bvc+iso 9001+2008+interpretation

Bureau Veritas Certification Interpretations

Expectations for Companies Certifying to ISO 9001:2008.

of 42

Interpretation of Jan 10 2010 Rev. level 7

Bureau Veritas Certification has established certain minimum expectations for companies who

wish to register their Quality Management Systems (QMS) to ISO 9001:2008. These expectations

are based upon our understanding of the requirements of the standard and the requirements for

third party registration/certification to the standard gained through our collective experience in

auditing quality management systems of many varied applications.

Additionally, The ISO Technical Committee (TC) has developed several guidance documents for

various requirements of ISO 9001:2008. These documents are available to the public via Internet

website http://www.bsi.org.uk/iso-tc176-sc2. These documents are referred to throughout this

document.

Auditor Notes:

This document is not intended to add to, minimize, or in any way modify the requirements of the

standard and the requirements for accredited certification to the standard. It is meant to be a

guidance tool for Bureau Veritas Certification auditors and clients providing common

understanding on the intent of the standard and certification requirements in addition to providing

clarification of the text. For organizations seeking registration/certification, this document provides

insight as to the expectations of Bureau Veritas Certification auditors.

In order to claim conformity with ISO 9001:2008, the organization has to be able to provide

objective evidence of the effectiveness of its processes and its quality management system.

Clause 3.8.1 of ISO 9000:2005 defines ‘Objective evidence’ as ‘Data supporting the existence or

verification of something’ and notes that ‘Objective evidence may be obtained through

observation, measurement, test or other means’. Objective evidence does not necessarily depend

on the existence of documented procedures, records or other documents, except where specifically

mentioned in ISO 9001:2008. In some cases, (for example, in clause 7.1{d} Planning of product

realization, and clause 8.4 Monitoring and measurement of product), it is up to the organization to

determine what records are necessary in order to provide objective evidence.

This document has been updated to meet the ISO 9001:2008 requirements; the intent of the

standard did not change from 2000 to 2008. There were many “text” changes, mainly for clarity

and alignment to ISO 14001. BVC’s position is “there are no new requirements to ISO

9001:2008”. A currently certified company to ISO 9001:2000 would meet the intent of the 2008

revision and clients may not be required to make changes to their QMS based on the new text.

General text changes include, but are not limited to: alignment of ISO 14001, many notes have

been added for clarity and guidance, definition of product was added, process approach is required,

statutory requirements and legal requirements clarified, calibration (7.6) now called equipment

changed from devices, other subtle changes in text are listed below in detail, as needed.



of 42


ISO 9001:2008 Interpretations

Element 4: Quality Management System

4.1: General

Section 4.1 includes the general requirements that must be met in order to establish, implement

and continually improve the effectiveness of a quality management system meeting the

requirements of the standard. These requirements are referenced to and/or further defined in

subsequent clauses of the standard. Table A, shown below, contains the cross-linked references.

Continual improvement of the effectiveness of the quality management system may be reflected in

a number of different areas. These may include:

�� Quality objectives;

�� Corrective and preventive actions;

�� Internal audits;

�� External audits;

�� Review of customer satisfaction surveys and associated action items;

�� Operation meetings producing improvement actions;

�� Actions initiated by suggestion programs;

�� Process Changes;

�� Infrastructure and environment changes;

�� Management Reviews

If continual improvement has become a way of life for a company, it is unlikely that a

demonstration of company wide continual improvement will come from only a few sources.

System deterioration would not necessarily lead to non-conformity if all actions were positive and

the improvement path is still evident and logical. The system would be questionable if the

company did not recognize it or had not reacted to the issues appropriately.

Note: It is the responsibility of the company to demonstrate improvement rather than the auditor to

look for it. Accordingly, it is a useful audit practice to ask management to identify any

improvement initiatives taken since the previous visit, and any planned for the future.



of 42


4.1 a) Process Determination, the 2000 revision used the term “identify” processes which is

defined as, “to give an identity” where 2008 uses the term “determine” the term determine is to

“move forward, impel, to use” the intent is that Top Management shall use the processes to operate

the business.

Bureau Veritas Certification auditors will expect to see a process model that explains the key

processes of the business and how each relates and links to the others. The depth of process

explanation may be as detailed as the company chooses, but should be based on its customer and

applicable regulations or statutory requirements, the nature of its activities and its overall corporate

strategy. In determining which processes should be determined and documented the organization

may wish to consider factors such as:

�� Effect on quality

�� Risk of customer dissatisfaction

�� Statutory and/or regulatory requirements

�� Economic risk

�� Effectiveness and efficiency

�� Competence of personnel

�� Complexity of processes

Bureau Veritas Certification promotes the identification of Customer Oriented Processes (COPS),

Support Oriented Processes (SOPS) and Management Oriented Processes (MOPS) while defining

processes however, this is not a requirement. The auditor must see evidence that the organization

has determined their processes and interactions.

COPs may include: Sales, Purchasing, Manufacturing/Service, Design, etc. any process that affects

or interacts with the customer.

SOPs may include: calibration, maintenance, IT, finance, HR/Training, corrective action, audits,

etc. any process that “supports” other processes, typically across many processes.

MOPs may include: business planning, goal setting, management review and other meetings,

operating plans, customer satisfaction review, budgets, resource planning, etc. any process that is

formally conducted by the Top Management.

If the company calls it a “process” it shall be monitored for effectiveness (4.1, 8.4, 8.2.3)

The ISO TC document - ISO/TC 176/SC 2/N 544R - ISO 9000 Introduction and Support Package:

Guidance on the Concept and Use of the Process Approach for Management Systems, provides

basic information for understanding application of the process approach. The bulletin defines a

process as: A “Process” can be defined as a “Set of interrelated or interacting activities, which

transforms inputs into outputs”. These activities require allocation of resources such as people

and materials (http://www.bsi.org.uk/iso-tc176-sc2).

4.1 b) Sequence and interaction of these processes – The interactions of the processes must

somehow be described in the quality manual (4.2.2 c). The Auditor must see evidence that the



of 42


organization has determined their processes and that the interactions are also defined, all within the

quality manual. Subsequently, this includes the actual and technical inputs and outputs of the

processes to show their inter-relationship. Though, 4.2.2c requires the “description of the

interactions between the processes”, this shall include the process names and the inputs and

outputs of each process hence, interactions. The dictionary term for “interaction” is “how one

influences the other”. BVC agrees that the “description of the interactions of the processes” cannot

be done if the processes are not determined (names).

The organization is not required to produce system maps, flow charts, lists of processes etc. as

evidence to demonstrate that the processes and their sequence and interactions were determined.

Such documents may be used by organizations should they deem them useful, but are not

mandatory. Graphical representation such as flow-charting is perhaps the most easily

understandable method for describing interactions between processes. Other possible methods may

include: documentation prepared for implementation of the product management system (SAP,

SYMIX, MRP, etc…); deployment flowcharts; and pictorial diagrams.

The Completion of the Bureau Veritas Certification process matrix provides the relationship

between the organizations processes and the requirements of ISO9001:2008 by element and sub-

clause however does not show the interaction between the processes. If the organization chooses

to use the process matrix to show interaction, it must be supplemented with another method to

show process interaction. The Bureau Veritas Certification process matrix must be completed in

order to assist in the scheduling of the organizations audits in addition, Auditors do not define

processes, the organization does, Auditors do have to understand the relationship between a

companies processes, what they call them and what ISO elements pertain to those processes.

4.1 c) Criteria and methods needed to ensure that both the operation and control of these

processes are effective. This could be demonstrated with stated objectives, instructions and or

procedures as required for consistent output of the processes. This is the “Plan” part of PDCA.

4.1 d) Ensure the availability of resources and information necessary to support the operation

and monitoring of these processes. This may be through Management Review or other methods

for defining and determining resources. This is the “Do” part of PDCA.

4.1 e) Monitor, measure and analyze these processes - All identified processes are subject to

requirements for monitoring, measurement, and analysis for needed improvement. The methods

employed and the timing of such analysis should be based upon priorities established by the

organization. Auditor expects to see measurable objectives established for each process. These

objectives should support the organization’s overall objectives. This is the “Check” part of

PDCA.

Note: this clause requires each defined process to be measured as applicable, monitored and

analyzed, as opposed to clause 8.2.3, which requires” suitable methods for monitoring and, where

applicable measurement” of the processes. “Monitoring of the processes” may be considered; “real

time” measurements of the flow of work i.e. inspection, test or verification that is relevant to the

real time verification of the product/service. “Measurement of the process” may be considered; the



of 42


overall process objectives, historical, current and planned, the data used to determine that the

overall objectives are met, typically is produced at the lower levels during the production/service

work flow. The “measurement” of the product is considered monitoring of the process”. BV

Auditors would not debate the difference between these terms, the intent is to assure that the

organization monitors/measures their processes for improvement and conformance to objectives

and or criteria.

4.1 f) Implement actions necessary to achieve planned results and continual improvement of these

processes – Same as described above. Auditor expects to see corrective action taken when

measurable objectives fall below target or defined action level however, a formal corrective action

is not always required, “corrections” can be made thru improvement plans and other methods

though, a significant departure from the objectives may require formal correction actions. This is

the “Act” part of the PDCA.

Outsourced Processes: Outsourced processes must be controlled by the organization and these

controls must be defined/described within their system. Organizations are required to identify the

controls they apply for any outsourced processes. The facility quality manual must identify if

outsource processes are applicable. In addition, the client shall have written documentation on

the methods used to control the outsourced process(es). Examples of some outsourced processes

are:

�� Process completed wholly or partially by a sister facility outside the scope of registration.

Such as corporate performing design, purchasing or customer related processes, this

includes management activities i.e. business planning, goal setting, resources, data analysis,

budgeting, etc. This may include the entire element or a subsection i.e. corporate completes

supplier evaluation and re-evaluation of suppliers and the registered site initiates purchase

orders.

�� Processes completed by an outside vendor or subcontractor such as heat treating, plating,

calibration, painting, powder coating, etc. These types of processes may be controlled

under 7.4 Purchasing where a formal contract/PO may be the controls. If this is the case,

written documentation would be the purchasing documentation and records however, these

processes are required to be documented in the quality manual.

