We are Charicon@@Best in Quality@@Customers Focused

A Quality Management System is a set of internal rules that are defined through documented information such as policies, procedures, records, and established processes. It defines an organization’s strategic direction aimed at meeting the defined requirements for products and services provided to customers.

To implement the Quality Management System, an organization needs to be specific on the product or service to be provided. For adequate process control, ISO 9001:2015 (Quality Management System – Requirements) is established to standardize the Quality Management System model.

ISO 9001:2015 is an internationally recognized set of requirements for creating the rules, policies, processes, and procedures to provide products and services that conform to define requirements and improve customer satisfaction.

The Quality Management System standard is provided by the International Organization for Standardization (ISO) to control the Quality Management System of organizations.

Adequate understanding of the requirements of the standard is paramount to its effective implementation.

This book is born out of the desire to establish an easy approach to achieve this.

1. It is a globally recognized system that builds global recognition of an organization.
2. Assurance of consistency in products and service delivery leading to reduced costs and shorter cycle times.
3. Adequate documentation and defined responsibilities resulting in knowledge retention and effective resource utilization.
4. Improved credibility, confidence, and organization’s image resulting in increased marketability and competitiveness.
5. Improvement of customer satisfaction resulting in increased possibility of repeat business.
6. Drive efficiencies towards fewer errors and reworks, which improves cost saving.
7. Improve evidence-based decision making through analysis of data resulting from monitoring and measurements of processes, leading to an improved organizational planning.
8. Ability to monitor the rate of improvements through consistent measurement of processes.
9. It creates a continual improvement culture in the parties interested in the organization.
10. Process monitoring and measurement identifies deficiencies and provides action plans to address them leading to minimized mistakes and fewer return of products.
11. Continual reporting of the Quality Management System to top management makes top management abreast with the direction and effectiveness of the processes which enhances evidence-based decision making.
12. Identification of risks and opportunities, taking actions to address them results in increased market capacity.
13. Elimination of warranty claims through consistent conformity of products to specified requirements.

0.1        TERMS AND DEFINITIONS

0.2        REFERENCES

1.0        INTRODUCTION TO QUALITY MANAGEMENT SYSTEM AND THE STANDARD

     1.1        General

     1.2        The standard – ISO 9001: 2015

     1.3        Verbal forms

2.0        QUALITY MANAGEMENT PRINCIPLES

     2.1        Customer focus

     2.2        Leadership

     2.3        Engagement of people

     2.4        Process approach

     2.5        Improvement

     2.6        Evidence-based decision making

     2.7        Relationship management

3.0        THE APPROACH

     3.1        Process approach

     3.2        Risk-based thinking

     3.3        The PDCA cycle

     3.4        The relationship between the PDCA cycle and the clauses

4.0        CONTEXT OF THE ORGANIZATION

     4.1        Understanding the organization and its context

     4.2        Understanding the needs and expectations of interested parties

     4.3        Scope of organization’s Quality Management System

     4.4        Quality management system and its processes

5.0        LEADERSHIP

     5.1        Leadership and commitment

     5.2        Customer focus

     5.3        The Quality Policy

     5.4        Roles, responsibilities and authorities

6.0        PLANNING

     6.1        Actions to address risks and opportunities

     6.2        Quality objectives

     6.3        Planning of changes

7.0        SUPPORT

     7.1        Resources

     7.2        Competence

     7.3        Awareness

     7.4        Communication

     7.5        Documented information

8.0        OPERATION

     8.1        Operational planning and control

     8.2        Requirements for products and services

     8.3        Design and development of products and services

     8.4        Control of externally provided processes, products and services

     8.5        Production and service provision

     8.6        Release of products and services

     8.7        Control of nonconforming outputs

9.0        PERFORMANCE EVALUATION

     9.1        Monitoring, measurement, analysis and evaluation

     9.2        Internal audit

     9.3        Management review

10.0     IMPROVEMENT

     10.1     Nonconformity and corrective action

     10.2     Continual improvement

Except otherwise stated with ‘*’, the definitions are in accordance with ISO 9000:2015(E).

