Transitioning to ISO 9001:2008


Transitioning to ISO 9001:2008 –
Considerations for Internal Auditors
Instructor: Don Wood, ISOmatrix Senior
Specialist
Review of Changes from
ISO 9001:2000 to ISO 9001:2008
High-level summary of changes
• Emphasis on “product conformity to requirements” as the focus of the QMS
• Addition of “statutory and” to clauses that previously only referenced “regulatory” requirements
• Changes in terminology
  - Measuring “equipment” vs. “devices” – better alignment with ISO 9000:2005
  - “Determine” vs. “identify” – implies that more review and analysis (especially with regard to processes) should take place
• Increased use of “Where applicable”, placing more onus on organizations to use judgment in how requirements are applied within their QMS
• Expanded use of notes to clarify the intent of requirements and provide more examples for organizations to use
• Numerous changes to improve grammar, flow and ease of translation into other languages
• Improved alignment with ISO 14001:2004
• Updated references, both internally within ISO 9001:2008 and externally to other management system and guidance standards
What didn’t change
• No new requirements for documented procedures
  - No requirements for documented procedures removed, either
• By most interpretations, no new requirements period, merely minor modifications to existing requirements
  - Some of these modifications have implications for internal auditors
• No changes in the certification process
• No changes in the auditing process or auditing guidelines
Transitioning to ISO9001:2008
Maximum 24 month Implementation from Publication
• Nov. 15, 2008: ISO 9001:2008 released
• Nov. 15, 2009 (12 Months): All NEW certificates must be issued against ISO 9001:2008
• Nov. 15, 2010 (24 Months, Maximum Allowed Time to Upgrade): Existing ISO 9001:2009 certificates no longer valid
Key to summary of changes
Clause 0.3 Relationship with ISO 9004

ISO 9001:2000:
The present editions of ISO 9001 and ISO 9004 have been developed as a consistent pair of quality management system standards which have been designed to complement each other, but can also be used independently. Although the two International Standards have different scopes, they have similar structures in order to assist their application as a consistent pair.
ISO 9001 specifies requirements for a quality management system that can be used for internal application by organizations, or for certification, or for contractual purposes. It focuses on the effectiveness of the quality management system in meeting customer requirements.
ISO 9004 gives guidance on a wider range of objectives of a quality management system than does ISO 9001, particularly for the continual improvement of an organization's overall performance and efficiency, as well as its effectiveness. ISO 9004 is recommended as a guide for organizations whose top management wishes to move beyond the requirements of ISO 9001, in pursuit of continual improvement of performance. However, it is not intended for certification or for contractual purposes.
Text removed from ISO 9001:2000

ISO 9001:2008:
ISO 9001 and ISO 9004 are quality management system standards which have been designed to complement each other, but can also be used independently.
ISO 9001 specifies requirements for a quality management system that can be used for internal application by organizations, or for certification, or for contractual purposes. It focuses on the effectiveness of the quality management system in meeting customer requirements.
At the time of publication of this International Standard, ISO 9004 is under revision. The revised edition of ISO 9004 will provide guidance to management for achieving sustained success for any organization in a complex, demanding, and ever changing, environment. ISO 9004 provides a wider focus on quality management than ISO 9001; it addresses the needs and expectations of all interested parties and their satisfaction, by the systematic and continual improvement of the organization’s performance. However, it is not intended for certification, regulatory or contractual use.
Text added to ISO 9001:2008
Caution!
• What follows is NOT a complete summary of changes from the 2000 to the 2008 version of ISO 9001
• Rather, this is a listing of changes we feel are of greatest concern to internal auditors and their management
• Internal auditors MUST review ISO 9001:2008 in detail and review ALL of the changes to ensure adequate competency as auditors
• There are a number of excellent articles and summaries available online
  - Major certification bodies
  - Quality Digest
  - ASQ
  - ISO
  - Whittington Group
Clause 4.1 General requirements

ISO 9001:2000:
The organization shall establish, document, implement and maintain a quality management system and continually improve its effectiveness in accordance with the requirements of this International Standard.
The organization shall
a) identify the processes needed for the quality management system and their application throughout the organization (see 1.2),
b) determine the sequence and interaction of these processes,
c) determine criteria and methods needed to ensure that both the operation and control of these processes are effective,
d) ensure the availability of resources and information necessary to support the operation and monitoring of these processes,
e) monitor, measure and analyse these processes, and
f) implement actions necessary to achieve planned results and continual improvement of these processes.
These processes shall be managed by the organization in accordance with the requirements of this International Standard.