If an outsourced process is controlled through Purchasing there must be documented objective

evidence to ensure that these processes are being controlled beyond the basic purchasing

requirements, which are focused on controlling products not processes. The organization is

responsible to ensure that the outsourced process is meeting applicable requirements to ISO

9001:2008. Outsourced processes may be controlled through such

methods as (not limited to):

�� Internal Audits

�� Internal Agreements between two sites where only the audited site is under the scope of

registration (Interface Agreements – Bureau Veritas Certification terminology)

�� Process performance data review on an ongoing basis

�� Purchasing Process (see above)



of 42


NOTE 3 Ensuring control over outsourced processes does not absolve the organization of the

responsibility of conformity to all customer, statutory and regulatory requirements. The type and

extent of control to be applied to the outsourced process can be influenced by factors such as

a) the potential impact of the outsourced process on the organization’s capability to provide

product that conforms to requirements,

b) the degree to which the control for the process is shared,

c) the capability of achieving the necessary control through the application of 7.4.

I have been pushing to see an analysis of the outsourced process using the criteria above and in

determining the amount of control – quite honestly for some outsourced processes Purchasing

could be all that is needed and would be acceptable if the analysis showed it had low risk o f

impacting the system – just a thought.

ISO/TC 176/SC 2/N 630R2 ISO 9000 Introduction and Support Package: Guidance on

'Outsourced Processes: An outsourced process can be performed by a supplier that is totally

independent from the organization, or which is part of the same parent organization (i.e. a

separate department or division that is not subject to the same quality management system). It

may be provided within the physical premises or work environment of the organization, at an

independent site, or in some other manner… The organization has to demonstrate that it

exercises sufficient control to ensure that this process is performed according to the relevant

requirements of ISO 9001:2008, and any other requirements of the organization’s quality

management system. The nature of this control will depend, among other things, on the

importance of the outsourced process, the risk involved, and the competence of the supplier to

meet the process requirements (http://www.bsi.org.uk/iso-tc176-sc2).

TABLE A: Cross-linked references

4.1 General requirements Relevant further clauses

a) Determine the processes, including

outsourcing, needed for the quality

management system and their application

throughout the organization (see 1.2),

5.4.2 QMS planning

7.1 Planning of product realization

8.1 General

b) Determine the sequence and interaction of

these processes,

5.4.2 QMS planning

7.1 Planning of product realization

4.2.2 (c)

c) Determine criteria and methods needed to

ensure that both the operation and control

of these processes are effective,

7.1 (c)

7.3.3 (c)

7.4.1 (Criteria for selection)

7.5.2

d) Ensure the availability of resources and

information necessary to support the operation

and monitoring of these processes,

Whole of 6

e) Monitor, measure as applicable, and analyze

Whole of 8.2



of 42


these processes, and,

f) Implement actions necessary to achieve

planned results and continual improvement of

these processes.

These processes shall be managed by the

organization in accordance with the

requirements of this International Standard.

Where an organization chooses to outsource any

process that affects product conformity to

requirements, the organization shall ensure

control over such processes. The type and

extent of control to be applied to these

outsourced processes shall be defined within the

quality management system.

Whole of 5, 6, 7 and 8

4.2: Documentation Requirements

4.2.1: General

The Quality Management System (QMS) “documentation” shall include: 4.2.1 a-d

a) documented statements of a quality policy and quality objectives,

b) a quality manual,

c) documented procedures and records required by this International Standard, and

d) documents, including records, determined by the organization to be necessary to ensure the

effective planning, operation and control of its processes.

4.2.2: Quality Manual

Exclusions from the quality management system must be described and justified within the quality

manual (see 4.2.2 a). The documented procedures established for the quality management system

must be included or cross-referenced in the quality manual (see 4.2.2 b). A description of the

interaction between the organization’s processes needs to be identified in the quality manual (see

4.2.2 c). An organization cannot describe the interactions of the processes without defining the

processes themselves.

The applicable processes might include those relating to four general categories: 1) Management

Activities, 2) Resource Management, 3) Product Realization, and 4) Measurement and Monitoring.

Most companies will prefer to focus on their own COPS, MOPS, and SOPS.

Manual content and design - There are many ways of documenting the quality management

system and organizations should adopt the approach that is most useful for effective operation of



of 42


their system. BV takes the approach that ISO 9001:2008 is a “measurement” based standard not a

“documentation comprehensive standard” though, documentation is required for some of the ISO

elements and is used for many purposes and advantages. An organization must keep in mind, the

word “effectiveness” is stated 28 times in the standard therefore, measurements and monitoring

can be more critical than documents. Auditors must not strictly focus on documents and must

assure that the organization has measurement criteria to show effectiveness of the processes and

the QMS.

Examples may include, but no limited to:

�� Flowcharts;

�� Written text;

�� Diagrams;

�� System maps;

�� Process maps;

�� Process Turtles.

�� The company server with hyper-links

The quality manual may have many forms. Although many organizations structure their

documentation in a typical pyramid, it is not the only, and not always the most suitable, way. A

quality manual doesn't have to exist as a separate document. The quality manual may:

�� Be a direct collection of QMS documents including procedures;

�� Be a grouping or a section of QMS documentation;

�� Be more than one document or level;

�� Be in one or more volumes;

�� Be a stand alone document or otherwise;

�� Be a collection of separate documents

�� Be electronic with hyper-links i.e. using process turtles/maps with links to each process

turtle leg or flow box.

The ISO 9001:2008 standard offers companies a possibility to establish effective, user-friendly

systems. This edition offers the current users a unique opportunity to streamline their quality

management system documentation.

A separate document "addressing" all the clauses of the standard is not required by the standard -

neither does the standard require the quality manual to "address" or "cover" the requirements of the

standard. The manual may be documented specifically to the organizations processes.

4.2.2 a) Scope – The organization may exclude portions of the standard that do not apply to their

quality management system due to the nature of the product or service that they supply. ISO

9001:2008 clearly limits and identifies which activities may be excluded, limited to clause 7 only.

The justification for exclusion and those considered not applicable must be clearly documented in

the quality manual. If, for example, design does not apply to the quality management system, the

standard stipulates (in section 1.2 Application) how a reduction in scope of the standard may be



of 42


justified and documented within the quality manual. Bureau Veritas Certification has defined

exclusion applicability to be within the clause Design and Development (7.3) only. All other

potential exclusions within section 7 must be identified as not applicable or not applicable at this

time with justification or explanation as to why it does not apply. In addition, if an organization

conducts these activities or is responsible by the customer to conduct these activities, they must be

part of the scope of certification. Design applies to product design, organizations cannot exclude

portions of design element 7.3, “it’s all or nothing”.

ISO TC Guidance - Document: ISO/TC 176/SC 2/N 524R3 ISO 9000 Introduction and Support

Package: Guidance on ISO 9001:2008 clause 1.2 'Application:

ISO 9001:2008 clause 1, Scope, defines the scope of the standard itself. This should not be

confused with the scope of the QMS, which is a term commonly used within the context of QMS

certification/registration to describe the organization and products to which the QMS applies

(http://www.bsi.org.uk/iso-tc176-sc2).

Auditor should discuss the difference between the scope of certification and the scope of the QMS

(i.e. what is on or will be on the organization’s certificate).

The scope of the QMS should be based on the nature of the organization's products and their

realization processes, the result of risk assessment, commercial considerations, and contractual,

statutory and regulatory requirements. Auditors shall assure, at every audit, that the scope of

certification is accurate to the actual activities conducted by the organization. The Auditor is

expected to review the certificate terminology and assure that the scope is accurate and is not

misleading to the customer. This includes factored items, as appropriate though, factored items

normally are not defined on the certificate, these items may influence the scope and activities.

If an organization chooses to implement a quality management system with a limited scope, this

should be clearly defined in the organization's Quality Manual and any other publicly available

documents to avoid confusing or misleading customers and end users (this includes, for example,

certification/registration documents and marketing material).

Note: For multi-site/corporate certifications the auditor will expect to see that one quality manual

is applicable for all sites and that any changes are centrally controlled (see 4.2.3). Also required is

a centralized Management review (corporate), centralized internal audit system and corrective

action system. It is typical for a corporate scheme to have specific document and records

requirements for the sites however; sites may have their own controlled documentation at the local

level.

The auditor must verify the linkages between the Headquarters (central site) and the sites as well

as the individual site linkages to corporate. In most cases, specific linkages vary between sites. If

these linkages are not established and defined the organization does not meet multisite

requirements (per IAF MD-1) In addition, BV has instituted a methodology regarding corporate

schemes, we are attempting to conduct certification audits at the local sites first then at the

corporate site, this gives the Auditor evidence that the linkages are accurate and effective.



of 42


4.2.2 b) Documented Procedures – The manual must include reference to, at a minimum the six

required documented procedures (see 4.2.3, 4.2.4, 8.2.2, 8.3, 8.5.2, 8.5.3). The manual may

reference other documentation but must list those required documents in some format. This may be

in the form of a link or other such reference.

The notes after sub clause 4.2.1 in ISO9001:2008 make it clear that where the standard specifically

requires a ‘documented procedure’, the procedure has to be established, documented, implemented

and maintained. It also emphasizes that the extent of the QMS documentation may differ from one

organization to another due to:

NOTE 1

Where the term “documented procedure” appears within this International Standard, this means

that the procedure is established, documented, implemented and maintained. A single document

may address the requirements for one or more procedures. A requirement for a documented

procedure may be covered by more than one document.

NOTE 2

The extent of the quality management system documentation can differ from one organization to

another due to

a) the size of organization and type of activities,

b) the complexity of processes and their interactions, and

c) the competence of personnel.

NOTE 3 The documentation can be in any form or type of medium.

4.2.2 c) Interaction between processes – This requirement ties closely to section 4.1 b), which is

discussed in the previous paragraphs. The interactions between the quality management system

processes do not have to be separately described, or illustrated, by charts, tables or maps. If an

organization chooses to use a process map to show interaction, just using boxes and arrows is not

sufficient – a description or other depiction is required for interactions. An example may be “

process turtles” with hyper links for each leg, links from a flow chart, cross-reference matrices,

etc. the intent is to determine the actual inputs and outputs of each process.

Although many organizations may choose such a format, it is not a mandatory method. Interaction

between processes may be described, for instance, by way of references and/or cross-references

within the procedures, where the procedures form part of the Quality Manual. If the procedures are

not included or referenced from the Quality Manual, then the manual can not be consider

acceptable to the standard requirements, the interactions can be in an appendix, addendum or hyper

linked to the manual if the system is electronic.

4.2.3: Control of Documents

A documented procedure is required for control of documents.



of 42


Guidance is given for documents and records in ISO/TC 176/SC 2/N 525R ISO 9000

Introduction and Support Package: Guidance on the Documentation Requirements of ISO

9001:2000 (http://www.bsi.org.uk/iso-tc176-sc2).

4.2.3 a) Approve documents – procedure must identify the approval process.