1. ISO – International Organization for Standardization
2. CQI/IRCA – Chartered Quality Institute/International Register of Certificated Auditors
3. Quality Management System – Quality Management System
4. PDCA – Plan-Do-Check-Act
5. NC – Nonconformity
6. NCR – Nonconformity Report
7. CA – Corrective Action
8. CAR – Corrective Action Request
9. Quality – degree to which a set of inherent characteristics of an object fulfils requirements.
10. Audit – systematic, independent and documented process for obtaining objective evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled.
11. Audit Criteria – set of policies, procedures or requirements used as a reference against which objective evidence is compared.
12. Audit Evidence – records, statements of fact or other information, which are relevant to the audit criteria and verifiable.
13. Audit Finding – results of the evaluation of the collected audit evidence (3.13.8) against audit criteria.
14. Technical expert – person who provides specific knowledge or expertise to the audit team.
15. Observer – person who accompanies the audit team but does not act as an auditor.
16. Complaint – expression of dissatisfaction made to an organization, related to its product or service or the complaints-handling process itself, where a response or resolution is explicitly or implicitly expected.
17. Process – set of interrelated or interacting activities that use inputs to deliver an intended result.
18. Customer – person or organization that could or does receive a product or a service that is intended for or required by this person or organization.
19. Requirement – need or expectation that is stated, generally implied or obligatory.
20. Quality Requirement – requirement related to quality.
21. Statutory Requirement – obligatory requirement specified by a legislative body.
22. Regulatory Requirement – obligatory requirement specified by an authority mandated by a legislative body.
23. Conformity – fulfilment of a requirement.
24. Nonconformity – non-fulfilment of a requirement
25. Outsource – make an arrangement where an external organization (3.2.1) performs part of an organization’s function or process.
26. Procedure – specified way to carry out an activity or a process.
27. Organization – person or group of people that has its own functions with responsibilities, authorities and relationships to achieve its objectives.
28. Top Management – person or group of people who directs and controls an organization at the highest level.
29. Management – coordinated activities to direct and control an organization.
30. Quality Management – management with regard to quality.
31. Quality Assurance – part of quality management focused on providing confidence that quality requirements will be fulfilled.
32. Quality Control – part of quality management focused on fulfilling quality requirements.
33. Quality Improvement – part of quality management focused on increasing the ability to fulfil quality requirements.
34. *Root Cause Analysis – an approach for identifying the underlying causes of an incident so that the most effective solutions can be identified and implemented.
35. Management System – set of interrelated or interacting elements of an organization to establish policies and objectives and processes to achieve those objectives.
36. Quality Management System – part of a management system with regard to quality.
37. Interested Party – person or organization that can affect, be affected by, or perceive itself to be affected by a decision or activity.
38. External Provider (Supplier) – organization that provides a product or a service and is not part of the organization.
39. Continual Improvement – recurring activity to enhance performance.
40. Policy – intentions and direction of an organization as formally expressed by its top management.
41. Quality Policy – policy related to quality.
42. Traceability – ability to trace the history, application or location of an object.
43. Objective – result to be achieved.
44. Quality Objective – objective related to quality.
45. Output – result of a process.
46. *Input – information or data put into a process.
47. Product – output of an organization that can be produced without any transaction taking place between the organization and the customer.
48. Service – output of an organization with at least one activity necessarily performed between the organization and the customer.
49. Performance – measurable result.
50. Risk – effect of uncertainty.
51. Efficiency – relationship between the result achieved and the resources used.
52. Effectiveness – extent to which planned activities are realized and planned results are achieved.
53. Data – facts about an object.
54. Information – meaningful data.
55. Objective Evidence -data supporting the existence or verity of something.
56. Document – information and the medium in which it is contained.
57. Documented Information – information required to be controlled and maintained by an organization and the medium in which it is contained.
58. Specification – document stating requirements.
59. Quality Manual – specification for the Quality Management System of an organization.
60. Record – document stating results achieved or providing evidence of activities performed.
61. Verification – confirmation, through the provision of objective evidence, that specified requirements have been fulfilled.
62. Validation – confirmation, through the provision of objective evidence, that the requirements for a specific intended use or application have been fulfilled.
63. Feedback – opinions, comments and expressions of interest in a product, a service or a complaints-handling process
64. Customer Satisfaction – customer’s perception of the degree to which the customer’s expectations have been fulfilled.
65. Competence – ability to apply knowledge and skills to achieve intended results.
66. Review – determination of the suitability, adequacy or effectiveness of an object to achieve established objectives.
67. Monitoring – determining the status of a system, a process, a product, a service or an activity.
68. Measurement – process to determine a value.
69. Measurement Process – set of operations to determine the value of a quantity.
70. Measurement Equipment – measuring instrument, software, measurement standard, reference material or auxiliary apparatus or combination thereof necessary to realize a measurement process.
71. Corrective Action – action to eliminate the cause of a nonconformity and to prevent recurrence.
72. Correction – action to eliminate a detected nonconformity.
73. Release – permission to proceed to the next stage of a process or the next process.