ISO 9001:2008:
The organization shall establish, document, implement and maintain a quality management system and continually improve its effectiveness in accordance with the requirements of this International Standard.
The organization shall
a) determine the processes needed for the quality management system and their application throughout the organization (see 1.2),
b) determine the sequence and interaction of these processes,
c) determine criteria and methods needed to ensure that both the operation and control of these processes are effective,
d) ensure the availability of resources and information necessary to support the operation and monitoring of these processes,
e) monitor, measure where applicable, and analyse these processes, and
f) implement actions necessary to achieve planned results and continual improvement of these processes.
These processes shall be managed by the organization in accordance with the requirements of this International Standard.
Clause 4.1 General requirements (cont’d)

ISO 9001:2000:
Where an organization chooses to outsource any process that affects product conformity with requirements, the organization shall ensure control over such processes. Control of such outsourced processes shall be identified within the quality management system.
NOTE Processes needed for the quality management system referred to above should include processes for management activities, provision of resources, product realization and measurement.

ISO 9001:2008:
Where an organization chooses to outsource any process that affects product conformity to requirements, the organization shall ensure control over such processes. The type and extent of control to be applied to these outsourced processes shall be defined within the quality management system.
NOTE 1 Processes needed for the quality management system referred to above include processes for management activities, provision of resources, product realization, measurement, analysis and improvement.
NOTE 2 An “outsourced process” is a process that the organization needs for its quality management system and which the organization chooses to have performed by an external party.
NOTE 3 Ensuring control over outsourced processes does not absolve the organization of the responsibility of conformity to all customer, statutory and regulatory requirements. The type and extent of control to be applied to the outsourced process can be influenced by factors such as
a) the potential impact of the outsourced process on the organization's capability to provide product that conforms to requirements,
b) the degree to which the control for the process is shared,
c) the capability of achieving the necessary control through the application of 7.4.
Impact of changes – 4.1 General requirements
• Effect of changes
  - “Determine” vs. “identify” processes – clearer intent, easier to translate
  - Subclause e) – removes requirement to “measure” ALL QMS processes. Now organizations can use judgment as to where measurement of a process (vs. monitoring and analysis) is warranted
  - Note 1 – expands scope of required QMS processes to include processes for analysis and improvement
  - Outsourced processes
    - Expands definition – can include QMS processes performed by other entities within an organization (i.e. corporate HQ, design centers, distribution centers) as well as by third parties
    - Emphasizes point that organizations are held responsible for performance of outsourced processes
    - Lists factors that should be considered in defining controls on outsourced processes
• Auditing Considerations
  - Re: Subclause e) – The use of “Where applicable” here has implications for both QMS design and auditing – more on this later in the presentation
  - Re: Note 1 – Auditors should ensure that processes for analysis and improvement are defined within the QMS, and documented where deemed necessary
  - Re: Outsourced processes – Auditors should carefully review how their organization has identified any outsourced processes, and how control of such processes is identified within their QMS.
Clause 4.2.1 (Documentation Requirements) General

ISO 9001:2000:
The quality management system documentation shall include
a) documented statements of a quality policy and quality objectives,
b) a quality manual,
c) documented procedures required by this International Standard,
d) documents needed by the organization to ensure the effective planning, operation and control of its processes, and
e) records required by this International Standard (see 4.2.4).
NOTE 1 Where the term “documented procedure” appears within this International Standard, this means that the procedure is established, documented, implemented and maintained.
NOTE 2 The extent of the quality management system documentation can differ from one organization to another due to
a) the size of organization and type of activities,
b) the complexity of processes and their interactions, and
c) the competence of personnel.
NOTE 3 The documentation can be in any form or type of medium.

ISO 9001:2008:
The quality management system documentation shall include
a) documented statements of a quality policy and quality objectives,
b) a quality manual,
c) documented procedures and records required by this International Standard, and
d) documents, including records, determined by the organization to be necessary to ensure the effective planning, operation and control of its processes.
NOTE 1 Where the term “documented procedure” appears within this International Standard, this means that the procedure is established, documented, implemented and maintained. A single document may address the requirements for one or more procedures. A requirement for a documented procedure may be covered by more than one document.
NOTE 2 The extent of the quality management system documentation can differ from one organization to another due to
a) the size of organization and type of activities,
b) the complexity of processes and their interactions, and
c) the competence of personnel.
NOTE 3 The documentation can be in any form or type of medium.
Impact of changes – 4.2.1 Documentation requirements - General
• Effect of changes
  - Emphasizes that both records required by ISO 9001:2008 AND records deemed necessary by the organization are considered part of an organization’s QMS documentation
  - With regard to “documented procedures” required by ISO 9001:2008, clarifies the intent that organizations can structure their QMS documentation any way they choose – one procedure to address a requirement for a documented procedure, or many procedures, or one procedure to address multiple documented procedure requirements (i.e. Document AND Record Control, Corrective AND Preventive Action)
• Auditing Considerations
  - Re: Note 1 – Auditors now have clear direction from ISO concerning their organization’s freedom to be flexible in how they structure their QMS documentation
Clause 4.2.3 Control of documents

ISO 9001:2000:
Documents required by the quality management system shall be controlled. Records are a special type of document and shall be controlled according to the requirements given in 4.2.4.
A documented procedure shall be established to define the controls needed
a) to approve documents for adequacy prior to issue,
b) to review and update as necessary and re-approve documents,
c) to ensure that changes and the current revision status of documents are identified,
d) to ensure that relevant versions of applicable documents are available at points of use,
e) to ensure that documents remain legible and readily identifiable,
f) to ensure that documents of external origin are identified and their distribution controlled, and
g) to prevent the unintended use of obsolete documents, and to apply suitable identification to them if they are retained for any purpose.