4.2.3 b) Review and update – All management system documentation must be covered by some

review strategy. The procedure must identify a method on how and when all documents are

reviewed on an ongoing basis. Different types / levels of documents may be reviewed at different

intervals / criteria and / or by different methods (i.e. – at each use, through internal audits, via

formal recalls and reviews, during training events where procedures are taken most literally, etc.),

review should be conducted by personnel competent to do so. Bureau Veritas auditors should

assess whether review methodology demonstrates effective document controls. Note – statutory /

regulatory and customer / industry requirements may also impact review methodology. A method

must be in place to show review was completed where there were no changes. Though a formal

record is not required, evidence of the methods conducted and the reviews have taken place must

be shown. Those documents that are updated must be put back through the organizations required

approval process (4.2.3 a).

4.2.3 c) Changes and current revision status – The procedure must identify how changes and

revisions to documents are identified. These must be identifiable for each document. How does the

user know what the changes are?

4.2.3 d) Availability of documents – procedure must identify how documents are made available to

employees. Auditor will expect to see that documents are readily available to employees through

out the facility at their points of use.

4.2.3 e) Documents are legible and readily identifiable – auditor will expect to see that documents

are maintained and remain legible and easily identifiable.

4.2.3 f) Documents of external origin – Documents of external origin are those that are produced

from outside the organization that are used by the organization in support of the quality

management system processes. The procedure must address if documents of external origin are

applicable and if so how these documents are controlled by the facility. The auditor expects to see

that controls are in place to ensure current versions are used and documents are controlled within

the facility furthermore, who in the facility has the experience/knowledge to understand the

external documents and applicability to the organization?

4.2.3 g) Obsolete documents – Procedure must address how obsolete documents are controlled to

prevent unintended use and if retained how these documents are identified.

Note: For multi-site/corporate certifications the auditor will expect to see that System

documentation and changes are centrally managed (usually performed at the headquarters location)

with further control of documents at the local level, as applicable.



of 42


4.2.4: Control of Records

Records required by the organization may be in any format deemed suitable for the organizations

method of operation. A documented procedure must be in place and define the controls needed for:

�� Identification – the procedure must identify the system/process is in place to identify

records. Have all required records been identified. Refer to Annex B of the ISO/TC 176/SC

2/N 525R - ISO 9000 Introduction and Support Package: Guidance on the Documentation

Requirements of ISO 9001:2008.

�� Storage – where records are stored – specific location i.e. Quality filing cabinet in the QC

Laboratory, etc.

�� Protection – how individual records are protected i.e. tape back up every 24 hours (for

electronic records), fireproof safe, filing cabinet etc. Electronic records back-up is part of

the records procedure.

�� Retrieval – any special requirements for retrieval. Generally dependant on location and

protection. May be a request process.

�� Retention time – identification of how long each record will be maintained. The intent of

the standard is that after the defined retention time has been met, records would eventually

be disposed of, BVC poses the question to the Top Management, do they know how long

records are kept and can these records help or hinder in a legal case?

�� Disposition of records – method for disposing of records i.e. shredding, burned, trash

A spreadsheet or other document may be used to identify the above requirements.

Element 5: Management Responsibility

Note that this section has nine references to top management. This is defined in ISO 9000:2005,

3.2.7 as “person or group of people who directs or controls an organization at the highest level”.

It is therefore essential to examine top management’s commitment to, and support for, the QMS

(and to record objective evidence to support any conclusions reached). “Top Management” may be

the CEO, President, General Manager, etc. The Top Management of the firm relevant to the scope

of certification also, BVC would accept a “management team” if formal business decisions are

indeed a collect effort.

5.1: Management Commitment

It is necessary for auditors to obtain (and record) objective evidence of management commitment.

This would include:

5.1 a) Evidence that top management has communicated to the organization the importance

of meeting customer requirements as well as statutory and regulatory requirements. This can

be achieved through meetings, newsletters, bulletin boards, training records etc.



of 42


NOTE - statutory and regulatory requirements are broad based and include all applicable

requirements for processes, products and activities.

5.1 b) Top Management’s establishment of and input into, and commitment to, the quality

policy (its definition, delivery and maintenance) through management review or other

meetings or methods.

5.1 c) Documented quality objectives (for all processes).

5.1 d) Top Management’s active participation in management review meetings.

5.1 e) Evidence of a process for defining resource requirements and ensuring that adequate

resources are available.

In short, how well they address requirements 5.2 through 5.6.

5.2: Customer Focus

Customer requirements and customer satisfaction are directly linked with the process approach

concept in the standard. Auditors will seek objective evidence to demonstrate that the customer

requirements are indeed being met, whether the satisfaction is revealed in customer survey results,

repeat sales or any other type of mechanism that would reveal trends and lead to improved

customer satisfaction. Management review minutes might be a record where Customer Focus is

addressed. You might also look at Quality plans and or product plans that include customer related

requirements.

5.3: Quality Policy

It is expected that there is evidence that Top Management fully embrace the quality policy. The

standard identifies five specific points which requires that top management ensures that the policy;

5.3 a) Is appropriate to the purpose of the organization

5.3 b) Includes a commitment to meeting requirements and to continual improvement of the

quality system

5.3 c) Provides framework for establishing and reviewing quality objectives

5.3 d) Is communicated and understood at appropriate levels in the organization

5.3 e) Is reviewed for continuing suitability.

Auditors must determine if the Quality Policy meets the intent and is understood, by

interviewing personnel at all levels. Although the exact policy does not need to be recited by

interviewees, the awareness of the quality policy and how their job affects the company



of 42


objectives should be determined. If personnel interviewed do not know what their measurable

objectives are and/or do not know what the organizational objectives are that they have a direct

effect on, the auditor would be further directed to evaluate managements communication of the

policy and objectives.

The Quality Policy must be documented anywhere within the organization, this could be done

electronically however, all personnel need access to it.

The Quality Policy does not have to include objectives but should create a framework for

establishing them. The Quality Policy should be stated in such a way that it aims toward continual

improvement. It should be reviewed and possibly revised to meet higher aspirations.

Bureau Veritas Certification does not require that the policy include the words “continual

improvement” in the written policy, however it must be ascertained that it is implied and known

through out the organization.

To meet the intent of this clause, the auditor would be looking for a clearly defined Quality Policy

that is sufficiently detailed to provide a framework for quality objectives that can be monitored for

continual improvement. An auditor would not want to see a vague policy, such as “Our Policy is to

Maintain Status Quo”. Furthermore, The policy shall be “real” and the objectives shall be

consistent with the policy meaning that, the policy shall be implemented and the objectives

cascaded throughout the QMS levels, also see 6.2.2d. Quality objectives may be the same as the

Business plan objectives, ISO 9001 is a formal business management standard however, the

business plan is not auditable by the Auditor, as applicable.

BVC Auditors intent is not just conformance to the requirements but also to assist an organization

in meeting their business objectives, better customer satisfaction and eventually more market

share, which, in time, brings more profits for the organization.

When interviewing top management, their input into, and commitment to, the quality policy needs

to be determined. Is it theirs, or have they clearly just signed something written for them by the

management representative?

Note: For multi-site/corporate certifications the quality policy must be applicable for all sites.

5.4: Planning

5.4.1 Quality Objectives

Auditors must determine that the organization has developed measurable quality objectives for

relevant functions and levels of the organization. Bureau Veritas Certification expects overall

objectives to be established at the facility/corporate level and objectives established for each

identified process. Process objectives shall support the organization’s overall objectives.

The organization must establish what the “relevant functions” of the organization are, however at a

minimum this will include all defined processes (reference 4.1 a, c, e). Sub-processes, projects, or



of 42


individual objectives would be at the discretion of organization. The auditor may want to ask what

criteria were used to determine if functions are relevant or not. It would be left up to the company

to determine if a cost or added value benefit would result from including or not including functions

of the operation when establishing quality objectives. The COPS may have more critical objectives

as opposed to internal audits or inspection processes; the intent of the standard is for the

organization to have the right measurement in the right place for the right reason.

If some functions or levels have been excluded, it may be necessary to explore, evaluate (and

record) the reasons for such omissions (which might be quite acceptable at that particular stage in

the continual improvement process).

The organization must identify quality objectives that can be measurable, such as “vendor on-time

rating”, “on-time delivery”, “all employees will have completed an ISO 9001 awareness class” and

“all machines will have clearly defined procedures on their usage.” If the objectives were not

measurable (including a time-based element where appropriate), they would not meet the intent of

the standard,

The objectives do not have to be defined in a specific document although the objectives are

required to be documented (see 4.2.1 a). Objectives can either be defined in associated procedures

or instructions, or could be recorded in meeting minutes such as management review records. The

organization must have a process to ensure that all the objectives are clear and communicated to all

employees who can influence the defined objective(s). The organization should be able to

demonstrate that the objectives are being measured and reviewed (see 4.2.4 and 8.5.1 and 8.4

analysis of data).

5.4.2: Quality Planning

Auditors have to use their judgment in evaluating the entire collected audit evidence in order to

assess effectiveness of planning activities. The auditor may also satisfy him/herself that planning

was done, by interviewing the personnel involved in establishing or achieving specific quality

objectives.

Auditors are recommended to attribute such QMS deficiencies to relevant clause, requirements of

which were contravened, rather than to clause 5.4.2.

Determining effective and efficient planning may be found by evidence of:

�� All those planning activities undertaken to establish the QMS in accordance with clause

4.1, this would include new products, services and part numbers, etc.

�� The existence of an effective, documented, and implemented QMS that provides collective

evidence demonstrating that these planning activities have been performed effectively.

�� Deficiencies in the quality system that may indicate that these planning activities were not

quite effective.

�� The evidence and use of Strategic Plans, Business Plans, Management Review results,

Contingency Plans, Quality Objectives, any programs or plans, documented or not, such as

Minutes of meetings, Memos, Internal communications.



of 42


Where there is lack of documented evidence, an auditor may satisfy him/herself through

interviewing the personnel at those levels and functions involved in achieving particular objectives

to determine the level of planning.

Another methodology allowing audit of effective planning involves review of the progress in

implementation of such plans aimed at adhering to individual objectives.

5.5: Responsibility, Authority and Communication

5.5.1: Responsibility and authority

In order for the auditor to be satisfied that the intent of this element has been met, he/she may

review organization charts, job descriptions or a responsibility matrix. Identification of

responsibility and authority could be written into procedures and/or work instructions, as well. The

auditor may also use interviews of individuals to determine if responsibility and authority has been

communicated effectively.

