1 SO WHAT HAS CHANGED?

In a nutshell, the revised standard has:

• Brought quality and continuous improvement into the heart of every business – ensuring that Quality Management is now completely integrated and aligned with the business strategies of a particular organization.
• Emphasised the importance of Leadership – making Top Management responsible for ensuring that the whole organisation is motivated towards ensuring that the organisation’s Quality Management System is not only maintained but continually improved.
• Introduced risk and opportunity management – reinforcing the use of management systems to help identify business opportunities that contribute to bottom-line improvements.
• Introduced a new integrated approach to management standards – by introducing the new structure detailed in Annex SL (previously known as ISO Guide 83), which has now become mandatory to all new ISO management systems standards and which, in future, will make it easier to implement multiple, integrated management systems.


1.2 BACKGROUND TO THE ISO REVISION PROCESS

Under existing international agreement, all international standards have to be reinspected, five years after publication, for their continued applicability and so in accordance with this agreement, the International Standards Organization (ISO) contacted more than 1,000 users and organisations for their views on ISO 9001:2008, using a questionnaire covering:

• problems with the existing standard;
• requirements for a new/revised standard;
• possible harmonisation and interoperability between Quality Management, environmental management, health and safety standards and other management system standards.

1.3 THE REVISION PROCESS

The revision process for ISO 9001:2015 was the responsibility of ISO Technical Committee (TC) 176 and was conducted on the basis of consensus among quality and industry experts nominated by ISO member bodies, and representing all interested parties (from small businesses to multinationals, government departments to industry and trade associations), in order to ensure that the standards reflected the broadest stakeholder representation possible. Initial specifications and goals were established following extensive user surveys, and these were followed by a user verification and validation process to ensure that the standards produced would actually meet the requirements of the user.

FIG. 1.2 ISO committees
[Figure labels: ISO/TC 176 Quality Management and Quality Assurance; SC1 Fundamentals & Vocabulary (ISO 9000); SC2 Quality Systems (ISO 9001, ISO 9004); SC3 Supporting Technologies (e.g. ISO 10011); WG 22 Interpretations; WG 23 Communications & Product Support; WG 24 Revision of ISO 9001]


The aims of the revision were (in the words of the International Standards Organization) to:

• give users the opportunity to add value to their activities;
• continually improve their performance by focusing on the major processes within the organisation;
• guarantee the effectiveness (but not necessarily the efficiency) of the organisation;
• make sure the standard is applicable to all types of organisations;
• make the language used in the revised standard simpler, more user-friendly, and with less bias towards manufacturing;
• make the new standard equally appropriate to all sectors, including service providers;
• produce a standard that will minimise any potential costs during a smooth transition.

FIG. 1.3 Timeline
[Figure labels: 03/2012 Background research; 06/2012 and 12/2012 Working Drafts (WD-No 1, WD-No 2); 04/2013 Committee Draft (CD); 04/2014 Draft International Standard (DIS); 11/2014 Proposal for Final Draft International Standard; 03/2015 Final Draft International Standard (FDIS); 09/2015 Published International Standard (IS); Transition Timeline 09/2015 – 09/2018]

Author’s Hint Once the Draft International Standard has been adopted by the Technical Committee, it is then circulated to Member Bodies for voting and, provided that it gets more than a two-thirds majority of the votes, it will then be published as an International Standard.

1.4 ANNEX SL

As well as ISO 9001 for Quality Management Systems, ISO also publishes a number of other Management Systems Standards (MSS) (e.g. Safety and Security, General Management, Health and Medical, Environmental and Energy, Industry, Services, Occupational Health & Safety, Risk, Business Continuity, Asset Management Systems etc.) and of course there are many other standards that are actually based on ISO 9001 (such as ISO/IEC 27001:2013 for Information Security Management). However, the structure and format of each of these standards vary considerably and so it is not surprising, therefore, that these variations continue to cause problems for organisations who have to become certified against multiple schemes.

Author’s Hint A good example of this was a company who were manufacturing therapeutic medical devices which, as they concerned patient safety, had to be assessed against both ISO 9001 (for Quality Management) and the mandatory requirements of ISO 13485 for Medical Devices. They asked for my assistance back in the late 1990s, and this was the first time that I realised how very similar were the requirements between the two standards, and so I was able to assist them in composing a QMS that could be audited by a Notified Body for compliance with both standards, and thereby reduce both time and costs for them.

Thankfully ISO have now also realised this and in an attempt to produce some form of consistency across the standards, they have now agreed that in future all new revisions to existing Management Systems Standards will have to have the same high-level structure (as detailed in Appendix 3 of ISO/IEC Directives, Part 1 Annex SL – previously known as ISO Guide 83, but now usually referred to as just ‘Annex SL’), which forms the basis of a generic management system with identical core text, as well as common terms and definitions where suitable, with the overall aim of making them easier to read and understand and thus easier to integrate more than one standard into an overall business management system. Whilst the high-level structure cannot be changed, sub-clauses and discipline-specific text can be added. This commonality requires less maintenance and audit resources, meaning that it can be changed more easily to meet evolving business needs.

Annex SL defines the common structure and format for the development of all new ISO management system standards and associated publications. In short, it’s a rulebook for standard writers setting out what they must and must not do in the development of any international standard.

By adopting Annex SL (named SL simply because it happens to appear after SK and before SM!), ISO considered that new standards could be designed to be much less ‘fussy’, allowing organisations greater freedom to design their own management system and the scope to create organisation-specific manuals and procedures. As we all know, external audits can become very disruptive but the increased commonality of requirements across standards means that there is now potential for a change in the way that third party assessments can be completed. For example, if an organisation normally has a Health and Safety Audit in January, a Quality Management Audit in May and an Environmental Management Audit in September, they could now combine all these into one single audit – and thus save time and expenditure!

Appendix 2 to SL sets out a high-level core structure that all management system standards must adopt and follow. This ensures there is at least 30% common text between each management system standard by using an identical structure, clause titles (and sequence of clause titles), text definitions, scope, common references, terms and definitions, organisational structure, Leadership and planning support. Annex SL applies to all management system standards, such as full ISO standards, Publicly Available Specifications (PAS) and Technical Specifications (TS), and quite a number of these have already used this common framework and many more are currently under revision.

Although ISO emphasises that Annex SL no longer sets its associated management standards as a series of ‘requirement standards’ (except, of course, for standards like ISO 13485, which has to have some mandatory requirements because of patient safety), by introducing identical core text this has, in turn, led to 45 ‘shall’ statements - generating 84 requirements!

So, with the introduction of Annex SL, all of the major clause numbers and titles of every ISO management system standard will now be identical, such as the introduction, scope and normative references (whose content will be specific to each discipline); terms and definitions (22 terms and definitions have been listed which must be addressed; they cannot be deleted or changed – however, each standard can add its own additional terms and definitions if required and also add to or modify the notes written against these stated terms and definitions); and operation. ISO has, however, said that as an option, each standard may have its own bibliography!

Author’s Hint Obviously, each discipline will have their own requirements, so the total for any new standard will probably have more – but this is the absolute minimum.

1.5 WHAT ARE THE MAIN CHANGES TO THE NEW STANDARD?

The new ISO 9001:2015 standard is a great opportunity for organisations to put quality at the core of their business strategy and deliver tangible business improvements. Some of the key changes to the standard include:

• greater emphasis on building a management system that is best suited to an organisation’s particular needs;
• increased emphasis on achieving value for an organisation and its customers;
• a requirement that those at the top of an organisation be involved and fully accountable for aligning quality with wider business strategy;
• less prescriptive requirements for documentation, thus allowing an organisation to decide what documented information it needs and in what format it should be;
• alignment with other key management system standards through the use of a common structure and core text.

The new structure also takes an overall risk-based approach rather than putting risk into a separate clause. Although companies are not required to carry out a formal risk assessment, the options are there if required.

1.6 KEY CHANGES

Although management systems must now all be written in compliance with Annex SL’s common structure and text, the requirements of ISO 9001 remain mainly the same, but with the advantage that they are now far less prescriptive. For example, there’s a shift from an explicit need for traditional documents such as a Quality Manual to a much broader requirement for ‘documented information’. This doesn’t mean, however, that an organisation with an existing Quality Manual has to immediately change anything (not a simple job if your organisation has offices worldwide!) – it simply means that there’s now more flexibility with respect to documents and records – provided that relevant information is retained and available as and when required.

Author’s Hint Virtually all of the requirements from the previous 2008 standard have been included in the revised ISO 9001:2015 standard (but with clearer definition) and with the addition of a lot of ‘shalls’ (totalling 138 in all!) as well as numerous ‘coulds’ and ‘shoulds’.

The main changes are that the new standard now includes:

• a definite focus on risk-based management;
• more emphasis on preventive action;
• increased emphasis on achieving value for an organisation and its customers;
• the introduction of ‘Documented Information’ – which replaces the need for a formal procedure to control ‘Documents’ and ‘Records’ which, whilst decreasing the emphasis on documentation, actually expands the overall concept of documentation;
• an emphasis on Leadership and responsiveness to business environment;
• more emphasis on communication and customer awareness.

Also, at the time of writing, ISO 9001:2015 has removed:

• the requirement for a management representative;
• the requirement for a Quality Manual.


The standard is, nonetheless, still:

• centred around a process-orientated structure – but with a more logical sequence;
• inclusive of a requirement for the organisation to monitor information on customer satisfaction as a measure of system performance;

Author’s Hint ‘Customer satisfaction’ is still recognised as one of the primary concerns for any organisation. In order to evaluate whether the product meets customer needs and expectations, it is necessary to monitor the extent of customer satisfaction. Improvements can be made by taking action to address any identified issues and concerns.





• giving considerable emphasis on higher management issues, such as the need for defined (and auditable) quality targets and the need to include supporting activities within the system;
• including a continual improvement process as an important step to enhance the Quality Management System;

ISO TC 176:

‘Continual improvement is the process focused on continually increasing the effectiveness and/or efficiency of the organisation to fulfil its policies and objectives’

‘Continual improvement (where ‘continual’ highlights that an improvement process requires progressive consolidation steps) responds to the growing needs and expectations of customers and ensures a dynamic evolution of the Quality Management System’

• providing (in ISO 9004:2009) an additional concept of organisational self-assessment as a driver for improvement (further emphasising the need to monitor customer satisfaction);
• establishing measurable objectives at relevant functions and levels (monitoring of information of customer satisfaction as a measure of system performance);
• laying increased emphasis on the role of Top Management, including a commitment to the development and improvement of the Quality Management System, consideration of legal and regulatory requirements, and establishment of measurable objectives at relevant functions and levels;
• extending measurements to include system, processes, and product;
• increasing attention to resource availability;
• emphasising the need to determine training effectiveness;

• considering the benefits and needs of all interested parties;
• assuring consistency between Quality Management System requirements and guidelines;
• promoting the use of generic Quality Management Principles by organisations (and enhancement of their compatibility with environmental and safety standards such as ISO 14001, BS 8800 and OHSAS, etc.);
• significantly reducing the amount of documentation required;
• including terminology changes and improvements that allow easier interpretation;
• providing increased compatibility with the environmental management system standard;
• making specific reference to Quality Management Principles;
• meeting the need for more user-friendly documents;
• providing measures for the analysis of collected data concerning the performance of an organisation’s Quality Management System.

1.7 ISO 9001:2015 CLAUSES THAT HAVE BEEN CHANGED, AMENDED OR DELETED

See Table 1.1.

1.7.1 Clause 3: Terms and definitions

In accordance with Annex SL, common terms and definitions for all management systems are now to be found in the new ISO 9000:2015 whilst terms and definitions that are specific to ISO 9001:2015 will be found (and explained) in the standard itself – but in essence these include:

• a new term, ‘documented information’, which describes the requirements for physical evidence (electronic or hard copy media) and is defined as ‘information required to be controlled and maintained by an organisation and the medium on which it is contained’;
• the term ‘product’ is replaced by ‘goods & services’;
• the word ‘continual’ is dropped from ‘continual improvement’;
• ‘purchasing’ and ‘outsourcing’ have been replaced by ‘external provision of goods and services’;
• ‘risk’ is defined as the ‘effect of uncertainty’;
• ‘design and development’ is now ‘development’;
• ‘monitoring and measurement’ are now separate terms:
  – ‘monitoring’: status of a system, a process or an activity;
  – ‘measurement’: a process to determine a value;
• ‘process approach’ is now ‘stated requirement’ (Clause 4.4.2);
• ‘context of organisation’ is a new term.


TABLE 1.1

| Clause | Title | Change |
|---|---|---|
| Clause 1 | Scope | |
| Clause 2 | Normative references | |
| Clause 3 | Terms and definitions | Common terms with other Management System Standards; More ISO 9001 terms and definitions |
| Clause 4 | Context of the organisation | Key changes |
| Clause 5 | Leadership | Enhanced requirements and key changes |
| Clause 6 | Planning | Significant changes for risks and opportunities plus change management |
| Clause 7 | Support | Resource management – enhanced requirements; Knowledge management – new requirement; Documented information – key change |
| Clause 8 | Operation | Control of processes – significant changes; Products – new definition and significant changes; External provision – enhanced requirements; Design and development – simplified requirements; Nonconformance – enhanced requirements |
| Clause 9 | Performance evaluation | Monitoring, measurement and analysis – enhanced requirements; Performance indicators – additional requirements |
| Clause 10 | Improvement | Nonconformity, corrective action and improvement – enhanced requirements; Continual improvement – more structured approach |

1.7.2 Clause 4: Context of the organisation

This clause requires examination of the organisation and its context, including thinking about the needs and expectations of interested parties, determining the scope of the Quality Management System and requiring a process approach. Organisations are now required to identify any internal and external issues that may impact their Quality Management System’s ability to deliver its intended results. They are also required to develop a methodology for understanding the needs and expectations of ‘interested parties’ (i.e. those individuals and organisations affected by the organisation’s decisions or activities).

Two new clauses have been introduced relating to the context of the organisation:

• 4.1 ‘Understanding the organisation and its context’;
• 4.2 ‘Understanding the needs and expectations of interested parties’.

These have been included so that an organisation is required ‘to determine the issues and requirements that can impact on the planning of the Quality Management System and can be used as an input into the development of the Quality Management System’.

1.7.3 Clause 4.3: Determining the scope of the Quality Management System

Greater emphasis has been placed on the need for the organisation’s Quality Management System to take into consideration the internal and external issues identified by the context of the organisation. The previous mandatory requirement for an organisation’s Quality Management System to include a number of mandatory procedures (e.g. Document Control) has now been removed!

1.7.4 Clause 4.4: Quality Management System and its processes

The explicit requirement for an organisation to adopt a process approach has been retained (indeed it is now a stated requirement – Clause 4.4.1), and this is imbedded in the requirements scattered throughout the standard.

1.7.5 Clause 5: Leadership

This is a new clause for the ISO 9001 standard, which states that ‘Top Management shall be accountable for the effectiveness of the Quality Management System’. The title ‘Management Responsibility’ has now been replaced by ‘Leadership’ and in future, Top Management will be required to be actively involved in all aspects of their Quality Management System. The role of the ‘management representative’ (usually referred to as the Quality Manager) no longer exists, as the 2015 version of ISO 9001 has imbedded the Quality Management System into routine business operations – as opposed to operating as an independent system in its own right with its own dedicated management structure. In addition, it has now made it a requirement that the entire organisation is responsible for the enhancement of their Quality Management System.


1.7.6 Clause 6: Planning

Organisations must now plan to address risks in order to achieve their quality objectives.

The term ‘Preventive action’ has now been replaced by ‘actions to address risks and opportunities’. In future, organisations will be required to determine, consider and, where necessary, take action to address any risks or opportunities that may impact (either positively or negatively) their Quality Management System’s ability to deliver its intended outcomes, or that could impact customer satisfaction.

‘Risk’ is addressed in the following ISO 9001:2015 clauses:

• Clause 4: ‘The organisation shall address the risks and opportunities’.
• Clause 5: ‘Top Management shall demonstrate Leadership and commitment by promoting the use of risk-based thinking’.
• Clause 6: ‘The organisation shall plan actions to address these risks and opportunities’.
• Clause 9: ‘The organisation shall analyse and evaluate the effectiveness of actions taken to address risks and opportunities’.
• Clause 10: ‘The organisation is required to improve by responding to changes in risk and opportunities’.

Author’s Hint To date there hasn’t been a Quality Management standard that has covered risk, and so organisations and auditors unfamiliar with risk-based management systems will need to quickly become trained in all aspects of risk!

‘Planning changes’ is also a new concept for many, whereby the basic requirement for the management of change is to ‘plan and manage change in a systematic manner’.

1.7.7 Clause 7: Support

‘“Support” is essential for success and must be managed’.

Infrastructure, process environment, monitoring and measuring devices and knowledge all need to be assessed, determined, provided and maintained. Knowledge, in particular, is necessary for the smooth operation of the Quality Management System’s processes in order to guarantee conformity of products and services and to ensure customer satisfaction. Above all, knowledge must be maintained, protected, made available as necessary and considered during ‘management of change’ – which will firstly require the organisation to determine exactly what knowledge is required. Other requirements addressed in this Support Clause are competence, awareness, communication and documented information.


Author’s Hint The previous ISO 9001:2008 standard required that a record be maintained for all of an organisation’s education, experience, skills, and training. In the ISO 9001:2015 standard, the documented information is called evidence of competence.

Awareness is another aspect of this clause and relates to persons doing work under the organisation’s control. They must be made aware of the organisation’s Quality Policy, objectives, their personal contribution to the effectiveness of the Quality Management System and the implications of not conforming to requirements. Communication is left open for the organisation to determine their need for the level of internal and external communication that is most relevant to their Quality Management System.

1.7.8 Clause 7.5: Documented information

ISO 9001:2015 Clause 7.5.1 ‘General’

‘The organisation’s Quality Management System shall include:

• documented information required by this International Standard;
• documented information determined by the organisation as being necessary for the effectiveness of the Quality Management System’

With the ever-increasing reliance on information technology has come the realisation that there is now no longer any real need to maintain whole libraries of documented processes, procedures and records, etc., as all of these can now be digitally stored. With the implementation of ISO 9001:2015 into an organisation there is now only a general requirement for documentation (re-termed as ‘documented information’), with no reference to the previous requirements for a documented Quality Manual, documented procedures and quality records. How an organisation decides to maintain its ‘documented information’ is left open but, in doing so, ISO believes that this will provide organisations with a far more flexible way of running their business.


1.7.9 Clause 8: Operation

ISO 9001:2015 now not only requires the organisation to plan, implement and control its processes in order for it to meet product or service requirements, it must now also plan how it will address any risks and opportunities that may impact these processes and, therefore, its ability to achieve these requirements.

1.7.10 Clause 8.2: Design and development of products and services

The term ‘product’ has been replaced by ‘products and services’, which further emphasises that ISO 9001:2015 is applicable to all organisations whether they are designers, manufacturers, installers and/or end users.

1.7.11 Clause 8.4: Control of externally provided processes, products and services

‘Purchasing’ has been replaced by ‘control of externally provided products and services’, in order to cover all forms of external provision, whether purchased directly from a supplier, via an associate company or subcontractor, or by any other means.

1.7.12 Clause 8.7: Control of nonconforming processes

The ‘control of nonconforming product’ now includes nonconforming processes as well as outputs and services.

1.7.13 Clause 9: Performance evaluation

Monitoring, measurement, and analysis have now been coupled with a new word, ‘evaluation’, which strengthens the requirements for monitoring and measurement. Requirements for what to monitor and measure, what methods to use, when to perform, and when to analyse and evaluate must now also be addressed. Documented information must be retained as evidence of the results of evaluation, which emphasises the need for an organisation to be data-driven.

‘Customer satisfaction’ has been reworded to re-emphasise the need for understanding customer perceptions including customer feedback, customer views and customer perceptions of the organisation, its goods and its services. Internal audits and management review are now part of this performance evaluation clause.


1.7.14 Clause 10: Improvement

Nonconformity and Corrective Action and Improvement are included in this last clause, which has now been expanded as previous versions did not strongly encourage addressing nonconformity as reactions to processes other than production.

1.8 TOP MANAGEMENT

Top Management is defined as ‘a person or group of people who direct and control an organisation at the highest level’. In essence the standard is now no longer dealing with a Quality Management System but more with a ‘system for management’ that can be used by the whole organisation.

However, no organisation can function effectively without direction from Top Management, and in order for them to direct effectively, they will need to have at their disposal a wide range of information. The main pieces of information that they will have to have readily available are the needs and expectations of their customers and knowledge of all the regulatory and legal requirements that are applicable to the organisation. This will enable Top Management to know exactly what they need to do within the organisation to achieve customer satisfaction.

Management then needs to be able to show the workforce what the purpose of the organisation is, the perceived values of the organisation and its attitude and actions towards the customers. Through the Mission and Policy statements, management should try to produce unity within the organisation by enabling the Staff to see clearly what the organisation is striving to achieve.

In the past, an organisation’s Quality Policy was seen as a piece of paper signed by a senior member of Staff rather than an objective. With ISO 9001:2015, the policy now needs to show a commitment to improvement, which will be measured throughout the organisation to make sure that the policy provides a framework for the setting of the objectives and is communicated and understood throughout the organisation.

Once the policies have been set, policy objectives will need to be established. These should be applicable to the various activities within the organisation and take into account the various functions of the organisation and how these fit into the strategic framework.

Top Management should ensure that all Staff know what the organisation’s objectives are and know (and appreciate) the relevance and importance of how the former can affect the overall objectives of the latter. Through having a caring and open culture, the morale and motivation of the workforce will be improved and as a consequence, products and services supplied will improve as will customer satisfaction. They will also need to take into consideration the interested parties of the organisation.


1.9 THE PROCESS MODEL

The whole concept of ISO 9001:2015 revolves round a systematic process approach which uses seven Quality Management Principles reflecting best practice, which are designed to enable a continual improvement of the business and its overall efficiency and be capable of responding to customer needs and expectations.

Author’s Hint
ISO 9001:2008 was previously based on eight Quality Management Principles. With the introduction of Annex SL (and the omission of ‘A systems approach to management’), ISO 9001:2015 is now based around seven Quality Management Principles and the rather confusing phrase ‘Mutually beneficial supplier relationships’ has thankfully now been replaced by a far simpler phrase, ‘Relationship Management’.

FIG. 1.4 The ISO 9001:2015 process model and the seven management principles (figure labels: Customer focus; Leadership; Engagement of people; Process Approach; Improvement; Evidence decision making; Relationship management)

The seven principles contained in ISO 9001:2000 are of primary concern to an organisation, as they will affect the organisation’s overall approach to quality.


Principle 1: Customer focus

‘The primary focus of Quality Management is to meet customer requirements and to strive to exceed customer expectations’ (Annex SL)

Organisations depend on their customers and therefore should understand current and future customer needs. They should meet customer requirements and should strive to exceed customer expectations. Customer communication is the method used to enable customers to interact with the organisation.

The key benefits are:
• better use of the organisation’s resources;
• enhanced customer satisfaction;
• flexible and fast response to market opportunities;
• improved customer loyalty;
• increased revenue and market share;
• repeat business.

Principle 2: Leadership

‘Leaders at all levels establish unity of purpose and direction and create conditions in which people are engaged in achieving the quality objectives of the organisation’ (Annex SL)

Leaders establish unity of purpose, the direction and the internal environment of their organisation. They create an effective environment in which people can become fully involved in achieving the organisation’s objectives.

An organisation should ensure that its leaders:
• build trust and eliminate fear;
• consider the needs of all interested parties;
• establish a clear vision of the organisation’s future;
• establish shared values and ethical role models at all levels of the organisation;
• lead by example;
• promote open and honest communication;
• provide people with the required resources and freedom to act with responsibility and accountability;
• set challenging goals and targets;
• set up a strategy to achieve these goals and targets;
• understand and respond to changes in the external environment.


The key benefits are:
• better communication levels throughout the organisation;
• better understanding of the reasons for achieving the organisation’s goals and objectives;
• evaluation of activities;
• minimising the possibilities for error.

Principle 3: Engagement of people

‘It is essential for the organisation that all people are competent, empowered and engaged in delivering value’ (Annex SL)

People at all levels are the essence of an organisation, and their full involvement enables their abilities to be used for the organisation’s benefit.

An organisation should ensure that all personnel:
• accept ownership and responsibility to solve problems;
• actively seek opportunities to enhance their own competence, knowledge and experience;
• actively seek opportunities to make improvements;
• are enthusiastic and proud to be part of the organisation;
• are firmly focused on the creation of value for customers;
• are innovative and creative in furthering the organisation’s objectives;
• derive satisfaction from their work;
• freely share their knowledge and experience with other members of the organisation;
• represent the organisation to customers, local communities and society in general.

The key benefits are:
• helping people to be motivated, committed and involved;
• inspiring people to continually improve on their organisation’s objectives;
• making people accountable for their own performance;
• stimulating people always to aim for continual improvement.


Principle 4: Process approach

‘Consistent and predictable results are achieved more effectively and efficiently when activities are understood and managed as interrelated processes that function as a coherent system’ (Annex SL)

A desired result is achieved more efficiently when related resources and activities are managed as a process.

An organisation must ensure that all of its personnel:
• are aware of the results the process is achieving;
• define the objectives of the organisation’s processes;
• define a process that will achieve specific objectives;
• determine the stages in the process necessary to achieve the results;
• determine the activities required to accomplish each process stage;
• determine the competence required of the people performing these activities;
• determine the measurements required to verify process inputs and outputs;
• determine the measurements required to establish process efficiency and effectiveness;
• determine the information and resource requirements needed to achieve the process objectives;
• determine the sequence and interaction of activities within the process;
• evaluate possible risks, consequences and impacts of processes on customers, suppliers and other stakeholders of that process;
• establish clear responsibility, authority and accountability for managing the process;
• identify the customers, suppliers and other stakeholders of the process;
• identify the inputs and outputs of the process;
• identify the interfaces between the processes within the organisation;
• measure process outputs, efficiency and effectiveness;
• take action to prevent use or delivery of nonconforming inputs or outputs until remedial action has been effected;
• take action to eliminate the cause of nonconforming inputs or outputs.

The key benefits are:
• lower costs and shorter cycle times;
• effective use of resources;
• improved, consistent and predictable results;
• focused and prioritised opportunities for improvement.


Principle 5: Improvement

‘Successful organisations have an ongoing focus on improvement’ (Annex SL)

Identifying, understanding and managing a system of inter-related processes for a given objective contribute to the effectiveness and efficiency of the organisation.

An organisation should ensure that all of its personnel:
• continually improve the system through measurement and evaluation;
• define the organisation as a system that is established to achieve organisational goals;
• define the system by identifying or developing the processes that affect a given objective;
• establish resource constraints prior to action so that system integrity is maintained when changes are made;
• structure the system to achieve the objective in the most efficient and effective way;
• understand the interdependencies among the processes of the system.

The key benefits are:
• coordination of all improvement possibilities and activities;
• improvement in organisational capability;
• provision of the flexibility to react to opportunities quickly.

Principle 6: Evidence-based decision making

‘Decisions based on the analysis and evaluation of data and information are more likely to produce desired results’ (Annex SL)

• Decision making built on the analysis of data should always be based on facts and evidence;
• effective decisions are based on the logical and intuitive analysis of data and information;
• gathering of reliable data via planned measures is the only way this can be achieved.

The key benefit is:
• ability to review, challenge and change opinions and decisions.


Principle 7: Relationship management

‘For sustained success, organisations manage their relationships with interested parties, such as suppliers’ (Annex SL)

• The mutual support of an organisation and its suppliers adds value;
• mutually beneficial relationships between an organisation and its suppliers enhance the ability of both organisations to create value;
• supplier/customer relationships should always be viewed as interdependent.

The key benefits are:
• ability to react quickly to a changing market and/or customer needs and expectations;
• costs optimised;
• potential for creating value for both parties;
• resources used to their best advantage.

FIG. 1.5 The ISO 9001:2015 process model (figure labels: Continual Improvement of the Management System; Customer Focus; Leadership; Management Responsibility; Evidence-based Decision Making; Engagement of People; Resource Management; Relationship Management; Product Realisation; Measurement, Analysis & Improvement; Process Approach; Improvement; Customers; Requirements; Satisfaction; Product; Input; Output)


1.10 BENEFITS OF THE REVISED STANDARD

There are many, quite major, benefits arising from the revised Quality Management Systems standard structure, such as:
• its applicability to all product categories (in all sectors and to all sizes of organisations);
• being simpler to use, clearer in language, readily translatable and more understandable;
• having a significant reduction in the amount of required documentation;
• providing a link between Quality Management Systems and organisational processes;
• providing a natural move towards improved organisational performance;
• covering the requirement for continual improvement and customer satisfaction;
• its increased compatibility with other management systems;
• providing a consistent basis to address the needs and interests of organisations in specific sectors (e.g. medical devices, telecommunications, automotive, etc.);
• considering the needs of and benefits to all interested parties.

1.11 OTHER BENEFITS

As shown below, the benefits of an organisation implementing an ISO 9001:2015 culture are far-reaching.

FIG. 1.6 Other benefits of ISO 9001:2015 (figure labels: Customers; People within the organisation; Owners and investors; Suppliers and partners; Society)


1.11.1 Customers

Customers and users will benefit by receiving products that:
• conform to the requirements;
• are dependable and reliable;
• are available when needed;
• are maintainable.

1.11.2 People within the organisation

People in the organisation will benefit from:
• better working conditions;
• increased job satisfaction;
• improved health and safety;
• improved morale;
• improved stability of employment.

1.11.3 Owners and investors

Owners and investors will benefit from:
• increased return on investment;
• improved operational results;
• increased market share;
• increased profits.

1.11.4 Suppliers and partners

Suppliers and partners will benefit from:
• stability;
• growth;
• partnership and mutual understanding.

1.11.5 Society

Society will benefit from:
• fulfilment of legal and regulatory requirements;
• improved health and safety;
• reduced environmental impact;
• increased security.


1.12 PERMISSIBLE EXCLUSIONS

In the 2008 edition of ISO 9001 there were a number of mandatory requirements (e.g. the requirement for an organisation to possess a formal Document Control procedure), but owing to the generic nature of the standard some of these requirements did not apply directly to a particular organisation and ISO allowed for these to be ‘permitted exclusions’.

In the current 2015 edition, the standard no longer refers to ‘exclusions’ in relation to the applicability of its requirements to the organisation’s Quality Management System. This enables an organisation to review the applicability of ISO 9001’s requirements based on its size or complexity, the management model it adopts, the range of its activities and the nature of the risks and opportunities it encounters. This change is reflected in Section 4.3 of ISO 9001:2015 which states:

ISO 9001:2015 Clause 4.3 ‘Determining the scope of the Quality Management System’

‘Conformity to this International Standard may only be claimed if the requirements determined as not being applicable do not affect the organisation’s ability or responsibility to ensure the conformity of its products and services and the enhancement of customer satisfaction’

1.13 COST

In practice, Quality Management Systems can be very expensive to install and operate, particularly if inadequate Quality Assurance and Quality Control methods were previously used. If the purchaser requires consistent quality they must pay for it, regardless of the specification or order which the organisation has accepted. However, this expenditure must always be offset against the savings in rework, scrapped material and general problems arising from lack of quality.

From an organisation’s point of view, there is a business requirement to obtain and maintain the desired quality at an optimum cost. The following represent some of the additional expenses that can be incurred:
• implementation and maintenance of an organised document control system throughout the organisation;
• training for the Quality Assurance team;
• salaries for the Quality Assurance team, planners, quality supervisors, calibration/test equipment Staff and Top Management;
• visits by the Quality Assurance Staff to other organisations, subcontractors and the eventual consumer, for evaluation and audit of their facilities and products;
• testing equipment of a recognised type, standard and quality, regularly maintained and calibrated by an accredited calibration centre;
• better storage facilities.

FIG. 1.7 Quality Management System costs (figure labels: Increased cost; Increased benefits; Optimum benefit)

With an effective QMS in place the designer, manufacturer and supplier will achieve increased profitability and market share and the purchaser can expect reduced costs, improved product fitness for role, increased satisfaction and, above all, growth in confidence.

Author’s Hint
The cost of implementing any necessary changes to an existing 2008 compliant Quality Management System in order to meet the requirements of ISO 9001:2015 will obviously vary from one organisation to another, depending on various factors such as the actual state of implementation of the QMS, the size and complexity of the organisation, the attitude and commitment of the Top Management, etc. It is anticipated that the benefits to all organisations, however, will far outweigh eventual costs associated with the transition and any additional costs should be considered as a ‘value-added investment’.


Chapter 2

The content and requirements of the ISO 9001:2015 standard

CONTENTS

2.1 What are the current ISO 9000 standards?
2.1.1 ISO 9000:2005 Quality Management Systems: fundamentals and vocabulary
2.1.2 ISO 9004:2009 Managing for the sustained success of an organisation. A Quality Management approach
2.1.3 ISO 9001:2015 Quality Management Systems. Requirements
2.2 What is the structure of ISO 9001:2008?
2.3 What is the difference between ISO 9001:2015 and ISO 9001:2008

2.1 WHAT ARE THE CURRENT ISO 9000 STANDARDS?

The ISO 9000 family of standards consists of three primary standards supported by a number of technical reports. These are:
• ISO 9000:2015 Quality Management Systems: fundamentals and vocabulary – which describes the fundamentals of QMSs and specifies the terminology for QMSs.
• ISO 9004:2009 Managing for the sustained success of an organisation. A Quality Management approach – which provides guidance on QMSs, including the processes for continual improvement that will contribute to the satisfaction of an organisation’s customers and other interested parties.
• ISO 9001:2015 Quality Management Systems. Requirements – which is the most important Quality Management ‘requirements’ standard that is applicable to all organisations, products and services.


FIG. 2.1 The ISO 9000 family (figure labels: The ISO 9000 family of standards; ISO 9000:2015 Fundamentals and vocabulary; ISO 9001:2015 Requirements; ISO 9004:2009 The quality management approach)

2.1.1 ISO 9000:2005 Quality Management Systems: fundamentals and vocabulary

To ensure a more harmonised approach to standardisation (and the hopeful(!) achievement of coherent terminology within the ISO 9000 family), ISO 9000:2015 was developed in order to assist:
• those concerned with enhancing the mutual understanding of the terminology used in Quality Management (e.g. suppliers, customers, regulators);
• internal or external auditors, regulators, certification and/or registration bodies;
• developers of related standards;
• organisations that provide advice or training on the quality matters.

FIG. 2.2 The way to ISO 9000:2015 (figure label: ISO 9000:2015 Fundamentals and vocabulary)


ISO 9000:2015 also provides:
• an introduction to the fundamentals of Quality Management Systems;
• terms and definitions;
• the methodology used in the development of the vocabulary.

2.1.2 ISO 9004:2009 Managing for the sustained success of an organisation. A Quality Management approach

Author’s Hint
This third edition of ISO 9004 contains up-to-date information on achieving sustainable business success through Quality Management.

It provides guidance on QMSs, including the processes that are required for continual improvement and, ultimately, customer satisfaction. It outlines the importance of self-assessment to identify areas of strength within organisations and areas where improvements can be made.

Author’s Hint
ISO 9004 will help you achieve and maintain business objectives in the long term; however, it is not intended to provide certification or regulatory requirements. Instead, it builds on ISO 9001 to widen the scope of your Quality Management and give you greater confidence in how you assess, maintain and improve it.

FIG. 2.3 The reason for ISO 9004:2009 (figure label: ISO 9004:2009 The quality management approach)

ISO 9004 outlines a systematic approach to continual improvement of your organisation’s overall performance. This includes best practice advice on quality strategy and policy, as well as managing resources and processes.

ISO 9004:2009 also provides:
• Quality Management Principles;
• managing for the sustained success of an organisation;
• strategy and policy;
• resource management;
• process management;
• monitoring, measurement, analysis and reviews;
• improvement, innovation and learning;
• self-assessment tools;
• normative references;
• terms and definitions.


2.1.3 ISO 9001:2015 Quality Management Systems. Requirements

ISO 9001:2015 is a single Quality Management requirements standard that is applicable to all organisations, products and services. It is the only standard that can be used for the certification of a QMS, and its generic requirements can be used by any organisation to:
• address customer satisfaction;
• meet customer and applicable regulatory requirements;
• enable internal and external parties (including certification bodies) to assess the organisation’s ability to meet these customer and regulatory requirements.

FIG. 2.4 The benefits of gaining ISO 9001:2015 (figure label: ISO 9001:2015 Requirements)

For certification purposes, your organisation will now have to possess a documented management system which takes the inputs and transforms them into targeted outputs, something that effectively:
• says what they are going to do;
• does what they have said they are going to do;
• keeps records of everything that they do – especially when things go wrong.

The basic process used to achieve these targeted outputs will encompass:
• the client’s requirements;
• the inputs from management and Staff;
• documented controls for any activities that are needed to produce the finished article;
• and, of course, delivering a product or service which satisfies the customer’s original requirements.

2.2 WHAT IS THE STRUCTURE OF ISO 9001:2008?

ISO 9001:2015 commences with an introductory section, which is then followed by the seven sections that make up ISO 9001:2015 and which are summarised below.

Clause 1 Scope

The Scope is intended as a means by which organisations can demonstrate their ability to supply products and services that consistently meet customer and applicable statutory and regulatory requirements.