• ISO 9001: 2015 – Quality Management System Requirements.
• BS EN ISO 9000: 2015 – Quality management systems Fundamentals and vocabulary.
• ISO 19011: 2018-07 – Guidelines for Auditing Management Systems.
• ISO/ IEC 17025: 2017-11 – General Requirements for the Competence of Testing and Calibration Laboratories.
• ISO 31000: 2018-02 – Risk management — Guidelines.
• ISO/IEC 27000: 2018-02 – Information technology — Security techniques — Information security management systems — Overview and vocabulary.

1.1 General

Quality management system is a set of interrelated or interacting elements of an organization to establish policies, objectives and the processes to achieve those objectives with regards to quality. It is a system to direct and control the intentions and direction of an organization.

Quality Management System enables top management to optimize the use of resources, considering the long-term and short-term consequences of their decision. It provides the means for identifying actions to address intended and unintended consequences for the provision of products and services.

1.2 The standard – ISO 9001: 2015

ISO 9001:2015 is a standard that defines the Quality Management System requirements for organizations. It is an umbrella standard, for all other industrial management system standards.

ISO 9001:2015 has ten (10) clauses. Clauses 1 to 3 are not auditable because they contain the table of contents and relevant terms and definition. Clauses 4 to 10 are the auditable clauses of the standard and every organization that claims compliance to the standard must fulfill all the requirements of the standard applicable to them.

1.3 Verbal forms

In the International Standard, the verbal forms below imply:

• “shall” – a requirement to which an organization must comply to.
• “should” – a Suggestion that if implemented can improve the organization’s Quality Management System.
• “may” – The organization is permitted to decide whether or not to apply.
• “can” – It is acceptable if applied.

The Quality Management System standard, ISO 9001:2015 has established seven Quality Management System principles:

• Customer focus.
• Leadership
• Engagement of people.
• Process approach.
• Improvement
• Evidence-based decision making.
• Relationship management.

The aim of the Quality Management System is to meet customer requirements and to focus on exceeding customer expectations. Continual growth is sustained when an organization attracts and sustains the confidence of customers and other interested parties. Understanding current and future needs of customers and other interested parties is key to achieving sustained organizational growth. Hence, an organization should focus on the actions that strive to meet customer requirements.

Top management shall ensure that the relevant people are aware that the objective of the organization is to satisfy customers.

2.1.1 Steps to customer focus

• Identify your organization’s customers and their requirements.
• Identify the risks and opportunities associated with their needs and expectations and define actions to address them.
• Set quality objectives for your organization that focuses on the needs and expectations of your customers.
• Ensure that the people who perform activities that affect the fulfillment of customer needs and expectations are made aware of the importance of their contribution to meeting customers’ requirements.
• Continually monitor, measure and evaluate customer satisfaction and take appropriate actions to address non-fulfillment of requirements.
• Consistently monitor, measure and evaluate the performance of external providers whose activities can affect customers’ satisfaction.
• Establish good communication channels and relationship with customers.

Leadership directs and controls an organization in line with the organization’s strategic direction and engages people to achieve the organization’s set goals and objectives.

This results in efficient utilization of defined strategies, policies, processes and resources to achieve the organization’s objectives.

2.2.1 Steps to ensuring adequate leadership

• Define the strategic direction, policies and objectives of the organization.
• Communicate and ensure adequate understanding of the company’s quality policy and objectives.
• Support all levels of leadership for their roles through defined responsibilities, authorities and provision of resources.
• Engage people with the required education, training, experience, resources and authority for effective performance of relevant responsibilities.
• Encourage people’s performance through motivation and recognition of excellence.

Achieving the organization’s goals and objectives, requires the performance of people. At all levels and functions of the organization, competent people are engaged to enhance the organization’s ability to create and deliver value. The role of these people shall be recognized, they shall be empowered, supported, trusted and provided with the relevant competence to achieve the organization’s objectives.

2.3.1 Steps to ensure the engagement of suitable people

• Ensure that the people engaged are aware of and understand the importance of their individual contribution to the effectiveness of the Quality Management System.
• Delegate authorities and trust people, to enhance the ability to identify and take actions to address potential risk without fear.
• Encourage documentation and sharing of organizational knowledge.
• Encourage teamwork among personnel.
• Encourage people’s performance through motivation and recognition of excellence.
• Appraise people’s performance against planned arrangements and take corrective actions where necessary.

To achieve the conformity of products and services, production process is broken down into stages and their interactions defined. The stages are called processes, each having the capacity to fulfill the relevant requirements of the quality management system. Quality control checkpoints are established between these stages to monitor both the processes and the resulting outputs. Inputs, outputs, methods and criteria are defined for each of these stages.

At every stage, inputs are received, processed into outputs using the defined methods and fed into the next process as inputs, until the final output is realized. Quality control checkpoints are to ensure that outputs from each of the stages conform to requirements before they are fed as inputs into the next stage. This will ensure that the final product conforms to defined requirements.