5.5.2: Management Representative

Responsibilities to include:

5.5.2 a) Ensuring that the processes needed for the quality management system are established,

implemented and maintained.

5.5.2 b) Reporting on the performance of the system to top management.

5.5.2 c) ensuring the promotion of awareness of customer requirements.

The resource designated as management representative shall be a member of the organization’s

management. The 2008 revision requires that the companies own Management be the MR

however, a consultant that conducts on-site work at the facilities on a continuing basis, can be

classified as the MR. Those consultants that show up annually for the ISO audit cannot be the

MR. The intent is that the organization and a member of, shall “own” the QMS, what type of

commitment is it if a consultant “owns” the system? The Auditor shall determine that the

Management Representative (employee or subcontractor) is a “member of management”. If the

designated management representative, particularly if from outside the organization such as a

consultant, operates in a part time mode, the management system must ensure continuity in

fulfilling the management representative responsibilities. It is highly recommended that the

company delegate one of it’s own management as the MR.

Promotion of customer awareness might include news releases, meetings, training, photographs,

models; examples of products demonstrating required visual attributes, do the employees know

where the products are used and if deficiencies to the products are found, how this may affect the

customer? We look for one individual to be the management representative in terms of defined



of 42


responsibility. However, implementation of those responsibilities may be in the form of a defined

and delegated team.

Note: The management representative is responsible for ensuring it happens – not making it

happen, which is the job of line management.

Note: For multi-site/corporate certifications the auditor will expect to see that there is a

management representative with overall responsibility across all sites for ensuring that

requirements are established, implemented, maintained, and for reporting on performance.

5.5.3: Internal Communication

Although there is no mandate for documenting methods for communication, the auditor will expect

to find evidence of communication through interviews with employees. Evidence could possibly

include the employees understanding of process linkage and effectiveness, customer satisfaction

levels, preventive and corrective action information, on time delivery, quality costs, returned

material, non-conformances the objectives for their processes and understanding how they

influence those objectives (6.2.2d). This could be communicated by access to the computer

network, an information board, newsletters, or even process routers, checklists, and

multifunctional meetings. The type and extent of the documentation will depend on the nature of

the organization’s products and processes, the degree of formality of communication systems and

the level of communication skills within the organization and the organization culture.

5.6: Management Review

5.6.1: Management Review - General

IMPORTANT INITIAL CERTIFICATION REQUIREMENT: For a new/first time

registration/certification (Stage 1), a full round of Management Review meeting(s), including

documented evidence of all required inputs and outputs, must be completed prior to the

registration/certification audit (stage 2) note; a full internal audit cycle must be completed prior to

this review – see 8.2.2 Internal Audit). For multi-site/corporate certifications the review must

include inputs (as appropriate) from each site (see the standard 5.6.2 a – g). Normally, the review

process is conducted at the headquarters location.

As of Jan 1 2009, all new certifications shall use a 2 stage audit process. Stage 1 is generally 25%

of the full mandays looking at the following evidence for effectiveness:

• Full management review meeting all 5.6.2 and 5.6.3

• Full round of internal audits, all defined processes must be audited

• 6 required procedures for meeting ISO intent and implementation

• All and any corrective actions and customer complaints and actions, no “open” internal

corrective actions are allowed.

• Quality manual review to meet all 4.2.2 a, b and c.

• All performance indicators i.e. objectives, targets and progress made towards them.



of 42


• Scope of certification, sites, employee count, codes are correct and any exclusions with

justification.

• The auditor would identify any issues that could be nonconforming at the stage 2 event.

• The stage 1 audit may be referred to as a “readiness review” where BV Auditors are

seeking evidence that the client is “ready” for stage 2, which is the fulfillment of the

registration audit days.

Note: Clients that are currently ISO certified will normally not have a stage 1, however a Stage 1

may be required where there are substantial changes to the clients management system,

Top management shall review the quality management system at planned intervals not only for

continuing suitability and effectiveness, but also adequacy. Additionally, this review shall include

assessing opportunities for improvement, the need for changes to the system, the quality policy,

and quality objectives.

These words are more prescriptive which cause a more proactive expectation and approach to

keeping the system current and useful and maintaining improvement activities. The auditor cannot

prescribe the intervals for reviews to occur, but can look for evidence that the frequency is

sufficient to accomplish the requirements of the standard. Although the dictionary would suggest

that suitable and adequate are the same, the standard seeks to distinguish both the system from a

global perspective of adequacy as well as the detailed suitability of the many processes that

comprise the system.

5.6.2: Management review input

The auditor will expect to see documented evidence that the (7) required inputs are discussed

during the review. Although a documented procedure for management review is not required,

records of such reviews are required (see the standard - 5.6.1 General). The minimum (7) inputs

are required in those records (see the standard 5.6.2 a – g). Evidence of cross functional input is

also expected, which means one person alone could do the review, but there would need to be

evidence of multifunctional input in the evaluation of the system and its status and actions

concluded by the Top Management.

For clarification purposes, 5.6.2a inputs are “results of audits” this includes Management to review

even the opportunities for improvement, not just nonconformities.

Furthermore, any business that conducts daily, weekly, monthly, etc. business meetings should

look at these meetings to see if they cover some of the management review items, typically, most

companies have these business meetings and meet most of the intent of management review

however, records are required.

5.6.3: Management review output

Output should focus on decisions and actions related to system improvement (5.6.3 a), product

improvement for customer requirements (5.6.3 b), and resource needs (5.6.3 c). Auditors expect to

see that some documented conclusions have been developed. The output record must include

Deleted: ¶



of 42


evidence of action and progress for system improvement, customer requirements, resource needs

as it all relates to system health. It is important to note that a documented procedure may or may

not exist. It should also be noted that formal meetings for review may or may not happen and still

be compliant - such as in the case of being accomplished in stages; on going process review; or by

circulated documentation covering the system incrementally. There is no requirement for Top

Management to sit in a formal meeting; methods to suffice management review may be in the form

of i.e. emails, circulated agenda and topics with decisions by Top Management, escalation process,

etc.

Element 6: Resource Management

6.1: Provision of Resources

The intent of this section is to ensure that adequate resources are provided to continually improve

the effectiveness of the quality management system (6.1 a) and to enhance customer satisfaction

by meeting customer requirements (6.1 b). Auditor would expect to see a process for evaluating

and determining resource needs. This may be through management review, production planning,

budget review, long range planning etc.

The auditor should determine that process activities are not prevented by a lack of resources.

Auditors may review instances where customer requirements were not met and determine if a lack,

or insufficiency, of any resources was causation factors of these instances. This requirement also

ties to paragraphs 5.1 and 5.6.3, which address management’s responsibility to determine and

provide necessary resources. Additionally, any clear evidence of resource problems links directly

to this section.

6.2: Human Resources

6.2.1: General

The standard requires that personnel be “competent”. This could be demonstrated by a person

being “qualified” however, “competence” is performance based, for example, a company could

test an employee and they pass the test however, they may still not be able to perform the required

job duties and meet the desired outputs or objectives. Competence may be based on appropriate

education, training, skills, experience, and/or demonstrated performance.

6.2.2: Competence, awareness and training

The intent of this section is to ensure that suitably competent people are performing the activities

as defined in the quality system. Evidence of the effectiveness of the training or other means of

providing competent employees must be available. Employees must be aware of the impact that

they have on the overall quality system. The auditor would expect employees to be able to

verbalize how their job activities contribute to the achievement of the quality objectives.



of 42


6.2.2 a) Determine the necessary competence - The requirement is in emphasis toward validating

training and other activities aimed at ensuring employee competence. Identification of competency

is essentially a precursor to identification of training needs. The organization should determine

knowledge and/or skills an employee would need to be considered competent, in their opinion, to

perform a particular job. The company could then determine if the employee performing the job

possesses that knowledge or skill and, if not, consider it a training need. Changes in the business

and its environment may necessitate new competencies, which may not be available. Therefore the

identification of competencies may need to be revisited. There is no requirement for any particular

frequency of such re-review. Competency may be defined in a job description, position profile, or

by any other method or associated documents such as specific instructions or procedures. Usually

competency is determined during performance reviews, if the organization does not perform

reviews of this nature, other methods for determining personnel competence would need to be

defined and records verified.

6.2.2 b) Where applicable Provide training or take other actions - The requirement allows for

options other than training to obtain competent personnel. Training includes all those activities

where a learning opportunity needs to be satisfied. It may take a number of forms:

�� Classroom style, tutor led training;

�� Hands on experience training;

�� Shadowing

�� Individual or group coaching;

�� Mentoring;

�� Briefings;

�� Distance learning;

�� Technology based training (CD ROMS, web based etc);

�� Workshops.

Organizations will choose whichever form best suits their needs at any particular moment. Other

actions to bridge competence gaps might include:

�� Recruitment;

�� Outsourcing;

�� Acquisitions;

�� Use of experts and/or consultants.

�� Documented procedures or work instructions

All such means are acceptable as long as an organization has ensured the availability of the

competencies needed.

6.2.2 c) Evaluate the effectiveness of the actions taken - The requirement is aimed at ensuring

that the training or other activity has produced the desired result, this requirement is aimed at the

method of training, not necessarily the aptitude of the employee. This requirement could be met

in a variety of ways, including, but are not limited to:



of 42


�� Observation of personnel performing their duties;

�� Written or oral exams;

�� Assessment of employee in achieving learning objectives during the course of the

training program;

�� Audit of performance at work focusing, for example, on:

�� Productivity;

�� Reduction of rejects;

�� Efficiency;

�� Interviews with the persons;

�� Annual appraisal.

�� Performance reviews;

�� Discussions;

�� Evaluation of performance, quality or other indicators;

�� Cost reviews;

�� Customer satisfaction assessment (see 8.2.1).

6.2.2 d) Ensure that its personnel are aware of the relevance and importance of their activities

(perhaps by internal communication – see 5.5.3) and how they contribute to the achievement of the

quality objectives - The requirement could be met in a variety of ways. Options include:

�� Training;

�� Memos, and/or meetings regarding the impact of various individual or departmental goals

on quality objectives;

�� Plant tours or briefings where an individual’s work and goals are shown as an integral part

of the larger processes;

�� Cross functional teams working towards quality objectives and reporting their progress to

their departments.

Any activity that allows individuals to understand how their efforts affect quality objectives may

satisfy this requirement. All personnel need to know the specific measurable objective(s) for the

process that they work in; they should also know what organizational objective their process

effects. They should be able to demonstrate that they know what the actual measurable is, their

progress towards that goal, what the plan is to achieve the goal. If they do not know the actual

numbers, they should be able to communicate the topics of the measurable and know where the

actual measurements are maintained or posted.