ISO 9001:2008:
Documents required by the quality management system shall be controlled. Records are a special type of document and shall be controlled according to the requirements given in 4.2.4.
A documented procedure shall be established to define the controls needed
a) to approve documents for adequacy prior to issue,
b) to review and update as necessary and re-approve documents,
c) to ensure that changes and the current revision status of documents are identified,
d) to ensure that relevant versions of applicable documents are available at points of use,
e) to ensure that documents remain legible and readily identifiable,
f) to ensure that documents of external origin determined by the organization to be necessary for the planning and operation of the quality management system are identified and their distribution controlled, and
g) to prevent the unintended use of obsolete documents, and to apply suitable identification to them if they are retained for any purpose.
Impact of changes – Control of documents
• Effect of changes
  - Subclause f) clarifies the intended scope of “external documents”
  - Improves alignment of 4.2.3 f) with its corresponding requirement in ISO 14001:2004 (4.4.5 f)
• Auditing Considerations
  - Auditors should review controls on external documents. The focus of this requirement is clearly on external documents pertaining to “conformity to product requirements”. You may be over- (or under-) controlling these documents
  - Examples may include customer-supplied drawings, customer specifications and product standards, nationally- or industry-recognized standards (i.e. ASTM, ASME, commodity-specific), statutory/regulatory requirements (FMVSS, FAA, FDA)
  - Keep in mind – “documents” can be hard copy or electronic
Clause 6.2.1 (Human resources) General

ISO 9001:2000:
Personnel performing work affecting product quality shall be competent on the basis of appropriate education, training, skills and experience.

ISO 9001:2008:
Personnel performing work affecting conformity to product requirements shall be competent on the basis of appropriate education, training, skills and experience.
NOTE Conformity to product requirements can be affected directly or indirectly by personnel performing any task within the quality management system.
Impact of changes – Human resources - General
• Effect of changes
  - Emphasizes the definition of product quality as the degree of conformance to product requirements
  - Clarifies the intended scope of competency, training and awareness
• Auditing Considerations
  - Ensure that this requirement is applied appropriately within your organization:
    - Employees that impact product quality, directly or indirectly
    - Contract personnel that impact product quality, directly or indirectly
    - Temporary personnel that impact product quality, directly or indirectly
Clause 6.2.2 Competence, training and awareness
….(was Competence, awareness and training)

ISO 9001:2000:
The organization shall
a) determine the necessary competence for personnel performing work affecting product quality,
b) provide training or take other actions to satisfy these needs,
c) evaluate the effectiveness of the actions taken,
d) ensure that its personnel are aware of the relevance and importance of their activities and how they contribute to the achievement of the quality objectives, and
e) maintain appropriate records of education, training, skills and experience (see 4.2.4).

ISO 9001:2008:
The organization shall
a) determine the necessary competence for personnel performing work affecting conformity to product requirements,
b) where applicable, provide training or take other actions to achieve the necessary competence,
c) evaluate the effectiveness of the actions taken,
d) ensure that its personnel are aware of the relevance and importance of their activities and how they contribute to the achievement of the quality objectives, and
e) maintain appropriate records of education, training, skills and experience (see 4.2.4).
Impact of changes – Competence, training and awareness
• Effect of changes
  - Again, “conformity to product requirements” vs. “product quality”
  - Subclause b) – “where applicable”, allows organizations to use judgment regarding the need for training or other actions
    - Long-term employees
    - Very simple tasks
    - Keeps focus on competence
• Auditing Considerations
  - Subclause b) – “Where applicable” – more on this later
  - “Competence” – “Demonstrated ability to apply knowledge and skills” (ISO 9000:2005 3.1.6) – how is competence assessed? (vs. simple delivery of training). This is often fertile ground for auditing
  - Good technique – assess process/product performance to requirements, compare to training provided.
Clause 6.3 Infrastructure

ISO 9001:2000:
The organization shall determine, provide and maintain the infrastructure needed to achieve conformity to product requirements. Infrastructure includes, as applicable
a) buildings, workspace and associated utilities,
b) process equipment (both hardware and software), and
c) supporting services (such as transport or communication).