FIG. 2.5 The major clauses (figure panels: 1 Scope; 2 Normative references; 3 Terms and definitions; 4 Context of the organisation; 5 Leadership; 6 Planning; 7 Support; 8 Operation; 9 Performance evaluation; 10 Improvement, each shown with its sub-clauses)

Clause 2 Normative references

This section lists any standards that form a mandatory input to ISO 9001:2015. ISO 9001:2015 does not contain any additional normative references.

Clause 3 Terms and definitions

This section contains a description of the ISO 9001:2015 standard-specific terms and definitions. For ISO 9001:2015, all relevant terms and conditions have been brought directly into the primary standard.

Clause 4 Context of the organisation

This clause is broken down into four separate sub-clauses which address the scope of the organisation’s Quality Management System, with particular emphasis on the needs and expectations of interested parties. It provides the basic foundation of any management system for identifying, monitoring and reviewing internal and external issues that are relevant to its purpose and strategic direction, and that have the ability to impact the Quality Management System’s intended results.


FIG. 2.6 Clause 4: Context (figure labels: 4 Context of the organisation; The organisation and its content; Interested parties; Scope of the QMS; QMS and its processes)

Author’s Hint
The list of interested parties that the organisation needs to consider must include: direct customers, end users, suppliers, distributors, retailers (or others involved in the supply chain), regulators, etc.


The organisation and its context

ISO 9001:2015 Clause 4.1 ‘Understanding the organisation and its context’

‘The organisation shall determine external and internal issues that are relevant to its purpose and its strategic direction and that affect its ability to achieve the intended result(s) of its Quality Management System’

This is a new clause introduced into ISO 9001:2015 relating to ‘Context’, which requires organisations to identify, monitor and review all external and internal issues that could influence the requirements of the organisation’s QMSs.

The needs and expectations of interested parties

ISO 9001:2015 Clause 4.2 ‘Understanding the needs and expectations of interested parties’

‘The organisation shall determine:
• the interested parties that are relevant to the Quality Management System;
• the requirements of these interested parties that are relevant to the Quality Management System’

This is another new clause introduced for ISO 9001:2015, which requires organisations to identify ‘relevant interested parties’ (groups or individuals) who have the ability to impact (or potentially impact) the organisation’s capability to consistently supply products and services that meet customer and applicable statutory and regulatory requirements.

The scope of the Quality Management System

ISO 9001:2015 Clause 4.3 ‘Determining the scope of the Quality Management System’

‘The organisation shall determine the boundaries and applicability of the Quality Management System to establish its scope’

The organisation must establish, implement, maintain and improve its Quality Management System (including the necessary processes and their interactions) in accordance with the requirements of this standard.


Quality Management System and its processes

ISO 9001:2015 Clause 4.4 ‘Quality Management System and its processes’

‘The organisation shall:
• establish, implement, maintain and continually improve a Quality Management System, including the processes needed and their interactions;
• maintain and retain documented information to support the operation of its processes’

ISO 9001:2015 has now made it a mandatory requirement for an organisation to establish a process-based Quality Management System. Once this is in place and fully implemented, it needs to be maintained and continually improved.

Clause 5 Leadership

‘Management responsibility’ is replaced by ‘Leadership’ in the 2015 edition of ISO 9001.

Although ‘Leadership’ would seem at first glance to be just a reiteration of what’s gone before regarding policy, organisational roles, responsibilities, authorities and so on, in the 2015 edition there is now much more emphasis on this being seen as a ‘hands on’ Leadership as opposed to just ‘management’.

FIG. 2.7 Clause 5: Leadership (figure labels: 5 Leadership; Leadership and commitment; Quality policy; Roles, responsibilities and authorities)


Leadership and commitment

ISO 9001:2015 Clause 5. ‘Leadership and commitment’

‘Top Management shall demonstrate Leadership and commitment with respect to:
• the Quality Management System;
• customer focus’

ISO 9001:2015 specifically requires Top Management to accept responsibility for, and demonstrate their commitment to, their organisation’s QMS. It is also now a mandatory requirement for Top Management to guarantee that their organisation consistently provides products and services that conform to customer requirements, that meet applicable statutory and regulatory requirements and (of prime importance!) enhance customer satisfaction.

Policy

ISO 9001:2015 Clause 5.2 ‘Policy’

‘Top Management shall establish, implement and maintain a Quality Policy that:
• is appropriate to the purpose and context of the organisation and supports its strategic direction;
• provides a framework for setting quality objectives;
• includes a commitment to satisfy applicable requirements and continual improvement of the Quality Management System;
• is available and maintained as documented information;
• is communicated, understood and applied within the organisation;
• is available to relevant interested parties, as appropriate’

Top Management are now required to ensure that their organisation’s Quality Policy and quality objectives are consistent with the organisation’s overall strategic direction, and with the situation in which the organisation is currently operating or intends to operate.

Organisational roles, responsibilities and authorities

ISO 9001:2015 Clause 5.3 ‘Organisational roles, responsibilities and authorities’

‘Top Management shall ensure that the responsibilities and authorities for relevant roles are assigned, communicated and understood within the organisation’

Top Management need to assign appropriate roles, responsibilities and authorities to the necessary people, who can be trusted to ensure that the organisation’s QMS is capable of covering and meeting all of the requirements of ISO 9001:2015 that are necessary for their type of business.

Clause 6 Planning

This clause is all about how the organisation will prevent, or reduce, undesired effects (i.e. risks). How will it ensure that it can achieve the aims of its QMS and ensure continual improvement?

FIG. 2.8 Clause 6: Planning (diagram of 6 Planning: Risks and opportunities; Quality objectives; Planning of changes)

Risks and opportunities

ISO 9001:2015 Clause 6.1 ‘Actions to address risks and opportunities’

‘When planning the Quality Management System, the organisation shall consider the issues concerning the organisation and its context and the requirements concerning the needs and expectations of interested parties (referred to in 4.1 and 4.2) and:
• determine the risks and opportunities that need to be addressed;
• plan actions to address these risks and opportunities;
• integrate and implement the actions into its Quality Management System processes;
• evaluate the effectiveness of these actions’

This is a new requirement (brought about by the introduction of Annex SL) which requires organisations to adopt a risk-based approach when planning the workflow of their business, and which means that they will have to decide those risks and opportunities that will have the potential to impact the operation and performance of their Quality Management System, both positively and negatively.

Author’s Hint: This risk-based methodology will incorporate much of what was previously called ‘preventive action’.

Quality objectives and planning to achieve them

ISO 9001:2015 Clause 6.2 ‘Quality objectives and planning to achieve them’

‘The organisation shall establish quality objectives at relevant functions, levels and processes needed for the Quality Management System, which shall:
• be consistent with the Quality Policy;
• be measurable;
• take into account applicable requirements;
• be relevant to conformity of products and services and to enhancement of customer satisfaction;
• be monitored;
• be communicated;
• be updated as appropriate’

‘The organisation shall also determine:
• what will be done;
• what resources will be required’

Top Management need to document a set of quality objectives that the organisation must meet, particularly with respect to the conformity of products and services and the enhancement of customer satisfaction.

Planning of changes

ISO 9001:2015 Clause 6.3 ‘Planning of changes’

‘When the organisation determines the need for changes to the Quality Management System, the changes shall be carried out in a planned manner’

When there is a need to make a change to the QMS, then this must be completed in a controlled manner and any changes proposed must be thoroughly reviewed.

Clause 7 Support

This clause considers what resources are required to meet the goals, policies, objectives and ambitions of an organisation.

FIG. 2.9 Clause 7: Support (diagram of 7 Support: Resources; Competence; Awareness; Communication; Documented information)

Resources

ISO 9001:2015 Clause 7.1 ‘Resources’

‘The organisation shall determine and provide:
• the resources needed for the establishment, implementation, maintenance and continual improvement of the Quality Management System;
• the persons necessary for the effective implementation of its Quality Management System and for the operation and control of its processes;
• the infrastructure necessary for the operation of its processes and to achieve conformity of products and services;
• the environment necessary for the operation of its processes and to achieve conformity of products and services;
• the resources needed to ensure valid and reliable results when monitoring or measuring is used to verify the conformity of products and services to requirements’

Author’s Hint: When measurement traceability is a requirement (or has become an essential part of providing confidence in the validity of measurement results), then all necessary measuring equipment should be identified, calibrated (or certified) and safeguarded from adjustments, damage or deterioration prior to use.

There are a number of specifics that an organisation is required to consider when providing resources. For example, it will have to decide and then subsequently provide the knowledge-based resources necessary to establish, implement, maintain and continually improve its QMS, taking into consideration whether this can be provided from its existing internal resources or whether it needs to be outsourced from an external provider. It will also need to provide the necessary infrastructure to support process operations and properly maintain a suitable environment for the operation of its processes, to assure conformity of products and services.

Competence

ISO 9001:2015 Clause 7.2 ‘Competence’

‘The organisation shall determine the necessary competence of person(s) doing work under its control that affects the performance and effectiveness of the Quality Management System’

The organisation must ensure that those people performing work under its control possess the necessary competencies, on the basis of their education, training or experience.

Awareness

ISO 9001:2015 Clause 7.3 ‘Awareness’

‘The organisation shall ensure that persons doing work under the organisation’s control are aware of:
• the Quality Policy;
• relevant quality objectives;
• their contribution to the effectiveness of the Quality Management System;
• the implications of not conforming with the Quality Management System requirements’

ISO 9001:2015 now makes it a requirement for people completing work under the organisation’s control (including subcontractors) to be aware of the organisation’s Quality Policy, any quality objectives that are relevant to them, how they will be contributing to the effectiveness of the QMS and what implications there will be if they don’t conform to these QMS requirements.

Communication

ISO 9001:2015 Clause 7.4 ‘Communication’

‘The organisation shall determine the internal and external communications relevant to the Quality Management System’

Organisations need to decide on what they will communicate, when they will communicate, with whom they will communicate and how they will communicate – taking into consideration whether this is internal, external or third party communication.

Documented information

ISO 9001:2015 Clause 7.5 ‘Documented information’

‘The organisation’s Quality Management System shall include documented information required by this International Standard in addition to that necessary for the effectiveness of their Quality Management System. This documented information shall be controlled to ensure that:
• it is available and suitable for use, where and when it is needed;
• it is adequately protected;
• it includes all the relevant information concerning description format, type of media to be used, and how it should be reviewed and approved for suitability and adequacy’

Similar to the previous edition of the standard, the organisation must document all the information detailed in ISO 9001:2015 that is necessary for the effective operation of its QMS. Furthermore, this information must be properly identified and described (e.g. title, date, author, reference number, etc.) in an appropriate format (e.g. language, software version, graphics, etc.); and made available throughout the organisation (e.g. via paper and/or electronic means) when and where needed.

It must also ensure that this information is protected against improper use, loss of integrity and loss of confidentiality, and (in this day and age) that it has adequate anti-virus protection, of course!

Author’s Hint: As previously mentioned, the terms ‘document’ and ‘record’ have both been replaced throughout the requirements text by ‘documented information’.

Clause 8 Operations

The requirement to plan and develop processes has now been expanded for the organisation to plan, implement and control the processes that it needs.

Author’s Hint: In addition, the term ‘product realisation’ has been replaced by ‘operation’, and the requirement for ‘Planning of product realisation’ has been replaced by ‘Operational planning and control’.

FIG. 2.10 Clause 8 Operations

Planning and control

ISO 9001:2015 Clause 8.1 ‘Operational planning and control’

‘The organisation shall plan, implement and control the processes needed to meet the requirements for the provision of products and services’

In addition to an organisation having to plan, implement and control its processes in order for it to meet the product and service requirements of ISO 9001:2015, it must now also plan how to address any risks and opportunities that may impact these processes and, therefore, its ability to achieve these requirements.

Requirements for products and services

There are four separate subsections to this particular clause, as shown below:

‘Requirements for products and services’

ISO 9001:2015 Clause 8.2.1 ‘Customer communication’

‘Communication with customers shall include:
• providing information relating to products and services;
• handling enquiries, contracts or orders, including changes;
• obtaining customer feedback relating to products and services, including customer complaints;
• handling or controlling customer property;
• establishing specific requirements for contingency actions, when relevant’

‘Determining the requirements for products and services’

‘The organisation shall ensure that:
• the requirements for the products and services are defined, including:
  – any applicable statutory and regulatory requirements;
  – those considered necessary by the organisation;
• the organisation can meet the claims for the products and services it offers’

‘Review of requirements for products and services’

‘The organisation shall ensure that it has the ability to meet the requirements for products and services to be offered to customers and shall retain documented information, as applicable:
• on the results of the review;
• on any new requirements for the products and services’

‘Changes to requirements for products and services’

‘The organisation shall ensure that relevant documented information is amended, and that relevant persons are made aware of the changed requirements, when the requirements for products and services are changed’

Similarly, ISO 9001:2015 now requires the organisation to have a process in place to try to gain ‘customer feedback’, and now also to be able to gain and discuss the views and perceptions of the customer with respect to (for example) the handling and/or treatment of customer property and specific requirements.

Design and development of products and services

ISO 9001:2015 Clause 8.3 ‘Design and development of products and services’

‘The organisation shall:
• establish, implement and maintain a design and development process that is appropriate to ensure the subsequent provision of products and services;
• determine the requirements essential for the specific types of products and services to be designed and developed;
• apply controls to the design and development process and verify that the design output meets the design and development inputs;
• ensure that design and development outputs are capable of meeting the input requirements;
• identify, review and control changes made during, or subsequent to, the design and development of products and services, to the extent necessary to ensure that there is no adverse impact on conformity to requirements’

This is a new mandatory clause that requires the introduction of a design and development process, and is particularly aimed at organisations that have not established detailed requirements for their products or services, or where these have not been defined by the customer or other interested parties. Thus, in future, organisations will be required to plan and control the design and development of their products and services and describe a process comprising a number of stages, each of which will be subject to controls, and they must ensure the adequacy of requirements prior to their communication to the external provider.

Externally provided processes, products and services

ISO 9001:2015 Clause 8.4 ‘Control of externally provided processes, products and services’

‘The organisation shall ensure that externally provided processes, products and services conform to requirements and do not adversely affect the organisation’s ability to consistently deliver conforming products and services to its customers’

The organisation must ensure that externally provided processes, products and services (including training) satisfy specified requirements.

Production and service provision

ISO 9001:2015 Clause 8.5.1 ‘Production and service provision’

‘The organisation shall:
• implement production and service provision under controlled conditions;
• use suitable means to identify outputs when it is necessary to ensure the conformity of products and services;
• exercise care with property belonging to customers or external providers while it is under the organisation’s control or being used by the organisation;
• preserve the outputs during production and service provision, to the extent necessary to ensure conformity to requirements;
• meet requirements for post-delivery activities associated with the products and services;
• review and control changes for production or service provision, to the extent necessary to ensure continuing conformity with requirements’

This clause requires the organisation to control the way in which it provides its products and services and what activities need to be performed to produce the product or deliver the service.

Release of products and services

ISO 9001:2015 Clause 8.6 ‘Release of products and services’

‘The organisation shall implement planned arrangements, at appropriate stages, to verify that the product and service requirements have been met’

Before a product or service may be released to a customer, the organisation must verify that all customer- and product/service-specific requirements have been met.

Nonconforming outputs

ISO 9001:2015 Clause 8.7.1 ‘Control of nonconforming process outputs’

‘The organisation shall:
• ensure that outputs that do not conform to their requirements are identified and controlled to prevent their unintended use or delivery;
• retain documented information that:
  – describes the nonconformity;
  – describes the actions taken;
  – describes any concessions obtained;
  – identifies the authority deciding the action in respect of the nonconformity’

The organisation needs to develop controls to identify any process outputs, products and/or services that do not conform to their intended requirements, and to ensure that these are not delivered to the customer or used unintentionally.

Clause 9 Performance evaluation

This new clause includes a lot of what was in Clause 8 in the previous ISO 9001:2008 – ‘Measurement, analysis and improvement’, with the addition of evaluation, internal audit and management review.

FIG. 2.11 Clause 9: Performance evaluation (diagram of 9 Performance evaluation: Monitoring, measurement, analysis and evaluation; Internal audit; Management review)

Monitoring, measurement, analysis and evaluation

ISO 9001:2015 Clause 9.1 ‘Monitoring, measurement, analysis and evaluation’

‘The organisation shall:
• determine what needs to be monitored and measured;
• determine the methods for monitoring, measurement, analysis and evaluation needed to ensure valid results;
• determine when the monitoring and measuring shall be performed;
• determine when the results from monitoring and measurement shall be analysed and evaluated;
• monitor customers’ perceptions of the degree to which their needs and expectations have been fulfilled;
• determine the methods for obtaining, monitoring and reviewing this information;
• analyse and evaluate appropriate data and information arising from monitoring and measurement’

Basically this clause is all about risk assessment where, having initially determined when, how and what the organisation needs to monitor and measure, it must also decide how best to carry out these activities in order to improve the quality performance and effectiveness of its Quality Management System.

Author’s Hint: One of the principal changes here is that the organisation can no longer make its own decision (perception) as to whether it has satisfied its customers’ requirements; it now needs to find out exactly what the customer thinks of the organisation, its products and services.

Internal audit

ISO 9001:2015 Clause 9.2 ‘Internal audit’

‘The organisation shall plan, establish and conduct internal audits at planned intervals to provide information on whether the Quality Management System conforms to:
• the organisation’s own requirements for its Quality Management System;
• the requirements of this International Standard’

This is a reiteration of the previous ISO 9001:2008 standard whereby the organisation must carry out internal audits at planned intervals in order to determine whether its Quality Management System meets the requirements of its own documented QMS, as well as those of ISO 9001:2015.

Management review

ISO 9001:2015 Clause 9.3 ‘Management review’

‘Top Management shall review the organisation’s Quality Management System, at planned intervals, to ensure its continuing suitability, adequacy and effectiveness and alignment with the strategic direction of the organisation taking into consideration:
• actions from previous management reviews;
• changes in external and internal issues relevant to the QMS;
• customer satisfaction and feedback from relevant interested parties;
• process performance and conformity of products and services;
• nonconformities and corrective actions;
• monitoring and measurement results;
• audit results;
• performance of external providers;
• adequacy of resources;
• effectiveness of actions taken to address risks;
• opportunities for improvement.
The outputs from these reviews shall include decisions and actions related to:
• opportunities for improvement;
• any need for changes to the Quality Management System;
• resource needs’

While the overall purpose of management reviews remains unchanged and Top Management still needs to conduct regular reviews of the QMS at planned intervals, there are now new items relating to context, risk and opportunities that need to be considered.

Clause 10 Improvement

Author’s Hint: All references to ‘preventive action’ have been removed in ISO 9001:2015, as these have been replaced by ‘risk-based thinking’.

FIG. 2.12 Clause 10: Improvement (diagram of 10 Improvement: Nonconformity and corrective action; Continual improvement)

The main requirement of this new clause is for the organisation to address nonconformity, corrective action and improvement and, in doing so, not only continue to meet customer requirements but also improve customer satisfaction.

Nonconformity and corrective action

ISO 9001:2015 Clause 10.2 ‘Nonconformity and corrective action’

‘When a nonconformity, including any arising from complaints, occurs, the organisation shall take action to control and correct it’

When a nonconformity is identified, the organisation needs to take whatever action is necessary to control and correct the nonconformity and to make changes to the Quality Management System if necessary.

Continual improvement

ISO 9001:2015 Clause 10.3 ‘Continual improvement’

‘The organisation shall continually improve the suitability, adequacy and effectiveness of the Quality Management System’

Although the previous version of ISO 9001 required an organisation ‘continually to improve the effectiveness of their Quality Management System’, this has now been changed to a requirement for the organisation to work ‘continually to improve its Quality Management System in terms of its suitability, adequacy and effectiveness’.

2.3 WHAT IS THE DIFFERENCE BETWEEN ISO 9001:2015 AND ISO 9001:2008?

It is important to realise that not everything in the 2015 version of ISO 9001 has changed from the previous version! However, as ISO 9001:2015 was written in accordance with Annex SL (with text and terminology common to all other management system standards), the structure has changed quite dramatically as can be seen from the following table.

| ISO 9001:2015 Clause | ISO 9001:2015 Title | Equivalent ISO 9001:2008 Clause | ISO 9001:2008 Title |
|---|---|---|---|
| 1 | Scope | 1 | |
| 2 | Normative Reference | 2 | |
| 3 | Terms and Definitions | 3 | |
| 4 | Context of the Organisation (Section title) | 1.0 | Scope |
| 4.1 | Understanding the organisation and its context | 1.1 | General |
| 4.2 | Understanding the needs and expectations of interested parties | 1.1 | General |
| | | 4.2.2 | Quality Manual |
| 4.3 | Determining the scope of the Quality Management System | 1.2 | Application |
| | | 4.2.2 | Quality Manual |
| 4.4 | Quality Management System and its processes | 4 | Quality Management System |
| | | 4.1 | General requirements |
| 5 | Leadership (Section title) | 5 | Management responsibility |
| 5.1 | Leadership and commitment | 5.1 | Management commitment |
| 5.2 | Policy | 5.3 | Quality Policy |
| 5.3 | Organisational roles, responsibilities and authorities | 5.5.1 | Responsibility and authority |
| | | 5.5.2 | Management representative |
| 6 | Planning (Section title) | 5.4.2 | Quality Management System planning |
| 6.1 | Actions to address risks and opportunities | 5.4.2 | Quality Management System planning |
| | | 8.5.3 | Preventive action |
| 6.2 | Quality objectives and planning to achieve them | 5.4.1 | Quality objectives |
| 6.3 | Planning of changes | 5.4.2 | Quality Management System planning |
| 7 | Support (Section title) | 6 | Resource management |
| 7.1 | Resources | 6 | Resource management |
| 7.1.1 | General | 6.1 | Provision of resources |
| 7.1.2 | People | 6.1 | Provision of resources |
| 7.1.3 | Infrastructure | 6.3 | Infrastructure |
| 7.1.4 | Environment for the operation of processes | 6.4 | Work environment |
| 7.1.5 | Monitoring and measuring resources | 7.6 | Control of monitoring and measuring equipment |
| 7.1.6 | Organisational knowledge | New | |
| 7.2 | Competence | 6.2.1 | General |
| | | 6.2.2 | Competence, training and awareness |
| 7.3 | Awareness | 6.2.2 | Competence, training and awareness |
| 7.4 | Communication | 5.5.3 | Internal communication |
| 7.5 | Documented Information | 4.2 | Documentation requirements |
| 7.5.1 | General | 4.2.1 | General |
| 7.5.2 | Creating and Updating | 4.2.3 | Control of documents |
| | | 4.2.4 | Control of records |
| 7.5.3 | Control of Documented Information | 4.2.3 | Control of documents |
| | | 4.2.4 | Control of records |
| 8 | Operation (Section title) | 7 | Product realisation |
| 8.1 | Operational planning and control | 7.1 | Planning of product realisation |
| 8.2 | Requirements for products and services | 7.2.2 | Customer-related processes |
| 8.2.1 | Customer communication | 7.2.3 | Customer communication |
| 8.2.2 | Determination of requirements related to products and services | 7.2.1 | Determination of requirements related to the product |
| 8.2.3 | Review of requirements related to products and services | 7.2.2 | Review of requirements related to the product |
| 8.2.4 | Changes to requirements for products and services | 7.2.2 | Review of requirements related to the product |
| 8.3 | Design and development of products and services | 7.3 | Design and development |
| 8.3.1 | General | New | |
| 8.3.2 | Design and development planning | 7.3.1 | Design and development planning |
| 8.3.3 | Design and development inputs | 7.3.2 | Design and development inputs |
| 8.3.4 | Design and development controls | 7.3.4 | Design and development review |
| | | 7.3.5 | Design and development verification |
| | | 7.3.6 | Design and development validation |
| 8.3.5 | Design and development outputs | 7.3.3 | Design and development outputs |
| 8.3.6 | Design and development changes | 7.3.7 | Control of design and development changes |
| 8.4 | Control of externally provided processes, products and services | 7.4.1 | Purchasing process |
| 8.4.1 | General | 7.4.1 | Purchasing process |
| 8.4.2 | Type and extent of control | 7.4.1 | Purchasing process |
| | | 7.4.3 | Verification of purchased product |
| 8.4.3 | Information for external providers | 7.4.2 | Purchasing information |
| 8.5 | Production and service provision | 7.5 | Production and service provision |
| 8.5.1 | Control of production and service provision | 7.5.1 | Control of production and service provision |
| 8.5.2 | Identification and traceability | 7.5.3 | Identification and traceability |
| 8.5.3 | Property belonging to customers or external providers | 7.5.4 | Customer property |
| 8.5.4 | Preservation | 7.5.5 | Preservation of product |
| 8.5.5 | Post-delivery activities | 7.5.1 | Control of production and service provision |
| 8.5.6 | Control of changes | 7.3.7 | Control of design and development changes |
| 8.6 | Release of products and services | 8.2.4 | Monitoring and measurement of processes |
| | | 7.4.3 | Verification of purchased product |
| 8.7 | Control of nonconforming outputs | 8.3 | Control of nonconforming product |
| 9 | Performance evaluation (Section title) | New | |
| 9.1 | Monitoring, measurement, analysis and evaluation | 8 | Measurement, analysis and improvement |
| 9.1.1 | General | 8.1 | General |
| 9.1.2 | Customer satisfaction | 8.2.1 | Customer satisfaction |
| 9.1.3 | Analysis and evaluation | 8.4 | Analysis of data |
| 9.2 | Internal audit | 8.2.2 | Internal audit |
| 9.3 | Management review | 5.6 | Management review |
| 10 | Improvement (Section title) | 8.5 | Improvement |
| 10.1 | General | 8.5.1 | Continual improvement |
| 10.2 | Nonconformity and Corrective Action | 8.3 | Control of nonconforming product |
| | | 8.5.2 | Corrective action |
| 10.3 | Continual Improvement | 8.5.1 | Continual improvement |

Chapter 3

Compatibility of ISO 9001:2015 with other management systems

CONTENTS

3.1 Is ISO 9001:2015 compatible with other management systems?
3.1.1 The OHSAS 18000 Series
3.1.2 The ISO 14000 Series
3.1.3 What is the difference between ISO 9000 and ISO 14000?
3.2 What other standards are based on ISO 9001:2008?
3.2.1 Aerospace
3.2.2 Auditing management systems
3.2.3 Automotive industry
3.2.4 Computer software
3.2.5 Crop production
3.2.6 Data
3.2.7 Education
3.2.8 Electoral organisations
3.2.9 Energy management systems
3.2.10 Explosive atmospheres
3.2.11 Food safety
3.2.12 Good manufacturing practice
3.2.13 Health care
3.2.14 Human resources
3.2.15 Information technology
3.2.16 Information security
3.2.17 Local government
3.2.18 Measurement manufacturing systems
3.2.19 Medical devices
3.2.20 Multi-layer piping systems
3.2.21 Packaging: transport packages for dangerous products
3.2.22 Petroleum, petrochemical and natural gas industries
3.2.23 Quality Management System consultants
3.2.24 Quality Management Systems projects
3.2.25 Quality Plans
3.2.26 Ships and marine technology
3.2.27 Software engineering
3.2.28 Space systems
3.2.29 Supply chain management
3.2.30 Systems engineering
3.2.31 Telecommunications industry
3.2.32 Testing and calibration laboratories
3.2.33 Welding consumables

3.1 IS ISO 9001:2015 COMPATIBLE WITH OTHER MANAGEMENT SYSTEMS?

Similar to its 2008 predecessor, ISO 9001:2015 is intended to be compatible with other internationally recognised management system standards – particularly those relating to Environmental Management and Occupational Health and Safety (OHS). Although ISO 9001:2015 does not include any requirements that are actually specific to any of these other management systems, it does, nevertheless, allow an organisation to align and integrate its own ISO 9001:2015 Quality Management-compatible system with other (related) management system requirements.

In many cases, it may even be possible for an organisation to adapt an existing Environmental, Health and/or Safety Management System so that it can establish a QMS that complies with the requirements of ISO 9001:2015. For example, a company designing, producing and installing a medical device, such as a pacemaker for implanting into someone’s chest, would require Registration to both ISO 13485 for Medical Devices as well as ISO 9001 for Quality Management – especially as it could involve ‘patient safety’.

3.1.1 The OHSAS 18000 Series

Occupational Health & Safety Assessment Series (OHSAS) 18000 is the internationally recognised assessment specification for OHS Management Systems. It has been specifically designed to be compatible with ISO 9001 and the ISO 14001 Environmental Management Standard, and its aim is to help organisations meet their health and safety obligations in an efficient manner. OHSAS 18000 is made up of two standards (ISOs 18001 and 18002) and includes the requirements from the previous BS8800:1996 (Guide to Occupational Health and Safety Management Systems) standards, as well as other internationally recognised OHS publications.

FIG. 3.1 Compatibility with health and safety and environmental management systems (diagram relating ISO 9001:2015 Quality Management System Requirements, comprising Management responsibility, Resource management, Product realisation, and Measurement, analysis and improvement, to OHSAS 18001:2001 Occupational Health and Safety Management Systems Requirements and ISO 14001:2004 Environmental Management Systems Requirements with guidance for use)

OHSAS 18001

OHSAS 18001 is the assessment specification for Occupational Health and Safety Management Systems. It can be used by any organisation wishing to implement a formal procedure for reducing the risks associated with health and safety in the working environment for employees, customers and the general public, by addressing the following key areas:

• planning for risk assessment, risk control and hazard identification and analysis;
• the OHSAS management programme;
• structure and responsibility;
• training, awareness and competence;
• consultation and communication;
• operational control;
• emergency preparedness and response;
• performance measuring, monitoring and improvement.

Author’s Hint
To complement OHSAS 18001, BSI published OHSAS 18002, which explains the requirements of the specification and shows you how to work toward implementation and registration.

3.1.2 The ISO 14000 Series

The ISO 14000 Environmental Management series helps organisations minimise the negative effect of their operations on the environment (such as causing unfavourable changes to air, water or land). Similar to ISO 9001, ISO 14000 makes use of processes to describe how a product or service is produced and, in doing so, systematically reduce the impact of the environmental aspects which an organisation can control. This standard is applicable to any organisation that wishes to:

• implement, maintain and improve an environmental management system;
• ensure compliance with environmental laws and regulations;
• assure itself of its conformance with its own stated environmental principles and activities;
• demonstrate conformance;
• seek certification of its environmental management system by an external third party organisation;
• make a self-determination and self-declaration of environmental conformity.

The ISO 14000 family addresses various aspects of environmental management, and its structure is very similar to the ISO 9001 series; ISO 14001 provides the requirements for an Environmental Management System (EMS), while ISO 14004 provides general EMS guidelines.

3.1.3 What is the difference between ISO 9000 and ISO 14000?

ISO 9001:2015 has been closely aligned with ISO 14001:2015 in order to ‘enhance the compatibility of these two standards for the benefit of the user community’ (see table in Annex A to this chapter). While both of these standards are effectively ‘generic management system standards’, the ISO 9000 family is primarily concerned with ‘quality management’ and:

• what the organisation does to fulfil the customer’s quality requirements;
• how it meets the applicable regulatory requirements;
• how it enhances customer satisfaction;
• how it achieves continuous improvement of its performance, product and/or service.

On the other hand, ISO 14000 is aimed at continuously reducing pollution (through the more efficient and responsible use of raw materials) and the minimisation of energy usage and waste. It is concerned with how an organisation:

• minimises harmful effects on the environment caused by its activities;
• achieves continual improvement of its environmental performance.

3.2 WHAT OTHER STANDARDS ARE BASED ON ISO 9001:2008?

Over the last 10–15 years, reliance on the ISO 9000 series of quality standards has become a growing trend worldwide with not just large multinationals seeking registration to ISO 9001, but also an increasing number of small and medium-sized enterprises (SMEs). Within Europe and the United States, ISO 9001 has had a huge impact on a large part of the business community. Larger companies have seen the immediate benefits of becoming registered, particularly those expanding into the global marketplace. Smaller US companies, although not as quick to jump on the bandwagon (mainly due to the perceived cost of registration), are now seeing the benefits of working in compliance with ISO 9001 and, because of the reduced fees associated with registering a small company (indeed of those companies registered since 2000, about 50% were able to recover their ISO 9001 implementation costs in three years or less, according to a recent McGraw-Hill study), the USA is now among the world leaders in ISO 9001:2015 SME-registered companies.

The ISO and ANSI have always worked closely together in producing interpretative and interoperable standards on both sides of the Atlantic, and previous versions of ISO 9000 standards have frequently been used as the generic template for other industry management system standards. Currently, these are all gradually being rewritten (using the same Annex SL structure, format and terminology, etc.) around the requirements and recommendations of ISO 9001:2015 and, listed below, are some of the standards having a strong ‘relationship’ with ISO 9001:2015 of which I am aware at the time of writing this book.

Author’s Hint
It has to be said, however, that much of the previous ISO 9001:2008 standard that was used in these other documents has been preserved, and it is assumed that any future revisions of these standards that will have to be made in accordance with the 2015 version will be of a very minor nature only.

FIG. 3.2 The extent of the ever-growing ISO 9001:2015 family (diagram with ISO 9001 at the centre, surrounded by the sectors that have related standards, such as aerospace, automotive, education, food, energy, health, medical, telecomms, and testing and calibration)

Table 3.1 lists other standards based on the previous ISO 9001:2008.

3.2.1 Aerospace

‘AS/EN/JIS 9100: 2009 (Quality Management Systems – Aerospace – Requirements)’ is an international aerospace standard for Quality Assurance in design, development, production, installation and servicing of aircraft and aircraft systems.

3.2.2 Auditing management systems

‘ISO 19011:2011 (Guidelines for auditing management systems)’ provides the fundamental knowledge needed for the internal, external or third party audit of a management system, and this has been expanded to reflect modern thinking and the intricacies of auditing multiple Management System Standards (MSS).

TABLE 3.1 Other standards based on the previous ISO 9001:2008

| Subject | Standard |
| --- | --- |
| Aerospace | AS 9100:2009 |
| Auditing management systems | ISO 19011:2011 |
| Automotive industry | ISO 16949:2009 |
| Computer software | ISO 90003:2014 |
| Crop production | ISO 22006:2009 |
| Data | ISO/TS 8000-150:2011 |
| Education | ISO 18091:2014 |
| Electoral organisations | ISO 17582:2014 |
| Energy management systems | ISO 50001:2011 |
| Explosive atmospheres | ISO/IEC 80079–34:2011 |
| Food safety | ISO 22000:2005 |
| Good manufacturing practice | ISO 15378:2011 |
| Health care | IWA 1:2005 |
| Human resources | ISO 76000:2015 |
| Information security | ISO 27001:2013 |
| Information technology | ISO 19796-1:2005 |
| Local government | BS ISO 18091 |
| Measurement manufacturing systems | ISO 10012:2003 |
| Medical devices | ISO 13485:2012 |
| Multi-layer piping systems | ISO/TS 21003–7:2008 |
| Packaging transport of dangerous goods | ISO 16106:2006 |
| Petroleum, petrochemical and natural gas industries | ISO/TS 29001:2011 |
| Quality Management System consultants | ISO 10019:2005 |
| Quality Management Systems projects | ISO 10006:2003 |
| Quality Plans | ISO 10005:2005 |
| Ships and marine technology | ISO 30000:2009 |
| Software engineering | ISO/IEC 90003:2014 |
| Space systems | ISO 16192:2010 |
| Supply chain management | ISO 28000:2007 |
| Systems engineering | ISO TR 90005:2008 |
| Telecommunications industry | TL 9000 |
| Testing and calibration laboratories | ISO/IEC 17025:2005 |
| Welding consumables | BS EN 12074:2000 |


3.2.3 Automotive industry

‘ISO/TS 16949:2009 (Quality Management Systems – Particular requirements for the application of ISO 9001:2008 for automotive production and relevant service part organisations)’ defines the Quality Management System requirements for automotive-related services. When used in conjunction with ISO 9001:2008 it outlines best practice for design and development, production and installation when working with road vehicles.

3.2.4 Computer software

‘ISO/IEC 90003:2014 (Software engineering – Guidelines for the application of ISO 9001:2008 to computer software)’ provides guidance to organisations for the acquisition, supply, development, operation, and maintenance of computer software.

Author’s Hint
TickIT procedures relate directly to the requirements set out in the previous ISO 9001:2008 and, similar to this standard, certification is conducted by an independent third party Certification Body using specialist auditors trained by the International Register of Certificated Auditors (IRCA), with the support of the British Computer Society.

3.2.5 Crop production

‘ISO 22006:2009 (Quality Management Systems – Guidelines for the application of ISO 9001:2008 to crop production)’ is (as the title indicates) aimed at assisting the crop industry by adapting the old ISO 9001:2008 processes. The term ‘crop’ includes seasonal crops (such as grains, pulses, oilseeds, spices, fruit and vegetables), row-planted crops that are cultivated, perennial crops that are managed over a period of time and wild crops that are not formally planted or managed. Horticultural crops provide an even greater range of types, from annual and perennial fruits, vegetables and ornamental flowering plants to perennial shrubs and trees, and root crops. These diverse crops require a broad range of planting, cultivating, pest control and harvesting methods and practices.

3.2.6 Data

‘ISO/TS 8000-150:2011 (Data quality – Part 150: Master data: Quality Management framework)’ specifies the fundamental principles of quality data management, and the requirements for implementation, data exchange and provenance. This standard also contains an informative framework identifying processes for data Quality Management which can be used in conjunction with, or independently of, Quality Management Systems standards, such as ISO 9001.