2.4.1 Steps to ensure the adequacy of established processes

• Establish the processes and define their flow and interaction.
• Define the inputs, outputs, methods and criteria for each process.
• Set quality objectives for the processes.
• Engage competent people and assign the necessary responsibilities and authorities to drive the processes.
• Determine and provide the needed resources.
• Monitor and control the processes to ensure that planned arrangements are being achieved.
• Ensure that the documented information necessary for the conformity of products and services is available at the point use.
• Monitor, measure, analyze and evaluate the overall performance of the processes against defined criteria.
• Identify and take actions to address deviations, risks and opportunities which can affect the conformity of outputs from the processes and performance of the Quality Management System.

External and internal factors upon which the Quality Management System depends are constantly changing. For an organization to retain relevance, it must plan and take actions to address the effect of changes on the Quality Management System for the purpose of suitability, adequacy and effectiveness. A process might also deviate from planned arrangement and action is required to address such deviations. These planned actions are improvement actions for the Quality Management System. An organization must continually take such actions to stay relevant.

2.5.1 Steps for continual improvement

• Establish and drive quality objectives at all levels and functions of the organization and set Key Performance Indicators to monitor the objectives.
• Ensure activities are conducted in compliance with planned quality arrangements.
• Monitor, measure, evaluate, analyze, review and audit the planning, implementation, completion and results of process activities.
• Encourage people’s performance through motivation and recognition of excellence.
• Continually integrate results into the Quality Management System and its processes.

Decision making has both long-term and short-term impact on the ability of an organization to provide conforming products or services to customers. Hence it is important to understand the potential consequences of a decision on the overall performance of the Quality Management System. Decisions based on the analysis and evaluation of data and evident information are more likely to produce desired results.

An organization should base decision making on results and evidence of evaluations and analysis of data obtained from monitoring and measuring the Quality Management System processes.

The information generated by the Quality Management System shall be analyzed and used as the basis for decision making.

2.6.1 Steps to ensuring evidence-based decision making

• Monitor and measure the performance of the Quality Management System and its processes.
• Evaluate and analyze information and data collated using suitable statistical methods.
• Make results of evaluation available to relevant persons.
• Decide on improvement actions based on the results of evaluation results.

Good relationships with relevant interested parties are vital for an organization to succeed. Due to the potential impacts of interested parties on the effectiveness of the Quality Management System, an organization needs to manage relationships effectively and adequately with these interested parties to ensure optimum performance.

2.7.1 Steps to ensure adequate relationship management

• Determine relevant interested parties and define their requirements.
• Establish communications channels by defining who, when, what and where to communicate with the customer.
• Seek, collate and analyze customer feedback to measure performance and satisfaction of customers.
• Take actions to address necessary improvement actions.

The Quality Management System standard promotes the use of process approach when developing, implementing and improving the effectiveness of a quality management system.

The organization is broken into smaller units called the processes and each of the process strive to fulfil the requirements of the standard.

This is to enhance customer satisfaction by meeting customer requirements.

3.1.1 Process approach

The organization as a system is broken down into smaller entities called processes and each process is considered as an entity of its own with the capacity to fulfill the requirements of the Quality Management System as it relates to the process. A process receives inputs, process the inputs to generate outputs which are fed into the next process as inputs. Hence, the system is a colony of processes receiving inputs to generate outputs as inputs for the next process till the final outputs are delivered to the customer.

This improves the implementation of the Plan-Do-Check-Act at the process level, resulting in improved products and services conformity.

Process approach to products and services realization enhances the conformity of products and services as it gives room for quality control checks in-between outputs feeding as inputs into the next process till the outputs are finally delivered to the customer. The ability to trace the root cause of nonconformity, correct and implement a corrective action is enhanced.

The development of a Quality Management System, using the ISO 9001:2015 clauses and the PDCA cycle as a framework, will enable an organization to identify and integrate the processes needed to achieve customer satisfaction. This will improve risk-based thinking to continually monitor the Quality Management System processes, their interactions, risks and opportunities. The number of processes needed to be established for an organization depends on the nature of its activities and complexity.

The management system requirements are divided into four sequential stages: Plan, Do, Check, Act. Each stage is linked to the relevant requirements of ISO 9000:2015 clauses. The organization shall define the process inputs and outputs and shall ensure that each of the processes are in sequence and how they interact clearly defined.

Figure 1: Process approach to the Quality Management System.

Risk-based thinking

3.1.2 Risk is the effect of uncertainty, and any such uncertainty can affect the Quality Management System either positively or negatively. For the purpose of conformity to the requirements of the Quality Management System, an organization needs to plan and implement actions to address risks and opportunities by taking preventive actions to eliminate potential nonconformities, take corrective actions that are appropriate to the effects of the nonconformity to address any nonconformity that occur to prevent recurrence.