ISO 9001:2008:
The organization shall determine, provide and maintain the infrastructure needed to achieve conformity to product requirements. Infrastructure includes, as applicable,
a) buildings, workspace and associated utilities,
b) process equipment (both hardware and software), and
c) supporting services (such as transport, communication or information systems).
Impact of changes – 6.3 Infrastructure
• Effect of changes
  - Subclause c) – “such as” list now includes information systems
• Auditing Considerations
  - Assess the impact of information systems on conformance to customer, statutory and regulatory requirements and ensure that 6.3 requirements are appropriately addressed (if they’re not already)
Clause 7.2.1 (Customer-related processes) Determination of requirements
related to the product

ISO 9001:2000:
The organization shall determine
a) requirements specified by the customer, including the requirements for delivery and post-delivery activities,
b) requirements not stated by the customer but necessary for specified or intended use, where known,
c) statutory and regulatory requirements related to the product, and
d) any additional requirements determined by the organization.

ISO 9001:2008:
The organization shall determine
a) requirements specified by the customer, including the requirements for delivery and post-delivery activities,
b) requirements not stated by the customer but necessary for specified or intended use, where known,
c) statutory and regulatory requirements applicable to the product, and
d) any additional requirements considered necessary by the organization.
NOTE Post-delivery activities include, for example, actions under warranty provisions, contractual obligations such as maintenance services, and supplementary services such as recycling or final disposal.
Impact of changes – 7.2.1 Determination of requirements related to the product
• Effect of changes
  - Subclauses c) and d) – clarifies intent of requirement
  - Note: Clarifies definition and gives examples of “post-delivery services”; encourages consideration of entire product lifecycle
• Auditing Considerations
  - Ensure that any customer-required post-delivery services are determined and reviewed during contract review/quotation processes (or their equivalent in your organization)
Clause 7.3.1 (Design and development) Design and development planning

ISO 9001:2000:
The organization shall plan and control the design and development of product.
During the design and development planning, the organization shall determine
a) the design and development stages,
b) the review, verification and validation that are appropriate to each design and development stage, and
c) the responsibilities and authorities for design and development.
The organization shall manage the interfaces between different groups involved in design and development to ensure effective communication and clear assignment of responsibility.
Planning output shall be updated, as appropriate, as the design and development progresses.

ISO 9001:2008:
The organization shall plan and control the design and development of product.
During the design and development planning, the organization shall determine
a) the design and development stages,
b) the review, verification and validation that are appropriate to each design and development stage, and
c) the responsibilities and authorities for design and development.
The organization shall manage the interfaces between different groups involved in design and development to ensure effective communication and clear assignment of responsibility.
Planning output shall be updated, as appropriate, as the design and development progresses.
NOTE Design and development review, verification and validation have distinct purposes. They can be conducted and recorded separately or in any combination, as suitable for the product and the organization.
Impact of changes – 7.3.1 Design and development planning
• Effect of changes
  - Emphasizes that organizations can structure the activities of review, verification and validation in any means that suits them, so long as these activities “…are appropriate to each design and development stage…”
• Auditing Considerations
  - Auditors should ensure that the activities of design and development review, verification and validation are suitable for their organization’s modes of operation (keep in mind, all 3 activities are required at some point in the design and development process).
  - This is especially important if you structured these activities around your perception (or a CB auditor’s perception) of ISO 9001:2000’s requirements, rather than what makes sense:
    - To your organization
    - For the products/services you provide
    - For the level of responsibility your organization has for design and development
Clause 7.3.3 (Design and development) Design and development outputs

ISO 9001:2000:
The outputs of design and development shall be provided in a form that enables verification against the design and development input and shall be approved prior to release.
Design and development outputs shall
a) meet the input requirements for design and development,
b) provide appropriate information for purchasing, production and for service provision,
c) contain or reference product acceptance criteria, and
d) specify the characteristics of the product that are essential for its safe and proper use.

ISO 9001:2008:
The outputs of design and development shall be in a form suitable for verification against the design and development input and shall be approved prior to release.
Design and development outputs shall
a) meet the input requirements for design and development,
b) provide appropriate information for purchasing, production and service provision,
c) contain or reference product acceptance criteria, and
d) specify the characteristics of the product that are essential for its safe and proper use.
NOTE Information for production and service provision can include details for the preservation of product.
Impact of changes – 7.3.3 Design and development outputs
• Effect of changes
  - Grammatical
  - Emphasizes that preservation of product should be considered during design and development outputs
• Auditing Considerations
  - Auditors should ensure that consideration is given to preservation of product during design and development
  - Examples may include (as appropriate)
    - Storage areas
    - Bins, totes transport methods used in process
    - Handling methods
    - Packaging and packaging methods
    - Transport and logistics methods and services (inbound and outbound)
Clause 7.5.3 (Production and service provision) Identification and traceability

ISO 9001:2000:
Where appropriate, the organization shall identify the product by suitable means throughout product realization.
The organization shall identify the product status with respect to monitoring and measurement requirements.
Where traceability is a requirement, the organization shall control and record the unique identification of the product (see 4.2.4).
NOTE In some industry sectors, configuration management is a means by which identification and traceability are maintained.