3.2.7 Education

‘ISO 18091:2014 (Quality Management Systems – Guidelines for the application of ISO 9001:2008)’ has been prepared in order to provide local governments worldwide with a consistent approach to Quality Management. It aims to ‘translate’ the technical language of the previous ISO 9001:2008 into language that is more user-friendly for people who are involved in local government.

3.2.8 Electoral organisations

‘ISO 17582:2014 (Quality Management Systems. Particular requirements for the application of ISO 9001:2008 for electoral organisations at all levels of government)’ is, well, what it says ‘on the tin’!

3.2.9 Energy management systems

‘ISO 50001:2011 (Energy management systems – Requirements with guidance for use)’ specifies requirements for establishing, implementing, maintaining and improving an energy management system.

3.2.10 Explosive atmospheres

‘ISO/IEC 80079–34:2011 (Part 34: Application of quality systems for equipment manufacture)’ specifies particular requirements and information for establishing and maintaining a quality system to manufacture Ex (explosive) equipment, including protective systems in accordance with the Ex certificate.

3.2.11 Food safety

‘ISO 22000:2005 (Food safety management systems – Requirements for any organisation in the food chain)’ specifies requirements for a food safety management system where an organisation in the food chain needs to demonstrate its ability to control food safety hazards in order to ensure that food is safe at the time of human consumption.

3.2.12 Good manufacturing practice

‘ISO 15378:2011 (Particular requirements for the application of ISO 9001:2008, with reference to Good Manufacturing Practice (GMP))’ specifies requirements for a Quality Management System where an organisation needs to demonstrate its ability to provide primary packaging materials for medicinal products that consistently meet customer requirements, including regulatory requirements and international standards applicable to primary packaging materials.


3.2.13 Health care

‘IWA 1:2005 (Quality Management Systems – Guidelines for process improvements in health service organisations)’ provides additional guidance for health service organisations involved in the management, delivery or administration of health service products and services.

3.2.14 Human resources

‘BS 76000:2015 (Human resource. Valuing people. Management system. Requirements and guidance)’ provides a framework for organisations to value people, for the mutual benefit of both parties.

3.2.15 Information technology

‘ISO 19796-1:2005 (Information technology – Learning, education and training – Quality Management, assurance and metrics – Part 1: General approach)’ provides a framework to describe, compare, analyse and implement Quality Management and Quality Assurance approaches.

3.2.16 Information security

‘ISO 27001:2013 (Information security management systems – Requirements)’ specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System (ISMS), taking into consideration the organisation’s overall business risks.

3.2.17 Local government

‘BS ISO 18091 (Quality Management Systems – Guidelines for the application of ISO 9001:2008 in local government)’ provides local governments with guidelines for the voluntary application of ISO 9001 on an integral basis.

3.2.18 Measurement manufacturing systems

‘ISO 10012:2003 (Measurement management systems)’ specifies generic requirements and provides guidance for the management of measurement processes and measuring equipment used to support and demonstrate compliance with metrological requirements.

3.2.19 Medical devices

‘ISO 13485:2012 (Medical devices – requirements for regulatory purposes)’ specifies the requirements for a QMS where an organisation needs to demonstrate its ability to provide medical devices and related services that consistently meet customer requirements and regulatory requirements applicable to medical devices and related services. As patient safety is involved, all of the requirements of ISO 13485:2012 are mandatory!

3.2.20 Multi-layer piping systems

‘ISO/TS 21003–7:2008 (Multi-layer piping systems for hot and cold water installations inside buildings – Part 7: Guidance for the assessment of conformity)’ is applicable (in conjunction with the other parts of the ISO 21007 series) to hot and cold water installations inside buildings for the conveyance of water – whether or not the water is intended for human consumption (domestic systems) or for heating systems – under specified design pressures and temperatures appropriate to the class of application.

3.2.21 Packaging: transport packages for dangerous products

‘ISO 16106:2006 (Packaging – Transport packages for dangerous products – Dangerous products packagings, intermediate bulk containers and large packagings – Guidelines for the application of ISO 9001)’ provides guidance on Quality Management provisions applicable to the manufacture, measuring and monitoring of design type-approved dangerous products packagings, Intermediate Bulk Containers (IBCs) and large packagings.

3.2.22 Petroleum, petrochemical and natural gas industries

‘ISO/TS 29001:2011 (Petroleum, petrochemical and natural gas – requirements for product and service supply organisations)’ defines the Quality Management System for the petroleum, petrochemical and natural gas industries.

3.2.23 Quality Management System consultants

‘ISO 10019:2005 (Guidelines for the selection of Quality Management System consultants and use of their services)’ provides guidance on the factors to be taken into consideration when selecting a Quality Management System consultant.

Author’s Hint
This standard will be especially useful for SMEs who are or may be considering drawing up an ISO 9001:2015-compliant Quality Management System with the assistance of an outside consultancy. It will also be of value to consulting organisations themselves!


3.2.24 Quality Management Systems projects

‘ISO 10006:2003 (Guidelines for Quality Management in projects)’ provides guidance on the application of Quality Management in projects of varying complexity, small or large, of short or long duration, in different environments, and irrespective of the kind of product or process involved.

3.2.25 Quality Plans

‘ISO 10005:2005 (Guidelines for Quality Plans)’ provides guidelines for the development, review, acceptance, application and revision of quality.

3.2.26 Ships and marine technology

‘ISO 30000:2009 (Specifications for management systems for safe and environmentally sound ship recycling facilities)’ provides requirements for the development and implementation of procedures, policies and objectives that will enable safe and environmentally sound ship recycling operations in accordance with national and international standards.

3.2.27 Software engineering

‘ISO/IEC 90003:2014 (Software engineering – Guidelines for the application of ISO 9001:2008 to computer software)’ provides guidance for organisations in the application of ISO 9001:2008 for the acquisition, supply, development, operation and maintenance of computer software and related support services.

3.2.28 Space systems

‘ISO 16192:2010 (Space systems – Experience gained in space projects [Lessons learned])’ outlines principles and guidelines that are applicable in all space project activities (e.g. management, technical, quality, cost and schedule).

3.2.29 Supply chain management

‘ISO 28000:2007 (Specification for security management systems for the supply chain)’ specifies requirements for security management, including those aspects critical to the security assurance of the supply chain.

3.2.30 Systems engineering

‘ISO TR 90005:2008 (Systems engineering – Guidelines for the application of ISO 9001 to system life cycle processes)’ provides guidance for organisations involved in the application, acquisition, supply, development, operation and maintenance of systems and related support services.


3.2.31 Telecommunications industry

‘TL 9000 (Quality management standard for the telecommunication sector)’ is a set of quality system requirements for the telecommunications industry which were originally developed by the QuEST Forum (Quality Excellence for Suppliers of Telecommunications Leadership). First published in November 1999, it was then updated to conform to the old ISO 9001:2008.

3.2.32 Testing and calibration laboratories

‘ISO/IEC 17025:2005 (General requirements for the competence of testing and calibration laboratories)’ specifies the general requirements for testing and calibration that is completed using standard methods, non-standard methods and laboratory-developed methods.

3.2.33 Welding consumables

‘BS EN 12074:2000 (Quality requirements for manufacture, supply and distribution of consumables for welding and allied processes)’ specifies tools for communication between a purchaser and a supplier of welding consumables within quality systems, such as those based upon ISO 9001.


Annex A: Comparison between ISO 9001:2015 and ISO 14001:2015 standards

| ISO 14001:2015 | ISO 9001:2015 |
| --- | --- |
| 4. Context | 4. Context |
| 4.1 Understanding the organisation and its context | 4.1 Understanding the organisation and its context |
| 4.2 Understanding the needs and expectations of interested parties | 4.2 Understanding the needs and expectations of interested parties |
| 4.3 Determining the scope of the environmental management system | 4.3 Determining the scope of the Quality Management System |
| 4.4 Environmental management system | 4.4 Quality Management System and its processes |
| 5. Leadership | 5. Leadership |
| 5.1 Leadership and commitment | 5.1 Leadership and commitment |
| | 5.1.1 General |
| | 5.1.2 Customer Focus |
| 5.2 Environmental policy | 5.2 Policy |
| | 5.2.1 Establishing the Quality Policy |
| | 5.2.2 Communicating the Quality Policy |
| 5.3 Organisational roles, responsibilities and authorities | 5.3 Organisational roles, responsibilities and authorities |
| 6. Planning | 6. Planning |
| 6.1 Actions to address risks and opportunities | 6.1 Actions to address risks and opportunities |
| 6.1.1 General | |
| 6.1.2 Environmental aspects | |
| 6.1.3 Compliance obligations | |
| 6.1.4 Planning action | |
| 6.2 Environmental objectives and planning to achieve them | 6.2 Quality objectives and planning to achieve them |
| 6.2.1 Environmental objectives | |
| 6.2.2 Planning actions to achieve environmental objectives | |
| | 6.3 Planning of changes |
| 7. Support | 7. Support |
| 7.1 Resources | 7.1 Resources |
| | 7.1.1 General |
| | 7.1.2 People |
| | 7.1.3 Infrastructure |
| | 7.1.4 Environment for the operation of processes |
| | 7.1.5 Measurement traceability |
| | 7.1.6 Organisational knowledge |
| 7.2 Competence | 7.2 Competence |
| 7.3 Awareness | 7.3 Awareness |
| 7.4 Communication | 7.4 Communication |
| 7.4.1 General | |
| 7.4.2 Internal communication | |
| 7.4.3 External communication | |
| 7.5 Documented information | 7.5 Documented information |
| 7.5.1 General | 7.5.1 General |
| 7.5.2 Creating and updating | 7.5.2 Creating and updating |
| 7.5.3 Control of documented information | 7.5.3 Control of documented information |
| 8. Operations | 8. Operations |
| 8.1 Operational planning and control | 8.1 Operational planning and control |
| 8.2 Emergency preparedness and response | 8.2 Requirements for products and services |
| | 8.2.1 Customer communication |
| | 8.2.2 Determining the requirements for products and services |
| | 8.2.3 Review of the requirements for products and services |
| | 8.2.4 Changes to requirements for products and services |
| | 8.3 Design and development of products and services |
| | 8.3.1 General |
| | 8.3.2 Design and development planning |
| | 8.3.3 Design and development inputs |
| | 8.3.4 Design and development controls |
| | 8.3.5 Design and development outputs |
| | 8.3.6 Design and development changes |
| | 8.4 Control of externally provided processes, products and services |
| | 8.4.1 General |
| | 8.4.2 Type and extent of control |
| | 8.4.3 Information for external providers |
| | 8.5 Production and service provision |
| | 8.5.1 Control of production and service provision |
| | 8.5.2 Identification and traceability |
| | 8.5.3 Property belonging to customers or external providers |
| | 8.5.4 Preservation |
| | 8.5.5 Post-delivery activities |
| | 8.5.6 Control of changes |
| | 8.6 Release of products and services |
| | 8.7 Control of nonconforming outputs |
| 9. Evaluation | 9. Performance evaluation |
| 9.1 Monitoring, measurement, analysis and evaluation | 9.1 Monitoring, measurement, analysis and evaluation |
| 9.1.1 General | 9.1.1 General |
| 9.1.2 Evaluation and compliance | 9.1.2 Customer satisfaction |
| | 9.1.3 Analysis and evaluation |
| 9.2 Internal Audit | 9.2 Internal audit |
| 9.3 Management Review | 9.3 Management review |
| | 9.3.1 General |
| | 9.3.2 Management review inputs |
| | 9.3.3 Management review outputs |
| 10. Improvement | 10. Improvement |
| | 10.1 General |
| 10.1 Nonconformity and corrective action | 10.2 Nonconformity and corrective action |
| 10.2 Continual improvement | 10.3 Continual improvement |

* Bold font = shared requirement


Chapter 4

Background reminders for auditors

CONTENTS

4.1 Purpose of an audit
4.2 The basic audit process
4.3 Types of audit
4.4 Audit categories
4.4.1 First party (internal) audit
4.4.2 Internal audit programme
4.5 External audit
4.5.1 External audit programme
4.5.2 Ongoing supplier surveillance visits
4.6 Third party certification audits
4.6.1 What is the difference between being certified and being registered?
4.6.2 What is the difference between being certified and being compliant?
4.6.3 What is the difference between being certified and being accredited?
4.6.4 What is the cost of certification?
4.7 Conformity assessment
4.8 Quality Assurance during a product or service’s life cycle
4.8.1 Design stage
4.8.2 Manufacturing stage
4.8.3 Acceptance stage
4.8.4 In-service stage
4.8.5 What is the difference between validation and verification?
4.8.6 Supplier’s responsibilities
4.8.7 Purchaser’s responsibilities
4.9 What is the effect of ISO 9001:2015’s new requirements on auditors?
4.9.1 Context of the organisation (ISO 9001:2015 Clause 4)
4.9.2 Leadership (ISO 9001:2015 Clause 5)
4.9.3 Planning (ISO 9001:2015 Clause 6)
4.9.4 Support (ISO 9001:2015 Clause 7)
4.9.5 Operations (ISO 9001:2015 Clause 8)
4.9.6 Performance evaluation (ISO 9001:2015 Clause 9)
4.9.7 Improvement (ISO 9001:2015 Clause 10)

One of the most important requirements of ISO 9001:2015 is that:

ISO 9001:2015 ‘Clause 9.2 Internal audit’

‘The organisation shall plan, establish and conduct internal audits at planned intervals to provide information on whether the Quality Management System conforms to:

• the organisation’s own requirements for its Quality Management System;
• the requirements of this International Standard’

This is a reiteration of the previous ISO 9001:2008 standard whereby the organisation must carry out internal audits at planned intervals in order to determine whether its Quality Management System meets the requirements of its own documented QMS, as well as those of ISO 9001:2015. In order to meet and satisfy this requirement, organisations must continually review their Quality Management System (QMS):

• to ensure its continuing suitability and success;
• to reveal defects, danger spots or irregularities;
• to suggest possible improvements;
• to eliminate wastage or loss;
• to check the effectiveness of management at all levels;
• to be sure that managerial objectives and methods are effective and are capable of achieving the desired result.

Above all, organisations must be prepared to face up to an audit of their own Quality Processes and procedures from potential customers, and prove to them that their QMS fully meets the recommendations, requirements and specifications of ISO 9001:2015 and their promises made regarding product and/or service quality.

FIG. 4.1 Concepts relating to auditing

• AUDIT CLIENT: Organisation or person requesting an audit
• AUDIT PROGRAM: A number of audits planned for a specific time frame
• AUDIT: A systematic, independent and documented process for obtaining auditable evidence and evaluating it objectively in order to determine the extent to which audit criteria are fulfilled
• AUDIT CRITERIA: Set of policies, procedures and/or requirements that are used as a reference
• TECHNICAL EXPERT: Person who provides specific knowledge or expertise on the subject being audited
• AUDITEE: Organisation being audited
• AUDIT CONCLUSION: Outcome of an audit after consideration of the audit objectives and audit findings
• AUDITOR: Person with the overall competence to be responsible for conducting an audit
• AUDIT FINDINGS: Results from the evaluation of collected audit evidence against audit criteria
• AUDIT TEAM: One or more auditors carrying out an audit
• AUDIT EVIDENCE: Records, statements, facts and other information relevant to the audit criteria

Whilst the previous editions of ISO 9000 were still primarily concerned with manufacturers, ISO 9001:2015 (being a mandatory, process-oriented requirements standard) is equally applicable to products as well as services. Thus, following the publication of ISO 9001:2015, auditors, regardless of whether they are completing an internal, external, or third party audit, will have to demonstrate their competence not only on the structure, content and terminology of the revised standard, but also on its underlying Quality Management Principles. The revised standard requires auditors to fully understand the organisation’s objectives, policies and processes and competently audit these against the requirements of the standard. As a minimum, auditors must demonstrate competency in:

• the requirements of ISO 9001:2015;
• the concepts and terminology of ISO 9000:2015;
• the seven Quality Management Principles, namely:
  – customer focus;
  – leadership;
  – engagement of people;
  – process approach;
  – improvement;
  – evidence-based decision making;
  – relationship management.
• a general understanding of the performance improvement guidelines of ISO 9004:2009;
• familiarity with the latest draft of the auditing guidance standard (ISO 19011).

4.1 PURPOSE OF AN AUDIT

The primary purpose of an audit is to enable organisations to evaluate their process management systems, determine deficiencies and generate cost-effective and -efficient solutions. An audit is performed to check practice against procedure, and to thoroughly document any differences. It is used to measure an organisation’s ability ‘to do what it says it is going to do’.

4.2 THE BASIC AUDIT PROCESS

Auditing generally follows a linear process, starting by establishing the criteria against which you are auditing and leading to a report concluding whether these criteria are being met. Should the audit find problems with the performance of a process, then you will apply corrective action aimed at preventing recurrence. A simple process map of the internal audit procedure is shown in Fig. 4.2.

• An audit programme is agreed (see associated text later in this chapter) aimed at auditing areas that are causing concern more frequently than those parts of the business that are performing well.
• Using the organisation’s management system requirements as a yardstick, checklists are prepared which the auditor can use as an aide mémoire when completing their audit.
• All management system processes are checked to see that they are appropriate and that they are being followed correctly.
• Results of the audit are summarised in a report which will document both nonconformities and good practices.
• If nonconformities have been found, an investigation is completed to determine why that particular process is failing.
• A plan is drawn up to prevent recurrence of nonconformances (in some cases this may mean redrafting an existing management system process).
• Process improvements are put in place.
• An evaluation of the implemented corrective action is then carried out and adjustments (if necessary) made.
• Once all corrective actions have been completed, the audit may be closed out.
• A complete documented record of the audit is then retained for future reference.

FIG. 4.2 A typical generic audit process (flow chart: START; (1) Schedule the audit; (2) Prepare checklists; (3) Conduct audit; (4) Report the results; (5) Verify nonconformities; (6) Develop corrective action; (7) Implement corrective action; (8) Is action successful? Yes/No; (9) Close out audit; (10) File audit reports)

6763 ISO 9001 AUDIT-PT_156x234 mm 21/05/2016 15:28 Page 80

ISO 9001:2015 Audit

80

4.3 TYPES OF AUDIT

There are several types of audit that can be completed under the general umbrella of ‘audits measuring conformance with ISO 9001:2015’, such as:

Quality System audit: An overall measurement of an organisation’s capability to meet the requirements of ISO 9001:2015.

Management audit: Checks carried out to see whether a business’s strategic plan reflects its business objectives and, more specifically, whether it has met the requirements of the intended market.

Process audit: Focuses specifically on single processes to verify whether they are capable of delivering the outputs expected of them.

Procedural audit: Verification that documented practices are sufficient to ensure the implementation of approved policies and are capable of controlling the organisation’s operations.

System audit: Carried out to ensure that a business management system is sufficiently comprehensive to control all of the activities within that business. (Generally, this type of audit would look for gaps in the management system that may result in them not achieving their business objectives.)

Product/Service audit: Verification that an organisation’s plans and proposals for supplying a product or service will ensure that that product or service fully meets specified requirements.

4.4 AUDIT CATEGORIES

Whilst the common aim of all audits is to establish that an organisation’s documented policies, processes and procedures, when implemented, are fit for their purpose and satisfy the needs of those who require them, the actual type of audit will depend on whether it is a first, second or third party audit. These are the three main types of audit associated with ISO 9001:2015, and are used as follows:

First party: Audits of an organisation, or parts of an organisation, by personnel employed by that organisation. These audits are usually referred to as ‘internal audits’, where (as the name suggests) members of a business look inwards at their own processes. This is the least effective form of auditing, as generally the auditors will find it difficult to criticise their own work.

Second party: Audits carried out by customers upon their suppliers, and which are completed by an organisation independent of the actual organisation being audited. These audits are usually referred to as ‘external audits’ or ‘vendor audits’.

Third party: Audits carried out by personnel who are employees of neither the customer nor the supplier, usually comprising members of a Certification Body or registrars such as BSI, TÜV or Yardley. These are basically external audits but are sometimes referred to as ‘certification audits’, ‘compliance audits’, ‘supplier evaluation’ or ‘quality system assessments’.

4.4.1 First party (internal) audit

The type and content of any first party internal quality audit will vary according to the size and activities of the organisation. Its purpose is to:

• identify potential danger spots;
• eliminate wastage;
• verify that corrective action has been successfully achieved;
• provide a comparison between what the QMS or Quality Plan stipulates should be done and what is actually being done;
• confirm that everything is OK;
• identify non-compliance with previously issued instructions;
• identify deficiencies within the QMS;
• recommend any corrective actions that can be achieved to improve the system.

FIG. 4.3 First party (internal) audit (diagram: FIRST PARTY AUDIT at the centre, surrounded by: Eliminate wastage; Identify quality deficiencies; Identify potential danger spots; Minimum qualifications (of personnel); Applicability of procedures; Availability of Work Instructions; Quality Assessment; Organisation changes; Verify corrective action)

To meet these aims, the auditor must prepare an audit plan to determine whether the QMS is effectively achieving its stated quality objectives. It should be established as soon as possible, and the procedures with which to carry out these audits should always be documented and available. The selection of the department to be audited should always be completed on a random basis, and normally these internal audits will be scheduled every three months or so. Ideally, the audit should be preplanned so that it covers all aspects of Quality Control within one calendar year, and the audit plan should:

• cover the specific areas and activities that are to be audited;
• stipulate the reasons why an internal audit is being completed (e.g. organisational changes, reported deficiencies, survey or routine check);
• stipulate the minimum qualifications of the personnel who are to conduct or assist with the audit;
• describe how the audit report should be finalised and submitted.

It is essential that management take timely corrective action on all deficiencies found during an internal audit. In some circumstances this can even mean going so far as having to review the statistical control methods that are used to indicate or predict the need for corrective action being carried out. Follow-up actions should include the verification of the implementation of corrective action and the reporting of verification results.

FIG. 4.4 Audit plan (diagram: AUDIT PLAN at the centre, linked to: Qualification of audit personnel; Type of audit; Areas to be audited; Reasons for an internal audit)

4.4.2 Internal audit programme

As shown in Figure 4.5, an internal audit programme normally consists of eight separate (but interrelated) steps:

Step 1: Audit schedule

Internal quality audits are usually planned and initiated by the Quality Manager in relation to the status and importance of the various activities of a section and/or deliverable. For large organisations, it would be quite normal for all departments and sections to be subject to at least three complete quality audits every year, as shown in the example below.

ANNUAL (INTERNAL) QUALITY AUDIT SCHEDULE (table: one row per function/department (Administration and finance, Drawing office, Workshops, Stores) and one column per month, Jan to Dec, with an ‘x’ marking each scheduled audit)

Author’s Hint For smaller organisations (e.g. those only employing a handful of people), an audit every four months or so of selected areas would probably be sufficient.

Step 2: Audit preparation and organisation

Depending on the complexity and the size of the audit, the Quality Manager (or Section Manager) may perform the audit themselves, or (when sections are too large, or when activities from other sections are involved) they can assign a Lead Auditor and a team of auditors to complete the task. The Quality Manager (or Lead Auditor) is then responsible for organising an annual (internal) quality audit schedule that will include:

• the scope and objectives of the audit;
• persons having direct responsibilities for the procedure(s) to be audited;
• reference documents;
• name of Lead Auditor and name(s) of assigned auditor(s);
• date when audit is to be concluded.

FIG. 4.5 Internal audit plan (flowchart: START; (1) Schedule the audit; (2) Prepare checklists; (3) Conduct audit; (4) Report the results; (5) Verify nonconformities; (6) Develop corrective action; (7) Implement corrective action; (8) Is action successful? (Yes/No); (9) Close out audit; (10) File audit reports)

INTERNAL AUDIT PLAN

Audit Reference No.:
File No.:
Purpose of audit:
Scope of audit:
Lead auditor assigned:
Location(s) of audit:
Unit or area to be audited:
Reference documents:
Team members:
Date of audit:
Anticipated duration of audit:
Time of opening meeting:
Anticipated time of closing meeting:
Facilities requested:

Following a review of earlier audit reports on the same section or the same subject, the Lead and assigned auditors will prepare an audit checklist containing all of the topics/items to be covered, together with an audit programme (see examples below).

AUDIT CHECKLIST

Function/process audited:
Audit no.:
Document References:
Audit date:
Prepared by:
Date prepared:
Page __ of __

Item no. | Audit questions | Reference | Result | Notes/observations


AUDIT PROGRAMME

Timetable | Team A | Team B | Auditee participation
0900–0930 | Opening Meeting | | Senior management and department heads
0930–1030 | Managing Director, Quality Policy, management review | Laboratory 1 | Technical Director
1030–1100 | Review of: document control, Nonconformity | Laboratory 2 | Department heads
1100–1200 | Purchasing | Laboratory 2 | Department heads
1200 | LUNCH | |
1330–1500 | Purchasing | Laboratory 2 (cont.) | Department heads
1500–1600 | Personnel training | Electrical test house | Department heads
1600–1700 | Commercial/Sales | Calibration service | Department heads

Step 3: audit execution

An initial meeting between the auditor(s), the auditee(s) and the Quality Manager is held, during which:

• a brief summary of the methods and procedures that will be used to conduct the audit is given;
• the method of communication between auditor(s) and auditee(s) is agreed;
• the audit programme is confirmed in accordance with ISO 9001:2015:

ISO 9001:2015 Clause 9.2 ‘Internal audit’ (Part 9.2.2)

‘The organisation shall plan, establish, implement and maintain an audit programme including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration the importance of the processes concerned, changes affecting the organisation, and the results of previous audits’


Normally this will be in some form of documented information (e.g. a Quality Procedure) that will distinguish between two kinds of internal quality audits, namely a ‘standards audit’ and a ‘procedures audit’.

Author’s Hint The standards audit evaluates how well the ISO standard is being applied, whilst the procedures audit evaluates the effectiveness of the organisation’s Quality Procedures, policies, plans and instructions.

Using the standards audit, the auditor will begin collecting evidence of compliance by interviewing auditee personnel, reading documents, reviewing manuals, checking records, examining data, observing activities and studying working conditions. As the evidence is collected, the auditor will answer each audit question and record their observations as either:

YES: Means that this activity is in compliance with the standard

NO: Means this activity is not in compliance

Not applicable: Means that this question is not applicable to this activity’s situation

Once the auditor has completed the audit questionnaire, they will make a list of all the nonconformities (i.e. the ‘NOs’) and summarise the evidence. Similarly, using the procedures audit, each applicable quality procedure, policy, plan and work instruction will be looked at from the point of view of ‘Is it documented?’, ‘Is it being followed?’ and ‘Is it effective?’ On the basis of evidence collected, the auditor will record their observations as:

YES: Means that this activity is in compliance

NO: Means that this activity is not in compliance

Auditors will record all their observations on the Audit Observation Sheet (see example below), and all non-compliances will then be listed on a ‘non-compliance worksheet’ which will eventually form part of the final audit report.


AUDIT OBSERVATION SHEET

Section or project to be audited:
Reason for audit:
Audit No.:
Date:
Auditor:
Sheet ___ of ___

Serial No. | Observation/supporting evidence | Yes/No | Action required

Circulation:
Attached sheets:
Signed:
Name:
Date:

Step 4: summarise audit results

Auditors will then meet to discuss all of their observations (particularly any non-compliances that they may have found) with the Quality Manager.

Author’s Hint All observations of nonconformity must be formally acknowledged by the manager responsible for the activity being audited.

A closing meeting of auditor(s), auditee(s) and Quality Manager will then be held, during which:

• audit observations will be clarified;
• the critical significance of observations will be presented;
• conclusions drawn about compliance will be presented;
• system effectiveness in achieving the quality objectives will be presented;
• corrective actions will be agreed;
• the date for completion of the audit report will be agreed.


Author’s Hint Minutes of all relevant meetings, decisions and agreements must be attached to the audit report.

Step 5: prepare audit report

The lead auditor now needs to prepare an audit report using an Audit Report Form similar to the one shown below.

AUDIT REPORT FORM

Section or project audited:
Reason for audit:
Audit no.:
Date:
Auditor:
Sheet __ of __
Audit area(s):
Reference document(s):
Summary:

Audit observation sheet number | Observation number | Comments | Corrective action requirement

Prepared: Name: Date:
Agreed: Name: Date:
Circulation:
Attached sheets:

The report must be signed by all members of the audit team, plus the Quality Manager, and copies sent to auditee(s) and Top Management as required. The audit report will list all nonconformities discovered and observations made, and discuss any conclusions drawn. It will also detail (in the summary) recommendations that should be implemented in order to correct or prevent nonconformities occurring and to make improvements.


Step 6: corrective action

After the closing meeting, the lead auditor will prepare a Corrective Action Request (similar to the example below) for each agreed corrective action.

Author’s Hint Corrective Action Requests should always state who is responsible for carrying out the corrective action and the timescale for its completion.

CORRECTIVE ACTION REQUEST

Section or project audited:
Reason for audit:
Audit No.:
Audit date:
Auditor(s):
Auditee(s):
Audit area(s):
Reference document(s):

Nonconformance details:
Signed: (Auditor) ______________________ Name: ______________________ Date: ______________________

Agreed corrective action:
Signed: (Auditee) ______________________ Name: ______________________ Date: ______________________

Agreed time limit:
Signed: (Actionee) ______________________ Name: ______________________ Date: ______________________

Progress:
Signed: ______________________ Date: ______________________


Author’s Hint One sheet should be used for each agreed corrective action.

Step 7: take remedial action

The section/department that has been audited is then responsible for ensuring that the agreed corrective actions are implemented and that any observations, comments and recommendations made by the audit team have been taken into account.

Step 8: follow-up

Finally, the Lead Auditor is then responsible for ensuring that corrective action has been carried out and for notifying the Quality Manager of the status and/or completion of corrective actions.

4.5 EXTERNAL AUDIT

All organisations are eventual ‘suppliers’ of their product or service and, in order to stay in business, they will need to provide proof that they can continue to provide a quality product/service at all times – which is actually a ‘measurement of their Quality Control’ and usually takes the form of a supplier’s evaluation, surveillance and/or external audit.

Author’s Hint Although a supplier may have been able to convince the purchaser that their QMS is effective, it is in the interests of the purchaser to conduct their own evaluation (i.e. audit) of the supplier. This is usually done on an irregular basis and the supplier must, of course, agree to the principle of ‘purchaser evaluations’ being carried out; it is usual to find this as a separate clause in the contract.

External audits are audits carried out by an organisation independent of the organisation being audited – ‘independence’ being taken as there is no financial association other than by a contract, and the personnel carrying out the audits are employees neither of the customer nor the supplier, and would normally belong to Certification Bodies or registrars such as BSI, TÜV, and Yardley. The purpose of both these audits is to ensure that:

• the organisation’s QMS is being correctly and effectively implemented and that a corresponding compliance with the ISO 9001:2015 quality standard is maintained;
• any relevant legislation and standards are being strictly adhered to;
• the system and procedures in operation are still effective and remain accurate for the working practices used;
• the data and information feedback from internal audits, complaints, compliments or routine work are considered by Top Management so that adjustments to the systems can be made;
• potential danger spots are identified, wastage eliminated and corrective action successfully achieved.

FIG. 4.6 Purpose of an external audit (diagram: EXTERNAL AUDIT at the centre, surrounded by: Correct implementation of QMS; Elimination of wastage; Compliance with ISO 9001:2015; Evaluation of corrective action procedure; Compliance with relevant standards; Verification of previous system adjustments; Availability of procedures; Verification of work packages; Verify corrective action)

If the organisation is a manufacturer (i.e. as opposed to being a service provider) then they will have to adhere to the relevant national and international Quality Management standards requiring them to establish, and maintain, a fully documented process for the inspection of their system for Quality Assurance and Quality Control. Procedures for classifying lots, cataloguing characteristics, selecting samples and rules for acceptance and/or rejection criteria, together with procedures for segregating and screening rejected lots, need to be identified and developed.


Normally these audits are fairly simple, but (particularly when the material, product or service being purchased is complex) the purchaser will need to have a reasonably objective method of evaluating and measuring the efficiency of the Quality Control at the supplier’s premises. The auditor needs to be certain that the system established by the supplier complies with laid down standards and is, above all, effective. This method is known as the ‘supplier evaluation’.

4.5.1 External audit programme

This is basically an eight-stage process. (See Figure 4.7.)

Step 1: Preparation and facilities

Part of the initial contract between a supplier (particularly those who actually manufacture a product) and a purchaser will normally stipulate that the supplier provides access, accommodation and facilities to the purchaser’s inspectors. These facilities will depend upon the level of surveillance, but could require the supplier to provide:

• suitable office and administrative facilities;
• adequate work space for product verification;
• access to those areas where work is in progress or to those which affect the work;
• help in documenting, inspecting and releasing products and services;
• the use of inspection and test devices and availability of personnel to operate them as necessary.

Step 2: Assemble evaluation team

The evaluation team will normally consist of a Lead Auditor assisted by two or more inspectors from the purchaser’s organisation. These inspectors must be thoroughly skilled in the requirements of Quality Assurance and are normally drawn from the purchaser’s own Quality Control section.

Step 3: Pre-evaluation meeting

Before the evaluation team visits the supplier’s premises, they must first be given the chance to:

• meet the supplier’s staff to discuss the procedures being used;
• identify the areas that will be tested;
• decide which representative(s) of the supplier’s organisation will be required to accompany the evaluation team during their inspection;
• agree dates and outline timetables, etc.

FIG. 4.7 External audit programme (flowchart: START; (1) Preparation and facilities; (2) Assemble evaluation team; (3) Pre-evaluation meeting; (4) Study Quality Manual; (5) Audit execution; (6) Prepare report; (7) Present report, with outcomes Acceptable system control, Weak system control or Unacceptable system control; (8) Record proceedings)

Step 4: Study of the Quality Manual

Prior to commencing an evaluation, the Lead Auditor must be given a copy of the supplier’s Quality Manual, which they will scrutinise not only for its accuracy and clarity but also for its position compared to national and international standards, and to see that it conforms to the relevant sections of ISO 9001:2015.

Author’s Hint An essential part of an ISO 9001:2015 Quality Management System is its relationship not only to its customer perceptions and requirements, but also to the organisation’s business goals.

Step 5: Audit execution

Having completed the pre-evaluation, the evaluation team will now go to the supplier’s premises to fully scrutinise every aspect of the supplier’s QMS. If the supplier is a manufacturer, then the evaluation team will pay particular attention to the supplier’s design office, purchasing department, storekeeping, manufacturing, assembly and test facilities to see that the work carried out complies with the procedures and promises made in their documented quality information (e.g. QMS’s Quality Manual).

Preparing for the on-site audit activities

The three main actions that must be completed prior to actually starting the audit are:

• thoroughly plan and agree all on-site audit activities;
• allocate audit team work assignments;
• prepare work documents (e.g. audit report forms).

Identified exclusions will be a key input to scope definition and subsequent audit planning.

Author’s Hint Owing to ISO 9001:2015’s mandatory process-oriented approach, this part of the audit will have to be completed without any ‘official template’ to follow, and the actual layout and content of documented quality information will most definitely vary from organisation to organisation. In some cases there may be a distinct lack of documents (after all, a QMS can, now, consist of just a few pages or fill two or three filing cabinets depending on the organisation), and so any document review will have to reflect this and concentrate on trying to understand the most important customer and business issues. Auditors can react in different ways to this changed requirement and whilst some may want to complete the document review on site, others may require all Quality Management System documents (manual, procedures, flowcharts, working documents, etc.) be submitted for review, prior to the site audit.


On-site audit activities

There are six separate activities to an on-site audit:

• the opening meeting;
• collecting and verifying information;
• identifying audit findings;
• communication during the audit;
• preparation for closing meeting;
• the closing meeting.

For an auditor, much more emphasis now needs to be placed upon the policy requirements and objectives and how these have been covered in the organisation’s QMS. Whilst the old-style, tick-in-the-box checklist will now not provide an effective audit, checklists and questionnaires still serve a useful purpose – if used correctly.

Author’s Hint Part 2 provides a series of example checklists that give an indication of the areas of an organisation’s QMS that could be looked at and possibly further investigated during internal, external and/or third party audits, or to confirm that the organisation’s QMS fully covers the requirements (i.e. clauses) of ISO 9001:2015. Auditors can select the most relevant ones to include in their own checklist, supplemented by each specific case that they have to deal with. The experienced auditor will be able to extend this checklist using earlier experience, coupled with the views of other experts in this field.

As the focus of an ISO 9001:2015 audit has now changed quite significantly, an appropriate change must also occur to the audit methodology used. The emphasis now will be very much on ‘walking-the-walk’ to see whether the stated objectives have been achieved. Did the system improve? Is the organisation’s stated policy being achieved? Are the processes being followed? Are the processes relevant?! In particular, auditors will now have to ensure that exclusions are identified during the initial audit stage and that justification of any exclusion is appropriate.

Step 6: Prepare report

The Lead Auditor now needs to prepare an audit report using an Audit Report Form similar to the one shown below.

AUDIT REPORT FORM

Section or project audited:
Reason for audit:
Audit no.:
Date:
Auditor:
Sheet __ of __
Audit area(s):
Reference document(s):
Summary:

Audit observation sheet number | Observation number | Comments | Corrective action requirement

Prepared: Name: Date:
Agreed: Name: Date:
Circulation:
Attached sheets:

The report must be signed by all members of the audit team, plus the Quality Manager, and copies sent to auditee(s) and Top Management as required.