6.2.2 e) Maintain appropriate records - The requirement expands record keeping requirements to

include education, skills and experience, in addition to training, where appropriate. There are a

great variety of ways to record and provide evidence of training, education, skills and experience.

Records may include:

�� Diplomas;

�� Certificates;

�� Training log;

�� Annotations in shift logs;



of 42


�� Toolbox meeting notes;

�� Attendance lists;

�� Resumes;

�� Employment history;

�� Test results.

Such records may be filed in any location as long as the requirements of 4.2.4 are observed.

There is no requirement for a record of the “evaluation of effectiveness of training” however, an

Auditor would expect to see evidence that the effectiveness of training was evaluated.

6.3: Infrastructure

It is the organization’s management who determines the adequacy of the infrastructure provided by

the organization. Auditors will seek objective evidence to demonstrate that the necessary

infrastructure exists for the quality management system to be effectively implemented, for

improvement of its effectiveness, and for fulfillment of customer requirements. Auditor would

expect to see a process in place for maintenance of the building(s), equipment and any other

supporting services. This is generally the responsibility of the maintenance and IT departments.

The 2008 revision has expanded infrastructure to include information systems, which may be

considered a support process. Due to the ever changing electronic capabilities, IT may be

considered a high risk process and failure in this process i.e. server crash, servers down, etc. may

result in a loss of data and potentially directly affect the customer. Many companies rely on their

electronic systems to perform many of the companies’ activities. Organizations may look beyond

the nightly back-up controls and implement ‘real time” back-ups furthermore, it would be

appropriate for organizations to verify the integrity of the backed up data i.e. disaster recovery,

recall of data previously backed up, etc.

6.4: Work Environment

The organization must identify and manage all those factors of the work environment that are

needed to supply a conforming product. These factors may include among others:

Human Factors

�� Creative work methods;

�� Opportunities for greater involvement of personnel;

�� Safety rules and guidance;

�� Ergonomics;

�� Special facilities for people.

Physical Factors

�� Heat;

�� Noise;

�� Light;

�� Hygiene;

�� Humidity;



of 42


�� Cleanliness;

�� Vibration;

�� Pollution;

�� Airflow.

Different types of businesses and industry sectors may vary dramatically with regard to an

acceptable work environment, so it is the organization’s management who determines the

adequacy of the work environment provided by the organization.

For instance;

�� A training provider may need to ensure the training area is adequately lighted and

�� Some manufacturing facilities may require “clean rooms” or humidity-controlled areas.

�� Companies handling items easily damaged by electrostatic discharge may require special

flooring or equipment, and chemical storage areas may require special protective barriers.

As an additional example, an employee might perform a particular function that requires repetitive

wrist movements (i.e., tightening a screw). As the day wears on, it is possible that the overuse of

the wrist could result in poor torque of screws resulting in a possible quality defect. The company

should identify such a situation and provide a means of eliminating the potential defect (i.e., air-

driven screwdrivers). Evidence could consist of records of decreased quality defects and/or

medical problems related to that activity.

Element 7: Product Realization

Exclusions/non-applicability can be claimed within element 7 only. “Exclusion” should only

be taken for clause 7.3 Design and Development and must be fully justified in the quality

manual. Other sections within element 7 may be claimed as “not applicable” or “not

applicable at this time” for example 7.6 calibration, 7.5.2 validation of processes, 7.4 purchasing,

etc. Furthermore, if product design is not excluded, no other portions of design can be excluded i.e.

all design requirements apply or none, relative to the scope of certification. There may be cases

where the company conducts portions of design for the customer, in these cases please consult

your registrar for clarity and amount of design activities, this may be considered a “service” not

product design however, this example would still be considered an out-sourced process, see 4.1

note 3 b; b) the degree to which the control for the process is shared,

7.1: Planning of product realization

An organization needs to plan in advance for how they will manufacture their product or deliver

their service. The plans need to take into account the product requirements and any quality

objectives (7.1 a) that might be appropriate, resources and documents that may be necessary (7.1

b), what type of monitoring and/or inspection activities should be put in place to ensure the

product or service will meet the requirements (7.1 c), and what types of records should be kept (7.1

Deleted: ¶



of 42


d). While the sub-clause does not state that the output of this planning must be documented, it does

state that it must be in a form suitable for the organization’s method of operations.

7.2: Customer Related Processes

7.2.1: Determination of requirements related to the product

This clause promotes an up-front determination of all requirements related to the product.

This includes requirements for “servicing” which are now included as “post-delivery activities”,

which implies anything that is provided after the customer has received the product (i.e. repair

and/or warranty work, installation, maintenance, etc.).

Specific to 7.2.1 (a)

Post delivery activities may include among others:

�� Product support

�� Servicing where applicable

Specific to 7.2.1 (b)

Auditors should determine how the organization was proactive in evaluating if there were any

additional requirements for the product or service’s intended use. If the organization determined

there were not any additional requirements this should be evident in associated records, if there

were additional requirements then evidence should be present how they were addressed in the

affected process i.e. design, purchasing, manufacturing.

The analogy that can be used here is a screwdriver, everyone knows the intended use of a

screwdriver, put in and take out screws. However with a screwdriver, there are requirements that

are not stated but are intended for use, such as using a screw driver to open paint cans, could be

used as a chisel, pry bar, magnetization might be an issue, also if used around electricity the handle

should be nonconductive, but none of these requirements might be stated by the customer, but the

manufacturing organization would need to address these non-stated requirements for the

screwdriver’s intended use.

Specific to 7.2.1 (c)

The organization shall determine applicable Statutory and regulatory requirements related to the

product (i.e., taking these requirements into account when designing a product or service). This

includes ensuring process control (i.e., ensuring that these requirements were met).

Statutory requirements are those that are stipulated by local/national governments that form part of

regional, national and international legislation.



of 42


Regulatory requirements are those imposed by regulatory bodies. In the UK the HSE (Health &

Safety Executive) and in the USA, the EPA (Environmental Protection Agency) are examples of

these. These requirements are not necessarily part of national legislation.

Compliance with regulatory requirements issued by national regulators (i.e. by The Rail Authority)

may be mandatory for those organizations to which they apply if a statutory instrument requires so.

Organizations are required to comply with a number of legal requirements to be allowed to

operate. Management must be aware of the requirements that apply to its products, processes and

activities and should include these requirements as part of the quality management system (ISO

9004:2005 – 5.2.3). Auditor must verify that these requirements are identified.

Auditors have to be aware that as the national legislation may apply to product intended for the

domestic market, in the case of export sales, organizations will be required to consider the

statutory and/or regulatory requirements in the target country that may apply to (a) product(s)

supplied.

Organizations are not required to maintain the lists of applicable statutory and/or regulatory

requirements, current revision of applicable external documents shall be maintained i.e. clause

7.3.2(b) and 4.2.3f. Organizations must ensure that they have adequate access to / or knowledge of

applicable statutory and regulatory requirements.

7.2.2: Review of requirements related to the product

The sub-clause mandates that the organization shall not issue a quotation or accept an order until it

has been reviewed to ensure requirements are defined and the organization has the capability to

meet the defined requirements. It goes on to require that records of the review and any subsequent

actions be maintained. If the customer does not provide their requirements in writing (i.e.,

telephone call), the requirements must be confirmed before they are accepted. If the requirements

are changed, all documents must be amended and relevant persons must be notified. A note is

included that covers situations such as internet sales where a formal review of each order is

impractical, stating, instead, that the review could cover the product information provided in

catalogs and advertising material.

The 2008 revision has expanded the definition of “ product”:

a) product intended for, or required by, a customer,

b) any intended output resulting from the product realization processes.

To clarify this changed text (b); this may include product for internal customers within the same

premises, the outputs of a product realization process form inputs to other processes i.e. internal

customer and internal supplier. In addition, customers may be other sister sites or corporate sites

7.2.3: Customer communication

The organization must establish effective arrangements for providing the customer with product

information (i.e., catalogs or advertising that adequately describe the product or service), means of



of 42


handling inquiries and orders, and a method for handling customer comments (both compliments

and complaints).

There is no potential for excluding section 7.2, as every organization has external customers.

Where an organization with a stand-alone QMS is part of a larger group or corporation, and is

taking orders solely from a central Group or Corporate Sales Organization outside its certified

scope and delivering them to a central Group or Corporate Distributor outside its certified scope,

then the Sales and Distribution organizations are technically external customers, invoking 7.2

routines.

7.3: Design and development

This clause addresses product/service development as well as (conceptual) design, so organizations

involved in product/service development will have to comply with all of section 7.3 of ISO

9001:2008.

Many companies perform some enhancements or minor reconfiguration of mature designs, and are

able to use the guidance of ISO 9004:2005 in order to address some or all of section 7.3 of ISO

9001:2008.

Some organizations subcontract design and have managed this via sections 4.1 and 7.4 of ISO

9001:2008. Such organizations may have to introduce a comprehensive design system or process,

however may have to address design and development as it is applicable to the organization. They

may have to address some or all sections of 7.3 to the extent that they apply furthermore, if the

organization is design responsible and outsourcers all of design, all records (5) of design shall be

maintained by the company that is design responsible.

Document: ISO/TC 176/SC 2/N 524R3 ISO 9000 Introduction and Support Package:

Guidance on ISO 9001:2008 clause 1.2 'Application' provides excellent guidance and examples on

this topic (http://www.bsi.org.uk/iso-tc176-sc2).

7.3.1 Design and development planning

Although the standard does not require a documented procedure, the design process needs to

demonstrate how the process is controlled and planned. The organization, however, will need to

provide some type of objective evidence as to what the planning activities include. This can be

accomplished with the use of time-lines, Gantt charts or any other planning method such as

Microsoft project manager. In addition the auditor should see objective evidence of how the

interfaces between other processes are managed, either through statements in associated

procedures, process mapping, matrix approach or in the time line planning.

7.3.2 Design and development inputs

The auditor will need to review evidence that the inputs (7.3.2 a – d) have been addressed based on

the nature of the product being produced, that they have been reviewed for adequacy and that



of 42


records are maintained of the activity. An organization may include Design personnel in the

contract review stage; these records may suffice the review of design input requirements.

7.3.3 Design and development outputs

The auditor should expect to see objective evidence that the outputs (7.3.3 a – d) have been

verified against the design inputs. This can be accomplished by reviewing documents, plans, etc.

interfacing with the customer or internal processes and by comparison with past proven designs.

Outputs may also include product preservation methods, identification, packaging, service

requirements, etc. as appropriate.