ISO 9001:2008:
Where appropriate, the organization shall identify the product by suitable means throughout product realization.
The organization shall identify the product status with respect to monitoring and measurement requirements throughout product realization.
Where traceability is a requirement, the organization shall control the unique identification of the product and maintain records (see 4.2.4).
NOTE In some industry sectors, configuration management is a means by which identification and traceability are maintained.
Impact of changes – 7.5.3 Identification and traceability
• Effect of changes
  - Clarifies the intent that product shall be identified with respect to its monitoring and measurement status during all phases of product realization
  - Grammatical
• Auditing Considerations
  - Ensure that product is identified with respect to monitoring and measurement status during all stages of product realization, for example:
    - Receiving
    - Storage
    - In-process
    - Final inspection
    - Shipping
Clause 7.5.4 (Production and service provision) Customer property

ISO 9001:2000:
The organization shall exercise care with customer property while it is under the organization's control or being used by the organization. The organization shall identify, verify, protect and safeguard customer property provided for use or incorporation into the product. If any customer property is lost, damaged or otherwise found to be unsuitable for use, this shall be reported to the customer and records maintained (see 4.2.4).
NOTE Customer property can include intellectual property.

ISO 9001:2008:
The organization shall exercise care with customer property while it is under the organization's control or being used by the organization. The organization shall identify, verify, protect and safeguard customer property provided for use or incorporation into the product. If any customer property is lost, damaged or otherwise found to be unsuitable for use, the organization shall report this to the customer and maintain records (see 4.2.4).
NOTE Customer property can include intellectual property and personal data.
Impact of changes – 7.5.4 Customer property
• Effect of changes
  - Grammatical
  - Note – adds personal data. This is in response to increasing concerns over identity theft and security
• Auditing Considerations
  - Auditors should review controls on customer’s personal data and ensure that adequate safeguards and security provisions are in place.
    - Access to this data is adequately controlled
    - Procedures are in place to notify customers if this data is lost (or presumably, stolen)
    - Legal and customer requirements are addressed
Clause 7.6 Control of monitoring and measuring equipment (was Control of
monitoring and measuring devices)

ISO 9001:2000:
The organization shall determine the monitoring and measurement to be undertaken and the monitoring and measuring devices needed to provide evidence of conformity of product to determined requirements (see 7.2.1).
The organization shall establish processes to ensure that monitoring and measurement can be carried out and are carried out in a manner that is consistent with the monitoring and measurement requirements.
Where necessary to ensure valid results, measuring equipment shall
a) be calibrated or verified at specified intervals, or prior to use, against measurement standards traceable to international or national measurement standards; where no such standards exist, the basis used for calibration or verification shall be recorded;
b) be adjusted or re-adjusted as necessary;
c) be identified to enable the calibration status to be determined;
d) be safeguarded from adjustments that would invalidate the measurement result;
e) be protected from damage and deterioration during handling, maintenance and storage.

ISO 9001:2008:
The organization shall determine the monitoring and measurement to be undertaken and the monitoring and measuring equipment needed to provide evidence of conformity of product to determined requirements.
The organization shall establish processes to ensure that monitoring and measurement can be carried out and are carried out in a manner that is consistent with the monitoring and measurement requirements.
Where necessary to ensure valid results, measuring equipment shall
a) be calibrated or verified, or both, at specified intervals, or prior to use, against measurement standards traceable to international or national measurement standards; where no such standards exist, the basis used for calibration or verification shall be recorded (see 4.2.4);
b) be adjusted or re-adjusted as necessary;
c) have identification in order to determine its calibration status;
d) be safeguarded from adjustments that would invalidate the measurement result;
e) be protected from damage and deterioration during handling, maintenance and storage.
Clause 7.6 Control of monitoring and measuring equipment (was Control of
monitoring and measuring devices) – cont’d

ISO 9001:2000:
In addition, the organization shall assess and record the validity of the previous measuring results when the equipment is found not to conform to requirements. The organization shall take appropriate action on the equipment and any product affected. Records of the results of calibration and verification shall be maintained (see 4.2.4).
When used in the monitoring and measurement of specified requirements, the ability of computer software to satisfy the intended application shall be confirmed. This shall be undertaken prior to initial use and reconfirmed as necessary.
NOTE See ISO 10012-1 and ISO 10012-2 for guidance.