Step 7: Present report

At the end of this evaluation, a meeting will be arranged between the evaluation team and the organisation’s management to discuss their findings, and to ensure that there are no misunderstandings, etc. The eventual evaluation report will then be formally presented at a meeting with the management, and the result of this meeting could be one of the following:

Acceptable system control: This means that the evaluation has shown that the supplier has a satisfactory QMS, there are no deficiencies and the supplier has been able to give an assurance of quality. When this happens, there should be no reason why the purchaser should feel it necessary to demand any radical changes to the supplier’s system.

Weak system control: This covers the situation where the evaluation team find several significant weaknesses in the supplier’s system. If this happens, the supplier will have to take steps to overcome these failures and improve its QMS. Having done this, the supplier can then ask for another evaluation to be carried out to confirm that its quality now meets the required standards.

Unacceptable system control: This is when the evaluation team finds that the number of deficiencies – or the lack of quality discipline at the supplier’s premises – means that the supplier will have to make radical changes to improve its overall QMS before it is anywhere near acceptable to the potential purchaser. When the supplier has completed the necessary changes, it will then require a second evaluation to see that the improvements are satisfactory.

Step 8: Record proceedings

Having been inspected, it is important that the records of this inspection are safely filed away in case they may be required to reinforce some point at a later stage, or to provide statistical data for the analysis of a supplier’s performance. This is sometimes referred to as vendor rating.

4.5.2 Ongoing supplier surveillance visits

Although an organisation may well have successfully passed its initial evaluation and the purchaser may well be satisfied that the supplier is capable of providing an assurance of quality, it cannot be assumed that the supplier will be able to retain, or even be capable of retaining, this status forever. Many things can happen to change this situation, such as staff moving through promotion or natural wastage, changes in the design of the product or service that may be or have been necessary, or perhaps a new man-management philosophy.

FIG. 4.8 Ongoing supplier evaluations and audits (diagram: SUPPLIER SURVEILLANCE at the centre, linked to: Multiple evaluations?; Multiple audits?; Secondary audits?; Third party audits?)

For this reason it is quite possible that the purchaser might want to make irregular surveillance visits of the supplier’s premises to further examine a particular aspect of its QMS. These ongoing surveillance or audit visits by the purchaser will be run on exactly the same lines as the supplier evaluation, and are aimed at providing the purchaser with a confidence in the supplier and an assurance that it is still capable of providing the purchaser with the quality of service, goods and/or products it requires.

Author’s Hint The aim of these audit visits should be that all the important aspects of the Quality Control system are checked, in rotation.

Multiple evaluations and audits

It is possible that some suppliers might well be providing the same product to several different customers, and it could just happen that all of these customers ask to have an audit – at the same time. This obviously cannot be allowed to happen as the supplier would forever have people visiting the organisation which would be disturbing not only the labour force, but also the production line. Purchasers can avoid this problem by agreeing to accept a secondary audit.

Secondary audit

If a purchaser indicates that they want to carry out an audit, the supplier can offer to provide the details of another customer’s audit or the result of a third party’s evaluation that has recently been carried out at their premises. If this does not quite cover the problem area sufficiently, then the supplier could offer to check in more detail the appropriate points raised by the purchaser.

Maintenance audit

The focus of maintenance audits will change from planned arrangements to achievement and the management of defined objectives. The system will be reviewed for continual improvement, and enhancement of customer satisfaction.

4.6 THIRD PARTY CERTIFICATION AUDIT

ISO 9001:2015 certificates are available to those organisations which see the need for formal recognition that they are working in conformance with the requirements and recommendations of ISO 9001:2015. Certificates are awarded by Inspection Bodies (also known as Certification Bodies and/or Registrars) who have, themselves, been assessed as being competent by an official Assessment Body – but be warned, not all companies who profess to be able to award ISO 9001:2015 certificates are actually accredited!

6763 ISO 9001 AUDIT-PT_156x234 mm 21/05/2016 15:29 Page 100

100

Within the UK, the Directory of Accredited Inspection Bodies shows which organisations have been accredited by the United Kingdom Accreditation Service (UKAS) and also the field and range of inspections for which they are accredited. These Inspection Bodies are accredited to ISO 17020: ‘General criteria for the operation of various types of bodies performing inspection’ and are authorised to issue accredited inspection reports/certificates for work covered by their scope of accreditation. Such reports/certificates will carry the national mark for inspection bodies. For more information regarding accreditation and UKAS’s services, use one of the contact numbers (see right). Within the USA, the ANSI–ASQ National Accreditation Board (ANAB) accredits Certification Bodies. Their contact details are on the right.


UKAS, 21–47 High Street, Feltham, Middlesex TW13 4UN. Tel: 020 8917 8400. Web: www.ukas.com

ANAB, 600 N. Plankinton Ave., Suite 300, Milwaukee, WI 53203. Phone: 414-347-9858. Web: http://www.anab.org

4.6.1 What is the difference between being certified and being registered?

Actually there is no difference! In some countries organisations will say that they are ‘certified’, in others they will say that they are ‘registered’ – but it means the same thing.

4.6.2 What is the difference between being certified and being compliant?

When an organisation claims that they are ISO 9000 certified or registered, they mean that a Notified Body (i.e. an independent registrar) has audited their QMS, certified that it meets the requirements of ISO 9001:2015, given them a written assurance that ISO’s Quality Management System standard has been met and registered their organisation as having been certified.

On the other hand, when an organisation says that they are ISO 9000 ‘compliant’, they usually mean that they have met ISO’s quality system requirements but have not been formally certified by an independent registrar. In effect, they are self-certified and whilst this is perfectly acceptable for many organisations, especially the smaller ones, an official certificate issued by an independent registrar does tend to carry more weight in the marketplace.


Author’s Hint As ISO 9001:2015 is a process standard (and not a product standard), when a company says that they are certified or compliant, they are not saying that their products and/or services fully meet ISO 9000’s requirements!

4.6.3 What is the difference between being certified and being accredited?

Inspection Bodies (also known as Certification Bodies and/or registrars) audit and certify organisations that wish to become ISO 9000 registered. Accreditation Bodies like UKAS and ANAB, on the other hand, evaluate and accredit the Inspection Bodies. In effect, accreditation bodies audit the auditors and certify that the Inspection Bodies are competent and authorised to issue ISO 9001:2015 certificates in specified business sectors. A typical certification route is shown in Fig 4.9.

[FIG. 4.9 Typical route to certification. Flowchart boxes: Organisation documents their business management system (Quality Manual, Processes, Procedures); Organisation implements business management system; Formal assessment by Inspection Body; Are there any non compliances? (Yes/No); Organisation makes appropriate amendments to their QMS; Follow-up assessment if required; Organisation receives ISO 9001:2015 Certification; Regular on-going surveillance visits by Inspection Body.]

The amount of time required to attain certification is dependent upon a number of variables, including the size of the company, the complexity of its business processes and the resources available to develop its Quality Management System, etc. Experience shows that for some larger companies, allowing one year is not unreasonable, but this is usually down to the employment of a dedicated quality development team. On the other hand, most small and medium-sized enterprises have been known to attain certification in considerably less time.

4.6.4 What is the cost of certification?

The cost of certification can vary significantly, as Certification Bodies have different pricing structures. Some will charge for each and every visit, assessment and follow-up surveillance inspection. Others may be happy to settle for a one-off fixed payment to take the organisation through the certification process, followed by an annual renewal fee. When considering a suitable Certification Body, it would be best to obtain a number of quotes to establish the best offer.

Author’s Hint Certification Bodies do not generally provide a consultancy service, so it is probably best to use an independent consultant to ease the way through the certification process. You could of course do it yourself, but there are pitfalls that an experienced consultant would help you over (and potentially save you money by avoiding unnecessary repeat visits from the Certification Body).

4.7 CONFORMITY ASSESSMENT

In these days of international markets and cross-border trading, many national regulations require that a product or deliverable is first tested for compliance with an internationally agreed specification for safety, environmental and/or quality conformance before it can be released to the market. This sort of testing is referred to as ‘conformity assessment’ and, in its simplest form, means that a product, material, service, system or (in some cases) people have been measured against the specifications of a relevant standard – which, in most cases, will be an internationally agreed standard.

Although some conformity assessment can be completed using internal facilities, when a product has health and/or environmental implications, national legislation will probably stipulate that testing is carried out by an independent registrar, Notified Body or specialist organisation, in other words, by a third party. Many testing laboratories and certification bodies offer independent conformity assessment services, performed either as a commercial venture or under mandate to their national government.

Author’s Hint For details of availability in your area, try the DTI website (www.dti.gov.uk) or perhaps one of the search engines (e.g. www.google.com).

[FIG. 4.10 Quality Assurance life cycle. Stages shown: Design; Manufacture of product or implementation of service; Acceptance; In-service; End of life.]

4.8 QUALITY ASSURANCE DURING A PRODUCT’S OR SERVICE’S LIFE CYCLE

The life of a manufactured product or implemented service can be split into five stages, as shown in Fig. 4.11.

[FIG. 4.11 Quality Assurance measurements. Diagram relating the design stage, marketing stage, acceptance stage and in-service stage to items including requirements, Quality Procedures, drawings, components, records, design capability, system reliability, degree of quality, quality level, product or service performance and product or service reliability.]

As Quality Assurance affects the product throughout its life cycle, it is important that Quality Assurance procedures are introduced for the design, manufacturing and acceptance stages, as well as for in-service utilisation.

4.8.1 Design stage


Throughout the design stage of a service or product, the quality of that design must be regularly checked. Quality Procedures have to be planned, written and implemented to predict and evaluate the fundamental and intrinsic reliability of the proposed design.

[FIG. 4.12 Design stage. Diagram of design-stage elements, including information, standards, procedures, requirements, drawings, components, Quality Procedures, the Procedures Manual, reliability data, failure reports, planning and prediction, and records.]

It doesn’t matter whether the responsibility for the design of a product rests purely with the supplier, the purchaser, or is a joint function. It is essential that the designer is fully aware of the exact requirements of the project and has sound background knowledge of the relevant standards, information and procedures that will have to be adopted during the design stages. This is extremely important, because the actions of the design office not only influence the maintenance of quality during manufacture and/or supply, but also play a major part in setting the quality level of the eventual product or service.

From the point of view of a supplied product, if there is no Quality Control in a manufacturer’s drawing office, then there is little chance of there ever being any on the shop floor. When the engineers are trying to manufacture something (or a technician is attempting to assemble a system or module) to a set of drawings that have countless mistakes, what chance is there of them ever being able to produce an acceptable item! These problems, although not specifically stipulated in ISO 9001:2015, should nevertheless be addressed.

The design office (or team) should produce some sort of Procedures Manual, which lists and describes the routine processes, procedures and instructions that are required to turn a concept into a set of functional product or service drawings.


For all suppliers, these procedures will cover such activities as:

• the numbering of drawings and documents (i.e. document control);
• authorisation to issue amendments and modifications to documents and drawings;
• how to control changes to documents and drawings;
• the method of withdrawing obsolete documents and drawings;
• the identification, cataloguing and maintenance of documents and drawings.

For product manufacturers the design office (in addition to these procedures, etc.) is required to:

• provide a complete listing of all the relevant components and their availability, acceptability and adequacy;
• be aware of all the advances in both materials and equipment that are currently available on the current market and which are relevant to the product;
• assist in the analysis of failures, swiftly produce solutions and forestall costly work stoppages.

Author’s Hint One of the main problems to overcome is the ease with which the design office can make an arbitrary selection, but then find that the size and tolerance is completely inappropriate for the manufacturing or assembly process.

In order that the statistical significance of a particular failure can be assessed and correct retro-active action taken, it is essential that the design team also has access to all the records, failure reports and other data as soon as these are available. The storage, maintenance and analysis of reliability data will require the design team to follow the progress of the product throughout its productive life cycle, its many in-service and/or maintenance cycles and to take due note of customers’ comments. The compilation and retention of such reliability data is not only very important, but is also essential to the reliability of the product and/or service. Nowadays, of course, most large design offices are computerised and use processors to store their records on discs so that these records can be continually updated and amended. This information (data) can then be used with standard software such as computer-aided design (CAD) programs and CAD facilities to produce lists, graphs and drawings. The possibilities are almost endless, but there are associated problems such as security against virus attack and computer crashes.

Author’s Hint See Chapter 3, Section 3.7.1 for a typical example of an audit check sheet for the design stage.


4.8.2 Manufacturing stage


During all manufacturing or production processes (and throughout early in-service life), the product or service must be subjected to a variety of Quality Control procedures and checks in order to evaluate the degree of quality.

One of the first things that must be done is to predict the reliability of the product’s or service’s design. All the appropriate engineering data must be carefully examined, particularly the reliability ratings of recommended parts and components, etc. in order to be able to estimate the actual reliability of the design before a product is manufactured or a service is implemented.

[FIG. 4.13 The manufacturing stage. Diagram of manufacturing-stage elements: reliability of product design, design of quality, Quality Control, procedures, checks, availability, adequacy, graphs, diagrams and plans, failure reports and reliability data.]

Design deficiencies such as assembly errors, operator learning, motivational or fatigue factors, latent defects and improper part selection are frequently uncovered during this process.

Author’s Hint See Chapter 3, Section 3.7.2 (p. 207), for a typical example of an audit check sheet for the manufacturing stage.


4.8.3 Acceptance stage


During the acceptance stage, the product or service will be subjected to a series of tests designed to confirm that the workmanship of the product/service fully meets the levels of quality required, or stipulated by the user, and that the product/service performs the required function correctly.

In the case of a manufactured product, this will range from environmental tests of individual components to field testing complete systems. Three mathematical expressions are commonly used to measure reliability, and each of these expressions can be applied to a part, component assembly or an entire system. They are probability function (PF), failure rate (FR) and mean time between failures (MTBF).

[FIG. 4.14 Acceptance stage. Diagram of acceptance-stage elements: probability function, failure rates, mean time between failure, product performance, reliability, workmanship, quality level, tests, environmental testing of components, and field testing of complete systems and services.]

Author’s Hint See Chapter 3, Section 3.7.3 (p. 208), for a typical example of an audit check sheet for the acceptance stage.

4.8.4 In-service stage

During the in-service stage the purchaser is, of course, principally concerned with system and equipment reliability.

Although reliability is based on the product system’s generic design (and can be easily proved by statistics), its practical reliability is often far less design dependent. This difference can be due to poor documentation, faulty operating procedures, operating the system beyond its design capability or operational abuses (e.g. personnel, extended duty cycles, neglected maintenance, training, etc.). Each of these hazards will have a detrimental effect on the product/service.

[FIG. 4.15 In-service stage. Diagram of in-service elements: component reliability, equipment reliability, product dependability, the product and service’s basic design, design capability, faulty operator procedures, extended duty cycle, operational abuses, training, personnel, operators, Quality Procedures and records.]

For manufactured products, the problems associated with poorly trained, poorly supported or poorly motivated maintenance personnel with respect to reliability and dependability require careful assessment and quantification.

Author’s Hint According to recent studies completed by the Chartered Management Institute (CMI), the maintenance technician (or engineer) still remains the primary cause of reliability degradation during the in-service stage.


The most important factor affecting the overall reliability of a modern product, nevertheless, is the increased number of individual components that are required in that product. Since most system failures are actually caused by the failure of a single component, the reliability of each individual component must be considerably better than the overall system reliability.

Information obtained from in-service use and field failures is enormously useful (always assuming that it is entirely accurate, of course!) in evaluating a product’s performance during typical operating conditions. However, the main reason for accumulating failure reports from the field is to attempt to improve the product. This can be achieved by analysing the reports, finding out what caused the failure and taking steps to prevent it from recurring in the future.

Because of this requirement, quality standards for the maintenance, repair and inspection of in-service products have had to be laid down in engineering standards, handbooks and local operating manuals (written for specific items and equipment). These publications are used by maintenance engineers and should always include the most recent amendments. It is essential that Quality Assurance personnel also use the same procedures for their inspections.

Author’s Hint See Chapter 3, Section 3.7.3 (p. 209), for a typical example of an audit check sheet for the acceptance stage.

4.8.5 What is the difference between validation and verification?

There is often confusion between a product being ‘validated’ and a product that has been ‘verified’. As shown in Fig. 4.16, validation has to do with the subject matter being the right subject (i.e. product meets the initial product requirement) as opposed to ‘verification’, which is concerned with the subject being right (i.e. the design output meets the requirements of the design input). For example, a product may have been verified as being compliant with a particular specification but is not validated for this application.

[FIG. 4.16 Validation and verification. Diagram labels: Product requirement; Design input; Design output; Design verification; Design validation.]

4.8.6 Supplier’s responsibilities

The supplier’s prime responsibility must always be to ensure that anything – and everything – leaving their organisation, whether it is a document, product or service, conforms to the specific requirements of the purchaser – particularly with regard to quality.

[FIG. 4.17 Supplier’s responsibilities. Diagram labels: Quality Assurance team; Quality Control; Quality Assurance; Training; Adherence to standards; Adherence to rules and regulations; Evaluation of sub contractors.]

The supplier, therefore, is responsible for ensuring that:

• all managerial Staff, from the most junior to the most senior, firmly believe in the importance of Quality Control and Quality Assurance and understand how to implement them;
• managerial Staff create an atmosphere in which Quality Assurance rules are obeyed and not simply avoided just because they are inconvenient, time consuming, laborious or just too boring to bother with;
• there is an accepted training scheme to ensure that all members of the firm are regularly brought up to date with the ongoing and the latest requirements of Quality Assurance;
• there are trained Quality Assurance personnel available to oversee and make sure that Quality Control and Quality Assurance are carried out at all times and at all levels, within their premises.


Lack of Quality Control and Quality Assurance can cause a supplier providing manufactured products to:

• replace scrapped material or have to rework unsatisfactory material;
• reinspect and reprocess material returned as unsatisfactory by the purchaser;
• lose money by having to send Staff to the purchaser’s premises to sort out their complaints of unsatisfactory labour;
• lose money through a major quality failure halting production;
• lose money through field repairs, replacements and other work having to be carried out under warranty;
• lose money by having to carry out investigations into claims of unsatisfactory work;
• lose money by having to investigate alternative methods of producing an article without quality failures;
• lose their image or reputation;
• lose market potential;
• have to acknowledge complaints, claims, liabilities and be subject to waste of human and financial resources, but most of all . . .
• lose customers!

4.8.7 Purchaser’s responsibilities

Quite a number of problems associated with service or product quality are usually the fault of the purchaser! Obviously, the purchaser can only expect to get what they ordered. It is, therefore, extremely important that the actual order is not only correct, but also provides the supplier or manufacturer with all the relevant (and accurate) information required for completing the task. In the case of a manufactured product, this can be achieved by providing a drawing containing all the relevant details, such as:

• type of material to be used;
• the material’s grade or condition;
• the specifications that are to be followed;
• all the relevant dimensional data, sizes, tolerances etc.;
• reference to one of the accepted standards.

Author’s Hint Where possible, the graphic order/drawing should be to scale.

In the case of a service provider, the supplier must have the service specification fully defined, documented and agreed before work is commenced.

[FIG. 4.18 Purchaser’s responsibilities. Diagram labels: Choice of manufacturer or supplier; Quality Control; Quality Assurance; Specifications; Design; Drawing; Contact.]

By not insisting that the supplier abides by a set of recognised quality standards, the purchaser can be involved in:

• delays in being able to use the product or service and the possibility of the purchaser losing orders because of it;
• possible increases in their organisational, operational, maintenance downtime and repair costs;
• dissatisfaction with goods and services;
• health and safety aspects (now a mandatory requirement of ISO 9001:2015);
• lack of confidence in the supplier.

4.9 WHAT IS THE EFFECT OF ISO 9001:2015’S NEW REQUIREMENTS ON AUDITORS?

In addition to the requirements replicated from the previous ISO 9001:2008 standard, auditors will now have to address the following.


4.9.1 Context of the organisation (ISO 9001:2015 Clause 4)

ISO 9001:2015 Clause 4.1

‘The organisation shall determine external and internal issues that are relevant to its purpose and its strategic direction and that affect its ability to achieve the intended result(s) of its Quality Management System’

This will prove invaluable to auditors, as it provides a clear and concise list of objectives to assess, including:

• the organisation’s goals and intended outcomes;
• internal and external issues;
• the relevant stakeholders and their requirements;
• the scope of the management system.

Author’s Hint Auditors will also need to obtain evidence that the organisation’s Top Management are reviewing internal and external issues at periodic intervals.

Determining the scope of the Quality Management System

ISO 9001:2015 Clause 4.3

‘The organisation shall determine the boundaries and applicability of the Quality Management System to establish its scope’

This clause should make it easier for auditors to audit management commitment, as the requirements are far more specific and the evidence required should be more obvious. However, having said that, auditors will need additional time to prepare for audits in order to confirm that the organisation has, in fact, reliably established the significant interests of relevant interested parties. Auditors will also need to ensure that the organisation has used an auditable process to identify these groups and that this process is revisited periodically, as the requirements of relevant interested parties may change over time.

Quality Management System and its processes

ISO 9001:2015 Clause 4.4

‘The organisation shall:

• establish, implement, maintain and continually improve a Quality Management System, including the processes needed and their interactions;
• maintain and retain documented information to support the operation of its processes’


Auditors should note that ISO 9001:2015 now makes it a mandatory requirement for an organisation to have in place a fully implemented process-based Quality Management System that fully supports the operation of its processes, and that they retain documented information that provides confidence that the processes are being carried out as planned.

4.9.2 Leadership (ISO 9001:2015 Clause 5)

ISO 9001:2015 Clause 5.1.1 ‘General’

‘Top Management shall demonstrate Leadership and commitment with respect to the Quality Management System’

This clause requires auditors to confirm that Top Management has full control of, and is totally committed to, the continual improvement of their organisation’s QMS as opposed to just delegating this responsibility to a ‘management representative’.

Author’s Hint For many auditors, this form of auditing will be a completely new experience and may require them to develop new and enhanced capabilities!

Customer focus

ISO 9001:2015 Clause 5.1.2

‘Top Management shall demonstrate Leadership and commitment with respect to customer focus’

Auditors will need to ensure that Top Management can demonstrate that any risks and opportunities that could have a potential impact on the organisation’s capability of supplying products and services that fully meet their customer’s requirements (and any associated statutory or regulatory requirements) are fully covered by (for example) an internal quality audit procedure or other form of documented information.

Organisational roles, responsibilities and authorities

ISO 9001:2015 Clause 5.3

‘Top Management shall ensure that the responsibilities and authorities for relevant roles are assigned, communicated and understood within the organisation’


Auditors must ensure that Top Management have assigned responsibility and authority for ensuring that:

• the Quality Management System conforms to the requirements of ISO 9001:2015;
• their processes are capable of delivering their intended output;
• promoting customer satisfaction is a priority;
• the integrity of the organisation’s QMS is retained during revisions or updates.

Author’s Hint In the 2015 version of ISO 9001, the role of Management Representative has disappeared. This is an attempt to ensure that ownership of the QMS does not centre on a single individual. The responsibility for the overall control of quality within the organisation (or within a section of the organisation) can now be assigned to any role or split across several roles, and, at the end of the day, everyone is responsible for the quality of the organisation.

4.9.3 Planning (ISO 9001:2015 Clause 6)

ISO 9001:2015 Clause 6.3 ‘Planning of changes’

‘When the organisation determines the need for changes to the Quality Management System, the changes shall be carried out in a planned manner’

This is a new requirement (brought about by the introduction of Annex SL for management systems), and auditors will now need to evaluate whether organisations have adopted a fully planned risk-based approach, addressing the risks and realising opportunities, and that any actions taken have been fully recorded.

Author’s Hint This risk-based methodology incorporates much of what was previously called ‘preventive action’, and requires organisations to determine those risks and opportunities that will have the potential to impact the operation and performance of their Quality Management System, in both a positive and a negative manner.

Quality objectives and planning to achieve them

ISO 9001:2015 Clause 6.3 ‘Planning’

‘The organisation shall establish quality objectives at relevant functions and processes required for the Quality Management System’


Auditors will need to ensure that organisations have documented information containing evidence that proves they are complying with these new requirements.

4.9.4 Support (ISO 9001:2015 Clause 7)

ISO 9001:2015 Clause 7.1.1 ‘General’

‘The organisation shall determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the Quality Management System’

Auditors will need to confirm that an organisation has properly considered its need for both external and internal resources.

Environment for the operation of processes

ISO 9001:2015 Clause 7.1.4 ‘Environment for the operation of processes’

‘The organisation shall determine, provide and maintain the environment necessary for the operation of its processes and to achieve conformity of products and services’

Auditors will now need to audit the organisation’s process environment as opposed to only its work environment (e.g. physical, social and psychological).

Monitoring and measuring resources

ISO 9001:2015 Clause 7.1.5.1 ‘Monitoring and measuring resources – General’

‘The organisation shall determine and provide the resources needed to ensure valid and reliable results when monitoring or measuring is used to verify the conformity of products and services to requirements’

Auditors should ensure that, if measurement traceability is required, measuring instruments are subject to additional controls that are suitable and fit for purpose. Auditors should also ensure that documented information is being maintained for monitoring and measuring resources.


Organisational knowledge

ISO 9001:2015 Clause 7.1.6

‘The organisation shall determine the knowledge necessary for the operation of its processes and to achieve conformity of products and services’

Auditors should ensure that organisations have identified the amount of organisational knowledge that is required to ensure continued conformity of their products and services, and that a system is in place to regularly monitor the situation as part of their quality managed system.

Awareness

ISO 9001:2015 Clause 7.3

‘The organisation shall ensure that persons doing work under the organisation’s control are aware of the Quality Policy, relevant quality objectives, their contribution to the effectiveness of the Quality Management System and the implications of not conforming with the Quality Management System requirements’

Auditors must ensure that the organisation is able to provide evidence that these enhanced requirements are being met.

Communication

ISO 9001:2015 Clause 7.4 ‘Communication’

‘The organisation shall determine the internal and external communications relevant to the Quality Management System’

Auditors should ensure that organisations are identifying external communications as well as internal communications that need to take place to ensure the smooth operation of their QMS (including the what, when, how and to whom this has to be communicated).

Documented information

ISO 9001:2015 Clause 7.5.1 ‘General’

‘The organisation’s Quality Management System shall include documented information required by this International Standard; and that determined by the organisation as being necessary for the effectiveness of the Quality Management System’


Following the removal of a mandatory requirement for organisations to possess a quality procedure for the control of documents, the only change for auditors is that they will now need to be more thorough in checking that an organisation’s documented information fully meets the requirements of ISO 9001:2015 and is totally adequate for their current and perceived future needs.

Author’s Hint Auditors should confirm, prior to commencing an audit, whether an electronic system is in place and ensure that the organisation has made necessary arrangements for them to have access to and use such systems.

4.9.5 Operations (ISO 9001:2015 Clause 8)

ISO 9001:2015 Clause 8.1 ‘Operational planning and control’

‘The organisation shall plan, implement and control the processes needed to meet the requirements for the provision of products and services’

Author’s Hint There is nothing new in the requirement to plan and develop processes, except that in the 2015 edition of ISO 9001 this has now been expanded for the organisation to plan, implement and control these processes.

Auditors not only need to confirm that the organisation has planned its processes (including process inputs, outputs, resources, controls, criteria, process measurement and performance indicators), but that there exists auditable proof that it has actually implemented these processes.

Customer communication ISO 9001:2015 Clause 8.2.1

‘Communication with customers shall include:

• providing information relating to products and services;
• handling enquiries, contracts or orders (including changes);
• obtaining customer feedback and complaints;
• handling and/or controlling customer property;
• establishing specific requirements for contingency actions – when relevant’

Auditors should note these changes and additional requirements and obtain evidence that processes have been fully implemented and controlled as planned.

Design and development of products and services ISO 9001:2015 Clause 8.3.1 ‘General’

‘The organisation shall establish, implement and maintain a design and development process that is appropriate to ensuring the subsequent provision of products and services’

Auditors first need to be able to verify whether the organisation’s QMS should or should not include design and development. If this is the case, then they will need to check the following aspects of this process:

• Planning: Auditors need to ensure that the organisation has available a documented process and have retained documented information confirming that design and development requirements have been met.
• Inputs: Auditors need to verify that the organisation has addressed the specific new requirements set out for design and development inputs – especially those relating to resource requirements and the consequences of design or development failure.
• Controls: As there are no actual new requirements, auditors may use the approach that they used previously for ISO 9001:2008.
• Outputs: Auditors should note the additional requirement for documented information and the need for design outputs to reference monitoring and measuring requirements.
• Changes: As there are no new requirements, auditors may use the approach that they used previously for ISO 9001:2008.

Control of externally provided products and services ISO 9001:2015 Clause 8.4.1 ‘General’

‘The organisation shall ensure that externally provided processes, products and services conform to requirements’

Auditors should note the new requirement for an organisation to establish criteria to enable it to monitor the performance of external providers, and that this must be maintained as documented information. Auditors should also note the revised requirements – particularly those relating to outsourced processes.

Property belonging to customers or external providers ISO 9001:2015 Clause 8.5.3

‘The organisation shall exercise care with property belonging to customers or external providers while it is under the organisation’s control or being used by the organisation’

Auditors should note the additional requirements to confirm that the controls relating to customer property have been extended to cover property from external providers.

4.9.6 Performance evaluation (ISO 9001:2015 Clause 9)

Author’s Hint This new clause includes much of what was in the previous ISO 9001:2008 Clause 8 – ‘Measurement, analysis and improvement’ (with the addition of evaluation, internal audit and management review) – and should be very useful for an auditor as it will enable them to benefit from a consistent set of requirements for checking results against plan.

Monitoring, measurement, analysis and evaluation ISO 9001:2015 Clause 9.1.1 ‘General’

‘The organisation shall determine what needs to be monitored and measured; what methods should be used; when it shall be performed; and when the results from monitoring and measurement shall be analysed and evaluated’

Auditors should note the additional requirement for organisations to confirm that their organisation has not simply evaluated the results of monitoring and measurement but also thoroughly analysed them in order to improve the effectiveness of both its process control and management system. It must also ensure that everything has been thoroughly documented.

Internal audit ISO 9001:2015 Clause 9.2.1

‘The organisation shall conduct internal audits at planned intervals to provide information on whether the Quality Management System conforms to the organisation’s own requirements for its Quality Management System and the requirements of this International Standard’

This is a reiteration of ISO 9001:2008 Clause 8.2.2, except that it is now no longer a mandatory requirement for the organisation to possess a Quality Procedure for this activity.

Management review ISO 9001:2015 Clause 9.3.1 ‘General’

‘Top Management shall review the organisation’s Quality Management System, at planned intervals, to ensure its continuing suitability, adequacy, effectiveness and alignment with the strategic direction of the organisation’

Auditors should note the revised requirements – particularly those relating to risks and opportunities, alignment of the QMS to the organisation’s overall strategic objectives and the explicit requirement for the organisation to use ‘trends and indicators’ to monitor the performance of its QMS.

4.9.7 Improvement (ISO 9001:2015 Clause 10)

ISO 9001:2015 Clause 10.1 ‘General’

‘The organisation shall determine and select opportunities for improvement and implement any necessary actions to meet customer requirements and enhance customer satisfaction’

Auditors should note the revised requirement that improvement of an organisation’s products need not be on a continual basis, but it does still need to be demonstrated that it is happening.

Nonconformity and corrective action ISO 9001:2015 Clause 10.2.1

‘When a nonconformity occurs, the organisation shall (as applicable) take action to control and correct it; deal with the consequences; evaluate the need for action to eliminate the cause(s) of the nonconformity, in order that it does not recur or occur elsewhere; make changes to the Quality Management System, if necessary’

Auditors should confirm that if a nonconformity has been identified by an organisation, it has investigated (and removed/repaired/controlled) the cause of the nonconformity; seen whether other similar nonconformities actually do (or potentially could) exist and considered whether it needs to make changes to the wider system to prevent a recurrence.

Continuous improvement ISO 9001:2015 Clause 10.3

‘The organisation shall continually improve the suitability, adequacy and effectiveness of the Quality Management System’

Auditors should ensure that organisations are using the outputs from their analysis, evaluation and management review processes to identify improvement opportunities and Quality Management System underperformance.

PART 2

ISO 9001:2015 checklists

Introduction

Since the creation of ISO 9001, there are certain sections of the industry that see compliance auditing as being no longer ‘fashionable’, and that regard performance auditing as the only way forward. Compliance auditing is, however, a mandatory requirement under Clause 9.2.1, which clearly states that:

ISO 9001:2015 Clause 9.2.1

‘The organisation shall conduct internal audits at planned intervals to provide information on whether the Quality Management System conforms to the organisation’s own requirements for its Quality Management System and the requirements of this International Standard and is effectively implemented and maintained’

This is amplified in ISO 19011:2011 (‘Guidelines for auditing management systems’), which confirms that:

ISO 19011:2011

‘Audit team members should review information relevant to their audit assignment and prepare work documents as necessary for reference and for recording audit proceedings. Such documents may include:

• checklists and audit sampling plans;
• forms for recording information, such as supporting evidence, audit findings and records of meetings.

The use of checklists and forms should not restrict the extent of audit activities, which can change as a result of information collected during the audit’

Whilst not always required by management system standards, audit checklists (composed of items relating to both compliance with the requirements of the standard and items that check the performance of the organisation’s processes) are just one tool available from the ‘auditor’s toolbox’. Most auditors will find it beneficial to audit from the organisation’s Quality Management System up to the ISO 9001:2015 standard’s requirements, as shown in the Preface of this book.

[FIG. 1 Example auditing approach. Conformance: audit from the organisation’s Quality Management System to the ISO 9001:2015 requirements. Compliance and conformance: audit from the requirements of ISO 9001:2015 to the organisation’s Quality Management System.]

Alternatively, a checklist may be used to ensure that all the relevant ISO 9001:2015 requirements have been addressed in the management system. There are both advantages and disadvantages to using audit checklists. It depends on many factors, including customer needs, time and cost restraints, auditor experience and sector scheme requirements. Auditors should therefore assess the value of the checklist as an aid to an audit process and consider its use as a functional tool.

ADVANTAGES OF USING AN AUDIT CHECKLIST

Checklists, if developed for a specific audit and used correctly, can:

• act as a sampling plan and time manager;
• be provided to the auditee ahead of the on-site audit;
• be used as an information base for planning future audits;
• ensure a consistent audit approach;
• ensure that adequate evidence is obtained;
• ensure that the audit scope is being followed;
• help an auditor to perform better during the audit process;
• help to ensure that an audit is conducted in a systematic and comprehensive manner;
• provide a means of communication and a place to record data for use for future reference;
• provide a repository for notes collected during the audit process (i.e. audit field notes);
• provide a record that the QMS was examined;
• provide objective evidence that the audit was performed;
• provide structure and continuity to an audit; but most importantly
• serve as a memory aid.

DISADVANTAGES OF USING AN AUDIT CHECKLIST

When audit checklists are not available, or poorly prepared, the following disadvantages can happen and should be taken into consideration:

• checklists can be restrictive if used as the auditor’s only support mechanism;
• checklists should not be a substitute for audit planning;
• generic checklists, which do not reflect the specific organisational management system, may not add any value and may interfere with the audit;
• poorly prepared checklists can slow down an audit due to duplication and repetition;
• the focus of the checklist may be too narrow in scope to identify specific problem areas;
• an inexperienced auditor may not be able to clearly communicate what he is looking for; and
• checklists can be seen as intimidating to the person(s) being audited!

There now follow a number of sections, in tabulated form, that have been constructed with the specific aim of assisting auditors to complete internal, external and third party audits against the requirements of ISO 9001:2015.

2.1 ISO 9001:2015 Headings and structure
A complete listing of 10 clause and sub-clause headings that make up the ISO 9001:2015 standard, together with an indication of the actions an organisation would be expected to complete and which they should be audited against.

2.2 ISO 9001:2015 Explanation and likely documentation
A brief explanation of the specific requirements (i.e. the ‘shalls’) of each element of ISO 9001:2015, together with a description of the likely documentation that an organisation would need to have in place to meet the requirements.

2.3 A complete checklist against the requirements of ISO 9001:2015
A series of checks, questions and reminders that can be used for conducting either internal, external or third party audits of an organisation’s Quality Management System.

2.4 Additional (general purpose) audit checks
A list of some of the most important questions that an external auditor would be likely to ask when assessing an organisation’s QMS for conformance to ISO 9001:2015.

2.5 Example stage audit check sheet
A list of the most important questions that an external auditor is likely to ask when evaluating an organisation for their:
• design stage;
• manufacturing or production stage;
• acceptance stage;
• in-service stage.

2.6 Comparison between ISO 9001:2015 and ISO 9001:2008
A list of the 10 clauses and sub-clauses that make up ISO 9001:2015, cross-referenced to the previous 8 clauses contained in the ISO 9001:2008 standard.

2.7 Countercomparison between ISO 9001:2008 and ISO 9001:2015
A table showing how the previous 8 clauses from the 2008 edition of the standard have been included in the 10 clauses making up the ISO 9001:2015 publication.

2.8 Comparison between the 2015 versions of ISO 14001 and ISO 9001
An indication of how two of ISO’s main Management System Standards are closely related, now that they have been rewritten according to Annex SL.

Annex A A selection of audit forms
A small selection of forms, typically used by auditors.

Author’s Hint To save you having to photocopy these checklists, explanations and questionnaires (and/or having to type them all out again), ‘unlocked’, fully accessible, non-pdf, soft copies of all these files are available to download from the author ([email protected]).