7.3.4 Design and development reviews

Reviews shall be conducted in accordance to the time line or plan established at the beginning of

the design activity. Reviews shall show evidence that all activities required in each phase of the

design have been addressed or adjustments made. Records should show who attended the reviews

and that all concerned parties were present and that all actions were satisfied before proceeding

forward with the design process. The intent of design reviews with “representatives of functions

concerned” is that other parties in the organization “interact” with Design i.e. purchasing, quality,

manufacturing (design hand off), etc.

7.3.5 Design and development verification

The 2008 revision added a note:

NOTE Design and development review, verification and validation have distinct purposes. They

can be conducted and recorded separately or in any combination, as suitable for the product and

the organization.

Design verification basically means that the product can be produced as designed and that output

meets the intended inputs. Additionally it should show that the organization has the capability to

produce the product with existing equipment and has the personnel competencies or has the ability

to train or subcontract the required capabilities.

7.3.6 Design and development validation

Validation has to ensure capability of meeting “intended use where known” as well as specified

requirements, and has been completed prior to delivery and implementation wherever practicable

(typically as a prototype or first article). In most organizations they can’t rely on the customer to

perform the validation, the lack of a negative response from the customer does not meet the intent

of this clause. The organization shall have records that the product designed will meet defined user

needs prior to delivery of the product to the customer, as appropriate. Methods of validation could

include simulation techniques, proto-type build and evaluation, comparison to similar proven

designs, beta testing, field evaluations, etc. Irrespective of the methods used, the validation activity

should be planned, executed with records maintained as defined in the planning activity in 7.3.1.



of 42


7.3.7 Design and development changes

Design and development changes (after the original verification and validation) have to be

“verified and validated as appropriate” (as well as reviewed) and to “include evaluation of the

effect of changes on constituent parts and products already delivered”. If the organization chooses

not to perform re-verification and re-validation on every design change, then the auditor should

expect to see some very well defined criteria as to when the activity needs to occur. This includes

any changes that do not affect fit, form or function.

7.4: Purchasing

7.4.1 Purchasing Process

It would be extremely uncommon for purchasing to be excluded from the quality management

system (i.e., perhaps applying to such situations as small consultancies using no subcontractors,

and using proprietary office materials and equipment that do not directly impact on product or

service performance, or work conducted for the government/contractors – but not to many other

situations).

Where procurement is centrally controlled by a corporate procurement organization outside the

scope of the QMS of the auditee organization, this is not justification for exclusion of 7.4 in its

entirety. The audited organization is certainly responsible for providing purchasing information

(7.4.2) to the corporate procurement organization, and for verification of purchased product (7.4.3)

– and perhaps participating in the re-evaluation process. In the event that a corporate office or

other entity, outside the scope of registration, performs any sections of purchasing this shall be

considered an outsourced process per requirements identified in section 4.1. Bureau Veritas

Certification auditors would expect to see a documented agreement in place (i.e. an Interface

Agreement) between the organization and the supplier.

Auditor will expect to see a process is in place for evaluating and selecting suppliers as well as a

process for ongoing re-evaluation of suppliers. While a written procedure for purchasing is not

required, records of evaluation and actions arising from the evaluation are required to be

maintained. “re-evaluation” may be considered on-going monitoring of performance however,

suppliers that have new products requested by the company, may require a new evaluation.

7.4.2 Purchasing Information

Purchasing information may take many forms however is generally a purchase order or requisition.

The auditor will expect to see that the information clearly describes the product to be purchased as

well as any other requirements, including as appropriate:

7.4.2 a) the approval of products, procedures, processes and equipment.

7.4.2 b) the qualification requirements of personnel.



of 42


7.4.2 c) the QMS requirements. I.e. ISO 9001 certified, ISO 17025 certified or other specific QMS

requirements including statutory and regulatory, as appropriate.

7.4.3 Verification of Purchased Product

Auditor will expect to see a process is in place to verify that purchased product meets

requirements. This may take many forms depending on the product. Auditor will verify that these

requirements are known and being accomplished. This may include receiving inspection and

testing, visual inspection, receipt of certificates of conformance etc. In the event verification will

take place at the suppliers premises the method for doing so must be stated in the purchasing

information. Based on supplier performance, receiving verification may be limited to the review of

quantity, part numbers and visual for freight damage, as appropriate.

7.5 Production and Service Provision

7.5.1: Control of product and service provision

There is the possibility of defining sub-clauses 7.5.1 b) work instructions, 7.5.1 c) the use of

suitable equipment, and 7.5.1 f) post delivery activities as not applicable to the scope of their

quality management system. The non-applicability of these items must be justified in the quality

manual (4.2.2 a) and must not “affect the organization’s ability, or responsibility to provide

product that meets customer and applicable statutory and regulatory requirements” (1.2).

The auditor will expect to see that production activity is well defined and understood. This is

generally ascertained through interviews with employees on the production floor, review of

documentation and observations. The auditor will verify the following at a minimum:

7.5.1 a) the information describing the characteristic of the product. This may be in the form of a

work order, travelers, schedule, quality plan, etc.

7.5.1 b) the availability of work instructions or procedures as applicable. These may be in any

format (electronic or paper); instructions may simply be included on the work order or travelers.

Instructions do not have to be documented and could simply be provided through training, one

may think that an Engineering drawing is a work instruction for production; it is also a record of

design. The auditor will review Control of Documents, 4.2.3 as applicable.

7.5.1 c) the use of suitable equipment. The auditor will expect to see evidence that equipment is

suitable for the process and that it is maintained. The auditor will investigate how equipment is

maintained and how malfunctions are handled. This may be in conjunction with Infrastructure

6.3.

7.5.1 d - e) the availability of suitable monitoring and measuring equipment and the

implementation of monitoring and measurement. Measuring and monitoring may require record

keeping i.e. operator log sheets, inspection sheets, routers or other documentation. Documentation

will be reviewed as applicable per Control of Records 4.2.4.



of 42


7.5.1 f) the release, delivery and post delivery activities. Whether in process or final the auditor

will expect to see that release, delivery and post delivery activities are defined. This may include

release to the next process or for shipment to customers.

7.5.2: Validation of processes for production and service provision

This clause applies exclusively to “special processes” – and not to all the processes of the quality

management system in general.

This clause may be considered within the quality management system as not applicable. Any

organization that does not have any “special processes” can clearly note this clause as not

applicable.

Where “special processes” have been identified, Bureau Veritas Certification auditors will expect

to see that 7.5.2 a- e have been arranged as appropriate, which includes ensuring that:

7.5.2 a) the organization establishes arrangements to ensure that these processes are reviewed and

approved.

7.5.2 b) the equipment used and the personnel involved are qualified.

7.5.2 c) specific methods and procedures are used (may require documentation).

7.5.2 d) records are maintained.

7.5.2 e) re-validation is performed for those instances where, for example, a deficiency is found.

As an example, it may be determined that an individual is actually not qualified to perform a

particular “special process”. Training may be provided to improve the individual’s skills,

following which the individual’s qualifications should be re-validated to ensure they are capable of

providing the planned results.

7.5.3: Identification and traceability

Organizations cannot completely exclude 7.5.3. Despite the phrase “where appropriate”, no

organization can wholly claim non-applicability for “identification”. However, traceability can be

identified as not applicable where it is not a requirement of the customer, the product regulatory

requirements, or of the organization itself. This has been expanded to include configuration

management as meeting traceability, as appropriate.

The auditor will expect to see that product is identified (as appropriate) and its status with regards

to monitoring and measuring (conforming or not) is identified throughout the product realization

processes. Where traceability is a requirement, the auditor will expect to see that the organization

is controlling and recording the unique identification of the product. This documentation is a

required record per Control of Records 4.2.4.



of 42


7.5.4: Customer property

The auditor will expect to see that the organization has clearly identified any and all customer

property. The auditor will verify that the organization has established a process to protect customer

property. Further a process must be established for contacting the customer when these items are

lost, damaged or otherwise found unsuitable for the process. This communication to the customer

must be maintained as a Quality Record 4.2.4.

Customer property may include (not limited to):

�� Components supplied for inclusion into the product.

�� Packaging material

�� Transport

�� Intellectual property – drawings, specifications etc.

�� Equipment or tools

�� The 2008 standard expanded this requirement to include personal information i.e. credit

card info, bank data, proprietary, confidential, social securities numbers, etc.

7.5.5: Preservation of product

Auditor will expect to see that adequate measures are taken to protect/preserve product during

internal processing and delivery to the intended destination. The preservation process must include

the following: As a note, preservation, packaging and other product specific handling methods

may be an output of the product design process.

�� Identification - this is relative to 7.5.3 – Identification and Traceability however for

preservation of product it is a requirement and not “as applicable”. Auditor will expect to

see that all products are clearly identified.

�� Handling - auditor will verify that suitable handling methods are implemented throughout

the processes. This may include bulk handing using moving equipment or physical contact

where handling may influence product conformity.

�� Packaging - auditor will expect to see that methods have been established for packaging

product to preserve integrity.

�� Storage - auditor will expect to see that product is stored in locations and in a manner to

safe guard product.

�� Protection – auditor will verify that appropriate measures are in place to protect product.

This may vary widely depending on the product.

7.6: Control of monitoring and measuring Equipment



of 42


Companies with no measuring equipment can claim non-applicability for this (as addressed from

paragraph 3 of section 7.6 of the standard onwards).

The clause addresses all measuring equipment that is used for product acceptance, and

reconfirmation of computer software as necessary. The first two paragraphs address monitoring

and measuring equipment and can be applicable to service companies as well as manufacturing

organizations. For example, in a training organization, where consistency of evaluating and

grading trainees (the product) needs to be assured, then calibration may be applicable.

The auditor will expect to see a process is in place to determine required measuring and

monitoring to be accomplished as well as the equipment needed to provide evidence of

conformity. Many facilities use calibration software including a calibration master list of all

equipment. While this is not required, all equipment requiring calibration must be identified and

shall:

7.6 a) be calibrated or verified at specific intervals or prior to use. equipment must be calibrated

using measurement standards traceable to international or national measurement standards. Where

there is no standard available for the device the basis for calibration or verification must be

recorded. Auditor expects to see that traceable standards are used and where applicable have not

expired. Where calibration is completed by an outsourced process i.e. vendor, the records of

traceability must be reviewed.