ISO 9001:2008:
In addition, the organization shall assess and record the validity of the previous measuring results when the equipment is found not to conform to requirements. The organization shall take appropriate action on the equipment and any product affected.
Records of the results of calibration and verification shall be maintained (see 4.2.4).
When used in the monitoring and measurement of specified requirements, the ability of computer software to satisfy the intended application shall be confirmed. This shall be undertaken prior to initial use and reconfirmed as necessary.
NOTE Confirmation of the ability of computer software to satisfy the intended application would typically include its verification and configuration management to maintain its suitability for use.
Impact of changes - 7.6 Control of monitoring and measuring equipment
• Effect of changes
  - “Equipment” vs. “Device” – this change in terminology is now consistent throughout ISO 9001:2008
  - Subclause a) – clarifies that in some cases, both calibration and verification may be necessary in order to ensure that equipment provides valid results
  - Subclause e) – intent is to further clarify that identification of calibration status need not be physically present on measurement equipment (i.e. an ID number or serial number traceable to a calibration database has long been acceptable)
  - Note – clarifies the intent of software verification requirements
• Auditing Considerations
  - Review the definitions in ISO 9000:2005; the intent is that the definition of “measuring equipment” encompasses “measuring instruments”, which includes measuring “devices”
  - Re: subclause a) – ensure that both calibration and verification are appropriately utilized in your organization
  - Re: software – If you use measuring equipment that relies on software to provide results, review the note and ensure that:
    - Appropriate procedures are in place to verify the validity of the results the software provides
    - Appropriate configuration management procedures are in place (think version control, for those of you not involved in aerospace or medical devices)
Clause 8.2.1 (Monitoring) – Customer satisfaction
ISO 9001:2000
As one of the measurements of the performance of the quality management system, the organization shall monitor information relating to customer perception as to whether the organization has met customer requirements. The methods for obtaining and using this information shall be determined.

ISO 9001:2008
As one of the measurements of the performance of the quality management system, the organization shall monitor information relating to customer perception as to whether the organization has met customer requirements. The methods for obtaining and using this information shall be determined.
NOTE Monitoring customer perception can include obtaining input from sources such as customer satisfaction surveys, customer data on delivered product quality, user opinion surveys, lost business analysis, compliments, warranty claims and dealer reports.
Impact of changes – 8.2.1 Customer satisfaction
• Effect of changes
  - Gives examples of potential sources of information regarding “…customer perception as to whether the organization has met customer requirements.”
• Auditing Considerations
  - Ensure that your organization is using appropriate methods to determine customer satisfaction. The note provides examples of data which may be reviewed.
Clause 8.2.2 (Monitoring) – Internal audit
ISO 9001:2000
The organization shall conduct internal audits at planned intervals to determine whether the quality management system
a) conforms to the planned arrangements (see 7.1), to the requirements of this International Standard and to the quality management system requirements established by the organization, and
b) is effectively implemented and maintained.
An audit programme shall be planned, taking into consideration the status and importance of the processes and areas to be audited, as well as the results of previous audits. The audit criteria, scope, frequency and methods shall be defined. Selection of auditors and conduct of audits shall ensure objectivity and impartiality of the audit process. Auditors shall not audit their own work.
The responsibilities and requirements for planning and conducting audits, and for reporting results and maintaining records (see 4.2.4) shall be defined in a documented procedure.
The management responsible for the area being audited shall ensure that actions are taken without undue delay to eliminate detected nonconformities and their causes. Follow-up activities shall include the verification of the actions taken and the reporting of verification results (see 8.5.2).
NOTE See ISO 10011-1, ISO 10011-2 and ISO 10011-3 for guidance.

ISO 9001:2008
The organization shall conduct internal audits at planned intervals to determine whether the quality management system
a) conforms to the planned arrangements (see 7.1), to the requirements of this International Standard and to the quality management system requirements established by the organization, and
b) is effectively implemented and maintained.
An audit programme shall be planned, taking into consideration the status and importance of the processes and areas to be audited, as well as the results of previous audits. The audit criteria, scope, frequency and methods shall be defined. The selection of auditors and conduct of audits shall ensure objectivity and impartiality of the audit process. Auditors shall not audit their own work.
A documented procedure shall be established to define the responsibilities and requirements for planning and conducting audits, establishing records and reporting results.
Records of the audits and their results shall be maintained (see 4.2.4).
The management responsible for the area being audited shall ensure that any necessary corrections and corrective actions are taken without undue delay to eliminate detected nonconformities and their causes. Follow-up activities shall include the verification of the actions taken and the reporting of verification results (see 8.5.2).
NOTE See ISO 19011 for guidance.
Impact of changes – 8.2.2 Internal Audit
• Effect of changes
  - Better grammar and flow
  - Updated reference to auditing guidance standards; better alignment with ISO 14001:2004
• Auditing Considerations
  - ISO 19011:2002 provides guidance in auditing (1st, 2nd and 3rd party) for both the ISO 9001 and ISO 14001 standards. Use of this document is STRONGLY recommended.
Clause 8.2.3 (Monitoring) – Monitoring and measurement of processes
ISO 9001:2000
The organization shall apply suitable methods for monitoring and, where applicable, measurement of the quality management system processes. These methods shall demonstrate the ability of the processes to achieve planned results. When planned results are not achieved, correction and corrective action shall be taken, as appropriate, to ensure conformity of the product.