Section 2.1

ISO 9001:2015 Organisational responsibilities

CONTENTS

4 Context of the organisation
4.1 Understanding the organisation and its context
4.2 Understanding the needs and expectations of interested parties
4.3 Determining the scope of the Quality Management System
4.3.1 Quality Management System and its processes

5 Leadership
5.1 Leadership and commitment
5.2 Policy
5.3 Organisational roles, responsibilities and authorities

6 Planning
6.1 Actions to address risks and opportunities
6.2 Quality objectives and planning to achieve them
6.3 Planning of changes

7 Support
7.1 Resources
7.1.1 General
7.1.2 People
7.1.3 Infrastructure
7.1.4 Environment for the operation of processes
7.1.5 Monitoring and measuring resources
7.1.6 Organisational knowledge
7.2 Competence
7.3 Awareness
7.4 Communication
7.5 Documented information

8 Operation
8.1 Operational planning and control
8.2 Requirements for products and services
8.3 Design and development of products and services
8.4 Control of externally provided processes, products and services
8.5 Production and service provision
8.6 Release of products and services
8.7 Control of nonconforming outputs

9 Performance evaluation
9.1 Monitoring, measurement, analysis and evaluation
9.2 Internal audit
9.3 Management review

10 Improvement
10.1 General
10.2 Nonconformity and corrective action
10.3 Continual improvement

As you will be aware, ISO 9001:2015 has been modelled around ISO Directive Annex SL, which is a high-level structure based on the Plan-Do-Check-Act methodology and which was developed to ensure that all future ISO management system standards would share a common format, irrespective of the specific discipline to which they relate. As almost one third of text is now common across all standards, this will be of enormous benefit for the integration of different systems, and hence to auditors. ISO 9001:2015 is the only standard to which an organisation can be certified as being compliant with the requirements for a Quality Management System. It includes all the key points from previous versions of ISO 9001 and integrates them into seven major generic business processes, namely:

4 Context of the organisation
• Understanding the organisation and its context
• Understanding the needs and expectations of interested parties
• Determining the scope of the Quality Management System
• Quality Management System and its processes

5 Leadership
• Leadership and commitment
• Policy
• Organisational roles, responsibilities and authorities

6 Planning
• Actions to address risks and opportunities
• Quality objectives and planning to achieve them
• Planning of changes

7 Support
• Resources
• Competence
• Awareness
• Communication
• Documented Information

8 Operation
• Operational planning and control
• Requirements for products and services
• Design and development of products and services
• Control of externally provided processes, products and services
• Production and service provision
• Release of products and services
• Control of nonconforming outputs

9 Performance evaluation
• Monitoring, measurement, analysis and evaluation
• Internal audit
• Management review

10 Improvement
• General
• Nonconformity and Corrective Action
• Continual Improvement

In outline, the structure of the standard and an indication of the actions an organisation would be expected to complete – and which they could be audited against – is as follows.

4 CONTEXT OF THE ORGANISATION

The organisation needs to address the needs and expectations of interested parties and the scope of its Quality Management System.

4.1 Understanding the organisation and its context

Organisations need to identify, monitor and review internal and external issues that are related to the purpose and strategic direction of their business and which could have an impact on their Quality Management System’s intended results.

4.2 Understanding the needs and expectations of interested parties

Organisations need to determine which groups or individuals (e.g. customers, end-users, suppliers, distributors, retailers and regulators, etc.) could be classified as ‘interested parties’. They then need to fully understand their individual requirements and ensure that their organisation is capable of consistently supplying products and services that continue to meet the needs of these interested parties, as well as associated applicable statutory and regulatory requirements.

4.3 Determining the scope of the Quality Management System

The organisation needs to retain details of its corporate strategy, its aims, policies and objectives with regard to its business as documented information.

4.3.1 Quality Management System and its processes

The organisation is required to establish, implement, maintain and continually improve its Quality Management.

5 LEADERSHIP

The organisation must define its organisational roles, responsibilities and authorities.

5.1 Leadership and commitment

Top Management needs to be fully committed to implementing an effective Quality Management programme.

5.1.1 Customer focus

Top Management need to identify customer requirements in each important area of service or product delivery, and have a procedure in place for ensuring that customer requirements are fully understood and fulfilled.

5.2 Policy

Top Management need to develop an appropriate Quality Policy that supports their organisation’s purpose, sets quality objectives, satisfies all applicable requirements and guarantees continual improvement of their Quality Management System.

5.2.1 Establishing the Quality Policy

The organisation’s Quality Policy needs to identify the main goals of its Quality Management System and explain why the organisation is adopting them.

5.2.2 Communicating the Quality Policy

Top Management need to demonstrate their organisation’s commitment to interested parties by ensuring that all relevant statutory, regulatory and customer requirements are identified and met through the identification of any risks and opportunities that could affect the organisation’s ability to supply conforming products and services.

5.3 Organisational roles, responsibilities and authorities

Effective communication and management can only be achieved if everyone knows what their responsibilities are and to whom they report. To accomplish this goal, Top Management will need to identify responsible parties and describe how much authority they have.

6 PLANNING

Top Management need to consider how their organisation will prevent, or reduce, undesired effects (i.e. risks) and look for opportunities for improvement.

6.1 Actions to address risks and opportunities

In accordance with the requirements of Annex SL, Top Management need to define and control those risks and opportunities that have the potential to impact on the operation and performance of their Quality Management System – both positively and negatively.

6.2 Quality objectives and planning to achieve them

Top Management need to document a set of quality objectives that the organisation must meet (particularly with respect to the conformity) taking into account applicable customer, statutory and regulatory requirements of products and services and the enhancement of customer satisfaction.

6.3 Planning of changes

The organisation should ensure that it addresses and achieves the goals set out in its Quality Management System, and strives for continuous improvement and customer satisfaction.

7 SUPPORT

The organisation needs to define and document its requirements for resources.

7.1 Resources

7.1.1 General

Top Management need to determine – and then subsequently provide – the resources necessary to establish, implement, maintain and continually improve their Quality Management System. They will also have to determine whether these are available from existing internal resources or whether they need to be outsourced from an external provider.

7.1.2 People

Top Management need to provide the people that their organisation must have in order to meet customer – as well as relevant statutory and regulatory – requirements, on a consistent basis.

7.1.3 Infrastructure

Top Management need to identify and provide the infrastructure that their organisation requires in order to support process operations and to achieve conformity of products and services.

7.1.4 Environment for the operation of processes

Top Management need to identify and maintain the environment that their organisation needs in order to meet the objectives set out in their Quality Management System.

7.1.5 Monitoring and measuring resources

If an organisation uses monitoring or measuring equipment to demonstrate that its products and services conform to requirements, it must make sure that it provides the necessary resources and infrastructure to ensure that its monitoring and measuring results are valid.

7.1.6 Organisational knowledge

The organisation needs to ensure that it has the necessary knowledge resources available to respond to changing business environments and fluctuating customer needs and expectations.

7.2 Competence

The organisation must determine the competency requirements for those people performing work under its control.

Author’s Hint Clause 7.2 refers to ‘People doing work under its control’ which, by definition, includes contract and agency people, as well as people performing processes and functions that have been outsourced to external providers.

7.3 Awareness

People completing work under the organisation’s control (including subcontractors) are required to be aware of the organisation’s Quality Policy, quality objectives and the effectiveness of the organisation’s Quality Management System.

7.4 Communication

Organisations need to decide on what, when, with whom and how they will communicate internally and externally regarding their Quality Management System.

7.5 Documented information

The organisation will have to establish, document, implement, maintain and continually improve its documented information in accordance with the requirements set out in this standard.

7.5.1 General

The organisation needs to document all the information detailed in the ISO 9001:2015 standard that is necessary for the effective operation of its Quality Management System.

7.5.2 Creating and updating

An organisation’s documented information must be properly identified (e.g. title, date, author, reference number, etc.) and be in an appropriate format (e.g. language, software version, graphics etc.).

7.5.3 Control of documented information

Documented information relevant to its Quality Management System needs to be made available throughout the organisation (e.g. via paper and/or electronic means) and its distribution, access, storage, retention, retrieval, use and eventual disposal properly managed.

8 OPERATION

The organisation needs to plan, implement and control the processes required for the effective implementation of its Quality Management System.

8.1 Operational planning and control

The important steps and processes that the organisation goes through in order to deliver its finished product or service must be planned and documented.

8.2 Requirements for products and services

The identification, review and interaction with customers and customer requirements need to be planned.

8.2.3 Customer communication

Organisations must ensure that their customers have (readily available) sufficient information regarding their product, the status of contract negotiations, handling of orders and how customers can provide feedback to them or express complaints. The organisation needs also to have in place procedures for the correct handling and/or treatment of customer property and any associated, specific, requirements.

8.2.4 Determining the requirements related to products and services

Having determined what products and services will be offered to customers, the organisation needs to ensure that these are actually capable of meeting customer requirements.

8.2.5 Changes to requirements for products and services

If any changes to the product or service are required, the organisation needs to ensure that all associated documented information is amended and the relevant people are informed.

8.3 Design and development of products and services

The organisation needs to establish, implement and maintain a design and development process.

8.3.1 Design and development planning

The organisation needs to clearly define the stages involved in the design and development process and identify the responsible parties and resources for each process stage.

8.3.3 Design and development inputs

Organisations will need to take into consideration all the critical areas (e.g. performance, legal and regulatory requirements, together with any other requirements, such as industry, or organisation standard practices) that could affect the design and development of an effective product or service.

8.3.4 Design and development controls

The organisation will need to show how it controls the design and development of products and services.

8.3.5 Design and development outputs

The organisation needs to ensure that the output of design and development process meets specified input requirements.

8.3.6 Design and development changes

Organisations need to identify and document any design and development change requests and analyse the proposed changes prior to implementation.

8.4 Control of externally provided processes, products and services

Organisations must ensure that externally provided processes, products or services meet the organisation’s specified requirements.

8.4.1 General

Organisations need to implement a controlled procedure for all processes, products and services provided by external sources.

8.4.2 Type and extent of control

The organisation needs to ensure that externally provided processes, products and services do not adversely affect the organisation’s ability to consistently meet customer and applicable regulatory requirements.

8.4.3 Information for external providers

The organisation needs to provide external providers with adequate and accurate details of their requirements for the provision of any third party processes, products and services.

8.5 Production and service provision

The organisation needs to have a process to cover all its production and service operations.

8.5.1 Control of production and service provision

The organisation needs to ensure that all planning and production activities take place in a controlled environment.

8.5.2 Identification and traceability

At all points in the production cycle, the product or service being provided must be capable of being easily identified both physically and via documented information.

8.5.3 Property belonging to customers or external providers

Organisations will need to identify and protect any customer property that has been provided and maintain records of lost, damaged or unsuitable customer property.

8.5.4 Preservation

Organisations need to maintain procedures for the handling, storage, packaging, preservation and delivery of parts and products throughout all processes.

8.5.5 Post-delivery activities

The organisation needs to determine the nature and extent of any statutory, regulatory or customer post-delivery activities (i.e. requirements) it will have to undertake with respect to its provision of products and services.

8.5.6 Control of changes
Organisations need a method for controlling any unplanned changes in the provision of products and services, to ensure that these continue to meet their specified requirements.

8.6 Release of products and services
Prior to release of a product or service, the organisation will (throughout their production process) monitor and measure that the product and service requirements have been met.

8.7 Control of nonconforming outputs
Organisations will need to define and document procedures to control, identify and prevent the use of nonconforming products.

9 PERFORMANCE EVALUATION
The organisation’s products and services need to be continually monitored, measured, analysed and evaluated to ensure that its management system is successfully implemented and maintained.

Author’s Hint: This particular clause includes much of what was in the previous ISO 9001:2008 Clause 8, ‘Measurement, analysis and improvement’, with the addition of evaluation, internal audit and management review.

9.1 Monitoring, measurement, analysis and evaluation
The organisation needs to monitor customer satisfaction and control its delivery of products and services.

Author’s Hint: This is basically all about risk assessment whereby having determined when, how and what it needs to monitor and measure, the organisation can then make a decision on how best to carry out these activities in order to improve its Quality Management System.

9.1.1 General
In order to determine that their Quality Management System is improving, organisations will have to develop some form of monitoring and measurement technique to measure its effectiveness.

9.1.2 Customer satisfaction
Organisations will need to determine how they intend to measure customer satisfaction against their organisation’s product or service.

9.1.3 Analysis and evaluation
The organisation needs to introduce a risk management process that collects information on the functionality of its Quality Management System and analyses the information collected, in order to evaluate the effectiveness and efficiency of its system.

9.2 Internal audit
In compliance with ISO 9001:2015, the organisation must complete internal audits at planned intervals in order to confirm that its Quality Management System meets requirements (both from the point of view of the eventual customer as well as system-specific requirements), and to examine its effectiveness.

9.3 Management review
This clause covers how Top Management reviews the organisation’s Quality Management System on an organised basis.

9.3.1 General
Top Management needs to conduct regular reviews of their Quality Management System at planned intervals in order to ensure its continuing suitability, adequacy and effectiveness.

9.3.2 Management review inputs
The organisation will need to review any outstanding actions from previous audits and reviews, process performance, conformity of products and services, and address risks and opportunities.

9.3.3 Management review outputs
The output from the management review meeting should be aimed at enabling Top Management to decide whether there are opportunities for improving the effectiveness of their Quality Management System.

10 IMPROVEMENT
Occasionally unwanted incidents can occur, and there is a need for some form of corrective action to address possible nonconformities and, at the same time, work towards continual improvement.

10.1 General
The organisation needs to address nonconformity and introduce necessary corrective action and improvements to ensure that customer/regulatory requirements are met and that its Quality Management System is continually improved.

Author’s Hint: All references to ‘preventive action’ have been removed for ISO 9001:2015 and replaced by ‘risk-based thinking’.

10.2 Nonconformity and corrective action
When a nonconformity is identified, the organisation needs to take whatever action is necessary to control and correct the nonconformity.

10.3 Continual improvement
The organisation shall work continually to improve its Quality Management System in terms of its suitability, adequacy and effectiveness.

Section 2.2

ISO 9001:2015’s organisational requirements
ISO 9001:2015 – explanation and likely documentation

CONTENTS
2.2.1 Context of the organisation
2.2.2 Leadership
2.2.3 Planning
2.2.4 Support
2.2.5 Operation
2.2.6 Performance evaluation
2.2.7 Improvement

2.2 ISO 9001:2015 – EXPLANATION AND LIKELY DOCUMENTATION
The following is a brief explanation of the specific requirements (i.e. the ‘shalls’) of each element of ISO 9001:2015, together with a description of the likely documentation that an organisation would need to have in place to meet the requirements.

2.2.1 Context of the organisation

Clause | ISO 9001:2015 Title | Explanation
4 | Context of the organisation | (Section title)
4.1 | Understanding the organisation and its context | Monitoring and reviewing external and internal issues that are relevant to the purpose and strategic direction of the organisation
4.2 | Understanding the needs and expectations of interested parties | Definition of those interested parties that are relevant to the Quality Management System and their requirements
4.3 | Determining the scope of the Quality Management System | Defining the boundaries and applicability of the organisation’s QMS
4.4 | Quality Management System and its processes | Establishing, implementing, documenting, maintaining and continually improving the organisation’s QMS

Likely documentation (main and sub) named for these clauses: Quality Manual; Core Business Process; Supporting Process; Quality Procedures.

2.2.2 Leadership

Clause | ISO 9001:2015 Title | Explanation | Likely documentation (main; sub)
5 | Leadership | (Section title) | Quality Manual
5.1 | Leadership and commitment | Demonstrating Leadership and commitment with respect to the QMS, and customer focus | Supporting Process; Quality Procedures
5.2 | Policy | Establishing, documenting, implementing, maintaining and disseminating the organisation’s Quality Policy | Supporting Process; Quality Procedures
5.3 | Organisational roles, responsibilities and authorities | Ensuring that the responsibilities and authorities for relevant roles are assigned, communicated and understood within the organisation | Core Business Process; Supporting Process; Quality Procedure

2.2.3 Planning

Clause | ISO 9001:2015 Title | Explanation
6 | Planning | (Section title)
6.1 | Actions to address risks and opportunities | Determining the risks and opportunities that need to be addressed
6.2 | Quality objectives and planning to achieve them | Establishing quality objectives at relevant functions, levels and processes needed for Quality Management
6.3 | Planning of changes | Determining the need for changes to the QMS and how they should be carried out in a planned manner

Likely documentation (main and sub) named for these clauses: Quality Manual; Core Business Process; Supporting Process(es); Quality Procedure(s).

2.2.4 Support

Clause | ISO 9001:2015 Title | Explanation
7 | Support | (Section title)
7.1 | Resources | Determining and providing the resources (people, knowledge, infrastructure and environment) required for the establishment, implementation, maintenance and continual improvement of the QMS
7.2 | Competence | Determining the necessary competence of person(s) doing work under its control that affects the performance and effectiveness of the Quality Management System
7.3 | Awareness | Ensuring that persons doing work under the organisation’s control are aware of the Quality Policy, objectives, the importance of their contribution and the implications of not conforming with the QMS
7.4 | Communication | Determining the internal and external communications relevant to the QMS
7.5 | Documented Information | The establishment of the organisation’s QMS (including the documented information required by ISO 9001:2015 and that determined by the organisation as being necessary for the effectiveness of their QMS)

Likely documentation (main and sub) named for these clauses: Quality Manual; Core Business Process; Supporting Process; Quality Procedure(s).

2.2.5 Operation

Clause | ISO 9001:2015 Title | Explanation
8 | Operation | (Section title)
8.1 | Operational planning and control | Planning, implementing and controlling the processes needed to meet the requirements for the provision of products and services
8.2 | Requirements for products and services | Ensuring that the organisation is in regular contact with its existing and potential contacts and that it possesses the ability to meet their requirements for products and services to be offered to these customers
8.3 | Design and development of products and services | Establishing, implementing and maintaining a design and development process that ensures the appropriate provision of products and services
8.4 | Control of externally provided processes, products and services | Ensuring that externally provided processes, products and services conform to requirements and do not adversely affect the organisation’s ability to consistently deliver conforming products and services to its customers
8.5 | Production and service provision | Ensuring that the organisation provides conformity of products and services under controlled conditions and exercises care with property belonging to customers or external providers
8.6 | Release of products and services | Implementing planned arrangements, at appropriate stages, to verify that the product and service requirements have been met
8.7 | Control of nonconforming outputs | Ensuring that products and services that do not conform to their requirements are identified and controlled to prevent their unintended use or delivery

Likely documentation (main and sub) named for these clauses: Quality Manual; Core Business Process; Supporting Process; Quality Procedure(s). For clauses 8.5, 8.6 and 8.7: Supporting Process; Quality Procedure.

2.2.6 Performance evaluation

Clause | ISO 9001:2015 Title | Explanation
9 | Performance evaluation | (Section title)
9.1 | Monitoring, measurement, analysis and evaluation | The determination of when and what needs to be monitored and measured, what system and/or facilities should be used for monitoring, measuring, analysing and evaluating the results
9.2 | Internal audit | Conducting internal audits at planned intervals to evaluate whether their QMS conforms to ISO 9001:2015 and the organisation’s requirements, and is effectively implemented and maintained
9.3 | Management review | Reviewing the organisation’s Quality Management System, at planned intervals, to ensure its continuing suitability, adequacy, effectiveness and alignment with the strategic direction of the organisation

Likely documentation (main and sub) named for these clauses: Quality Manual; Core Business Process; Supporting Process; Quality Procedure.

2.2.7 Improvement

Clause | ISO 9001:2015 Title | Explanation | Likely documentation (main; sub)
10 | Improvement | (Section title) | Quality Manual
10.1 | General | Determining and selecting opportunities for improvement and implementing any necessary actions to meet customer requirements and enhance customer satisfaction | Supporting Process; Quality Procedures
10.2 | Nonconformity and corrective action | When a nonconformity occurs, taking action to control and correct it | Quality Procedure
10.3 | Continual improvement | Continually improving the suitability, adequacy and effectiveness of the QMS | Supporting Process; Quality Procedures

Section 2.3

A complete checklist against the requirements of ISO 9001:2015

CONTENTS
Introductory questions
4 Context of the organisation
4.1 Understanding the organisation and its context
4.2 Understanding the needs and expectations of interested parties
4.3 Determining the scope of the Quality Management System
4.4 Quality Management System and its processes
5 Leadership
5.1 Leadership and commitment
5.2 Policy
5.3 Organisational roles, responsibilities and authorities
6 Planning
6.1 Actions to address risks and opportunities
6.2 Quality objectives and planning to achieve them
6.3 Planning of changes
7 Support
7.1 Resources
7.1.1 General
7.1.2 People
7.1.3 Infrastructure
7.1.4 Environment for the operation of processes
7.1.5 Monitoring and measuring resources
7.1.6 Organisational knowledge
7.2 Competence
7.3 Awareness
7.4 Communication
7.5 Control of documented information
7.5.1 General
7.5.2 Creating and updating
7.5.3 Control of documented information
8 Operation
8.1 Operational planning and control
8.2 Requirements for products and services
8.2.1 Customer communication
8.2.2 Determining the requirements for products and services
8.2.3 Review of the requirements for products and services
8.2.4 Changes to requirements for products and services
8.3 Design and development of products and services
8.3.1 General
8.3.2 Design and development planning
8.3.3 Design and development inputs
8.3.4 Design and development controls
8.3.5 Design and development outputs
8.3.6 Design and development changes
8.4 Control of externally provided processes, products and services
8.4.1 General
8.4.2 Type and extent of control
8.4.3 Information for external providers
8.5 Production and service provision
8.5.1 Control of production and service provision
8.5.2 Identification and traceability
8.5.3 Property belonging to customers or external providers
8.5.4 Preservation
8.5.5 Post-delivery activities
8.5.6 Control of changes
8.6 Release of products and services
8.6.1 Control of nonconforming outputs
9 Performance evaluation
9.1 Monitoring, measurement, analysis and evaluation
9.1.1 General
9.1.2 Customer satisfaction
9.1.3 Analysis and evaluation
9.2 Internal audit
9.3 Management review
9.3.1 General
9.3.2 Management review inputs
9.3.3 Management review outputs
10 Improvement
10.1 General
10.2 Nonconformity and corrective action
10.3 Continual improvement

The following tables contain a series of checks and questions which can be used for conducting either internal, external or third party audits of an organisation’s Quality Management System for conformance to its own specific policies and requirements, or for compliance against the requirements of ISO 9001:2015.

Author’s Hint: As some of the ISO 9001:2015 clauses have similar requirements, rather than giving you a cross-reference to look at (e.g. ‘see section xyz’) I have deliberately duplicated some of the checks and questions in some of the sections to enable you to select a particular area that you wish to audit and then to have the relevant checks and questions immediately available.

Note: If you have any additional checks that you use and which you think might be of use to other readers (i.e. which could be included in a future revision of this book), I would very much appreciate a quick e-mail ([email protected]) giving me some details of these checks or a topic that needs amplifying, perhaps.

INTRODUCTORY QUESTIONS

Typical auditor’s questions
Are you certified or registered to ISO 9001:2015? If not, do you work in compliance with the standard’s requirements and recommendations?
Do your products and services need to comply with the requirements of standards other than ISO 9001:2015? If so what are they?
How do you demonstrate your ability to consistently provide products and services that meet customer and applicable statutory and regulatory requirements?
How do you enhance customer satisfaction?
Do you possess processes for improvement of your overall system?
Do these processes provide assurance of conformity to customer and applicable statutory and regulatory requirements?

Remarks:

4 CONTEXT OF THE ORGANISATION

4.1 Understanding the organisation and its context

Typical auditor’s questions
What is the scope of your QMS?
Does it address the needs and expectations of interested parties?
Do you possess a formalised quality process for identifying, monitoring, reviewing and resolving internal and external issues?
Do you complete regular internal reviews for the enhancement and improvement of your overall QMS?

Remarks:

4.2 Understanding the needs and expectations of interested parties

Typical auditor’s questions
How do you prepare your inventory of products and services you intend to provide to customers?
How do you identify potential customers that are relevant to your products and services and your QMS?
How do you determine the exact, overall and specific requirements of these interested parties?
Do you have a formal process for this activity?

Remarks:

4.3 Determining the scope of the Quality Management System

Typical auditor’s questions
How did you establish your QMS?
What is the scope of your QMS?
Does this scope take into account all of the internal and external issues you could face?
Does it include the requirements of relevant interested parties?
Does the scope cover all of the products and/or services you intend to supply?
Is it capable of identifying internal and external issues that could affect your organisation’s QMS?
Does the QMS include details of your organisation’s business processes?
Do you have a specific document (i.e. such as a Quality Manual) that describes your organisation’s quality policies, procedures and practices?
Does this document address each requirement contained in the ISO 9001:2015 standard?

Remarks:

4.4 Quality Management System and its processes

Typical auditor’s questions
Have Top Management fully accepted responsibility for, and demonstrated their commitment to, your QMS?
How do they establish, implement and maintain your QMS?
How do they increase employee awareness and involvement in the QMS?
Does your QMS include a Mission Statement?
Does this Mission Statement cover all of your organisation’s objectives for quality and its commitment to quality?
Does your QMS totally comply with the requirements of ISO 9001:2015, or are there some exclusions?
How do you ensure compliance with all the relevant statutory and safety requirements?
How do you continually improve your QMS and its processes and interactions?
How do you increase employee awareness and involvement in the QMS?
Are all of your Staff trained to the requirements listed in the company’s Quality Manual?
Who is responsible for overseeing the QMS? Is it delegated to someone from Top Management and if so, who is this?
Are details of your QMS available in a Quality Manual or some other form of ‘documented information’?
How did you identify the processes required for your management systems?
How do you ensure that these processes meet the requirements of ISO 9001:2015?
How did you determine the sequence and interaction of these processes?
How do you ensure availability of resources?
How do you ensure availability of information required to support these processes?
How do you monitor, measure and analyse these processes?
How do you ensure the effective operation and control of these processes?
Is each organisational activity defined and controlled by a Quality Process?
Are these regularly reviewed and continually improved?
Who has overall responsibility and authority for processes?
Do you maintain and retain documented information to support the operation of your processes?
What processes do you have available?
Does this include the requirement for a Core Business Process?
Do you have a separate process available to ensure that your products and services conform to customer requirements?
Are processes available that will enable customer requirements to be met and quality objectives achieved?
Are processes available for management activities, provision of resources, product or service realisation and measurement?
How do you determine which inputs are required and what outputs are expected from each process?
How do you determine the parameters, sequence, interaction and inter-relationship of processes?
How do you determine the resources required for each process?
What methods do you use to ensure effective operation and control of processes?
Are your processes self-assessed?
How do you ensure that risks and opportunities that could affect your supply of conforming products and services are identified and properly addressed?
Do you possess a specific process for risks and opportunities?
How do you decide whether there are risks and opportunities for improvement?
How do you ensure that your Risk Process is clearly understood by the whole organisation?
Do you outsource any process that could affect product conformity to requirements?
When an outsourced process affects product conformity, how do you ensure control over such processes and where is this documented in the QMS?

Remarks:

5 LEADERSHIP

Typical auditor’s questions
Who has overall responsibility for coordinating, directing, and controlling the organisation? Is this Top Management?
Is Top Management totally involved in the establishment, implementation and maintenance of an effective QMS that will achieve these objectives?
Does Top Management show its commitment to the development and implementation of the QMS – and if so, how?
What evidence does Top Management provide to show its commitment to continually improving the effectiveness of its QMS?
How does Top Management ensure that the organisation is aware of:
  • the importance of meeting customer requirements?
  • meeting statutory and regulatory requirements?
What evidence can Top Management provide that it has established a Quality Policy?
What evidence can Top Management provide that quality objectives are established?
What evidence can Top Management provide that they conduct management reviews?
What evidence can Top Management provide that the availability of resources is established and maintained?
Who is responsible for overseeing the QMS? Is it delegated to someone from Top Management and if so, who is this?
Are Leadership and commitment, with respect to the QMS, clearly demonstrated?
How do you ensure your organisation’s management system achieves its intended outcomes?
How do you ensure that you have the necessary resources available?
How do you allocate the necessary resources?
How do you increase employee awareness and involvement in the QMS?
Does Top Management ensure that everyone within the organisation has a responsibility for the continual improvement of the QMS and if so, how do they achieve this?
Does the QMS include details of the organisation’s business processes as well as their associated procedures?
How are the needs and expectations of customers and potential customers identified and met?
How do they ensure that the customer, and applicable statutory and regulatory requirements, are agreed, understood and consistently met?
Are processes available that will enable customer requirements to be met and quality objectives achieved?
How is the ongoing effectiveness of your organisation’s quality policies and quality objectives evaluated?
Who is responsible for managing, performing and verifying that the end product or service meets the organisation’s quality requirements?
Who is responsible for identifying and assessing market competition and recognising opportunities and weaknesses?
Who decides what the financial and future competitive advantages are?
Does the organisation have sufficient knowledge of the statutory and regulatory requirements, and are they capable of implementing them?

Remarks:

5.1 Leadership and commitment

Typical auditor’s questions
Do Top Management demonstrate Leadership and commitment with respect to ‘customer focus’?
How do Top Management guarantee that their organisation consistently provides products and services that conform to customer requirements, and do these meet applicable statutory and regulatory requirements and (of prime importance!) enhance customer satisfaction?
Does Top Management assume responsibility for demonstrating their organisation’s commitment to its customers?
How do you ensure customer requirements are determined and fulfilled?
How do you ensure that customer and all relevant statutory and regulatory requirements are identified, and met?
How are the needs and expectations of customers and potential customers identified and met?
Does the organisation have auditable proof that all of the customer’s requirements are (and have been) fully met?
How do you ensure that customer satisfaction is identified and maintained?
Are procedures available describing resource management, contract review, management review and financial business plans?
How do you ensure that risks and opportunities that could affect your ability to supply conforming products and services are identified and properly addressed?

Remarks:

5.2 Policy

Typical auditor’s questions
What is your (i.e. Top Management’s) Quality Policy?
What is the aim of this Quality Policy?
Have Top Management fully accepted responsibility for, and demonstrated their commitment to, their QMS?
Have Top Management established quality policies and quality objectives for the organisation, and do these assist the organisation in applying its resources to achieve these results?
Does this policy provide a framework for setting quality objectives and include a commitment to satisfying applicable requirements?
How does your Quality Policy provide a commitment to complying with requirements?
How do you ensure that the Quality Policy is appropriate to the purpose of the organisation?
Does it include a commitment to continual improvement of the organisation’s QMS?
Are these quality policies appropriate to the purpose and context of their organisation and do they support its strategic direction?
How does your Quality Policy provide a framework for establishing and reviewing quality objectives?
Does this Quality Policy include clear responsibilities for each activity and development task?
Is this Quality Policy totally relevant to their organisational goals and does it take into account the expectations and needs of the customer?
How do you ensure that your Quality Policy is communicated and understood and applied within the organisation?
How is your Quality Policy reviewed for continuing suitability?
Is it available to other interested parties (e.g. small businesses, multinationals, government departments, industry and trade associations)?
Is your organisation’s Quality Policy available in a Quality Manual or some other type of ‘documented information’?
Does your QMS include a Mission Statement that covers your organisation’s objectives for quality and its commitment to quality?
Does your QMS totally comply with the requirements of ISO 9001:2015, or are there some exclusions?
How do you ensure compliance with all the relevant statutory and safety requirements?
Is each organisational activity defined and controlled by a Quality Process, Procedure or Plan?
Are these Processes, Procedures and Quality Plans regularly reviewed?
Are all of your Staff trained to the requirements listed in the company’s Quality Manual?
Is the organisation’s approach to quality also appropriate for customers and potential customers?
How do you maintain your focus on enhancing customer satisfaction?
How do you ensure that you consistently provide products and services that conform to customer requirements?
How do you ensure that your organisation delivers the right product or service on time, to the agreed specifications and within budget?

Remarks:

5.3 Organisational roles, responsibilities and authorities Typical auditor’s questions Has Top Management assigned roles, responsibilities and authorities to people for the effective implementation and continual improvement of their QMS? Who from Top Management has been tasked with preserving the integrity of the QMS while it is in the process of revision? Who is responsible for overseeing your organisation’s QMS? Is it delegated to someone from Top Management and if so, who is this? Do you possess documented information containing clearly defined job descriptions and responsibilities? Do you have organisation charts showing lines of communication defining these roles? Do Top Management continually review the organisation’s resources to ensure that adequate Staff, equipment and materials are available to meet customer requirements? How do Top Management ensure that everyone in the organisation is responsible for the quality? Have all Staff been allocated authority to perform their allocated responsibilities, and do they have a share in the responsibility for identifying non-compliance or possible improvements? Are these instances recorded so that corrective action can be taken, both to rectify the immediate situation and to prevent recurrence?

Remarks

6 PLANNING 6.1 Actions to address risks and opportunities Typical auditor’s questions How do you determine risks and opportunities that will have the potential to impact on the overall operation and performance of your QMS – both positively and negatively? How do you identify the possibility of risks occurring during the design, production, manufacture, supply, installation, usage and maintenance of a product or service? How do you identify the causes of potential nonconformances? How do you decide whether the risk is acceptable or whether it is serious enough to warrant treatment? Do you have a regular, ongoing and comprehensive internal auditing programme? Do you adopt a risk-based approach when planning the workflow of your business? How do you reduce the need for corrective actions later on? How do you treat or modify these risks so as to achieve acceptable risk levels? What action do you take to eliminate the cause of nonconformities in order to prevent recurrence? What preventative measures do you use? How do you ensure that those preventive actions are appropriate to the effects of the nonconformities encountered? Do you have a quality process or procedure for risk analysis? Do you have a Project Risk Register to monitor, track and review risks?

Remarks

6.2 Quality objectives and planning to achieve them Typical auditor’s questions Have Top Management documented a set of quality objectives that the organisation must meet? Do they address conformity of products and services and the enhancement of customer satisfaction? Do they take into consideration the current and future requirements of the organisation? Are they consistent with the organisation’s Quality Policy? Do they define the quality objectives of the company and those responsible for achieving these objectives? Who will be responsible for this activity? How do you ensure that quality objectives are measurable and consistent with the Quality Policy? Have adequate resources and infrastructure been determined and implemented? Are these quality objectives relevant to the various levels and functions within the organisation? Are they relevant to conformity of products and services and the enhancement of customer satisfaction? Do they take into account all applicable requirements (customer, statutory and regulatory)? Do they include a commitment to continual improvement? Do they cover product and service requirements? How do you ensure that quality objectives are established within the organisation? Are these objectives periodically reviewed? Are they communicated throughout the organisation? Are any changes, problems, enhancements recorded for future reference?

Remarks

6.3 Planning of changes Typical auditor’s questions When there is a need to make a change (i.e. to processes, resources, responsibilities, methodologies, procedures, etc.), are these completed in a planned and controlled manner? How do you ensure that the integrity of the QMS is maintained when planned changes are made (and implemented) to the system? Are all proposed changes thoroughly reviewed and agreed by Top Management? Have Top Management developed processes and procedures to define and plan the way that your organisation is run? Do these include: • current and future requirements; • the markets served; • the output from previous management reviews; • current product and process performance?

Remarks

7 SUPPORT 7.1 Resources 7.1.1 General Typical auditor’s questions How do you determine the resources required to implement and maintain your QMS? Have you provided the necessary resources that are required by your QMS? Do these ‘resources’ include natural resources, tangible resources (e.g. support facilities) as well as intangible resources (e.g. intellectual property)? How do you ensure that these resources continually improve the effectiveness of the QMS? Do you have a separate process to control the products and services provided by your suppliers?

Remarks

7.1.2 People Typical auditor’s questions How do you determine and provide the persons necessary for the effective implementation of your QMS and the operation and control of its processes? How do you ensure that personnel performing work affecting product quality are competent on the basis of appropriate education, training, skills and experience? How do you ensure that all personnel are trained and experienced to the extent necessary to undertake their assigned activities and responsibilities effectively? What records are maintained of personnel education, training, skills and experience? How do you ensure that adequate training (or other actions) is taken to satisfy these needs? How do you evaluate the effectiveness of the actions taken to develop personnel competence? How do you ensure that personnel are aware of the relevance and importance of their activities and how they contribute to the achievement of the quality objectives? Do you provide career planning and on-the-job training? Do you encourage innovation and effective teamwork? Do you make full use of all available information technology? How do you measure people’s satisfaction?

Remarks

7.1.3 Infrastructure Typical auditor’s questions How do you define, provide, develop, implement, evaluate and consider your requirements in terms of product or service performance, customer satisfaction and controlled improvement? How do you determine, provide and maintain the infrastructure necessary for the operation of your processes and to achieve conformity of products and services? For example: • buildings, workspace and associated utilities? • process equipment, both hardware and software? • supporting services, such as transport or communication? Do you have available: • policies, procedures and regulatory documents stating organisation and customer requirements? • project plans identifying the human resources required to complete the task?

Remarks

7.1.4 Environment for the operation of processes Typical auditor’s questions What is your definition of a ‘suitable work environment’? How do you identify, provide and maintain an environment that meets the requirements necessary for the operation of your processes? Does your work environment currently assist in achieving conformity of products and services? Does your organisation possess a specific process or procedure for the work environment, and does this meet the requirements of management systems? Are the following human factors (e.g. work methodologies, achievement and involvement opportunities, health and safety rules and guidance, ergonomics, etc.) and physical factors (e.g. heat, hygiene, vibration, noise, humidity, pollution, light, cleanliness and air flow) considered in this process? How do you ensure that your work environment not only motivates, satisfies and increases the performance of people but also enhances the performance of the organisation?