To be effective, an organization needs to think ahead to identify the potential nonconformity, identify the potential root-cause and take actions to prevent its occurrence before it happens. This results in greater efficiency and continual improvement of the Quality Management System.

3.2.1 The PDCA cycle

The PDCA cycle refers to the Plan – Do – Check – Act. The PDCA cycle can be applied to individual processes and the organization as a whole. To be able to meet the requirements for products and services, an organization needs to plan the activities of the relevant processes, do the plan, check the output of the doing against initial plan and take improvement actions to address deviations and observed opportunities.

Plan: Define the strategic direction, establish the policies and objectives, establish the processes, define the inputs and outputs requirements of the processes, determine the resources needed to deliver results that will meet the requirements for the products and services, identify and take actions to address potential risks and opportunities.

DO: Take action to provide the determined resources and make them available for use. Engage the resources provided to implement the planned arrangement, taking into consideration the criteria defined for the processes and the final output.

Check: Monitor, measure, analyze and evaluate processes and outputs against planned policies and objectives, planned output requirements and planned arrangement for the processes. The results of this evaluation will reveal areas of deviations and opportunities for improvement which will serve as a platform for improvement actions.

Act: Take appropriate actions to address the deviations and opportunities, to improve performance. Integrate the results of these actions into the Quality Management System by using the lesson learnt and determine improvement actions to plan again.

3.3.1 Relationship of the PDCA cycle to the standard

The Quality Management System standard is developed in line with the PDCA cycle. The figure below shows the relationship of the PDCA cycle with the Quality Management System standard.

Figure 2: Relationship of the PDCA cycle with the Quality Management System standard.

The broken square represents the Quality Management System enclosing the organization which is the big circle. At the middle of the circle is leadership. The leadership authority interacts with every stage of the Quality Management System for support and control.

The customer brings in requirements and together with the internally determined requirements, including statutory and regulatory requirements as inputs, the organization engages in planning of products or services realization process. The results of planning are put to use first by providing the required resources as determined. The resources provided are put to use based on the planned arrangement, to deliver the planned output.

The process is monitored to ensure conformity with the planned arrangement and the resultant output is checked against defined criteria as planned, to determine products conformity and possible deviations.

This is to ensure that a nonconforming product or service is not delivered to the customer. Results of checks may identify deviations and areas of possible improvements. Actions are taken to address the deviations and to improve the Quality Management System. The results of these actions are used to plan again for a more improved Quality Management System.

3.2.2 The clauses

Clause 4: Established the foundation and the platform for the organization.

Clause 5: Established leadership to plan, control and direct the organization.

Clause 6: Defined the process of planning.

These three makes up the planning stage of the PDCA cycle

Clause 7: Defined the provision of suitable and adequate resources to implement the plan.

Clause 8: Defined the application of the provided resources to implement the planned arrangement.

These two make up the DO stage of the PDCA cycle.

Clause 9: Defined the implementation of checks on the output from the process of implementation against planned criteria.

This is the CHECK stage of the PDCA cycle.

Clause 10: Defined the actions required to improve the Quality Management System from the results of evaluation.

This is the ACT stage of the PDCA cycle.

Diagrammatically, this can be represented as below.

Figure 3: Relationship of the PDCA cycle to the ISO 9001:2015 standard

The context of the organization refers to the purpose of the organization, the processes, factors that affect the purpose and the processes, the strategic direction of the organization and its suitability for the purpose.

An organization can express its context and purpose through a vision statement, mission statement, policies and objectives.

REQUIREMENT

4.1 The organization shall determine external and internal issues that are relevant to its purpose and its strategic direction and that affect its ability to achieve the intended result(s) of its quality management system.

The organization shall monitor and review information about these external and internal issues.

NOTE 1 Issues can include positive and negative factors or conditions for consideration.

NOTE 2 Understanding the external context can be facilitated by considering issues arising from legal, technological, competitive, market, cultural, social and economic environments, whether international, national, regional or local.

NOTE 3 Understanding the internal context can be facilitated by considering issues related to values, culture, knowledge and performance of the organization.

EXPLANATION

The organization’s Quality Management System is continually being affected by issues which may either be external or internal. These issues affect the ability of the organization’s Quality Management System to achieve its purpose, objectives and strategic direction.

It is a requirement that these issues be determined, continually monitored and reviewed at relevant functions and levels of the organization for adequacy.

4.1.1 External and internal issues

       4.1.1.1 External Issues

The organization does not have control over these issues. They are issues emanating from external factors that affect the organization.