7.6 b) Adjusted or readjusted as necessary. Auditor will expect to see evidence that equipment

found to be out of calibration are adjusted/re-adjusted by qualified personnel and the validity of the

previous measuring results are accessed when equipment is found to be out of calibration and

appropriate action is taken (may include recall of product). Auditor will expect to see that a

process is in place to provide traceability of each piece of equipment to the process/product that

the equipment was used on. The results of calibration and verification are required to be

maintained as quality records.

7.6 c) be identified to show calibration status. Auditor will expect to see that each piece of

equipment is identified in such a way that the user can determine that the device has current

calibration, this may be accomplished by the equipment unique serial number traceable to the

calibration record however, the calibration status label is a good practice. Other methods may be

used however must clearly identify the calibration status. Where the environment is not conducive

to the use of stickers, status may identified by color-coding, identification number with associated

calibration record, and/or calibrated prior to every use.

7.6 d) Safeguarded from adjustments. Auditor would expect to see that a process is in place to

ensure that users outside the calibration process do not adjust equipment. Equipment may be

verified prior to use however any adjustments made to equipment must meet all requirements of

this section. Methods to safeguard may include; locking materials for setscrews, tamper-proof

seals, limited entrance to calibration areas, and other methods.



of 42


7.6 e) be protected from damage during handling, maintenance and storage. Auditor will expect to

see that measuring equipment are handled and stored in a manner to protect the equipment from

damage.

Clause 8: Measurement, Analysis and Improvement

8.1: General

The means (i.e. ‘processes’) and resources for accomplishing the three (3) requirements must be

planned for and implemented. The processes must address four (4) different, but related, aspects:

1) Monitoring (i.e. examination, information and data collection, and reporting) at the process

level.

2) Measurement (i.e. determination and comparison of ‘performance indicators’ against ‘actuals’

against ‘knowns’, or against expectations and requirements – i.e. inspections, tests, product and

process audits, systems audits, SPC, etc.) at the local level.

3) Analysis (review of data, evaluation of results and variances, causation analysis, application of

statistical techniques, etc.) at the process and local levels.

4) Improvement (i.e. corrective and/or preventive action, refinement, enhancement, etc.) This

would include changing the goals and objectives to a higher level.

The various techniques, methodologies, resources, tools (including statistical techniques), and

applicable procedures need to be determined for these Measurement, Analysis and Improvement

‘processes’. This is not for an organization to state that there is no need to use a statistical

technique, if there is variability in their process or product characteristics, then there is a need for

the use of a statistical technique.

Fulfillment of the requirements in Section 8 is important if the organization is to fully embrace and

effectively apply the principles of the “Process Model” and the “Plan Do Check Act” model. The

word “process” for measurement, monitor, analysis and improvement does not mean that these are

a defined process in the quality manual. The intent is; that there needs to be methods, techniques

and actions related to these topics.

8.2: Monitoring and Measurement

8.2.1: Customer Satisfaction

It is recognized / understood that Customer Satisfaction is:

�� A viable, effective (albeit partial) measurement of the performance (merits, benefits,

adequacy, suitability, effectiveness, etc.) of the quality system.

�� An objective, goal, expectation of the quality system.



of 42


ISO 9000:2005, 3.3.5 defines the “Customer as the organization or person that receives a

product.” The examples stated are; “consumer, client, end-user, retailer, beneficiary and

purchaser”. It is intended that the customer satisfaction measurements be focused on external

customer but in addition can include internal customers. Internal customer satisfaction measures

can be contained in the establishment of the organizations defined internal process measurable

objectives. Measuring only internal customer satisfaction would not meet the intent of this clause

and must include all interested parties where appropriate.

Customer Satisfaction is determined by the organization measuring its customer’s perception as to

whether they have satisfied their customers’ requirements – and may be somewhat subjective or

‘qualitative’ as much as ‘quantitative’. Customer complaints are a common indicator of low

customer satisfaction but their absence does not necessarily imply high customer satisfaction.

Simply capturing customer complaints and product returns will only gauge ‘dissatisfaction’ –

which does not fully meet the intent of the clause and will not satisfy these requirements. The

organizations management should analyze the implications of the absence or existence of customer

complaints.

Process definition is needed. The various techniques, methodologies, tools, resources, etc. (forms,

surveys, frequency, targeted customers, responsibilities, external survey service companies,

benchmarking, etc.) and applicable procedures need to be determined for:

1) Obtaining customer satisfaction information (i.e. identifying, collecting, monitoring and

reporting various data/information)

2) Using customer satisfaction information (analyzing, understanding and responding to – i.e.

making changes, corrections, enhancements and improvements to the

products/services/quality system)

NOTE (added for 2008 revision)

Monitoring customer perception can include obtaining input from sources such as customer

satisfaction surveys, customer data on delivered product quality, user opinion surveys, lost

business analysis, compliments, warranty claims and dealer reports.

Regarding these methods, organizations are required to analyze all data pertaining to the

customer’s perception and determine a measurement of effectiveness for satisfaction.

The requirements in 8.2.1 interrelate closely with those in sub-clauses:

�� 5.2 Customer Focus (…. with aim of enhancing customer satisfaction.)

�� 8.4 a) Analysis of Data – customer satisfaction

�� 8.5.1 Continual Improvement (via analysis of data)

�� 5.6.2 b) Management Review Input – customer feedback

�� 7.2.3 Customer Communication – customer feedback & complaints

8.2.2: Internal Audit



of 42


IMPORTANT INITIAL CERTIFICATION REQUIREMENT: For a new/first time

registration/certification, a full round of internal audits, including documented evidence that all

processes and sections of the standard have been audited, must be completed “prior to” the

registration/certification audit being conducted. For multi-site/corporate certifications all processes

performed at each site must be included in the initial round of internal audits. It is an expectation

that internal audit planning and the evaluation of the internal audit results across all sites will be

performed by the headquarters location (i.e. centrally managed). The results of this evaluation are

to be presented during the management review process (see 5.6). The organization shall have

documented conclusions based on the outcomes of all process, product and system audits in terms

of the effectiveness of the QMS based on audit results. This may be in a stand-alone document

(e.g. Annual Audit Report) or be a part of the management review records. The conclusions should

be based on the audit team leader’s conclusions along with the audit team.

Auditor will expect to see a documented procedure developed that defines responsibilities and

requirements for planning and conducting audits, reporting results and maintaining records (see

4.2.4). The Auditor must make a determination if the internal audit process is effective in

maintaining the integrity of the quality management system. A statement indicating the level of

effectiveness must be included in the summary section of the Bureau Veritas Certification audit

report. In the event the auditor cannot state that the audit process is effective, a nonconformance

should be raised.

Internal audits shall be planned based on the status and importance of the processes executed, in

other words more emphasis (time audited) on those processes that have a direct or significant

impact on the achievement of the organizational goals. In addition, previous audit results must be

considered in the scheduling of future internal audits. Auditor will expect to see a schedule (plan)

that has been developed considering the status and importance of the processes, previous audit

results, and selection/assignment of auditors to ensure objectivity/impartiality (auditors can not

audit their own work). Bureau Veritas Certification expects the internal audit process and internal

audit schedules will reflect the process approach. If the organization only has an audit schedule

based on the clauses of the standard, then this will not be considered acceptable, would not be

reflective of the process approach, not based on the status and importance of the processes or

reflect previous audit results. In all likelihood this will result in a nonconformance to the standard

against 8.2.2.

Furthermore, “status” includes the performance of the processes based on achievement of goals

and objectives, problems in the process, complaints and excessive variation in a process, etc.

“Importance” is based on the activities that have the most impact to the customer,

regulatory/statutory requirements, legal, process that affects the product directly i.e. one may say

that product design and sales is more important than IT or receiving inspection, it would be logical

to assess sales and product design more often than IT, as appropriate.

The auditor must see evidence that the audits include the requirements of ISO 9001:2008 as well

as the requirements established by the organization. Nonconformances raised during the audit must

be addressed without undue delay by the management of the area/process being audited. The



of 42


auditor will expect to see that a process is in place to ensure that actions taken are implemented to

eliminate the nonconformance and the cause. A process must be in place for follow up to ensure

that the action(s) taken were effective. The results must be recorded. Auditors would expect to see

that nonconformances follow the requirements of 8.5.2. However, there is no requirement to have

one corrective action system and therefore it is acceptable to have a separate process for audit

nonconformances as long as requirements for corrective actions 8.5.2 are being met.

Requirements of 8.2.2 interrelate closely with those in sub-clauses:

�� 5.6.2 a) Management Review Input – results of audits

�� 8.5.1 Continual Improvement (via use of audit results)

�� 8.5.2 Corrective Action (to eliminate deficiencies found in the audit)

�� 8.5.3 Preventive Action (resulting from audit, analysis and observations)

8.2.3: Monitoring and Measurement of Processes

Applicable processes need to be identified in the Quality Manual, along with a description of the

interaction between those processes. The applicable processes might include those relating to four

general categories: 1) Management Activities, 2) Resource Management, 3) Product Realization,

and 4) Measurement and Monitoring, but most companies will prefer to focus on their own

particular COPS, MOPS, and SOPS.

Fulfillment of the requirements in this sub-clause is important if the organization is to fully

embrace and effectively apply the principles of the “Process Model”, the “Plan Do Check Act”

model.

The requirements of 8.2.3 interrelate closely with those in sub-clauses:

�� 4.2.2 c) Quality Manual (include a description of interaction between processes)

�� 5.4.1 quality objectives (at relevant functions and levels i.e. processes)

�� 5.6.2 a) Management Review Input (process performance)

�� 8.5.1 Continual Improvement (via analysis of data)

�� 4.1 e & f) General Requirements – (to implement, measure, monitor, Analyze and

continually improve the processes).

The organization should identify monitoring, and, where appropriate, measurement methods to

evaluate process performance. The organization should incorporate these measurements into

processes and use the measurements in process management. Measurements of process

performance should cover the needs and expectations of interested parties in a balanced manner.

Examples (from ISO 9004:2000) might include:

�� Process capability

�� Reaction time

�� Cycle time or throughput

�� Measurable aspects of dependability



of 42


�� Yield

�� The effectiveness and efficiency of the organization’s people

�� Utilization of technologies

�� Waste reduction

�� Cost allocation and reduction

The intent of this sub-clause is to monitor/measure processes with the quality objectives stated in

5.4.1.

8.2.4: Monitoring and Measurement of Product

The organization must show evidence that a process (method, techniques, formats, etc) is in place

to monitor and measure the characteristics of product to verify that requirements are being met.

This must be accomplished at appropriate stages of the product realization process and must be

defined as required per Planning of Product Realization 7.1. Auditor will verify that records are

maintained to provide evidence of conformity and indicate the person(s) authorizing the release of

products. The release of product or delivery of service must not be completed until the planned

requirements (7.1) have been met. “Release” of product may include, according to product

planning and the verification stages, release to the next operation, release to an internal customer,

release to final customer, etc.