Remarks

7.1.5 Monitoring and measuring resources Typical auditor’s questions Do you have to use monitoring or measurement to demonstrate that your products and services conform to requirements? (If the answer is ‘no’, disregard the remainder of this sub-section.) Do you have to provide the necessary resources for monitoring and measuring results? Or are these subcontracted or not required for a particular range of products and services? How do you determine what type of monitoring and measurement needs to be undertaken? What processes are established to ensure that monitoring and measurement can be carried out in a manner that is consistent with the requirements specified in ISO 9001:2015? How do you ensure that the monitoring and measuring devices provide evidence of conformity of product and service requirements? How do you ensure that measuring equipment is adjusted and/or readjusted as necessary? How do you ensure that measuring equipment is calibrated and verified at specified intervals (or prior to use) against measurements traceable to international or national measurement standards? Do you possess a workshop standard? If so, is this regularly calibrated from a recognised national calibration centre? What records do you maintain where no such standards exist? How is the calibration status of measuring equipment identified? Is the calibration status placed on the actual measuring device? How is measuring equipment safeguarded from adjustments that would otherwise invalidate the measurement result?

Remarks

7.1.5 Monitoring and measuring resources (continued) Typical auditor’s questions How is measuring equipment protected from damage and deterioration during handling, maintenance and storage? How do you assess and record the validity of the previous measuring results when the equipment is found not to conform to requirements? What action do you take when the validity of the previous measuring results is found not to conform to requirements? What records of calibration and verification are maintained? How (and when) do you ensure that computer software (used in the monitoring and measurement of specified requirements) is confirmed? How do you ensure that your monitoring and measurement devices produce valid and reliable results? What controls do you have in place to ensure that equipment (including software) used for proving conformance to specified requirements is properly maintained? Is all production equipment (including machinery jigs, fixtures, tools, templates, patterns, gauges, computers and any related software) stored correctly and satisfactorily protected between use to ensure their bias and precision? Is any software that is used for measuring and monitoring of specified requirements validated prior to use?

Remarks

7.1.6 Organisational knowledge Typical auditor’s questions How do you determine what knowledge is necessary for the operation of your processes and what is necessary for achieving conformity of products and services? Do you have a specific process for capturing and preserving knowledge and learning with regard to both the product and service and your organisation’s QMS? Is organisational knowledge held as some form of documented information within the workplace? How is this organisational knowledge disseminated when necessary? Is organisational knowledge based on internal sources (e.g. intellectual property; knowledge gained from experience; lessons learned from failures and successful projects; capturing and sharing undocumented knowledge and experience; the results of improvements in processes, products and services)? Or: Is organisational knowledge based on external sources (e.g. standards; academia; conferences; gathering knowledge from customers or external providers)?

Remarks

7.2 Competence Typical auditor’s questions How do you ensure that personnel performing work affecting product quality are competent on the basis of appropriate education, training, skills and experience? What records are maintained of personnel education, training, skills and experience?

Remarks

7.3 Awareness Typical auditor’s questions How do you ensure that people completing work under your control (including subcontractors) are aware of your organisation’s Quality Policy and any quality objectives that are relevant to them? How do you ensure that they are aware of how they will be contributing to the effectiveness of the QMS and what the implications would be of them not conforming to your organisation’s QMS? Is there a need for some additional system or contract-specific training? Do all Staff have a responsibility for identifying and recommending the training needs of others and for ensuring that all employees allocated specific tasks are suitably qualified and experienced to execute those tasks? Do Top Management draw up a Training Plan which covers the organisation’s policies and objectives? Do you have available introductory programmes for new people and periodic refresher programmes for people already trained? Does this training emphasise the importance of meeting requirements and the needs of customers and other interested parties? Have you an established procedure for the assignment of personnel on the basis of competency, qualification, training, skill and experience? How do you determine the necessary competence for personnel performing work affecting product quality? How do you ensure that adequate training (or other actions) is taken to satisfy these needs? Do you provide appropriate training yourselves or is this outsourced? How do you ensure that personnel are aware of the relevance and importance of their activities and how they contribute to the achievement of the quality objectives? Are they able to perform their tasks with the minimum amount of supervision?

Remarks

7.4 Communication Typical auditor’s questions What internal and external communications are relevant to your QMS? What communication processes have been established within the organisation to promote awareness of QMS policies and requirements? What communication processes have been established for the information of subcontractors and suppliers etc.? How do you communicate the effectiveness of your organisation’s QMS? Is this via notice boards, in-house journals/magazines, audio-visual or e-information? Or: Is this via team briefings and organisational meetings?

Remarks

7.5 Control of documented information 7.5.1 General Typical auditor’s questions How do you retain documented information for the effective operation of your QMS? How do Top Management ensure that all documented information is properly protected against improper use, loss of integrity and loss of confidentiality? Does your organisation’s QMS include all of the documented information required by ISO 9001:2015? Does it include all of the documented information required to ensure effective planning, operation and control of your processes? Is this documented information contained in a Quality Manual? If not, how is it retained?

Remarks

7.5.2 Creating and updating Typical auditor’s questions How do you ensure that documents are readily identifiable? Is your documented information properly identified and described (e.g. title, date, author, reference number, etc.) and in an appropriate format (e.g. language, software version, graphics, etc.)? Is all of your documented information made available throughout the organisation (e.g. via paper and/or electronic means) when and where needed? If your documented information is maintained via some form of electronic format, how is the integrity of your documented information maintained? Do you have access controls (i.e. passwords/logins), authorisation levels? Do you use anti-virus software to protect your documented information? If so which version? Do you make use of electronic signatures? If so, how are these recorded and controlled? How do you approve documents for adequacy prior to issue? How do you ensure that documents are periodically updated and (where necessary) reapproved? Do you complete regular quality audit reviews of your documented information? If so, how? How are document changes identified? How is the current revision status of documents identified? How do you ensure that only the relevant versions of applicable documents are available at points of use? Is all QMS documented information reviewed and approved for suitability and adequacy? How do you ensure that documents remain legible?

Remarks

7.5.3 Control of documented information Typical auditor’s questions Does your QMS include statements regarding your organisation’s Quality Policy and quality objectives with regard to the control of documented information? Who is responsible for the maintenance and supervision of the QMS and its associated Quality Policy, processes, procedures, plans and instructions regarding the control of documented information? How do you ensure that the documented information from your QMS documents is fully controlled? Have you an established (documented) procedure that defines the controls needed? Who ensures that the appropriate items, at the correct revision levels, are issued (or at least made available) to all who need them within the organisation? How do you control the distribution of documents of external origin? How do you prevent the unintended use of obsolete documents? If obsolete documents have been retained for any purpose, how are they identified? How are documents from an external origin identified? Is there a separate procedure for controlling records of inspections and audits etc.? If so: • have you an established and documented procedure to define the controls needed for the identification, storage, protection, retrieval, retention time and disposition of quality records? • how do you ensure that these records shall remain legible, readily identifiable and retrievable? • what controls have you in place to ensure that all these records are maintained? How are your copies of support documentation, such as national and international standards, codes of practice, etc. maintained? Who is responsible for ensuring that appropriate documents are available within the organisation and that these are issued and maintained at the correct revision levels? Do you contact external suppliers of documentation on a regular basis to ascertain that the documents held by the organisation remain current?

Remarks

8 OPERATION 8.1 Operational planning and control Typical auditor’s questions How do you determine whether the quality objectives and requirements for the product are appropriate? How do you determine the need to establish processes? How do you plan and develop the processes? How do you ensure that the planning of product and/or service realisation is consistent with the requirements of the other QMS processes? To ensure product and service realisation, have you considered all of the various process steps (i.e. activities, workflow, control measures, training needs, equipment, methodologies, information, materials and other resources) that are required and which have an effect on the output? How do you determine the amount of verification, validation, monitoring, inspection and test activities that is required? How do you determine what records are needed to provide evidence that the realisation processes and resulting product meet requirements? What is the output from these planning activities? Does your QMS have any ‘realisation processes’ that are a result of the products and services you offer? Does your QMS include any other management processes (i.e. not directly associated with your products and services) that need to be considered? How can you be sure that your processes ensure that products and services will satisfy the requirements of customers? Which QMS document specifies the product realisation processes? Have you identified and planned all of the production, installation and servicing processes that directly affect quality? Do you have a separate Quality Plan that describes how the QMS processes are applied for a specific product, service, project or contract?

Remarks

8.1 Operational planning and control (continued) Typical auditor’s questions Do you possess procedures to ensure that these processes are completed under controlled conditions? Have you a Quality Plan to manage these processes? Is a Quality Plan used to address any risks and opportunities that may have an impact on your organisation’s processes? Do you have procedures available to ensure that there is an appropriate system for the maintenance of equipment? To ensure a continuing process capability, do you have records of all these procedures? And are they maintained, controlled and fully documented?

Remarks

8.2 Requirements for products and services 8.2.1 Customer communication Typical auditor’s questions How do you publicise and provide information relating to products and services? How do you determine exactly what the customer wants in terms of product specification, availability, delivery, support, etc.? How do you process contracts and/or order handling? What information do you need in order to enable you to decide whether you have sufficient resources to complete the contract and satisfy customer requirements? How do you handle amendments to customer-required products and services? Are the lines of communication between the customer and the organisation clearly defined? How do you deal with customer feedback? How do you handle customer complaints? How do you evaluate customer views and perceptions? How do you obtain customer feedback relating to products and services? How do you handle and/or control customer property? Do you possess Quality Procedures for these?

Remarks

8.2.2 Determining the requirements for products and services Typical auditor’s questions How can you be certain that they know exactly what the customers’ (current and future) requirements are? How do you determine requirements not stated by the customer but necessary for specified or intended use? How do you determine whether there are any additional requirements relevant to the product? What influences your choice of what statutory and regulatory requirements are relevant? How do you use this knowledge to identify the best products and services to offer customers? What process do you use to enable you to decide what products and services to offer (i.e. to the customer as well as those considered necessary by the organisation)? How can you be sure that the organisation can meet the claims for the products and services it offers? Do you have a specific process for ‘customer feedback’ or do you merely obtain and discuss the views and perceptions of the customer? What lines of communication do you have with the customer? How do you review the requirements related to the product or service? Is this review conducted prior to giving a commitment (e.g. submission of tenders, acceptance of contracts or orders, acceptance of changes to contracts or orders) to supply a product or provide a service to the customer? How do you ensure that these requirements are defined? How do you ensure that your organisation has the ability to meet the defined requirements? How do you ensure that any contract and/or order requirements differing from those previously expressed are resolved? How do you review specific requirements set by the customer – particularly those concerning delivery and post-delivery?

Remarks

8.2.3 Review of the requirements for products and services Typical auditor’s questions What records of the results of this product requirements review (and actions arising from the review) are maintained? Do you retain documented information from the results of the review? What happens if a customer does not provide a documented statement of requirement? How do you confirm customer requirements before acceptance? How do you handle Internet sales? Are you able to ascertain from these negotiations if there are any new requirements for the products and services? What process do you use for this customer activity? Do you use a specific document template for contracts? If so, who does this belong to? Where can it be obtained/downloaded from? Does the contract specify what portions can be deleted and what additional conditions have to be inserted? Does the contract need to specify the use of Quality Plans, quality programmes, quality audit plans and other relevant technical specifications? What do you specifically look for when you review the contract before signature? If a customer provides no documented statement of requirement, how do you confirm and document the requirements before acceptance? If servicing is to be provided, or is required as part of the contract, does the supplier establish procedures for controlling and authenticating the quality of the service performed?

Remarks

8.2.4 Changes to requirements for products and services Typical auditor’s questions What happens if the product requirements are changed? If there is a need for a change to the customer’s requirements, how is the relevant documented information amended? If product requirements have changed, how are the appropriate personnel made aware of the changed requirements?

Remarks

8.3 Design and development of products and services 8.3.1 General Typical auditor’s questions How do you establish, implement and maintain a design and development process that is appropriate to ensure the subsequent provision of products and services? Do you have a process to control design and development stages within your organisation? How do you determine: • what the customer needs; • what the boundaries are (e.g. customer requirements); • how the organisation is going to achieve this; • how long it will take; • who will undertake the task; • who will check and verify the product?

Remarks

8.3.2 Design and development planning Typical auditor’s questions How do you plan and control the design and development of a product or service? How do you determine the necessary stages of the design and development of a product or service? How (and when) do you review, verify and validate the design and development stage? How do you ensure that design and development planning results in a clear assignment of responsibility? How do you ensure that the planning output is updated as the design and development progresses? Have you established, implemented and maintained a design and development process? Is this process appropriate to ensure the subsequent provision of products and services? How do you ensure that the designer is fully aware of the exact requirements of the deliverable and has a sound background knowledge of all the proper standards, information and procedures that will be required? When the design criteria have been clarified, are these documented and recorded in the design plan and used for reference throughout the design process? Does the design plan contain sufficient detail to control the design process in accordance with the customer’s requirements? Where items require interpretation (e.g. positioning, practicality, maintainability, etc.), are these reviewed prior to design finalisation? If changes are made to either the design inputs or outputs, how are these reviewed, controlled and identified in order to ensure that conformity to requirements is maintained?

Remarks

8.3.3 Design and development inputs Typical auditor’s questions Do you have a documented process for the design and development stage of products and services? Do you have a separate marketing section (or person) that is responsible for determining the need for a product or service and for estimating the market demand? Is the marketing section responsible for defining and reviewing market readiness, field support and production capability? Is the marketing section responsible for and capable of translating the user requirements into technical language sufficient to enable the design Staff to convert the requirements into practical designs and specifications? Does this enable production, testing, maintenance and servicing to be technically and economically possible? How do you ensure that the design and development inputs are functional and meet performance requirements? Does this require you to maintain records of these inputs derived from previous (similar) designs or developments? Do you have available details of all the relevant standards, specifications and specific customer requirements that are going to be used during production? How do you ensure that the design and development inputs are applicable to statutory and regulatory requirements? Do you have an approved control system for ‘special processes’ that cannot easily be inspected on completion of the product (e.g. welding) or a service? How do you ensure that the design and development inputs include (where applicable) information derived from previous similar designs? How do you ensure that these inputs include other requirements essential for design and development? How do you review the design and development inputs for adequacy?

Remarks

8.3.3 Design and development inputs (continued) Typical auditor’s questions How do you ensure that requirements are complete, unambiguous and do not conflict with each other? Are all Staff capable of undertaking their tasks correctly? How do you ensure that the design office maintains a close relationship with the manufacturing and production sections so that it can be aware of their exact requirements, their problems and their component preferences, etc.? Does the design office have available complete listings of all the appropriate components, parts and materials that are going to be utilised? Is it fully briefed concerning their reliability, availability, maintainability, safety, acceptability and adequacy? How do you ensure that the design department is aware of recent developments, new technologies and advances in both materials and equipment that are available on the market and applicable to that particular product or service? Are designers aware of the implications of the statutory national, European and international legal requirements for health and safety that could place constraints on their designs? Does the design office use standard software programs and CAD packages to produce accurate information either by list, graph or drawing?

Remarks

8.3.4 Design and development controls Typical auditor’s questions How do you ensure that the design and development outputs have met the design and development input requirements? Do you ensure that systematic reviews of design and development are performed at suitable stages? How do you evaluate these reviews and ensure that the design and development meets requirements, that problems are identified and that necessary actions are proposed? How do you ensure that participants in these reviews include representatives of all the functions concerned with the design and development stage(s) being reviewed? How do you retain documented information that records the results of these reviews? How do you implement the actions recorded from these reviews? How do you ensure that design and development verification and validation are performed in accordance with planned arrangements? What records are maintained of design and development verification and validation together with (where applicable) follow-up actions? Do you use risk assessment tools such as FMEA, FTA, reliability assessment, simulation techniques, etc. to assess the potential for, and the effect of, possible failures in products and/or processes? Are periodic reviews completed throughout the design process (e.g. preliminary, intermediate and final) with the aim of confirming that design and/or development objectives are being met?

Remarks


8.3.5 Design and development outputs

Typical auditor’s questions

How do you ensure that the design output meets the design input requirements?
How do you ensure that the design and development outputs provide the appropriate amount of information for purchasing, production and service provision?
How do you ensure that the design and development outputs contain (or reference) product or service acceptance criteria?
How do you ensure that the design and development outputs specify the characteristics of the product or service that are essential for its safe and proper use?
Does the design office maintain a link with the production or manufacturing section so that it can assist in the analysis of failures, swiftly produce solutions and forestall costly work stoppages?
What sort of documented information is retained from the design and development stage?

Remarks

8.3.6 Design and development changes

Typical auditor’s questions

How do you identify design and development changes?
How do you ensure that design and development changes are:
  • reviewed?
  • verified?
  • validated?
  • approved before implementation?
How do you evaluate the effect of the changes on constituent parts and delivered product?
What records are maintained following a review of changes?
How are any necessary actions resulting from this review implemented and recorded?
Are all changes subject to an agreed change control procedure?
Is the design output reviewed and approved by Top Management before being provided to the customer for approval and use?

Remarks


8.4 Control of externally provided processes, products and services

Typical auditor’s questions

Do you have a specific Quality Process for the purchase of materials, products and services from suppliers and third parties?
Do you maintain a list of approved suppliers and subcontractors?
How do you evaluate and select suppliers and subcontractors?
Is there a definite, clear-cut procedure for doing this?

Remarks

8.4.1 General

Typical auditor’s questions

What controls do you have in place to ensure purchased products and services are of an acceptable standard?
Have you specific criteria for the selection, evaluation and re-evaluation of suppliers?
Do you evaluate and select suppliers based on their ability to supply products and other services in accordance with the organisation’s requirements?
How do you monitor the performance of external providers?
Do you retain the results of the evaluation, re-evaluation and performance of external providers as documented information?

Remarks


8.4.2 Type and extent of control

Typical auditor’s questions

How do you control the suppliers and purchase of their products and services?
How do you ensure that the purchased product or service meets specified purchase requirements?
Do you perform verification inspections at the supplier’s premises? Or do you have an in-inspection test that you can use at your own premises?
Do you complete inspection and tests on all incoming products and services that are received from a third party?
If a supplier uses subcontractors, how do you ensure that they can also be relied on to produce a quality product or service?
Are detailed in-inspections always performed on major components?
How do you check consumable items (e.g. low-cost items such as lightbulbs, duplicating paper, etc.)? Are these only checked for correct identity, correct quantity and any signs of damage?
How do you guard against incoming material being used or processed before it has been inspected or otherwise verified to confirm that it is up to the specified requirements?

Remarks

8.4.3 Information for external providers

Typical auditor’s questions

Are you aware of what details need to be provided to a supplier to ensure that the purchased product conforms to your specified purchase requirements?
Have you established a process for ensuring that sufficient and correct details about the product or service are provided when placing an order with an external provider?
Do your purchasing documents contain:
  • complete and accurate particulars of the required product and/or service?
  • the approval and qualification requirements?
  • the requirements of your organisation’s QMS?
  • what sort of verification agreement will be used?
  • how quality disputes will be settled?

Remarks


8.5 Production and service provision

Typical auditor’s questions

How do you ensure that production and service provision is carried out under controlled conditions?
Do you possess a documented procedure for controlling the way in which you provide your products and services and the activities that need to be performed to produce them?
If there are any production or supply processes whose results cannot be verified by subsequent monitoring or measurement, can these processes be initially validated and then periodically re-evaluated?

Remarks

8.5.1 Control of production and service provision

Typical auditor’s questions

How do you control the way in which you provide your products and services?
What activities do you need to complete in order to produce a product or deliver a service?
How do you identify the requirements for product and service realisation and ensure that you have the ability to comply with contractual requirements?
How do you ensure the availability of information describing the characteristics of products and services?
How do you ensure the availability of any necessary Work Instructions?
How do you ensure that only suitable equipment is used?
How do you ensure the availability (and correct use) of monitoring and measuring devices is maintained?
How do you ensure that monitoring and measurement provisions are correctly implemented?
How do you validate any processes for production and service provision where the resulting output cannot be verified by subsequent monitoring or measurement?

Remarks


8.5.1 Control of production and service provision (continued)

Typical auditor’s questions

How do you validate processes where deficiencies become apparent only after the product is in use or the service has been delivered?
How do you ensure that these processes achieve planned results?
What arrangements have been established for these processes?
Do you have a process to confirm whether design outputs meet your organisation’s design goals?
Do you have a process for examining and confirming that your products and services meet customer needs and expectations?

Remarks

8.5.2 Identification and traceability

Typical auditor’s questions

How do you ensure the conformity of your products and services?
How can you tell the status of a product or service during all stages of its design and delivery?
Does your organisation maintain documented procedures for identifying products and services (hardware, software, documents and/or data) throughout all stages of production, delivery, receipt and installation?
Is this process documented and reviewed for its continued applicability on a regular basis?
How do you identify the product and service status with respect to monitoring and measurement requirements?
Where traceability of the product or service is a requirement, how do you control and record its unique identification?
Are nonconforming items placed in a reject area or marked as ‘reject for review’ (or similar)?
Is the status of work in progress clearly indicated by markings or associated documented information recording the inspections undertaken and their acceptability?

Remarks


8.5.3 Property belonging to customers or external providers

Typical auditor’s questions

How do you ensure proper care of all customers’ and other external providers’ property while it is under your organisation’s control?
How do you identify, verify, protect and safeguard customer and other external providers’ property provided for use or incorporation into the product?
Do you have a documented procedure for the control of customer property?
Are sub-assemblies or components that have been supplied to your organisation by the purchaser as part of the contract subject to a Goods Inwards inspection?
What procedures have you for handling any property that is lost, damaged or otherwise found to be unsuitable for use?
What procedures do you follow for reporting such losses and damages, etc. to the customer or other external providers? And are these records maintained in the form of documented information?
What happens if the property includes ‘intellectual property’?

Remarks

8.5.4 Preservation

Typical auditor’s questions

How do you ensure that the conformity of products and services is preserved during internal processing and delivery to the intended destination?
What procedures are available to ensure that preservation includes the product or service’s identification, handling, packaging and protection?
How do you ensure that the constituent parts of a product or service are preserved during internal processing and/or delivery?
Are written instructions and procedures for the handling, identification and storage of documentation, materials, components, parts, sub-assemblies and completed items established and made available?
Do these instructions contain details of quarantine areas or bonded stores and how they should be used, together with methods of cleaning, preserving and packaging?

Remarks


8.5.4 Preservation (continued)

Typical auditor’s questions

Do you maintain documented procedures for identifying products and services throughout all stages of production, delivery, receipt, installation and ‘aftersales service’?
Have you a procedure for identifying individual products, services (or batches) where there is a need for any special requirements (i.e. associated with software, electronic media, hazardous materials, specialist personnel, products or materials) arising from the nature of the product or service which are unique or irreplaceable?
Do you attach a manufacturer’s/supplier’s part number or description label to identify any material or equipment that cannot be obviously identified?
If a product or service has a serial number, how is this recorded?

Remarks

8.5.5 Post-delivery activities

Typical auditor’s questions

What release activities are in place for the control of production and service provision?
What delivery activities are in place for the control of production and service provision?
What post-delivery activities are in place for the control of production and service provision?
How do you determine and implement a customer’s, product and regulatory requirements regarding post-delivery activities?
Do you have a procedure or an individual Quality Plan to cover additional post-delivery activities such as:
  • actions under warranty provisions?
  • contractual obligations regarding maintenance services?
  • supplementary services such as recycling or final disposal?

Remarks


8.5.6 Control of changes

Typical auditor’s questions

Do you possess a documented procedure showing how you are capable of continuously producing a quality product or service?
How do you identify design and development changes?
How are the records of design and development changed?
How do you ensure that design and development changes are:
  • reviewed;
  • verified;
  • validated;
  • approved before implementation?
How do you evaluate the effect of the changes on constituent parts and delivered product?
What records are maintained following a review of changes?
How are any necessary actions resulting from this review implemented and recorded?

Remarks


8.6 Release of products and services

8.6.1 Control of nonconforming outputs

Typical auditor’s questions

What methods do you employ to prevent the use or delivery of nonconforming products as well as their storage and disposal?
Do you have a formal documented procedure for a nonconforming product or service?
How do you ensure that a product or service which does not conform to requirements is identified and controlled to prevent its unintended use or delivery?
Are there any controls and related responsibilities and authorities for dealing with a nonconforming product or service?
How do you ensure that a detected nonconformity is eliminated?
Are there any circumstances when you would authorise the use of a nonconforming product or service?
Do you ever release a nonconforming product or service under a concession rule?
Who authorises these concessions?
Do you keep records of all nonconformities and any subsequent actions taken (including concessions obtained)?
When a nonconforming product or service is corrected, is it then subject to re-verification to demonstrate conformity to the requirements?
What do you do when a nonconforming product or service is detected after delivery or use?

Remarks


9 PERFORMANCE EVALUATION

Typical auditor’s questions

How do you determine what, how and when things are to be monitored, measured, analysed and evaluated?
When do you conduct internal audits to ensure that your management system conforms to the requirements of your QMS as well as customers?
How do you ensure that your management system is successfully implemented and maintained?
Do you conduct management reviews to see whether they are, and can remain, suitable, adequate and effective?
Do you have a quality process for risk assessment?

Remarks

9.1 Monitoring, measurement, analysis and evaluation

9.1.1 General

Typical auditor’s questions

Do you have documented procedures to ensure product and service conformity, improvement and the analysis of customer satisfaction?
What procedures have you available to ensure customer satisfaction?
How do you determine what needs to be monitored and measured?
What procedures have you available to ensure effective measurement and monitoring of product and service processes?
What methods for monitoring, measurement, analysis and evaluation do you employ in order to ensure valid results?
How do you analyse and evaluate the results from monitoring and measurement?
Do you use statistical techniques to determine the potential variability of a product or service?

Remarks


9.1.2 Customer satisfaction

Typical auditor’s questions

How do you ensure customer satisfaction?
Do you have a Quality Process to determine and evaluate customer satisfaction?
Do you also have processes to gather, analyse and make effective use of all customer-related information as one of the measurements of performance of the QMS?
Do these processes address important factors like conformance to requirements, meeting the needs and expectations of customers, price and delivery of a product or service, and overall customer satisfaction?
How do you monitor information relating to customer perception as to whether the organisation has fulfilled customer requirements?
How do you determine what needs to be monitored and measured?
What methods do you use for obtaining and using this information?
What methods for monitoring, measurement, analysis and evaluation do you employ in order to ensure valid results?
How do you analyse and evaluate the results from monitoring and measurement?
What procedures have you available to ensure effective measurement and monitoring of product and processes?
What procedures do you possess for the improvement of your organisation’s QMS?

Remarks


9.1.3 Analysis and evaluation

Typical auditor’s questions

How do you analyse and evaluate the data and information arising from the monitoring and measurement process?
Do you use statistical analysis? Data analysis? Performance testing and defect analysis or review and design verification?
Does data assist you in defining the suitability and effectiveness of your QMS?
How do you make use of these data to evaluate where continual improvements to the QMS can be made?

Remarks

9.2 Internal audit

Typical auditor’s questions

Do you have a formal documented procedure for conducting internal audits?
When do you conduct internal audits?
What is the aim of these audits?
How do you ensure that the QMS conforms to the requirements of ISO 9001:2015?
How do you plan your audit?
Does this planning take into consideration the status and importance of the processes and areas to be audited as well as the results of previous audits?
How do you select the auditors to conduct these audits?
How do you ensure that they are impartial?
How do you ensure that they do not audit their own work?
How are the results of internal audits reported?
What documented information do you keep as a record from internal audits?
How do you make certain that the management responsible for the area being audited:
  • ensures that actions are taken without undue delay?
  • eliminates detected nonconformities and their causes?
Do follow-up activities include the verification of the actions taken?
How are the verification results reported?

Remarks


9.3 Management review

Typical auditor’s questions

Do Top Management conduct regular reviews of the QMS at planned intervals to ensure that it continues to meet the requirements of ISO 9001:2015?
Do these reviews include new items relating to context as well as risk and opportunities?
Are they aimed at ensuring the continued suitability, adequacy, effectiveness and alignment with the strategic direction of the organisation?

Remarks


9.3.1 General

Typical auditor’s questions

What is the prime aim of these management reviews?
As well as being a record of what was reviewed, does this document include:
  • decisions made regarding the need to change any aspect of the QMS?
  • the level of resources required to support the operation of the organisation’s QMS?
Are these reviews also aimed at confirming whether the organisation’s policies and objectives remain effective and continue to provide customer satisfaction?
Do they provide details of current performance, client feedback and opportunities for improvement?
As a result of these reviews:
  • what likely changes to the management system have been identified?
  • what changes to the organisation’s quality policies and objectives have been made?
Is auditable documented information retained as a record of these management reviews?

Remarks

9.3.2 Management review inputs

Typical auditor’s questions

What information is used as an input to management reviews?
How are the management reviews planned and carried out?
Do they consider actions from previous management reviews?
Are changes in internal and external matters that are relevant to the QMS taken into consideration?
Does the review include customer satisfaction and feedback from relevant interested parties?
Is process performance and conformity of products and services reviewed for possible improvement?

Remarks


9.3.2 Management review inputs (continued)

Typical auditor’s questions

Are monitoring and measurement results, nonconformities and corrective actions included in the risk analysis process?
How do you ensure the effectiveness of actions taken to address risks and opportunities for improvement?
How do you ensure that you have an adequacy of resources?
How do you audit the performance of external providers?

Remarks

9.3.3 Management review outputs

Typical auditor’s questions

What are the anticipated and actual outputs from management reviews?
Do they:
  • provide opportunities for improvement?
  • indicate the need for changes to the Quality Management System?
  • indicate additional resource needs?
How are the results of management reviews of the QMS documented?
Do they provide an objective record of the organisation’s capability to produce quality products and services that meet the policies and requirements of your organisation’s QMS?
Do they provide a process for improved product, service and process performance?

Remarks


10 IMPROVEMENT

Typical auditor’s questions

Do you have an agreed process for pursuing potential opportunities that could enhance your organisation’s capability of meeting customer requirements and enhancing customer satisfaction?

Remarks

10.1 General

Typical auditor’s questions

What methods are employed to continually improve the effectiveness of your QMS?
How do you ensure that appropriate corrective action is taken to eliminate the cause of nonconformities in order to prevent them recurring?
How do you determine and select opportunities for improvement?
What methods do you use to improve customer satisfaction?
How do you ensure that you are capable of continuing to meet individual and specific customer requirements?
How do you prevent the use, or delivery of, nonconforming products as well as their storage and disposal?
Do you have a documented procedure to identify and control the use and delivery of nonconforming products?
How does your organisation control corrective and preventive actions and ensure the continual improvement of its product?

Remarks


10.2 Nonconformity and corrective action

Typical auditor’s questions

Have you an established procedure for identifying the product or service (i.e. from drawings, specifications or other documents) during all stages of production, delivery and installation?
When a nonconformity occurs, what action do you take to control and correct it?
Do you have a documented procedure for this corrective and preventative action?
Does this documented procedure define requirements for:
  • reviewing nonconformities (including customer complaints)?
  • determining the causes of nonconformities?
  • evaluating action to ensure that nonconformities do not recur?
  • determining and implementing action needed?
  • recording of the results of action taken?
  • reviewing corrective action taken?
What action do you take to eliminate the cause of nonconformities in order to prevent recurrence?
How do you ensure that those corrective actions are appropriate to the effects of the nonconformities encountered?
Do you analyse all processes, work operations, concessions, quality records, service reports and customer complaints to eliminate the causes of nonconforming products?
Do you retain documented information to record the nature of the nonconformities? As well as any subsequent actions taken and the results of any corrective action?
Are all nonconforming products and services clearly identified and kept completely separate from all other acceptable (conforming) products?
How do you initiate preventive actions, change any designs and specifications or work methods?
How do you ensure that the responsibilities for corrective action are clearly assigned to personnel and that these responsibilities are carried out properly?

Remarks


10.2 Nonconformity and corrective action (continued)

Typical auditor’s questions

What controls are applied to ensure that suitable corrective actions are taken and that the existing (as well as the modified) work, methods and designs are effective and suitable?
Do you implement and record (i.e. as documented information) changes in procedures that result from this corrective action?
If there are any permanent changes resulting from this corrective action, are these suitably recorded in Work Instructions, manufacturing processes, product specifications and in the organisation’s QMS?
Do you have a ‘concession scheme’ that can be applied to a nonconforming product or service?
Does your organisation have a ‘bonded store’ to house unacceptable products and services inside your premises and where all incoming material is placed pending inspection?

Remarks

10.3 Continual improvement

Typical auditor’s questions

How do you improve the suitability, adequacy and effectiveness of your QMS processes and procedures?
How do you use the outputs from your analysis and evaluation processes (see sub-clause 9.1.3) to identify areas of underperformance and opportunities for improvement?
Have you documented procedures to identify, manage and improve them?
How do you ensure that appropriate corrective action is taken to eliminate the cause of nonconformities in order to prevent them recurring?

Remarks


Section 2.4

Additional (general purpose) check sheets

CONTENTS

4.1 Quality Management System
4.2 Documented information requirements
4.3 Management commitment
4.4 Customer focus
4.5 Quality Policy
4.6 Planning
4.7 Responsibility, authority and communication
4.8 Management review
4.9 Provision of resources
4.10 Human resources
4.11 Infrastructure
4.12 Work environment
4.13 Planning and product realisation
4.14 Customer-related processes
4.15 Design and development
4.16 Purchasing
4.17 Production and service provision
4.18 Control of monitoring and measuring devices
4.19 Monitoring and measurement
4.20 Auditing
4.21 Control of nonconforming products and services
4.22 Analysis of data
4.23 Improvement

The following is a list of some of the most important questions that an external auditor would be likely to ask when assessing an organisation’s QMS for compliance with ISO 9001:2015.

Author’s Hint

Although the format of these questions is based on the organisation using a Quality Manual to hold the detailed requirements of their QMS, it does not exclude them being used against any other type of documented information that an organisation wishes to choose.


4.1 QUALITY MANAGEMENT SYSTEM

Typical auditor’s questions (Quality Management System)

Who is responsible for ensuring that your organisation’s QMS meets the requirements of ISO 9001:2015? And does it?
What type of format (i.e. hardcopy or softcopy) does your QMS use?
Who is responsible for ensuring that your Quality Manual accurately holds the detailed requirements of their QMS?
Do the processes generated as part of the QMS actually meet the requirements stated in the Quality Manual?
Are written procedures in all areas of the QMS unambiguous, understandable (simple enough so that the intended user has sufficient guidance to assure that quality is maintained) and do they specify methods and criteria?
How does documented information ensure that products and services conform to specified requirements?
How does the QMS identify and ensure that new ideas and techniques that affect quality are verified before being introduced?
How does the QMS ensure that adequate resources are available to attain and maintain the level of quality detailed in the Quality Manual and/or any Quality Plans?
How is the QMS represented in contract and new product developments?
Who is responsible for identifying requirements and risks that are at the frontiers of organisational or known technology? How are they controlled?

Remarks


4.2 DOCUMENTED INFORMATION REQUIREMENTS

Typical auditor’s questions (documented information requirements)

How are new procedures generated if required?
Are written procedures in all areas of the QMS unambiguous, understandable (simple enough so that the intended user has sufficient guidance to assure that quality is maintained) and do they specify methods and criteria?
What procedures describe how the documented information defined in quality requirements is controlled?
Do the procedures generated as part of the QMS meet the requirements stated in the Quality Manual?
Who is responsible for ensuring that quality documentation is available and issued to the relevant work areas in the appropriate form and in time?
Who prepares and updates procedures?
Who authorises the issue date?
Who reviews and approves documented information for adequacy, and are they suitably trained, experienced and equipped to do so?
With whose authority is quality documented information approved?
In approving the quality document, is the approval authority using recorded information from past experience and, if so, what proof is there?
How are changes to the quality documents implemented, recorded and approved, and is the approval authority the same as for the original issue?
How is the use of superseded documented information controlled and is there any confusion as to what the issue is?
When are copies of obsolete documented information destroyed, and by whom? (Check to ensure that only the authorised issue is available for use.)
How are the original and subsequent versions of the documented information distributed? Is their receipt acknowledged and should it be?
How does the user of documented information know what the current version should be?

Remarks


4.2 DOCUMENTED INFORMATION REQUIREMENTS (continued)

Typical auditor’s questions (documented information requirements)

Who establishes the correct revision of documented information if the current issue is not to be used?
Where are master copies of documented information stored, and are there any unauthorised modifications?
Who is responsible for the master copy?
Who coordinates changes to project documentation? Is there only one person responsible and, if not, is the route clearly defined?
When are changes to the contracted scope of work reviewed and by whom? How are these changes retained as documented information?
How are the changes to documented information concerning the design, and which affect the initial requirements, reviewed and what mechanism is there to ensure that these are in the customer’s interest?
If documented information is derived from a standard format, who is responsible for it and do all the users know how to request a change?
Are copies of documented information reissued after every change has been included? If not, who decides when the documented information will be reissued and is this time period acceptable to the user of the document?
How are customer requests to change documented information reviewed and recorded?
How does the documented information system ensure that the relevant information is made available to an Inspector (or relevant authority) for verification when they need it?
Which procedure (or procedures) defines the need to keep records to demonstrate the achievement of quality determined?
Who is responsible for generating quality records, and is the method of control adequately defined in instructions?
Does the information on the quality record conform to the requirement as defined in the procedures and, if not, how does it deviate?
Where quality records are required to be compiled by suppliers to demonstrate their achievement of quality, how is this requirement specified and met?