They are PESTLE:

P – Political issues: Issues arising from the results of political activities, decisions and resolutions such as government mandates, tenancy right, gender identity, foreign policy, taxation, death penalty, hate speech, gun control, right to vote, right to worship and education.

E – Economic issues: Issues arising from the results of economic activities such as market price, inflation, recession, foreign exchange, poverty, resources, prospects for growth, energy, labor, emerging markets, impact of new technologies.

S – Security issues: Issues arising from the effect of crime wave in the society such as terrorism, cyber-crime, disease pandemic, kidnapping, proliferation, armed robbery, information theft.

T – Technological issues: Issues arising from the effect of changes and advancement in technology such as user adoption challenges, vying for competitiveness, security vulnerabilities, acquisition cost, integration issues, backup and disaster recovery challenges.

L – Legal issues: Issues arising from governmental or non-governmental legislation such as corporate organizational agreements, workplace safety, confidentiality and privacy laws, social media, employment status, discrimination, illegal labor, intellectual property rights, industrial and statutory regulations, defective products and services, employment termination.

E – Environmental issues: Issues arising from the effects of physical and natural occurrences such as natural resources, global warming, sea level rise, greenhouse gas, technological awareness and adoption rates, globalization, demographic changes, climate changes., poor governance, biodiversity loss, pollution.

External issues may be influenced by:

• Culture, society, politics and regulatory requirements.
• Technology, innovation, industry requirements, market trends and requirements, suppliers and partners.
• Financial, economic, natural and competitive issues, whether international, national, regional or local.
• Safety and environmental conditions capable of affecting or being affected by the organization.

Sources of information relating to external issues may include:

• Register of identified external risks and the actions to address them.
• Feedback relating to products and services performance and lessons learned.
• Changes in legislation and regulation, including environmental and Health and Safety impacts.
• Records of new technology, new markets and trends, economic conditions, customer expectations.
• Reports on supplier intelligence, political considerations, investment opportunities, social factors etc.

 4.1.1.2 Internal Issues

The organization has control over these issues, and they vary depending on the nature, capacity, competence and compliance level of the organization.

They are SWOT.

S – Strength: Areas where the organization has comparative advantage.

W – Weaknesses: Areas where the organization has inability and is disadvantaged.

O – Opportunity for improvement: Areas where the organization has some level of ability but there is a need to do better.

T – Threats: Areas where there are possible dangers, and failure to address them will adversely affect the Quality Management System and the organization’s ability to provide conforming products and services.

An organization may be weak in an area where another organization has strength, this is why internal issues vary from one organization to the other.

Internal issues may be influenced by:

• Strategic direction.
• Policy and objectives.
• Organizational structure.
• Organizational activities.
• Types of products and services.
• Capabilities (people, knowledge, processes, systems).
• Working practices.
• Employment practices.
• Competence.
• Organizational knowledge.
• Performance.
• Location and conditions.
• Worker knowledge and skills.
• Value.
• Strategy.
• Culture.
• Quality, safety and environmental conditions capable of affecting or being affected by the organization.

Sources of information relating to internal issues may include:

• Organizational structure, identification of roles, responsibilities and governance arrangements.
• Identified internal risks and the actions to address them.
• Organizational capacity review and resource requirements.
• External reports such as customer feedback and complaints, which determine the performance of the organization.
• Feedback obtained from employees through opinion surveys.
• Organization’s mission, vision and core values.
• Organizations work ethics and codes of conduct.
• Information management processes for documenting and implementing organizational knowledge and lessons learned.

The log below may be useful to address identified issues.

Figure 4: Identified issues matrix

4.1.2 Monitoring and review

Due to continual changes in the issues that affect the Quality Management System, it is required that the organization continually monitor and review the information about these issues for suitability and adequacy. The review will warrant continual updating of these identified issues to make them effective.

REQUIREMENT

4.2 Due to their effect or potential effect on the organization’s ability to consistently provide products and services that meet customer and applicable statutory and regulatory requirements, the organization shall determine:

a) the interested parties that are relevant to the quality management system.

b) the requirements of these interested parties that are relevant to the quality management system.

The organization shall monitor and review information about these interested parties and their relevant requirements.

EXPLANANTION

An interested party is not just the customer but any person, entity or organization that can affect, be affected by, or perceive itself to be affected by the organization’s Quality Management System and activities. They present significant risk to the organization’s ability to stay in business if their needs and expectations are not met, because of their impact on the organization’s ability to meet customer, statutory and regulatory requirements.

The organization needs to determine these interested parties, their needs and expectations and continually satisfy these expectations in order to retain the support of these interested parties that have significant impact on the organization’s sustainability.

4.2.1 Interested parties and their requirements

Interested parties can be categorized into:

Customer: Those the organization provides products or services for.