For product release or service delivery, the planning requirements may be waived, but must be

approved by relevant authority and by the customer as appropriate.

8.3: Control of Nonconforming Product

The Auditor will verify that a documented procedure has been developed to define the controls,

responsibilities and authorities for dealing with nonconforming product. Product that does not

meet requirements must be identified and controlled. The auditor will expect to see that

nonconforming product is clearly labeled and segregated to prevent unintended use.

“Labeling” may include; marked areas where NC product is stored/segregated, a shop router that

has annotations regarding NC product, red tags, an electronic system that puts product on hold or

other status to assure the product is not used, and other methods that meet this intent.

It is important to note that requirements may extend beyond delivery of product, and/or to the

point or time of use (i.e. during shipment/transit, until received and accepted at the customer, while

on consignment at customer’s facility, etc.) This also suggests that the organization may be

responsible to “take action”, even after use of the product has begun i.e. recall of product.

Appropriate objective evidence (quality records) must be maintained.

Requirements of 8.3 interrelate with those in sub-clauses:

�� 8.2.1 Customer Satisfaction (possible impact upon)

�� 8.4 b) Analysis of Data (information relating conformance to product requirements)



of 42


�� 8.5.2 Corrective Action (take action to eliminate cause of nonconformities and the

action shall be appropriate to the effects)

There are only four possibilities auditors should see as dispositions of nonconforming product, 1-

scrap, 2- rework or repair, 3- re-grading of the product, or 4 – use with the concession of the

customer or relevant authority i.e. Engineering (if Design responsible, form, fit and function),

regulatory body, etc. and records maintained. Obviously reworked or repaired product requires

subsequent verification prior to release.

8.4: Analysis of Data

The Auditor will expect to see that the organization has developed a process (method, techniques,

format, etc.) to identify, collect and analyze various data and information from both internal and

external sources (i.e. quality records, monitoring and measuring results, process performance

results, quality objectives, internal audit findings, customer surveys and feedback, 2nd or 3rd-party

audit results, competitor and benchmarking information, product test results, complaints, supplier

performance information, etc., etc.). This ‘input’ (information and data) should reflect upon the

adequacy, suitability, and effectiveness of the Quality Management System and its processes. The

‘output’ (result of the analysis) must provide information (understanding, insight, awareness,

confidence, knowledge of, etc.) about:

�� Customer Satisfaction / Perception.

�� Product Conformance

�� Process performance

�� Product / Process Characteristics

�� Trends in Products / Processes

�� Opportunities for Preventive Action

�� Suppliers and subcontractors (i.e., all as defined in 8.4 a)-d))

Other potential or useful options might include:

�� Need for Corrective Action

�� Opportunity for Improvement

�� Competition

��

Requirements of 8.4 interrelate with those in sub-clauses:

�� 5.6.2 Management Review Input

�� 8.5.1 Continual Improvement

�� 8.5.2 Corrective Action

�� 8.5.3 Preventive Action

Furthermore, any “record with data” that is established, may be considered for analysis. Records

are evidence of quality system performance and should be analyzed for potential improvements.



of 42


8.5: Improvement

8.5.1: Continual Improvement

Distinction must be made between ‘continual’ and ‘continuous’ improvement. Unlike continuous

improvement (which must be constant, steady and always positive), continual improvement may

show signs of dwells, momentary setbacks, delays or slight reversal, shows process variation –

provided the overall trend is positive/improving.

The auditor will expect to see a process method, techniques, formats, etc. is in place for

establishing and implementing continual improvement. Significant or sustained lack of

improvement must be met with corrective action (i.e. ‘get well plan’) – unless the undesirable

condition is expected/predicted – resulting from a conscious/deliberate decision by management

(i.e. willingness to accept a temporary setback in productivity while new equipment/ processes are

introduced.)

Drivers, or impetus for continual improvement must come from the use of (as a minimum):

�� The quality policy

�� Quality objectives

�� Audit results

�� Analysis of data

�� Corrective actions

�� Preventive actions

�� Management review

Requirements of 8.5.1 interrelate with those in clauses / sub-clauses:

� 5.4.1 Quality Objectives

� 5.4.2 Quality system planning

�� 5.6.2 g) Management Review Input (recommendations for improvement)

�� 5.6.3 a - b) Management Review Output (improvement of system, processes and product)

�� 8.4 Analysis of Data

�� 8.5.2 Corrective Action

�� 8.5.3 Preventive Action

Note: it is the responsibility of the company to demonstrate improvement rather than the auditor to

look for it. Accordingly, it is a useful audit practice to ask management to identify any

improvement initiatives taken since the previous visit, and also any planned for the future.

8.5.2: Corrective action

Corrective action is action taken to PREVENT the recurrence of actual problems. When a problem

occurs, organizations invariably take remedial or containment action, or implement



of 42


CORRECTION to contain or fix the immediate problem. Corrective action (as addressed in ISO

9001:2008 8.5.2) is any subsequent action to address the root cause and prevent recurrence.

The auditor will verify that a documented procedure is in place to define the requirements for

corrective action:

8.5.2 a) Reviewing nonconformities – auditor will expect to see a process is in place for

identifying nonconformities (types) and reviewing them to determine if the nonconformity requires

corrective action. The section specifically identifies customer complaints however other sections

such as internal audits, nonconforming product, monitoring and measurement of processes

reference corrective action. Sources from ISO 9004:2000 include:

�� Customer complaints

�� Nonconformity reports

�� Internal audit reports

�� Output from management review

�� Output from data analysis

�� Outputs from satisfaction measurements

�� Relevant quality management system records

�� The organizations people

�� Process measurements

�� Results of self assessment

The 2008 revision added “causes” plural, the intent is the companies may determine several causes

for one issue, if several causes are cited, then actions to each cause must be in place. How the

organization handles and documents the actions are up to the company however, must meet the

intent of the 8.5.2 a-f.

8.5.2 b) Determining causes – auditors will expect to see that a process is in place for determining

root cause. BV has determined that root cause analysis has been a long term issue, many

companies struggle with formal root cause analysis and it is imperative that Auditors (BV) assure

organizations have some type of formal method in place to assure the actual cause has been

determined. Though, ISO 9001 does not require a specific method for root cause, Auditors must

assure that organizations have an effective method to determine root cause. Organizations must

realize the importance of root cause, if the actual cause is not determined, then there is a high

probability that the nonconformance will recur. Methods for root cause may include; 5-whys,

fishbone, FMEA, six sigma, brainstorming, quality circles, reliability analysis, and more. Auditors

must assure that the organization has determined root cause and that the issues are not recurring.

8.5.2 c) Evaluating action needed to prevent recurrence – auditor will expect to see evidence that

action(s) are evaluated and developed to prevent the nonconformance from recurring.

8.5.2 d) Implementing action – evidence that actions are implemented. There is no requirement for

time however auditor will expect to see evidence that actions are taken in a timely manner.



of 42


8.5.2 e) Maintaining records - corrective actions are required to be maintained as quality records

per 4.2.4.

8.5.2 f) Reviewing the effectiveness of the action taken – auditor will expect to see a process in

place for reviewing completed corrective action to ensure that the action taken was effective in

correcting the nonconformity.

Note: The organization may choose to maintain one document for both corrective and preventive

action. While this is acceptable, Bureau Veritas Certification believes that the processes are unique

and should be documented separately.

Note: Organizations are free to use their own terminology (i.e., many define corrective action as

the fix and preventive action as the subsequent cure). There is no problem with this – provided

they are not claiming that this “preventive action” (i.e., after the event) meets the requirements of

8.5.3 (action taken before the event). For example, some corrective action systems use a form and

one portion of the form is “action to prevent recurrence” this is not a preventive action according

to 8.5.3 and does not meet the intent of preventive action.

Note: For multi-site/corporate certifications auditors will expect to see that evaluation of corrective

actions across all sites is being performed and analyzed (A “centralized” location is the BVC

requirement, the appropriate location would be at headquarters/corporate offices where Top

Management reviews the status of all corrective actions, including each site within the scope), this

would be an input to management review (see 5.6.2).

8.5.3: Preventive action

The auditor will verify that a documented procedure is in place to define the requirements for

preventive action:

8.5.3 a) Determining potential nonconformities and their causes - auditor will expect to see

evidence that a process is in place for determining potential nonconformities. This may include

many methods. Sources from ISO 9004:2000 include:

�� Use of risk analysis tools.

�� Review of customer needs and expectation.

�� Market analysis.

�� Management review output.

�� Output from data analysis.

�� Satisfaction measurements.

�� Process Measurements.

�� Lessons learned from past experience.

�� Results of self-assessment.

�� Processes that provide early warning of approaching out-of-control operating conditions.



of 42


8.5.3 b) Evaluating action needed to prevent occurrence – auditor will expect to see evidence that

action(s) are evaluated and develop to prevent the occurrence of potential nonconformances.

8.5.3 c) Implementing action – evidence that actions are implemented. There is no requirement for

time however auditor will expect to see evidence that actions are taken in a timely manner.

8.5.3 d) Maintaining records - preventive actions are required to be maintained as quality records

per 4.2.4.

8.5.3 e) Reviewing action taken – auditor will expect to see a process in place for reviewing

completed preventive action to ensure that the action taken was effective.

Preventive action is action taken to PREVENT the occurrence of potential problems. The

organization might welcome some auditor guidance on terminology. Many companies (especially

small companies with simple systems) are struggling to identify opportunities to satisfy 8.5.3, as

most of the standard is, in fact, focused on prevention. Anything related to evaluation of risk and

related actions, or action to prevent an early dip in a trend graph becoming a problem can be

accepted as objective evidence of compliance – as well as clear up-front preventive initiatives, of

course.

Preventive action systems and continual improvement systems are very similar for example; a

company may identify an improvement initiative and “prevent” the occurrence of something

however, the steps in 8.5.3 must be recorded as evidence.

Reviewed By Authorized By Rev Date Rev # Location Change History

Ralph

McLouth Zach Pivarnik

Prev

8/30/05

Rev

5/9/05

6 BMS

Update name change BVQi to Bureau

Veritas Certification. Changes to

sections: Outsource Processes, 4.2.2 c),

4.2.3 b),

7.6 c) and 8.2

Jeff Rodgers Ralph

McLouth 1/26/10 7 BMS

Updates to the ISO 9001:2008 revision,

updates included throughout this

document are text changes and

examples/guidance statements.