Remarks

4.2 DOCUMENTED INFORMATION REQUIREMENTS (continued) Typical auditor’s questions (documented information requirements)

Remarks

Where are quality records kept, for how long, and is the environment suitable to prevent loss or degradation? How are quality records accessed and is it possible to analyse them in order to identify trends? Who defines for how long the quality record should be kept, and does this period conflict with any contractual or legal requirements? How can it be demonstrated that the retention of quality records shows that the QMS is effective? What system is available to pass quality records to the customer when required to demonstrate the achievement of quality? Who is responsible for disposing of quality records, and are they disposed of effectively? Has adequate documented information been produced to support the product or service during its expected life and how is this requirement specified?

4.3 MANAGEMENT COMMITMENT Typical auditor’s questions (management commitment) Who is responsible for ensuring that the Quality Policy is understood and implemented? How is the Quality Policy used to set objectives and who is involved in the decision-making? Who determines that the quality policies are compatible with other organisation objectives?

Remarks

4.4 CUSTOMER FOCUS Typical auditor’s questions (customer focus)

Remarks

Who reviews a contract’s documented information for adequacy, and are problem areas resolved? Are there procedures for contract review, and are the records readily available and complete? How are the differences between the tender and the contract identified and reviewed? How are the in-house activities affecting the customer coordinated and agreed with the customer, before, during and after the contract? Do the same procedures apply to all contracts and is this evident? When are customer-specific standards identified and who controls them, and are they available for the use of the designer? How are products, services and documented information requiring final approval or certification identified for the organisation or customer use? How are customer requests to change documented information reviewed and recorded? How are the changes to the design, which affect the initial requirements, reviewed and what mechanism is there to ensure that these are in the customer’s interest? What methods exist for the customer to specify and carry out their own inspection?

4.5 QUALITY POLICY Typical auditor’s questions (Quality Policy) How is the Quality Policy used to set objectives, and who is involved in the decision-making? Who determines that the quality policies are compatible with other organisation objectives? Who is responsible for ensuring that the Quality Policy is understood and implemented? How is the QMS represented in contract and new product developments?

Remarks

4.6 PLANNING Typical auditor’s questions (Planning)

Remarks

How is the Quality Policy used to set objectives, and who is involved in the decision-making? How does the QMS identify and ensure that new ideas and techniques that affect quality are verified before being introduced? Who is responsible for identifying requirements and risks that are on the frontiers of organisational or known technology? How are they controlled? How are new procedures generated if required? Who is responsible for clarifying or defining quality standards for the acceptability of a product or service, and how are these levels demonstrated? How is the compatibility of procedures supporting the QMS established and maintained through revisions? How does the QMS exercise continuous and adequate control over areas affecting quality? Are written procedures in all areas of the QMS unambiguous, understandable (simple enough so that the intended user has sufficient guidance to assure that quality is maintained) and do they specify methods and criteria? Who has the authority to make decisions on the acceptability of the levels of quality achieved? When is the need for a Quality Plan identified? Who produces it and how are the contents validated?

4.7 RESPONSIBILITY, AUTHORITY AND COMMUNICATION Typical auditor’s questions (responsibility, authority and communication) Who determines that the quality policies are compatible with other organisational objectives? Who has the defined authority to implement quality policies and objectives, and has he/she sufficient authority to fulfil this task?

Remarks

4.7 RESPONSIBILITY, AUTHORITY AND COMMUNICATION (continued) Typical auditor’s questions (responsibility, authority and communication)

Remarks

Who is responsible for identifying, reviewing and recommending solutions to minimise or prevent quality-related problems, and how is this achieved? Who is responsible for ensuring that the organisation’s Quality Manual meets the requirements of the QMS and ISO 9001:2015? Who has the authority to make decisions on the acceptability of the levels of quality achieved? Who is responsible for ensuring that the Quality Policy is understood and implemented? Who is responsible for ensuring that quality documentation is available and issued to the relevant work areas in the appropriate form and on time? Who is responsible for identifying requirements and risks that are at the frontiers of organisation or known technology, how are they controlled and how are new procedures generated if required?

4.8 MANAGEMENT REVIEW Typical auditor’s questions (Management review) How often is the organisation’s Quality Policy reviewed and revised? Who completes this review and is that person (or persons) suitably placed in the organisation to do so? How often and by whom is the QMS reviewed for adequacy, and how is its performance quantified and reported? Who reviews quality objectives to ensure that they are achieved, or instigates action in order to implement them? Is the review process effective and how is action monitored? Is there documented information available that provides evidence of the review process?

Remarks

4.9 PROVISION OF RESOURCES Typical auditor’s questions (Provision of resources)

Remarks

How does the QMS ensure that adequate resources are available to attain and maintain the level of quality detailed in the Quality Manual and/or any Quality Plans?

4.10 HUMAN RESOURCES Typical auditor’s questions (Human resources) How does the QMS ensure that adequate human resources are available to attain and maintain the level of quality detailed in the Quality Manual and/or any Quality Plan? Who sets the qualification and experience requirements for job functions and in which procedure are they defined? Where personnel performing job functions do not meet the identified requirements, how are their training needs identified? Having identified the need for training, who is responsible for training and who is responsible for ensuring that these needs are met? Who is responsible for ensuring that records of qualification and experience are maintained to reflect the current qualifications and experience of personnel? How are the training needs of new recruits identified? What training is given on commencement of employment, and is it adequate? When personnel are redeployed, are they given adequate training in order to perform their new function? Who is responsible for reviewing records of qualification to ensure that any new training needs are identified? Are all personnel, on a need-to-know basis, aware of the QMS and are they aware of how to suggest changes to it? Are all levels of management aware of the organisation’s policies affecting their functions and, specifically, what the organisation’s policy with respect to quality is? Is everyone within the organisation totally committed to the continual improvement of quality and quality management?

Remarks

4.11 INFRASTRUCTURE Typical auditor’s questions (Infrastructure) How do you define, provide, develop, implement, evaluate and consider your infrastructure requirements in terms of product or service performance, customer satisfaction and controlled improvement? How do you determine what buildings, workspace and associated utilities are required? How do you determine what process equipment, both hardware and software, is required? How do you determine what supporting services, such as transport or communication, are required? Who identifies the need for a special production or manufacturing process, and have they adequately defined it? How do you maintain the infrastructure necessary for the operation of its processes to achieve conformity of products and services? What systems are in place for ensuring adequate maintenance of production equipment? Who is responsible for ensuring that workmanship standards are adequate to process new or modified products and services? What reference is made to workmanship standards in Quality Processes and procedures?

Remarks

4.12 WORK ENVIRONMENT Typical auditor’s questions (Work environment)

Remarks

Who determines, develops and evaluates what work environment is required? Does your work environment currently assist in achieving conformity of products and services? Does your organisation possess a specific process or procedure for the work environment, and does this meet the requirements of management systems? How do you ensure that your work environment not only motivates, satisfies and increases the performance of people but also enhances the performance of the organisation? What systems are in place for ensuring adequate maintenance of production equipment? Who is responsible for ensuring that workmanship standards are adequate to process new or modified products?

4.13 PLANNING AND PRODUCT REALISATION Typical auditor’s questions (Planning and product realisation) Have procedures been generated to ensure that incoming products and services are verified before being released for use? Who inspects or otherwise tests the performance of an incoming product or service before approving it for use, and are they aware of the required acceptance criteria? How are acceptance criteria specified and is there adequate equipment to ensure that these are met? How are products and services, which are not verified, marked? How are products and services, which do not need to be verified, identified and if they subsequently fail what mechanism is available to recall them for verification? How is the past performance of suppliers recorded, and is it available for the person taking a decision on the need to validate the incoming product?

Remarks

4.13 PLANNING AND PRODUCT REALISATION (continued) Typical auditor’s questions (Planning and product realisation) What is done with incoming documented information to substantiate that the product or service meets specified requirements? How are inspection and test points for work-in-progress identified, and who carries out the validation? Who monitors the development processes to ensure that the equipment is fit for purpose, and how is this implemented? Who is responsible for identifying products and services that fail to meet their specified requirements, and how are these controlled? What mechanism is there to ensure that all specified tests have been performed and that the results are acceptable? How are the requirements for final inspection and test specified? Who verifies that completed products and services are fit for use? How are test and inspection records held, are they accessible and do they meet any contractual and legal requirements? Who is responsible for identifying requirements and risks that are at the frontiers of organisational or known technology? How are they controlled? How are new procedures generated if required? When is the need for a Quality Plan identified? Who produces it and how are the contents validated? Are the people assigned to the validation and verification adequately trained and equipped? When appropriate, do all test and inspection records carry the signature or initials of the person performing the validation? How does the person carrying out the inspection or test know what documented information they need and its relevant issue? Where relevant, have all test and inspection methods been adequately defined?

Remarks

4.14 CUSTOMER-RELATED PROCESSES Typical auditor’s questions (Customer-related processes) Are there procedures for contract review, and are the records readily available and complete? Who reviews the contract documents for adequacy, and are problem areas resolved? Who generates and controls contract-specific procedures and standards, and does the customer approve them? How are the activities leading up to a tender presentation or quotation coordinated? Who generates the tender specification, and are they aware of all pertinent information? Are order acceptance meetings held and, if so, who attends them? How are key project personnel identified and informed of their role in the contract? What evidence is there that the Project Manager has issued all the necessary documentation as detailed in the procedures, and was it issued in a timely manner? How are verbal orders handled?

How are the differences between the tender and the contract identified and reviewed? Do the same procedures apply to all contracts and is this evident? How is the requirement for design documented information identified, and does this take into consideration the need for training? Who receives and reviews documented information from other departments – the customer, technical authority (national safety requirements) – affecting the design requirements, and what action is taken if the information is unclear or ambiguous?

Remarks

4.14 CUSTOMER-RELATED PROCESSES (continued) Typical auditor’s questions (Customer-related processes)

Remarks

When are customer-specific standards identified, who controls them, and are they available for the use of the designer? How is the documented information concerning products and services that require final approval or certification identified for organisational or customer use? How are customer requests to change documents reviewed and recorded? How are the changes to the design which affect the initial requirements reviewed, and what mechanism is there to ensure that these are in the customer’s interest? What methods exist for the customer to specify and carry out their own inspection?

4.15 DESIGN AND DEVELOPMENT Typical auditor’s questions (Design and development) Do procedures exist to control and verify the design activities to ensure the design requirements are specified and met? What method of design planning is used, and does it identify the need for personnel and equipment that are required? How is the requirement for design documented information identified, and does this take into consideration the need for training? Are there any examples of revised design plans and, if so, why were they modified? Who receives and reviews documented information from other departments – the customer, technical authority (national safety requirements) – affecting the design requirements, and what action is taken if the information is unclear or ambiguous? Are conflicts and additions to the initial design specification resolved with the person responsible for generating the requirement and, if so, how are unresolved issues progressed?

Remarks

4.15 DESIGN AND DEVELOPMENT (continued) Typical auditor’s questions (Design and development) How are changes to the design specification and documented information communicated to other departments? Who is responsible for defining and subsequently updating the distribution list for design documented information? Is the design specification broken down into smaller units of work and, if so, how are the units related to ensure adequacy when integrated into the whole? How is the design validated (tested) to ensure that it performs as specified, and are these tests traceable to the customer requirements or national standards? Are the design results reviewed and, if so, are they planned and retained as documented information? If design review meetings are held, who attends them and what evidence is there that a critical review of the results was carried out? How are unacceptable test results identified and what action is taken to resolve the situation? Where external test houses are required to perform validation, how are these selected, the test specified and the results formatted? Are suitably qualified and experienced personnel assigned to the validation of the design? Where do the design change requests originate from, how are they reviewed, and is affected documented information quarantined until a decision is made as to the required action to be taken? How are approved design changes incorporated into the relevant documented information, and are those who need to know informed of the pending changes? How is the effect of introducing a design change on the product specification assessed to ensure that no degradation of its performance is introduced? How is superseded design documented information identified and removed from other relevant areas? How are necessary design changes affecting the contract agreed with the customer and, if so, at what point does this happen?

Remarks

4.15 DESIGN AND DEVELOPMENT (continued) Typical auditor’s questions (Design and development) When are customer-specific standards identified, who controls them and are they available for the use of the designer? Are members of the design function aware of the procedures and standards that they should be using and, if so, how can they identify the correct issue? Are suitably qualified and experienced Staff allocated to the design and verification activities? How is the documented information concerning products and services that require final approval or certification identified for the organisation or customer use? When was the design documented information, as detailed in the procedures, produced and has it all been adequately controlled? How are completed designs identified, and are there any methods of identifying the product status? Has adequate documented information been produced to support the product during its expected life, and how is this requirement specified? Who is responsible for setting design standards and specifications, and are all those who need to know aware of these requirements? What opportunities are there for designers to assess the requirements and capabilities of the functions that will realise their design, and are they aware what they are? How are amendments to the purchase orders controlled and authorised, and what reference is made to the initial purchase order? How are design or specification changes controlled and implemented?

Remarks

4.16 PURCHASING Typical auditor’s questions (Purchasing) What procedures do you possess to cover purchasing activities? How are prospective suppliers assessed with respect to quality and other requirements? What are they? Who keeps records of supplier performance, and are these records available for purchasing decisions? What action is taken if a non-approved supplier is selected for an order? What data is included on the purchase order, and does it meet customer and organisation requirements? Who reviews the purchase order to ensure that it adequately specifies the product? Who determines the quality standards to be defined for the order? Who is responsible for approving the purchase order before release to the supplier, and is this value-dependent? When does the requirement to verify products during manufacture get defined on the purchase order? Are any validation stages notified to the organisation and, if so, how? What methods exist for the customer to specify and carry out their own inspection? How are amendments to the purchase orders controlled and authorised, and what reference is made to the initial purchase order? How are designs or other requirement changes communicated to suppliers, and are these instructions clear? What routes are available for suppliers to resolve queries, and what method of progress is used? How are product and/or service acceptance criteria defined to ensure that these meet specified requirements?

Remarks

4.17 PRODUCTION AND SERVICE PROVISION Typical auditor’s questions (Production and service provision) Who verifies that purchaser (or customer) supplied products and services are fit for purpose? What method of validation is used and has it been specified? Who determines whether specific instructions are required for the maintenance of purchaser-supplied products during storage, and how are the instructions implemented? Where are products that fail to meet specified requirements stored, and how are they identified? Who prepares specific project instructions for the testing of customer supplied products? If there are no written instructions for testing, how is the product validated? How are inspections of stored items recorded? Who receives them and reviews them to ensure that unsatisfactory test results are analysed and action taken to resolve the situation? How are purchaser-supplied products stored, and are they segregated to identify those that are not fit for use? Are products reinspected prior to use and, if not, how is the product validated to ensure that it is still satisfactory for use? Who resolves problems with the customer with respect to products that are unfit or are not available for use? What records are kept? Have special storage and inspections been specified by the customer, and how can you be sure that these are correct and adequate? Are products clearly identified at all stages of the process? How are products in storage identified?

How are visually identical parts with different characteristics identified?

Remarks

4.17 PRODUCTION AND SERVICE PROVISION (continued) Typical auditor’s questions (Production and service provision) Who determines the need to identify products, and are instructions issued to define what the products should be traceable to? How are the requirements for traceability recorded, and are the instructions explicit? How are the requirements determined for traceability on a product/batch which may cause the loss of life, serious injury or loss of production, who is assigned this responsibility and are they suitably trained and experienced? How is the batch/product marked to ensure that it is uniquely identified, and do all associated documents carry the same reference? How is traceability assured throughout the life of the product? When are the production/installation processes identified that need to be controlled in order to assure the required level of quality? Who is responsible for these processes, and can they demonstrate that adequate validation and verification takes place to ensure the correct manufacturer? Who identifies the need for Work Instructions and are they responsible for updating them to take into account new working practices and techniques? Where are the Work Instructions filed? Are they under control and are the people who are expected to use them aware of them? Who has been nominated to ensure that the finished product meets its process requirements, and do they have detailed acceptance criteria for assessing the work? Who is responsible for ensuring that workmanship standards are adequate to process new or modified products? What reference is made to workmanship standards in instructions? When the end product of a process can neither be verified nor validated at its completion, do procedures exist in order to accept it during work-in-progress and what records are available to prove this?

Remarks

4.17 PRODUCTION AND SERVICE PROVISION (continued) Typical auditor’s questions (Production and service provision) Who identifies the need for a special manufacturing process and have they adequately defined it? Who is responsible for discussing special processes with the customer/supplier before an order is accepted or placed? If the process requires a controlled environment, who has specified its acceptance limits and has it been documented and controlled to these requirements? Have the people who have been assigned process duties been adequately trained and equipped to perform the task, and is there sufficient space to carry out the work? How is reprocessing controlled, and does it follow the same process or do other Work Instructions apply? How can you show that the Work Instructions and other documented information and data are at the correct issue, and are there any unauthorised additions? How are design or specification changes controlled and implemented? What systems are in place for ensuring adequate maintenance of production equipment? What method of identification is used to ascertain the inspection or test status of a product, and does it provide adequate information? Have all the specified inspections/tests been carried out, who has performed them and are they suitably authorised to do so? Where are test and inspection records stored, and are they easily traceable to the product? Who has the authority to remove a test or inspection indicator? Have detailed instructions with respect to defining the status been written?

Remarks

4.17 PRODUCTION AND SERVICE PROVISION (continued) Typical auditor’s questions (Production and service provision) Who is responsible for defining the acceptable test status? Has provision been made for entering a new status as a result of retesting/inspecting the product? What methods of indicating product status are used by suppliers, and are they acceptable? Who identifies the requirements for handling, storage and packaging, and how are they specified? Who is responsible for ensuring that the handling, storage and packaging requirements are met and, if any validation is required, how is it done? How can damage due to inappropriate handling or storage be detected and have procedures been written to ensure that periodic reinspection, when required, is carried out to ensure fitness for purpose? Where a storage area has been set up, do methods of receiving and despatching products exist and are all relevant Staff knowledgeable? How is a product or service item authorised to enter and leave the storage areas? Does the product or service item maintain its identity at all stages of handling, storage, packing and delivery, and is there evidence to support this? Who specifies packaging standards, are there any specific contract requirements and who is responsible for the final packing? How are environmental conditions considered when determining requirements to ensure the preservation of quality? Who defines the path for the processing of the product or service item, and do these instructions define all the relevant processes to be followed? Who is responsible for stores records and do they adequately define the current stockholding? How are different batches or versions of the same product or service item identified, stored, packed and delivered, and is there any scope for confusion?

Remarks

4.17 PRODUCTION AND SERVICE PROVISION (continued) Typical auditor’s questions (Production and service provision)

Remarks

Who is responsible for ensuring that servicing meets specified requirements and how is this achieved? What procedures exist to define the manner of servicing and reporting? Who is responsible for generating instructions to ensure that the servicing or after sales support is adequately defined, and who is responsible for ensuring that this information is in a suitable format? Who is responsible for seeing that adequate back-up is available to ensure that installed and accepted equipment is supported? How are requests for support on sites handled, and are all queries responded to in a timely manner? How is feedback from servicing handled, and how is this feedback coordinated?

4.18 CONTROL OF MONITORING AND MEASURING DEVICES Typical auditor’s questions (Control of monitoring and measuring devices) Who determines which measuring or test equipment needs to be calibrated, and how are acceptance limits established and documented? Who decides the period of validity for the calibration and is there any provision for subsequently changing it based on past records? How is equipment used for indicating rather than measuring identified, and has it been calibrated? How are the measurement requirements specified and, if appropriate, is the type of test equipment specified in instructions? How is the measurement uncertainty specified, and are operators aware of what this should be for the work being carried out?

Remarks

4.18 CONTROL OF MONITORING AND MEASURING DEVICES (continued) Typical auditor’s questions (Control of monitoring and measuring devices) How is the national standard to which the equipment is to be calibrated specified and, if no suitable standard exists, how is it specified? Who is responsible for ensuring that new or reclassified equipment is included in a calibration schedule and how is he informed? What action will be taken if an item sent for calibration fails to meet the specified requirements? Where appropriate, is it possible to identify the calibration status of inspection equipment used to demonstrate the adequacy of the product or service? How is it possible to identify the test or inspection equipment used to demonstrate the adequacy of the product or service? How is equipment not requiring calibration identified, and is it ever used to demonstrate the acceptability of products or services? Who is responsible for ensuring that all calibrated equipment is maintained and stored in a suitable environment so as not to invalidate the calibration? Have any special control conditions been defined for calibrated equipment, and should it be used under environmentally controlled conditions? How is the calibrated equipment checked prior to use to ensure that it is fit for the intended purpose? How are adjustments, which can negate the validity of the calibration results, set or identified to prevent unauthorised adjustments? What procedures are in place to control the management and calibration of inspection, measuring and test equipment?

Remarks

4.19 MONITORING AND MEASUREMENT

Typical auditor’s questions (Monitoring and measurement)

• Have procedures been generated to ensure that incoming products and services are verified before being released for use?
• Who inspects or otherwise tests the performance of incoming products and services before approving them for use, and are they aware of the required acceptance criteria?
• How are acceptance criteria specified, and is there adequate equipment to ensure that these are met?
• How are items marked which are not verified?
• How are items identified which do not need to be verified and, if they subsequently fail, what mechanism is available to recall them for verification?
• How is the past performance of suppliers recorded, and is it available for the person taking a decision on the need to validate the incoming product?
• What is done with incoming documentation to substantiate that the product meets specified requirements?
• How are inspection and test points for work in progress identified, and who carries out the validation?
• Who monitors manufacturing processes to ensure that the equipment is fit for purpose, and how is this implemented?
• Who is responsible for identifying products or services that fail to meet their specified requirements, and how are these controlled?
• What mechanism is there to ensure that all specified tests have been performed and that the results are acceptable?
• How are the requirements for final inspection and tests specified?
• Who verifies that completed products are fit for use?
• How are test and inspection records held, are they accessible and do they meet any contractual and legal requirements?
• Are the people assigned to the validation and verification adequately trained and equipped?
• When appropriate, do all test and inspection records carry the signature or initials of the person performing the validation?
• How does the person carrying out the inspection or test know what documentation they need, and its relevant issue?
• Where relevant, have all test and inspection methods been adequately defined?
• How effective is the QMS, and can this be demonstrated?

Remarks

4.20 AUDITING

Typical questions

• How are audits planned and programmed?
• Does the programme cover the whole QMS?
• How are the requirements for an audit defined, and are these instructions supported by procedures?
• Who determines the need for an audit and on what basis do they reach their decision?
• What action is taken after an audit?
• How are nonconformities found during an audit resolved, and are the relevant managers involved?
• How are audit reports controlled and are they circulated to the relevant managers?
• How does the QMS identify that timely corrective actions are taken as a result of an audit?
• When the corrective action is not effective, who is responsible for resolving the situation?
• How are auditors selected, and are they suitably trained to carry out an audit?
• Are all auditors independent of the activity that they are auditing, and how can this be demonstrated?
• When carrying out the audit, how are the following assessed: structure, personnel, material, resources and product of the activity, and are they?
• How are the results of the audit programme reviewed?
• How does the audit programme demonstrate that the QMS is effective?
• Who is responsible for compiling and distributing a ‘close-out report’?
• How, if at all, are the results of previous audits used to structure the audit of the same or similar function?
• Who is responsible for setting the period between audits, and are these periods flexed as a result of past performance or inferred nonconformance identified whilst auditing other activities?

Remarks

4.21 CONTROL OF NONCONFORMING PRODUCTS AND SERVICES

Typical auditor’s questions (Control of nonconforming product)

• How are products and services identified which do not meet their specified requirement?
• In what environment is the nonconforming product or service stored, and is the marking adequate?
• What documentation is available to identify where the product or service fails to meet specified requirements?
• Who is responsible for reviewing the documentation in order to recommend a remedial action?
• Whilst a decision is being taken, how are other products and services which may also fail to meet specified requirements identified and segregated?
• What procedures define the control of a nonconforming product or service process?
• How is remedial action documented and can the product or service be identified to any such document?
• How are nonconforming products and services which are reworked identified and processed, and how can you tell?
• Where no remedial action is possible and the product or service must be disposed of, how is this accomplished and is the routine adequate to prevent further use?
• If the product or service is reclassified or accepted as is, how is this documented and is the status of the product obvious?
• Are written instructions available as to the required acceptance criteria of the reworked product or service, and how are the revised tests/inspections recorded?
• When nonconformity affects the customer or other suppliers, how are they involved in the decision-making and approval process?
• How do departments carry out an in-depth consideration of major items which fail to meet specified requirements, and who decides what is a major item?
• When are records of nonconforming products and services reviewed to determine any trends, and is there any evidence to support this?
• Where do nonconformance reports go for investigation?
• How effective is the corrective action, and is it adequate?

Remarks

4.22 ANALYSIS OF DATA

Typical auditor’s questions (Analysis of data)

• Who determines the need to use statistical methods to establish the level of quality achieved, and are the methods directly related to a standard?
• Who is responsible for gathering data for statistical techniques, is the amount of data specified and is this what is collected?
• Who processes the data and are statistics produced in a timely manner, reviewed and analysed so as to provide an indication of the situation?
• How are statistical data and results controlled, and is this adequate?
• Who is responsible for reviewing the statistical techniques and the method of data collection?
• Who has documented the methods of statistical techniques being used?
• Who is responsible for ensuring that the statistical techniques in use are suitable?
• What procedures define the manner of application of statistical techniques?

Remarks

4.23 IMPROVEMENT

Typical auditor’s questions (Improvement)

• How often is the organisation’s Quality Policy reviewed and revised, by whom, and is he suitably placed in the organisation to do so?
• How often and by whom is the QMS reviewed for adequacy, and how is its performance quantified and reported?
• Who reviews quality objectives to ensure that they are achieved or instigates action in order to implement them?
• Is the review effective and how is action monitored?
• Is documented information available that provides evidence of the review process?
• Who investigates the cause of nonconformity and the subsequent actions taken?
• Who is responsible for ensuring that potential causes of nonconformity are identified and action taken to ensure that recurrences do not take place?
• How are customer complaints handled, and is there a method of routing them for analysis by the organisation’s nominated authority?
• How are corrective actions controlled, and is the method of control adequately defined?
• What system is available to update procedures to ensure that nonconformities are rectified and preventive measures introduced, and are all people who need to be aware of this informed?
• How are changes to methods implemented and recorded?
• What procedures control the processes of corrective action and preventive action, and what records are available?

Remarks

Section 2.5

Example stage audit checks

CONTENTS
2.5.1 Design stage
2.5.2 Manufacturing or production stage
2.5.3 Acceptance stage
2.5.4 In-service stage

The following is a list of the most important questions that an external auditor is likely to ask when evaluating an organisation for its:

• design stage;
• manufacturing stage;
• acceptance stage;
• in-service stage.

2.5.1 DESIGN STAGE

Item | Related item | Remark
1 Requirements | 1.1 Information | Has the customer fully described their requirement? Has the customer any mandatory requirements? Are the customer’s requirements fully understood by all members of the design team? Is there a need to have further discussions with the customer? Are other suppliers or subcontractors involved? If yes, who is the prime contractor?
 | 1.2 Standards | What international standards need to be observed? Are they available? What National standards need to be observed? Are they available? What other information and procedures are required? Are they available?
 | 1.3 Procedures | Are there any customer-supplied drawings, sketches or plans? Have they been registered?
2 Quality Procedures | 2.1 Procedures manual | Is one available? Does it contain detailed procedures and instructions for the control of all drawings within the drawing office?
 | 2.2 Planning implementation and production | Is the project split into a number of Work Packages? If so: • are the various Work Packages listed? • have Work Package Leaders been nominated? • is their task clear? • is their task achievable? • is a time plan available? • is it up to date? • is it regularly maintained? • is it relevant to the task?
3 Drawings | 3.1 Identification | Are all drawings identified by a unique number? Is the numbering system strictly controlled?
 | 3.2 Cataloguing | Is a catalogue of drawings maintained? Is this catalogue regularly reviewed and up to date?
 | 3.3 Amendments and modifications | Is there a procedure for authorising the issue of amendments to drawings? Is there a method for withdrawing and disposing of obsolete drawings?
4 Components | 4.1 Availability | Are complete lists of all the relevant components available?
 | 4.2 Adequacy | Are the selected components currently available and adequate for the task? If not, how long will they take to procure? Is this acceptable?
 | 4.3 Acceptability | If alternative components have to be used how are they assessed regarding their acceptability to the task?
5 Records | 5.1 Failure reports | Has the design office access to all records, failure reports and other relevant data?
 | 5.2 Reliability data | Are reliability data correctly stored, maintained and analysed?
 | 5.3 Graphs, diagrams, plans | In addition to drawings, is there a system for the control of all graphs, tables, plans, etc.? Are CAD facilities available? (If so, go to 6.1)
6 Reviews and audits | 6.1 Computers | If a processor is being used: • are all the design office personnel trained in its use? • are regular back-ups taken? • is there an anti-virus system in place?
 | 6.2 Manufacturing division | Is a close relationship being maintained between the design office and the manufacturing division?
 | 6.2 Manufacturing division’s requirements | Is notice being taken of the manufacturing division’s exact requirements, their problems and their choices of components, etc.?

2.5.2 MANUFACTURING OR PRODUCTION STAGE

Author’s Hint
Although this section is primarily aimed at the manufacture of a product, it is equally applicable to another department providing services – for example, a design office supplying data for the software engineers to design an IT product and service.

Item | Related item | Remark
1 Degree of quality | 1.1 Quality Control procedures | Are Quality Control procedures available? Are they relevant to the task? Are they understood by all members of the manufacturing team? Are they regularly reviewed and up to date? Are they subject to control procedures?
 | 1.2 Quality Control checks | What quality checks are being observed? Are they relevant? Are there laid down procedures for carrying out these checks? Are they available? Are they regularly updated?
2 Reliability of product design | 2.1 Statistical data | Is there a system for predicting the reliability of the product’s design? Is sufficient statistical data available to be able to estimate the actual reliability of the design, before a product is manufactured? Is the appropriate engineering data available?
 | 2.2 Components and parts | Are the reliability ratings of recommended parts and components available? Are probability methods used to examine the reliability of a proposed design? If so, have these checks revealed design deficiencies such as: • assembly errors? • operator learning, motivational, or fatigue factors? • latent defects? • improper part selection?

2.5.3 ACCEPTANCE STAGE

Item | Related item | Remark
1 Product performance | | Does the product or service perform to the required function? If not what has been done about it?
2 Quality level | 2.1 Workmanship | Does the ‘workmanship’ of the product or service fully meet the level of quality required or stipulated by the user?
 | 2.2 Tests | Is the product or service subjected to environmental tests? If so, which ones? Is the product or service field tested as a complete system? If so, what were the results? Are individual components and modules environmentally tested? If so, how?
3 Reliability | 3.1 Probability function | Is the product or service’s reliability measured in terms of probability function? If so, what were the results?
 | 3.2 Failure rate | Is the product or service’s reliability measured in terms of failure rate? If so, what were the results?
 | 3.3 Mean time between failures | Is the product or service’s reliability measured in terms of mean time between failures? If so, what were the results?

2.5.4 IN-SERVICE STAGE

Item | Related item | Remark
1 System reliability | 1.1 Basic design | Are statistical methods being used to prove the product or service’s basic design? If so, are they adequate? Are the results recorded and available? What other methods are used to prove the product’s basic design? Are these methods appropriate?
2 Equipment reliability | 2.1 Personnel | Are there sufficient trained personnel to carry out the task? Are they sufficiently motivated? If not, what is the problem?
 | 2.1.1 Operators | Have individual job descriptions been developed? Are they readily available? Are all operators capable of completing their duties?
 | 2.1.2 Training | Do all personnel receive appropriate training? Is a continuous on-the-job training programme available to all personnel? If not, why not?
 | 2.2 Product or service dependability | What proof is there that the product or service is dependable? How is product dependability proved? Is this sufficient for the customer?
 | 2.3 Component reliability | Has the reliability of individual components been considered? Does the reliability of individual components exceed the overall system reliability?
 | 2.4 Faulty operating procedures | Are operating procedures available? Are they appropriate to the task? Are they regularly reviewed?
 | 2.5 Operational abuses | Are there any obvious operational abuses? If so, what are they? How can they be overcome?
 | 2.5.1 Extended duty cycle | Do the Staff have to work shifts? If so, are they allowed regular breaks from their work? Is there a senior shift worker? If so, are their duties and responsibilities clearly defined? Are computers used? If so, are screen filters available? Do the operators have keyboard wrist rests?
 | 2.5.2 Training | Do the operational Staff receive regular on-the-job training? Is there any need for additional in-house or external training?
3 Design capability | 3.1 Faulty operating procedures | Are there any obvious faulty operating procedures? Can the existing procedures be improved upon?

Section 2.6

Comparison between ISO 9001:2015 and ISO 9001:2008

The main change between the two editions of this standard is that, in accordance with the requirements of Annex SL, ISO 9001:2015 now consists of 10 clauses instead of the previous 8, but as can be seen from the following table, much of the new 2015 standard was already available in the previous 2008 version.

Comparison between ISO 9001:2015 and ISO 9001:2008

ISO 9001:2015 Clause No. | ISO 9001:2015 Clause | Equivalent ISO 9001:2008 Clause/No.
1 | Scope | 1 Scope
2 | Normative Reference | 2 Normative Reference
3 | Terms and Definitions | 3 Terms and Definitions
4 | Context of the Organisation | N/A
4.1 | Understanding the organisation and its context | None (although in spirit this requirement was found under 1.1)
4.2 | Understanding the needs and expectations of interested parties | None (although in spirit this requirement was found under 1.1)
4.3 | Determining the scope of the Quality Management System | None (although this content was previously specified under 4.2.2)
4.4 | Quality Management System and its processes | 4.1
5 | Leadership | N/A
5.1 | Leadership and commitment | 5.1, 5.2
5.2 | Policy | 5.3
5.3 | Organisational roles, responsibilities and authorities | 5.5.1
6 | Planning | N/A
6.1 | Actions to address risks and opportunities | None (although this new requirement extracts ideas previously found in 8.5.3, 5.4.2 and 7.1)
6.2 | Quality objectives and planning to achieve them | 5.4.1
6.3 | Planning of changes | 5.4.2
7 | Support | N/A
7.1 | Resources | 6.1
7.1.1 | General | 6.1
7.1.2 | People | 6.2
7.1.3 | Infrastructure | 6.3
7.1.4 | Environment for the operation of processes | 6.4
7.1.5 | Monitoring and measuring resources | 7.6
7.1.6 | Organisational knowledge | None
7.2 | Competence | 6.2
7.3 | Awareness | 6.2
7.4 | Communication | 5.5.3
7.5 | Documented Information | 4.2.3, 4.2.4
7.5.1 | General | 4.2.3, 4.2.4
7.5.2 | Creating and Updating | 4.2.3, 4.2.4
7.5.3 | Control of Documented Information | 4.2.3, 4.2.4
8 | Operation | N/A
8.1 | Operational planning and control | 7.1
8.2 | Requirements for products and services | 7.2
8.2.1 | Customer communication | 7.2.3
8.2.2 | Determination of requirements related to products and services | 7.2.1
8.2.3 | Review of requirements related to products and services | 7.2.2
8.2.4 | Changes to requirements for products and services | 7.2.2
8.3 | Design and development of products and services | 7.3
8.3.1 | General | None (although this requirement extracts ideas previously found in 7.3 at large)
8.3.2 | Design and development planning | 7.3.1
8.3.3 | Design and development inputs | 7.3.2
8.3.4 | Design and development controls | 7.3.4, 7.3.5, 7.3.6
8.3.5 | Design and development outputs | 7.3.3
8.3.6 | Design and development changes | 7.3.7
8.4 | Control of externally provided processes, products and services | 7.4.1
8.4.1 | General | 7.4.1
8.4.2 | Type and extent of control | 7.4.1, 7.4.3
8.4.3 | Information for external providers | 7.4.2
8.5 | Production and service provision | 7.5.1, 7.5.2
8.5.1 | Control of production and service provision | 7.5.1, 7.5.2
8.5.2 | Identification and traceability | 7.5.3
8.5.3 | Property belonging to customers or external providers | 7.5.4
8.5.4 | Preservation | 7.5.5
8.5.5 | Post-delivery activities | 7.5.1, 7.2.1
8.5.6 | Control of changes | 4.2.3, 5.4.2, 7.3.7
8.6 | Release of products and services | 8.2.4
8.7 | Control of nonconforming outputs | 8.3
9 | Performance evaluation | N/A
9.1 | Monitoring, measurement, analysis and evaluation | 8.1, 8.2
9.1.1 | General | 8.1, 8.2
9.1.2 | Customer satisfaction | 8.2.1
9.1.3 | Analysis and evaluation | 8.4
9.2 | Internal audit | 8.2.2
9.3 | Management review | 5.6
10 | Improvement | N/A
10.1 | General | 8.3, 8.5
10.2 | Nonconformity and Corrective Action | 8.3, 8.5.2
10.3 | Continual Improvement | 8.5.1

Bold font = main clause number

Section 2.7

Counter-comparison between ISO 9001:2008 and ISO 9001:2015

The following table provides an indication of how the previous 8 clauses from the 2008 edition of the standard have been included in the 10 clauses making up the ISO 9001:2015 publication.