Employee: Those engaged by the organization to provide the required products and services.

Shareholder: A person who owns or owns a part of the organization.

Supplier: Those the organization purchase products and services from to do the job.

Society: Entities that have the social-economic and environmental controls that affect the organization’s Quality Management System.

These interested parties and their requirements must be determined. This is to facilitate meeting those requirements for the purpose of business continuity.

They may be identified from customers, partners, end users, external providers, owners, shareholders, employees, trade unions, government agencies, regulatory authorities, local community etc.

The log below may be useful to address these requirements.

Figure 5: Interested parties’ matrix

To determine the requirements of these interested parties, an organization may explore the following avenues: customer’s requests, documented information of contracts, experience from previous jobs, purchase/work orders and defined statutory and regulatory requirements.

Customer requirements may be determined through the following:

• Contract documents.
• Statutory and regulatory requirements.
• Requirements defined by the organization for its provision of products and services.

These may include customer feedback, complaints management, review of customer requirements, communication, conformity of products and services.

The requirements for local regulators may be determined through notices they issue.

The requirements for national regulators may be determined through one or more of the following.

• Contract documents from customers.
• Website review.
• Procurement of updated Acts from the relevant national regulators.

External providers requirements may be determined through:

• Feedback
• Where necessary company/supplier meetings.

These may include evaluations and revaluations, approvals, performance monitoring, market survey, work completion certificates, work permits, payment for products and services supplied.

The requirements for employees may be determined through:

• Opinion polls from employees.
• Management meetings.
• General meetings.
• One on one consultation with the superior.

They include but are not limited to authorization, job responsibilities, appraisals, training, support, resources to perform responsibilities, protection, remuneration.

The requirements of shareholders may be determined through shareholders’ board meetings which include issues on continual business profitability.

4.2.2 Monitoring and review

Due to continual changes in the organization’s interested parties and their requirements, it is required that the organization continually monitor and review the information relating to these interested parties for suitability and adequacy.

The review will warrant continual updating of these interested parties and their requirements for effectiveness.

REQUIREMENT

4.3 The organization shall determine the boundaries and applicability of the quality management system to establish its scope.

When determining this scope, the organization shall consider:

a) the external and internal issues referred to in 4.1;

b) the requirements of relevant interested parties referred to in 4.2;

c) the products and services of the organization.

The organization shall apply all the requirements of this International Standard if they are applicable within the determined scope of its quality management system.

The scope of the organization’s quality management system shall be available and be maintained as documented information. The scope shall state the types of products and services covered, and provide justification for any requirement of this International Standard that the organization determines is not applicable to the scope of its quality management system.

Conformity to this International Standard may only be claimed if the requirements determined as not being applicable do not affect the organization’s ability or responsibility to ensure the conformity of its products and services and the enhancement of customer satisfaction.

EXPLANATION

Scope is the boundaries within which the Quality Management System is applicable to an organization. The scope of an organization’s registration and certification shall be clearly defined.

The activities covered by the organization’s Quality Management System, any exclusion to non-applicable requirements of the standards and the justification for non-applicability shall be documented in the quality manual.

This manual shall define the external and internal issues that affects the Quality Management System, relevant interested parties and their requirements, the type of products and services being provided by the organization, locations including remote locations where organization’s activities are performed, how risks and opportunities will be determined and addressed and how the organization intends to fulfill the requirements of the Quality Management System standard.

In considering the boundaries and applicability of the management system, the organization shall consider:

• The range of products and services.
• Different sites and their activities.
• Externally provided processes, products and services.
• Processes, operating procedures, work instructions, or site-specific documentation.

The manual shall define any exclusion which the organization considers as not applicable to the scope of its Quality Management System.

4.3.1 Exemptions in scope of the Quality Management System

An organization shall fully apply and fulfill all the requirements of the Quality Management System standard that are applicable within the defined scope of its Quality Management System to claim conformity to the Quality Management System standard.

Where a requirement of the Quality Management System standard is not applicable to the scope of an organization’s Quality Management System, the organization must be able to demonstrate its ability to enhance customer satisfaction and provide products and services not affected by the exclusion as a justification.

It is a requirement that an organization shall apply all the requirements of the standard except where the organization can provide justification or explanation as to why the non-applicable clause do not affect the conformity of its products and services.

REQUIREMENT

4.4.1 The organization shall establish, implement, maintain and continually improve a quality management system, including the processes needed and their interactions, in accordance with the requirements of this International Standard.