ISO 9001:2008
The organization shall apply suitable methods for monitoring and, where applicable, measurement of the quality management system processes. These methods shall demonstrate the ability of the processes to achieve planned results. When planned results are not achieved, correction and corrective action shall be taken, as appropriate.
NOTE When determining suitable methods, it is advisable that the organization consider the type and extent of monitoring or measurement appropriate to each of its processes in relation to their impact on the conformity to product requirements and on the effectiveness of the quality management system.
Impact of changes – 8.2.3 Monitoring and measurement of processes
• Effect of changes
  - Clarifies the intent of the requirement; provides detail of the rationale for monitoring and measurement of QMS processes
• Auditing Considerations
  - Auditors should review process monitoring and measurement to ensure the appropriate application (don’t forget the changes in 4.1 concerning process monitoring and, where appropriate, measurement!)
Clause 8.5.2 (Improvement) Corrective action
ISO 9001:2000
The organization shall take action to eliminate the cause of nonconformities in order to prevent recurrence. Corrective actions shall be appropriate to the effects of the nonconformities encountered.
A documented procedure shall be established to define requirements for
a) reviewing nonconformities (including customer complaints),
b) determining the causes of nonconformities,
c) evaluating the need for action to ensure that nonconformities do not recur,
d) determining and implementing action needed,
e) records of the results of action taken (see 4.2.4), and
f) reviewing corrective action taken.

ISO 9001:2008
The organization shall take action to eliminate the causes of nonconformities in order to prevent recurrence. Corrective actions shall be appropriate to the effects of the nonconformities encountered.
A documented procedure shall be established to define requirements for
a) reviewing nonconformities (including customer complaints),
b) determining the causes of nonconformities,
c) evaluating the need for action to ensure that nonconformities do not recur,
d) determining and implementing action needed,
e) records of the results of action taken (see 4.2.4), and
f) reviewing the effectiveness of the corrective action taken.
Impact of changes – 8.5.2 Corrective action
• Effect of changes
  - “Causes” vs. “cause” – recognizes that nonconformities may have multiple causes; better alignment with clause 8.5.3 Preventive action
  - Subclause f) – clarifies intent that the effectiveness (was the planned result achieved?) of corrective actions must be reviewed
• Auditing Considerations
  - Good opportunity to review the EFFECTIVENESS of corrective actions – were the actions taken successful in eliminating the cause(s) of nonconformities?
Clause 8.5.3 (Improvement) Preventive action
ISO 9001:2000
The organization shall determine action to eliminate the causes of potential nonconformities in order to prevent their occurrence. Preventive actions shall be appropriate to the effects of the potential problems.
A documented procedure shall be established to define requirements for
a) determining potential nonconformities and their causes,
b) evaluating the need for action to prevent occurrence of nonconformities,
c) determining and implementing action needed,
d) records of results of action taken (see 4.2.4), and
e) reviewing preventive action taken.