Counter-comparison between ISO 9001:2008 and ISO 9001:2015

Existing ISO 9001:2008 Clause Number | ISO 9001:2015 Clause Number
4 Quality Management System (Section title) | N/A
4.1 General Requirements | 4.4 Quality Management System and its processes
4.2.2 Quality Manual | None (a Quality Manual is no longer specifically required, but the content previously found in a Quality Manual is now specified under Clauses 4.3 Determining the Scope of the Quality Management System, 7.5.1 General and 4.4 Quality Management System and its processes)
4.2.3 Control of Documents | 7.5 Documented Information, 7.5.1 General, 7.5.3 Control of Documented Information, 8.5.6 Control of changes
4.2.4 Control of Records | 7.5 Documented Information, 7.5.1 General, 7.5.3 Control of Documented Information, 8.5.6 Control of changes
5 Management Responsibility (Section title) | N/A
5.1 Management Commitment | 5.1 Leadership and commitment
5.2 Customer Focus | 5.1 Leadership and commitment
5.3 Quality Policy | 5.2 Policy
5.4.1 Quality Objectives | 6.2 Quality objectives and planning to achieve them
5.4.2 Quality Management System Planning | 6.2 Quality objectives and planning to achieve them, 6.3 Planning of changes
5.5.1 Responsibility and Authority | 5.3 Organisational roles, responsibilities and authorities
5.5.2 Management Representative | None (this position has been eliminated)
5.5.3 Internal Communication | 7.4 Communication
5.6 Management Review | 9.3 Management review
6 Resource Management (Section title) | N/A
6.1 Provision of Resources | 7.1 Resources, 7.1.1 General
6.2 Human Resources | 7.1.2 People, 7.2 Competence, 7.3 Awareness
6.3 Infrastructure | 7.1.3 Infrastructure
6.4 Work Environment | 7.1.4 Environment for the operation of processes
7 Product Realisation (Section title) | N/A
7.1 Planning of Product Realisation | 8.1 Operational planning and control
7.2 Customer Related Processes | 8.2 Requirements for products and services
7.2.1 Determination of Requirements Related to the Product | 8.2.2 Determination of requirements related to products and services, 8.5.5 Post-delivery activities
7.2.2 Review of Requirements Related to the Product | 8.2.3 Review of requirements related to products and services
7.2.3 Customer Communication | 8.2.1 Customer communication
7.3 Design and Development | 8.3 Design and development of products and services
7.3 Design and Development | 8.3.1 General
7.3.1 Design and Development Planning | 8.3.2 Design and Development planning
7.3.2 Design and Development Inputs | 8.3.3 Design and Development Inputs
7.3.3 Design and Development Outputs | 8.3.5 Design and Development outputs
7.3.4 Design and Development Review | 8.3.4 Design and Development controls
7.3.5 Design and Development Verification | 8.3.4 Design and Development controls
7.3.6 Design and Development Validation | 8.3.4 Design and Development controls
7.3.7 Design and Development Changes | 8.3.6 Design and Development changes
7.4.1 Purchasing Process | 8.4 Control of externally provided products and services, 8.4.1 General, 8.4.2 Type and extent of control
7.4.2 Purchasing Information | 8.4.3 Information for external providers
7.4.3 Verification of Purchased Product | 8.4.2 Type and extent of control
7.5.1 Control of Production and Service Provision | 8.5 Production and service provision, 8.5.1 Control of production and service provision
7.5.2 Validation of Processes for Production and Service Provision | 8.5 Production and service provision, 8.5.1 Control of production and service provision
7.5.3 Identification and Traceability | 8.5.2 Identification and traceability
7.5.4 Customer Property | 8.5.3 Property belonging to customers or external providers
7.5.5 Preservation of Product | 8.5.4 Preservation
7.6 Control of Monitoring and Measurement Equipment | 7.1.5 Monitoring and measuring resources
8 Measurement, Analysis, and Improvement (Section title) | N/A
8.1 General | 9.1.1 General
8.2 Monitoring and Measurement | 9.1 Monitoring, measurement, analysis and evaluation
8.2.1 Customer Satisfaction | 9.1.2 Customer satisfaction
8.2.2 Internal Audit | 9.2 Internal audit
8.2.3 Monitoring and Measurement of Processes | 9.1 Monitoring, measurement, analysis and evaluation
8.2.4 Monitoring and Measurement of Product | 8.6 Release of products and services
8.3 Control of Nonconforming Product | 8.7 Control of nonconforming outputs, 10.1 General, 10.2 Nonconformity and Corrective Action
8.4 Analysis of Data | 9.1.3 Analysis and evaluation
8.5.1 Continual Improvement | 10.1 General, 10.3 Continual Improvement
8.5.2 Corrective Action | 10.2 Nonconformity and Corrective Action
8.5.3 Preventive Action | None (although in spirit this requirement is found in Clauses 6.2.1 and 6.2.2)

Section 2.8

Comparison between the 2015 versions of ISO 14001 and ISO 9001

The following table provides an indication of how two of ISO’s main Management System Standards are closely related now that they have been rewritten according to Annex SL. Over the next few years all of the other Management System Standards will also reflect this similarity.

Comparison between the 2015 versions of ISO 14001 and ISO 9001

ISO 14001:2015 | ISO 9001:2015
4. CONTEXT | 4. CONTEXT
4.1 Understanding the organisation and its context | 4.1 Understanding the organisation and its context
4.2 Understanding the needs and expectations of interested parties | 4.2 Understanding the needs and expectations of interested parties
4.3 Determining the scope of the environmental management system | 4.3 Determining the scope of the Quality Management System
4.4 Environmental management system | 4.4 Quality Management System and its processes
5. LEADERSHIP | 5. LEADERSHIP
5.1 Leadership and commitment | 5.1 Leadership and commitment
 | 5.1.1 General
 | 5.1.2 Customer Focus
5.2 Environmental policy | 5.2 Policy
 | 5.2.1 Establishing the Quality Policy
 | 5.2. Communicating the Quality Policy
5.3 Organisational roles, responsibilities and authorities | 5.3 Organisational roles, responsibilities and authorities
6. PLANNING | 6. PLANNING
6.1 Actions to address risks and opportunities | 6.1 Actions to address risks and opportunities
6.1.1 General |
6.1.2 Environmental aspects |
6.1.3 Compliance obligations |
6.1.4 Planning action |
6.2 Environmental objectives and planning to achieve them | 6.2 Quality objectives and planning to achieve them
6.2.1 Environmental objectives |
6.2.2 Planning actions to achieve environmental objectives |
 | 6.3 Planning of changes
7. Support | 7. Support
7.1 Resources | 7.1 Resources
 | 7.1.1 General
 | 7.1.2 People
 | 7.1.3 Infrastructure
 | 7.1.4 Environment for the operation of processes
 | 7.1.5 Measurement traceability
 | 7.1.6 Organisational knowledge
7.2 Competence | 7.2 Competence
7.3 Awareness | 7.3 Awareness
7.4 Communication | 7.4 Communication
7.4.1 General |
7.4.2 Internal communication |
7.4.3 External communication |
7.5 Documented information | 7.5 Documented information
7.5.1 General | 7.5.1 General
7.5.2 Creating and updating | 7.5.2 Creating and updating
7.5.3 Control of documented information | 7.5.3 Control of documented information
8. OPERATIONS | 8. OPERATIONS
8.1 Operational planning and control | 8.1 Operational planning and control
8.2 Emergency preparedness and response | 8.2 Requirements for products and services
 | 8.2.1 Customer communication
 | 8.2.2 Determining the requirements for products and services
 | 8.2.3 Review of the requirements for products and services
 | 8.2.4 Changes to requirements for products and services
 | 8.3 Design and development of products and services
 | 8.3.1 General
 | 8.3.2 Design and Development planning
 | 8.3.3 Design and Development inputs
 | 8.3.4 Design and Development controls
 | 8.3.5 Design and Development outputs
 | 8.3.6 Design and Development changes
 | 8.4 Control of externally provided processes, products and services
 | 8.4.1 General
 | 8.4.2 Type and extent of control
 | 8.4.3 Information for external providers
 | 8.5 Production and service provision
 | 8.5.1 Control of production and service provision
 | 8.5.2 Identification and traceability
 | 8.5.3 Property belonging to customers or external providers
 | 8.5.4 Preservation
 | 8.5.5 Post-delivery activities
 | 8.5.6 Control of changes
 | 8.6 Release of products and services
 | 8.7 Control of nonconforming outputs
9. EVALUATION | 9. PERFORMANCE EVALUATION
9.1 Monitoring, measurement, analysis and evaluation | 9.1 Monitoring, measurement, analysis and evaluation
9.1.1 General | 9.1.1 General
9.1.2 Evaluation and compliance | 9.1.2 Customer satisfaction
 | 9.1.3 Analysis and evaluation
9.2 Internal Audit | 9.2 Internal audit
9.3 Management Review | 9.3 Management Review
 | 9.3.1 General
 | 9.3.2 Management Review inputs
 | 9.3.3 Management Review outputs
10. IMPROVEMENT | 10. IMPROVEMENT
 | 10.1 General
10.1 Nonconformity and corrective action | 10.2 Nonconformity and corrective action
10.2 Continual improvement | 10.3 Continual improvement

Bold font = shared requirement

Annex A

A selection of audit forms

CONTENTS

1 Annual quality audit schedule
2 Internal audit plan
3 Audit checklist
4 Audit programme
5 Cross-check and correspondence form
6 Elements covered and outstanding
7 Audit observation sheet
8 Audit report form
9 Corrective action request
10 Audit summary report
11 Audit action item list
12 Corrective action log

The following is a small selection of forms typically used by auditors.

1 ANNUAL QUALITY AUDIT SCHEDULE

[Table: rows are Function/Department (Administration and finance, Drawing office, Workshops, Stores); columns are the months Jan to Dec; an x marks each scheduled audit.]

2 INTERNAL AUDIT PLAN

Audit Reference No.: __________________
File No.: _________________
Purpose of audit:
Scope of audit:
Lead auditor assigned:
Location(s) of audit:
Unit or area to be audited:
Reference documents:
Team members:
Date of audit: __________________
Anticipated duration of audit: ____________________________
Time of opening meeting: ____________________________
Anticipated time of closing meeting: ____________________________
Facilities requested:

3 AUDIT CHECKLIST

Function/process audited: ___________________________________________
Audit no.: ____________________
Document references: ___________________________________________
Audit date: ____________________

| Item no. | Reference | Audit questions | Result | Notes/observations |
| --- | --- | --- | --- | --- |
| | | | | |

Page ___ of ___
Date prepared: __________________________
Prepared by: ______________________________

4 AUDIT PROGRAMME

| Timetable | Team A | Team B | Auditee participation |
| --- | --- | --- | --- |
| 0900–0930 | Opening meeting | Opening meeting | Senior management and department heads |
| 0930–1030 | Managing director: Quality Policy, Management review | Laboratory 1 | Technical director |
| 1030–1100 | Review of: Document control, Non-conformity | Laboratory 2 | Department heads |
| 1100–1200 | Purchasing | Laboratory 2 | Department heads |
| 1200 | LUNCH | LUNCH | |
| 1330–1500 | Purchasing | Laboratory 2 (cont.) | Department heads |
| 1500–1600 | Personnel training | Electrical test house | Department heads |
| 1600–1700 | Commercial/Sales | Calibration service | Department heads |

5 CROSS-CHECK AND CORRESPONDENCE FORM

CORRESPONDENCE (last four columns)

| Clause No | ISO 9001:2015 Title | Quality Manual | Business Process | Quality Procedure | Work Instruction |
| --- | --- | --- | --- | --- | --- |
| 1 | Scope | | | | |
| 2 | Normative Reference | | | | |
| 3 | Terms and Definitions | | | | |
| 4 | Context of the Organisation (Section title) | | | | |
| 4.1 | Understanding the organisation and its context | | | | |
| 4.2 | Understanding the needs and expectations of interested parties | | | | |
| 4.3 | Determining the scope of the Quality Management System | | | | |
| 4.4 | Quality Management System and its processes | | | | |
| 5 | Leadership (Section title) | | | | |
| 5.1 | Leadership and commitment | | | | |
| 5.2 | Policy | | | | |
| 5.3 | Organisational roles, responsibilities and authorities | | | | |
| 6 | Planning (Section title) | | | | |
| 6.1 | Actions to address risks and opportunities | | | | |
| 6.2 | Quality objectives and planning to achieve them | | | | |
| 6.3 | Planning of changes | | | | |
| 7 | Support (Section title) | | | | |
| 7.1 | Resources | | | | |
| 7.1.1 | General | | | | |
| 7.1.2 | People | | | | |
| 7.1.3 | Infrastructure | | | | |
| 7.1.4 | Environment for the operation of processes | | | | |
| 7.1.5 | Monitoring and measuring resources | | | | |
| 7.1.6 | Organisational knowledge | | | | |
| 7.2 | Competence | | | | |
| 7.3 | Awareness | | | | |
| 7.4 | Communication | | | | |
| 7.5 | Documented Information | | | | |
| 7.5.1 | General | | | | |
| 7.5.2 | Creating and Updating | | | | |
| 7.5.3 | Control of Documented Information | | | | |
| 8 | Operation (Section title) | | | | |
| 8.1 | Operational planning and control | | | | |
| 8.2 | Requirements for products and services | | | | |
| 8.2.1 | Customer communication | | | | |
| 8.2.2 | Determination of requirements related to products and services | | | | |
| 8.2.3 | Review of requirements related to products and services | | | | |
| 8.2.4 | Changes to requirements for products and services | | | | |
| 8.3 | Design and development of products and services | | | | |
| 8.3.1 | General | | | | |
| 8.3.2 | Design and development planning | | | | |
| 8.3.3 | Design and development inputs | | | | |
| 8.3.4 | Design and development controls | | | | |
| 8.3.5 | Design and development outputs | | | | |
| 8.3.6 | Design and development changes | | | | |
| 8.4 | Control of externally provided processes, products and services | | | | |
| 8.4.1 | General | | | | |
| 8.4.2 | Type and extent of control | | | | |
| 8.4.3 | Information for external providers | | | | |
| 8.5 | Production and service provision | | | | |
| 8.5.1 | Control of production and service provision | | | | |
| 8.5.2 | Identification and traceability | | | | |
| 8.5.3 | Property belonging to customers or external providers | | | | |
| 8.5.4 | Preservation | | | | |
| 8.5.5 | Post-delivery activities | | | | |
| 8.5.6 | Control of changes | | | | |
| 8.6 | Release of products and services | | | | |
| 8.7 | Control of nonconforming outputs | | | | |
| 9 | Performance evaluation (Section title) | | | | |
| 9.1 | Monitoring, measurement, analysis and evaluation | | | | |
| 9.1.1 | General | | | | |
| 9.1.2 | Customer satisfaction | | | | |
| 9.1.3 | Analysis and evaluation | | | | |
| 9.2 | Internal audit | | | | |
| 9.3 | Management review | | | | |
| 10 | Improvement (Section title) | | | | |
| 10.1 | General | | | | |
| 10.2 | Nonconformity and corrective action | | | | |
| 10.3 | Continual improvement | | | | |

6 ELEMENTS COVERED AND OUTSTANDING

The following is a checklist used by auditors to confirm that the client’s QMS fully covers the requirements (i.e. clauses) of ISO 9001:2015.

| Clause No. | ISO 9001:2015 Title | Covered (Yes/No) |
| --- | --- | --- |
| 1 | Scope | |
| 2 | Normative Reference | |
| 3 | Terms and Definitions | |
| 4 | Context of the Organisation (Section title) | |
| 4.1 | Understanding the organisation and its context | |
| 4.2 | Understanding the needs and expectations of interested parties | |
| 4.3 | Determining the scope of the Quality Management System | |
| 4.4 | Quality Management System and its processes | |
| 5 | Leadership (Section title) | |
| 5.1 | Leadership and commitment | |
| 5.2 | Policy | |
| 5.3 | Organisational roles, responsibilities and authorities | |
| 6 | Planning (Section title) | |
| 6.1 | Actions to address risks and opportunities | |
| 6.2 | Quality objectives and planning to achieve them | |
| 6.3 | Planning of changes | |
| 7 | Support (Section title) | |
| 7.1 | Resources | |
| 7.1.1 | General | |
| 7.1.2 | People | |
| 7.1.3 | Infrastructure | |
| 7.1.4 | Environment for the operation of processes | |
| 7.1.5 | Monitoring and measuring resources | |
| 7.1.6 | Organisational knowledge | |
| 7.2 | Competence | |
| 7.3 | Awareness | |
| 7.4 | Communication | |
| 7.5 | Documented Information | |
| 7.5.1 | General | |
| 7.5.2 | Creating and Updating | |
| 7.5.3 | Control of Documented Information | |
| 8 | Operation (Section title) | |
| 8.1 | Operational planning and control | |
| 8.2 | Requirements for products and services | |
| 8.2.1 | Customer communication | |
| 8.2.2 | Determination of requirements related to products and services | |
| 8.2.3 | Review of requirements related to products and services | |
| 8.2.4 | Changes to requirements for products and services | |
| 8.3 | Design and Development of products and services | |
| 8.3.1 | General | |
| 8.3.2 | Design and Development planning | |
| 8.3.3 | Design and Development inputs | |
| 8.3.4 | Design and Development controls | |
| 8.3.5 | Design and Development outputs | |
| 8.3.6 | Design and Development changes | |
| 8.4 | Control of externally provided processes, products and services | |
| 8.4.1 | General | |
| 8.4.2 | Type and extent of control | |
| 8.4.3 | Information for external providers | |
| 8.5 | Production and service provision | |
| 8.5.1 | Control of production and service provision | |
| 8.5.2 | Identification and traceability | |
| 8.5.3 | Property belonging to customers or external providers | |
| 8.5.4 | Preservation | |
| 8.5.5 | Post-delivery activities | |
| 8.5.6 | Control of changes | |
| 8.6 | Release of products and services | |
| 8.7 | Control of nonconforming outputs | |
| 9 | Performance evaluation (Section title) | |
| 9.1 | Monitoring, measurement, analysis and evaluation | |
| 9.1.1 | General | |
| 9.1.2 | Customer satisfaction | |
| 9.1.3 | Analysis and evaluation | |
| 9.2 | Internal audit | |
| 9.3 | Management review | |
| 10 | Improvement (Section title) | |
| 10.1 | General | |
| 10.2 | Nonconformity and Corrective Action | |
| 10.3 | Continual Improvement | |

7 AUDIT OBSERVATION SHEET

Section or project to be audited:
Reason for audit:
Audit No.:
Date:
Auditor:
Sheet ___ of ___

| Serial No. | Observation/supporting evidence | Action required (YES/NO) |
| --- | --- | --- |
| | | |

Circulation:
Attached sheets:
Signed:
Name:
Date:

8 AUDIT REPORT FORM

Section or project audited:
Reason for audit:
Audit no.:
Date:
Auditor:
Sheet __ of __
Audit area(s):
Reference document(s):
Summary:

| Audit observation sheet number | Observation number | Comments | Corrective action requirement |
| --- | --- | --- | --- |
| | | | |

Prepared:
Name:
Date:

Agreed:
Name:
Date:

Circulation:
Attached sheets:

9 CORRECTIVE ACTION REQUEST

CAR NO:
Date:
Initiator:
Auditor(s):
Audit area(s):
Reference document(s):

REASON
Internal Audit:
External Audit:
Customer Complaint:
Product nonconformity:
Other:

PROBLEM
Describe the problem:
Possible root cause:
Management Representative approval:

ACTION PLAN
Estimated completion date:
Actual completion date:
Verification of effectiveness (record of evidence that corrective action has been effective or referenced to a new CAR)
Have associated documents been updated as necessary? YES / NO
Signed:
Date:

10 AUDIT SUMMARY REPORT

To:

An audit of the ___________ process within the Quality Management System was performed on ______________________

Departments involved in the audit included:

The auditors included:

A summary of the findings is given below:

| CAR | Brief description |
| --- | --- |
| | |

Observations are recorded on the attached Audit Action Item List

Opportunities for improvement included:

Examples of continual improvement noted since the last audit included:

Thank you very much for your cooperation in making this audit a success. Please remember that Corrective Action Requests are due back to me with proposed action items and estimated completion dates by ______________.

11 AUDIT ACTION ITEM LIST

| Action item | Audit date | Assigned to | Action taken | Date completed | Verification date |
| --- | --- | --- | --- | --- | --- |
| | | | | | |

12 CORRECTIVE ACTION LOG

| CAR no. | Date | Assigned to | Estimated completion date | Actual completion date | Planned verification date | Actual verification date |
| --- | --- | --- | --- | --- | --- | --- |
| | | | | | | |

Abbreviations and acronyms

AFNOR: Association Française de Normalisation (French Institute for Standardisation)
ANAB: ANSI–ASQ National Accreditation Board
ANSI: American National Standards Institute
BSI: British Standards Institution
CAD: Computer-aided Design
CAR: Corrective Action Request
FMEA: Failure Mode and Effects Analysis
FR: Failure Rate
FTA: Fault Tree Analysis
HSE: Health and Safety Executive (UK)
ISO: International Organisation for Standardisation
IT: Information Technology
MSS: Management Systems Standards
MTBF: Mean Time Between Failures
OHS: Occupational Health and Safety
OHSAS: Occupational Health & Safety Assessment Series
OJT: On-the-Job-Training
PAS: Publicly Available Specifications
PDCA: Plan-Do-Check-Act
PF: Probability Function
QA: Quality Assurance
QC: Quality Control
QM: Quality Manual
QMS: Quality Management System
QP: Quality Procedure
RAMS: Reliability, Availability, Maintainability and Safety
RMP: Risk Management Programme
TC: Technical Committee
TQM: Total Quality Management
TS: Technical Specifications
UK: United Kingdom
UKAS: United Kingdom Accreditation Service
WI: Work Instruction

Reference Standards for Quality Management System

| Number | Title |
| --- | --- |
| ISO 9000 | Quality Management Systems – Fundamentals and vocabulary |
| ISO 9001 | Quality Management Systems – Requirements |
| ISO 9004 | Managing for the sustained success of an organisation – A quality management approach |
| ISO 10001 | Quality management – Customer satisfaction – Guidelines for codes of conduct for organisations |
| ISO 10002 | Quality management – Customer satisfaction – Guidelines for complaints handling in organisations |
| ISO 10003 | Quality management – Customer satisfaction – Guidelines for dispute resolution external to organisations |
| ISO 10004 | Quality management – Customer satisfaction – Guidelines for monitoring and measuring |
| ISO 10005 | Quality management – Guidelines for Quality Plans |
| ISO 10006 | Quality Management Systems – Guidelines for quality management in projects |
| ISO 10007 | Quality Management Systems – Guidelines for configuration management |
| ISO 10008 | Quality management – Customer satisfaction – Guidelines for business-to-consumer electronic commerce transactions |
| ISO 10018 | Quality management – Guidelines on people involvement and competence |
| ISO 19011 | Guidelines for quality and/or environmental management systems auditing |

Complete copies of these standards are available from ISO Member Countries in their own languages. The British version (e.g. BS EN ISO 19011) can be obtained, by post, from Customer Services, BSI Standards, 389 Chiswick High Road, London W4 4AL.

Note: Extracts from UK standards reproduced in this book are by kind permission of the British Standards Institute.


Glossary of terms used in Quality Management standards

Acceptable quality level: A measure of the number of failures that a production process is allowed. Usually expressed as a percentage.

Accreditation: Certification, by a duly recognised body, of facilities, capability, objectivity, competence and integrity of an agency, service or operational group or individual to provide the specific service(s) or operation(s) as needed.

Assemblies: Several pieces of equipment assembled by a manufacturer to constitute an integrated and functional whole.

Audit: Systematic, independent and documented process for obtaining evidence and evaluating it objectively to determine the extent to which audit criteria are fulfilled.

Audit team: One or more auditors conducting an audit, one of whom is appointed as leader.

Certification: The procedure and action by a duly authorised body in determining, verifying and attesting in writing to the qualifications of personnel, processes, procedures or items in accordance with applicable requirements.

Certification Body: An impartial body (governmental or non-governmental) possessing the necessary competence and reliability to operate a certification system, and in which the interests of all parties concerned with the functioning of the system are represented.

Company: Term used primarily to refer to a business first party, the purpose of which is to supply a product or service.

Compliance: An affirmative indication or judgement that a product or service has met the requirements of the relevant specifications, contract or regulation. Also the status of meeting the requirements.

Conformance: An affirmative indication or judgement that a product or service has met the requirements of the relevant specifications, contract or regulation. Also the status of meeting the requirements.

Contract: Agreed requirements between a supplier and customer transmitted by any means.

Customer: Ultimate consumer, user, client, beneficiary or second party.

Customer satisfaction: Customer’s opinion of the degree to which a transaction has met the customer’s needs and expectations.

Defect: Non-fulfilment of a requirement related to an intended or specified use.

Design and development: Set of processes that transforms requirements into specified characteristics and into the specification of the product realisation process.

Distributor: An organisation that is contractually authorised by one or more manufacturers to store, repack and sell completely finished components from these manufacturers.

Document: Information and its support medium.

Documented Information: Information that the organisation will be required to keep, control and maintain.

Environment: All of the external physical conditions that may influence the performance of a product or service.

Equipment: Machines, apparatus, fixed or mobile devices, control components and instrumentation thereof and detection or prevention systems which, separately or jointly, are intended for the generation, transfer, storage, measurement, control and conversion of energy for the processing of material and which are capable of causing an explosion through their own potential sources of ignition.

In-process inspection: Inspection carried out at various stages during processing.

International Organisation for Standardization (ISO): Comprises the national standards bodies of 162 member countries whose aim is to coordinate the international harmonisation of national standards.

Item: A part, a component, equipment, sub-system or system or defined quantity of material or service that can be individually considered and separately examined or tested.

Maintenance: The combination of technical and administrative actions that are taken to retain or restore an item to a state in which it can perform its stated function.

Management: Coordinated activities to direct and control an organisation.

Management system: The establishment of policies and objectives to achieve ISO 9001:2015 objectives.

Manufacturer: An organisation that carries out or controls such stages in the manufacture of components or assemblies.

Material: A generic term covering equipment, stores, supplies and spares which form the subject of a contract.

Nonconformity: Non-fulfilment of a requirement.

Organisation: A single person or a group of people who achieve their objectives by using their own functions, responsibilities, authorities and relationships. It can be a company, corporation, enterprise, firm, partnership, charity, association or institution either privately or publicly owned. It can also be an operating unit that is part of a larger entity.

Organisational structure: Orderly arrangement of responsibilities, authorities and relationships between people.

Procedure: Describes the way to perform an activity or process.

Product: Result of a process that does not include activities that are performed at the interface between the supplier (provider) and the customer.

Note: There are four agreed generic product categories:

• hardware (e.g. engine mechanical part);
• software (e.g. computer program);
• services (e.g. transport);
• processed materials (e.g. lubricant).

Hardware and processed materials are generally tangible products, while software or services are generally intangible. Most products comprise elements belonging to different generic product categories; whether the product is then called hardware, processed material, software or service depends on the dominant element.

Project: Unique process, consisting of a set of coordinated and controlled activities with start and finish dates, undertaken to achieve an objective conforming to specific requirements, including the constraints of time, costs and resources.

Quality: The totality of features and characteristics of a product or service that bear upon its ability to satisfy stated or implied needs.

Quality Assurance: The assembly of all planned and systematic actions necessary to provide adequate confidence that a product, process or service will satisfy given quality requirements.

Quality characteristic: Essential characteristics of a product, process or system derived from a requirement.

Quality Control: The operational techniques and activities that are used to fulfil requirements for quality.

Quality loop: Conceptual model of interacting activities that influence the quality of a product or service in the various stages, ranging from the identification of needs to the assessment of whether these needs have been satisfied.

Quality Manager: A person who is nominated by Top Management to be responsible for the organisation’s Quality Management System (also sometimes referred to as the Chief Inspector).

Quality Management: That aspect of the overall management function that determines and implements the Quality Policy.

Quality Management System: System to establish a Quality Policy and quality objectives.

Quality Management System review: A formal evaluation by Top Management of the status and adequacy of the Quality Management System in relation to Quality Policy and new objectives resulting from changing circumstances.

Quality Manual: Document specifying the Quality Management System of an organisation and setting out the quality policies, systems and practices of an organisation.

Quality Plan: Document specifying the Quality Management System elements and the resources to be applied in a specific case.

Quality Policy: The overall quality intentions and direction of an organisation as regards quality, as formally expressed by Top Management.

Quality Procedure: A description of the method by which quality system activities are managed.

Quality Process: A system which uses resources to transform inputs into outputs.

Quality System: The organisational structure, responsibilities, procedures, processes and resources for implementing Quality Management.

Requirement: Need or expectation that is stated, customarily implied or obligatory.

Review: Activity undertaken to ensure the suitability, adequacy, effectiveness and efficiency of the subject matter to achieve established objectives.

Service: Is the result of a process that includes at least one activity that is carried out at the interface between the supplier (provider) and the customer. For example, a service might be:

• an activity performed on a customer-supplied tangible product (e.g. the repair of a car) or an intangible product (e.g. preparation of a tax return);
• the delivery of a tangible product (e.g. in the transportation industry);
• the delivery of an intangible product (e.g. the delivery of knowledge) or the creation of ambience for the customer (e.g. in the hospitality industry).

Shall: This auxiliary verb indicates that a certain course of action is mandatory.

Should: This auxiliary verb indicates that a certain course of action is preferred but not necessarily required.

Supplier: The organisation that provides a product to the customer.

In a contractual situation, the supplier may be called the contractor. The supplier may be, for example, the producer, distributor, importer, assembler or service organisation. The supplier may be either external or internal to the organisation.

Top Management: Person or group of people who direct and control an organisation at the highest level.

Work Instruction: A description of how a specific task is carried out.


Books by the same author

ISO 9001:2015 for Small Businesses (sixth edition)

The new edition of this top-selling Quality Management book now includes:

• Relevant examples that put the concepts and requirements of the standard into a real-life context.
• Down-to-earth explanations to help you determine what you need to work in compliance with and/or achieve certification to ISO 9001:2015.
• An example of a complete, generic, Quality Management System consisting of a Quality Manual plus a whole host of Quality Processes, Quality Procedures and Work Instructions.
• Access to a free, software copy of this generic QMS file (available from the author) to give you a starting point from which to develop your own documentation.

Routledge ISBN-13: 978-1-138-02583-7

ISO 9001:2015 Audit Procedures (fourth edition) – this book

Fully revised, updated and expanded, this 4th edition provides access to methods for auditing an organisation’s Quality Management System against the requirements of ISO 9001:2015. Although primarily aimed at showing how auditors from small businesses can complete management reviews and internal, external and third party quality audits, this book will prove invaluable to professional auditors. Containing an overview of the changes made to the 2015 edition of ISO 9001 and how these will affect the way in which audits will need to be completed in future, the book also includes access to free copies of checklists, explanations and questionnaires (available from the author) that can be used for internal, external and/or third party audits of an organisation’s Quality Management System.

Routledge ISBN-13: 978-0-415-70390-1

ISO 9001:2015 in Brief (fourth edition)

Now in its 4th edition, this book is particularly aimed at students, newcomers to Quality Management Systems and the busy executive, with the overall intention of providing them with a user-friendly, very simplified explanation of the history, the requirements and the benefits of the new standard. Using this book as background material will also enable organisations (large or small) to quickly set up an ISO 9001:2015-compliant Quality Management System for themselves – at minimal expense.

Routledge ISBN-13: 978-1-138-02586-8

How to Convert from ISO 9001:2008 to ISO 9001:2015

The publication of ISO 9001:2015 in September 2015 signalled the start of a three-year transition period during which those organisations wishing to move to the new version of the standard were required to make changes to their existing Quality Management Systems. ‘How to Convert from ISO 9001:2008 to ISO 9001:2015’ provides step-by-step advice to help you through the transition and realise the benefits of ISO 9001:2015. It maps out a framework which guides you through the options and alternatives, ensuring that you have the knowledge and information you require to seamlessly make the necessary transition.

Herne European Consultancy Ltd ISBN-13: 978-0-992-75850-9

Quality Management System for ISO 9001:2015 (fourth edition)

The Quality Management System contained in this e-Book is probably the most complete ISO 9001:2015 compliant example of a generic Quality Management System (QMS) that can, with very little trouble, be suitably customised to suit all types of organisations – no matter whether they are manufacturers, suppliers or end users. Consisting of a Quality Manual (supported by the four main Quality Processes, 31 Quality Procedures and 16 Work Instructions) this QMS covers every element of the standard and is guaranteed to meet (and sometimes exceed) the requirements of ISO 9001:2015. This is an excellent resource for any small or medium sized business looking to work towards ISO certification, without having the expense of a consultant doing the work for you.

Herne European Consultancy Ltd ISBN-13: 978-0-992-75851-6

Auditing Quality Management Systems (fourth edition)

Auditing Quality Management Systems is the result of more than four decades’ experience as auditors of all major international standards used by Integrated Management Systems. It is a comprehensive e-Book containing a series of audit checksheets and forms that are required to conduct either a simple internal audit or an external assessment of an organisation against the formal requirements of ISO 9001:2015. Note: also includes ‘Background notes for auditors’.

Herne European Consultancy Ltd ISBN-13: 978-0-992-75852-3

MDD Compliance using Quality Management Techniques

The Medical Device Directive (MDD) is difficult to understand and interpret, but this book covers the subject superlatively. In summary, the book is a good reference for understanding the MDD’s requirements and would aid companies of all sizes in adding these requirements to an existing QMS.

Butterworth Heinemann ISBN-13: 978-0-750-64441-9

Building Regulations in Brief (eighth edition)

This eighth edition of the most popular and trusted guide to the building regulations is the most comprehensive revision yet. It reflects all the latest amendments to Building Regulations, Planning Permission and the Approved Documents A, B, C, H, K, P, Regulation 7, incorporating all amendments up to December 2013 (including the changes to Leaflets L1A and L2A regarding the conservation of heat and energy in new buildings which came into effect April 2014). This new edition also contains details of the new national planning guidance system and initiatives to speed up the planning process, such as the new online planning application process. It contains an updated list of fees for planning consents and provides guidance on the changes to permitted development rights in Agricultural, Business and Residential buildings which came into force on 1 October 2013. Giving practical information throughout on how to work with (and within) the regulations, this book enables compliance in the simplest and most cost-effective manner possible. The no-nonsense approach of Building Regulations in Brief cuts through the confusion and explains the meaning of the regulations; consequently it has become a favourite for anyone involved in the building industry, as well as those planning to have work carried out in their home.

Routledge ISBN: 978-0-415-72171-4

Wiring Regulations in Brief (third edition)

Tired of trawling through the Wiring Regs? Perplexed by Part P? Confused by cables, conductors and circuits? Then look no further! This handy guide provides an on-the-job reference source for electricians, designers, service engineers, inspectors, builders, students and DIY enthusiasts. Topic-based chapters link areas of working practice – such as cables, installations, testing and inspection, special locations – with the specifics of the regulations themselves. This allows quick and easy identification of the official requirements relating to the situation in front of you. The requirements of the regulations, and of related standards, are presented in an informal, easy-to-read style that strips away confusion. Packed with useful hints and tips, and highlighting the most important or mandatory requirements, this book is a concise reference on all aspects of the 17th edition of IEE Wiring Regulations and Part P of the Building Regulations.

Spon Press ISBN-13: 978-0-415-52687-6

Books by the same author

Water Regulations in Brief
Water Regulations in Brief is a unique reference book, providing all the information needed to comply with the regulations in an easy-to-use, full-colour format. Crucially, unlike other titles on this subject, this book doesn’t just cover the Water Regulations, it also clearly shows how they link in with the Building Regulations, Water Bylaws and Wiring Regulations, providing the only available complete reference to the requirements for water fittings and water systems. Structured in the same logical, time-saving way as the author’s other bestselling ‘. . . in Brief’ books, Water Regulations in Brief will be a welcome change to anyone tired of wading through complex, jargon-heavy publications in search of the information they need to get the job done.
Butterworth Heinemann ISBN-13: 978-1-856-17628-6

Scottish Building Standards in Brief
Scottish Building Standards in Brief takes the highly successful formula of Ray Tricker’s previous ‘In Brief’ series and applies it to the requirements of the Building (Scotland) Regulations 2004. With the same no-nonsense and simple-to-follow guidance – but written specifically for the Scottish Building Standards – it’s the ideal book for builders, architects, designers and DIY enthusiasts working in Scotland.
Routledge ISBN-13: 978-0-750-68558-0

Quality and Standards in Electronics
A manufacturer or supplier of electronic equipment or components needs to know the precise requirements for component certification and quality conformance to meet the demands of the customer. This book ensures that the professional is aware of all the UK, European and international necessities, knows the current status of these regulations and standards, and where to obtain them.
Newnes ISBN-13: 978-0-750-62531-9

Environmental Requirements for Electromechanical and Electronic Equipment
This is the definitive reference containing all of the background guidance, typical ranges, details of recommended test specifications, case studies and regulations covering the environmental requirements for designers and manufacturers of electrical and electromechanical equipment worldwide.
Newnes ISBN-13: 978-0-750-63902-6

CE Conformity Marking
CE Conformity Marking can be regarded as a product’s trade passport for Europe. It is a mandatory European marking for certain product groups to indicate conformity with the essential health and safety requirements set out in the European Directive. This book contains essential information for any manufacturer or distributor wishing to trade in the European Union. Practical and easy to understand.
Butterworth Heinemann ISBN-13: 978-0-750-64813-4

And for those who would like to relax with some cooking recipes – based on cider and apples!

The Cyder Book
A unique combination of an historical overview of cider making through the ages, the cider-making process and a collection of recipes using cider and cider apples.
Herne European Consultancy, Ltd ISBN-13: 978-0-954-86476-7