ISO 9001:2008
The organization shall determine action to eliminate the causes of potential nonconformities in order to prevent their occurrence. Preventive actions shall be appropriate to the effects of the potential problems.
A documented procedure shall be established to define requirements for
a) determining potential nonconformities and their causes,
b) evaluating the need for action to prevent occurrence of nonconformities,
c) determining and implementing action needed,
d) records of results of action taken (see 4.2.4), and
e) reviewing the effectiveness of the preventive action taken.
Impact of changes – 8.5.3 Preventive action
• Effect of changes
  - Subclause f) – clarifies intent that the effectiveness (was the planned result achieved?) of preventive actions must be reviewed
• Auditing Considerations
  - Good opportunity to review the EFFECTIVENESS of corrective actions – were the actions taken successful in eliminating the cause(s) of POTENTIAL nonconformities?
Bibliography
Bibliography – now refers to current editions of referenced standards, new standards
referenced and standards withdrawn since the publication of ISO 9001:2000.
New Standards
ISO 10001:2007, Customer satisfaction - Guidelines for codes of conduct for organizations
ISO 10002:2004, Customer satisfaction - Guidelines for complaints handling in organizations
ISO 10003:2007, Customer satisfaction - Guidelines for dispute resolution external to organizations
ISO 10019:2005, Guidelines for the selection of quality management system consultants and use of their services
ISO 19011:2002, Guidelines for quality and/or environmental management systems auditing
IEC 61160:2006, Design review
ISO 90003:2004, Software engineering - Guidelines for the application of ISO 9001:2000 to computer software
New Editions
ISO 9004:200x, Managing for the sustained success of an organization - A quality management approach
ISO 10005:2005, Quality management systems - Guidelines for quality plans
ISO 10006:2003, Quality management systems - Guidelines for quality management in projects
ISO 10007:2003, Quality management systems - Guidelines for configuration management
ISO 10012:2003, Requirements for measurement processes and measuring equipment
ISO/TR 10013:2001, Guidelines for quality management system documentation
ISO 10014:2006, Quality management - Guidelines for realizing financial and economic benefits
ISO/TR 10017:2003, Guidance on statistical techniques for ISO 9001:2000
ISO 14001:2004, Environmental management systems - Requirements with guidance for use
IEC 60300-1:2003, Dependability management - Part 1: Dependability management systems
Withdrawn Standards
ISO 9000-3:1997 (replaced by ISO 90003:2004)
ISO 10011-1:1990 (replaced by ISO 19011:2002)
ISO 10011-2:1991 (replaced by ISO 19011:2002)
ISO 10011-3:1991 (replaced by ISO 19011:2002)
ISO 10012-1:1992 (replaced by ISO 10012:2003)
ISO 10012-2:1997 (replaced by ISO 10012:2003)
Impact of changes - Bibliography
• Effect of changes
  - None
• Auditing Considerations
  - The referenced standards provide excellent guidance into the intents of ISO 9001:2008. Auditors are strongly advised to understand these guidance documents – you’ll be a better auditor for it!
Auditing “Where Appropriate/Where Applicable…” Clauses
• Many auditors prefer “black and white” requirements – “where applicable” implies judgment. What to do? How do auditors assess applicability of and conformity with a requirement in the absence of a definite “shall”?
• The ISO 9000 Auditing Practices Group and the International Accreditation Forum (IAF), an affiliate organization of ISO, have published two relevant white papers on the subject.
  - Determination of the “where appropriate” processes
  - Auditing the “where appropriate” requirements
• In ISOmatrix’s opinion, the same logic applies to “where applicable” as “where appropriate”
• The source documents are available at http://isotc.iso.org/livelink/livelink/fetch/2000/2122/138402/138403/3541460/customview.html?func=ll&objId=3541460&objAction=browse&sort=name
• Keep in mind, these are guidance documents, NOT ISO 9001 requirements or standards
Auditing “Where Appropriate/Where Applicable…” Clauses
“Determination of the “where appropriate” processes” – Summary
• If there are conflicts between the auditee’s understanding of process applicability and the auditor’s, it’s the auditor’s responsibility to understand the auditee’s point of view.
• Auditors should NOT impose their own point of view WITHOUT OBJECTIVE EVIDENCE TO SUPPORT THEIR POINT OF VIEW that a requirement is not met!!!
• The issue may be conflicts in understanding the organization’s terminology vs. ISO’s – use ISO 9000:2005 as a reference to resolve these conflicts wherever possible
• Don’t forget Clause 1.2 – Applicability!
• ISOmatrix suggests considering the impact of the process or requirement on product conformity to requirements, statutory/regulatory compliance and customer satisfaction
Auditing “Where Appropriate/Where Applicable…” Clauses
“Auditing “where appropriate” requirements” – Summary
• The organization should carefully consider the applicability of the “where appropriate” requirements during implementation
  - Impact on product conformity to requirements, statutory and regulatory compliance and customer satisfaction (remember Clause 1.1?)
• Auditors should look at these requirements in light of the organization’s QMS scope – how will these requirements impact the QMS’ ability to fulfill this scope?
  - “Does this requirement add value to this element of confidence, without the ‘where appropriate’ being addressed?”
  - “Does it increase the risk that the organisation cannot meet its customer requirements? (This may be more than a specific set of customer requirements, as it can include the demands and expectations of end users, consumers, or the supply chain).”
Auditing “Where Appropriate/Where Applicable…” Clauses
“Auditing “where appropriate” requirements” – Summary (cont’d)
• Individuals responsible for the selection of internal auditors should consider whether the auditor has the necessary technical competence to make these determinations – the use of “technical experts” per ISO 19011 may be necessary
• Auditors should consider the impact of the “where appropriate” requirements on how processes are defined and implemented, and the process outputs.
  - If the requirement is NOT considered “appropriate”, it’s recommended that the audit provide objective evidence to support that the system is effective and customer requirements are consistently met.
  - ISOmatrix adds – consider the performance of the system and process. Review monitoring (and where applicable, measurement) of the associated process. Is the process effective and efficient in the absence of conformance to this requirement?
Listing of “Where Appropriate/Where Applicable…” Clauses
• Where appropriate
  - 7.4.2 Purchasing Information
  - 7.5.3 Identification and traceability
• Where applicable
  - 4.1 e) General requirement (New for 2008)
  - 6.2.2 b) Competence, training and awareness (New for 2008)
  - 7.3.2 Design and development inputs
  - 8.2.3 Monitoring and measurement of processes
  - 8.2.4 Monitoring and measurement of product
  - 8.3 Control of nonconforming product (New for 2008)
Questions and Answers
ISOmatrix
ISOmatrix, Inc.
www.isomatrix.com
805-435-1203
Thank You!!!