The organization shall determine the processes needed for the quality management system and their application throughout the organization, and shall:

a) determine the inputs required and the outputs expected from these processes;

b) determine the sequence and interaction of these processes;

c) determine and apply the criteria and methods (including monitoring, measurements and related performance indicators) needed to ensure the effective operation and control of these processes;

d) determine the resources needed for these processes and ensure their availability;

e) assign the responsibilities and authorities for these processes;

f) address the risks and opportunities as determined in accordance with the requirements of 6.1;

g) evaluate these processes and implement any changes needed to ensure that these processes achieve their intended results;

h) improve the processes and the quality management system.

4.4.2 To the extent necessary, the organization shall:

a) maintain documented information to support the operation of its processes;

b) retain documented information to have confidence that the processes are being carried out as planned.

EXPLANATION

The organization shall systematically define and manage processes and their interactions so as to achieve the intended results in accordance with both the policy and strategic direction. This shall be a process model that defines the key processes of the organization and how each relates and links to the other. The level of defining these processes and their interaction shall be based on customer, applicable regulations or statutory requirements, the nature of activities and strategy.

The organization shall map processes and functions to their inputs, process activities and outputs as it applies to each process.

This shall demonstrate:

• The understanding of the process approach and its implementation within the organization.
• The alignment of the Quality Management System with the context of the organization.
• The possibility of the management system achieving its intended results.
• The identification of the processes needed for the management system which may include process models, process grouping, process flow diagram.
• The Quality Management System processes, their sequence and interaction.
• The documented information to ensure effective operation and control of the processes, which may specify the applicable standard operating procedures, defined roles, required competencies, needed training, codes and standards.
• The expected inputs and outputs from each of the identified processes.
• The necessary criteria and methods to ensure effective operation and control of the processes, such as process monitoring and measurement requirements, performance indicators, set objectives, data collection, trend analysis and audit results.
• The defined activities and authority to control the processes such process reviews, frequency of reviews, continual improvement initiatives, meetings, risks and opportunities relating to the process, resource needs, training and competency.
• The approach to continual improvement and the action to address deviations.
• The process for documenting customer, statutory and regulatory requirements and their integration into the Quality Management System.

Evidence to demonstrate that the define requirements of the processes is being met may include:

• Established operating procedures.
• Quality manuals.
• Work instructions.
• Flow charts.
• Assigned responsibilities and authorities.
• Determined and addressed risks and opportunities.
• Provided resources.
• Maintained and retained documented information.
• Implemented monitoring and measurement activities based on defined criteria.
• Improvement activities of the Quality Management System and its processes.

Effective Quality Management System and its process may be demonstrated through:

Evaluation and improvement of the processes which may include quality management review, awareness of contractors and employees of the management system expectations, process key performance indicators, customer complaints and feedback, process internal nonconformities and internal audits. Required changes and improvements are implemented through corrections and corrective action processes and where applicable, procedures are reviewed.

Ensure that the documentation is created and maintained by the organization to support the operation of the processes. Such documentation may be in the form of a management system manual, staff handbook, documented procedures, work instructions, guidance material, data cards, physical samples, IT systems (including intranet and internet), templates and forms.

Documentations are identified and retained by the organization to demonstrate that the processes are being carried out as planned. They may be retained as physical hard copy records, electronic media (data servers, hard drives, compact discs, or flash drives etc.).

Specific documentations are created and maintained by the organization that include a description of relevant interested parties, scope of the management system including boundaries and applicability, description of the processes needed for the Quality Management System together with their sequence, interaction, application and assignment of responsibilities for the processes.

Internal audit of the organization’s Quality Management System to focus on process performance and effectiveness.

This shall give priority to the following:

• Reviewing the organization’s processes, their sequence and how they interact.
• Identifying the functions and their assigned responsibilities.
• Review of performance against requirements, focusing on processes that directly impact the customer.
• Review of the organization’s process for monitoring and measurement, validation and approval of processes, and process changes.
• Review of the availability of resources and the information required to operate and support associated activities, including appropriate training and competency of personnel.
• Review of process-based management techniques, including the examination of process measures that might include level of quality, output effectiveness, control limits, process capability determination.
• Review of any existing plans to ensure performance objectives and targets are monitored, measured, and analyzed in order to realize the planned activities and achieve the planned results.
• Review of all applicable action taken when objectives and targets are not met, to promote continual improvement.
• Pursuance of audit trails that address customer concerns or requests for corrective actions, performance against objectives, and relevant process controls.

The organization shall retain documented information to provide confidence that the processes are being carried out as planned.

The organization shall identify key processes and supporting processes.

Processes including design and development, operations, manufacturing, customer service and purchasing are key to customer satisfaction.

Supporting processes do not contribute directly to what the customer wants but do help the key processes to achieve their output. Support processes include human resources, finance, document control, training and facilities maintenance, etc.

To identify these processes, the organization shall need to consider how the workflows through the organization. Consider how the inputs and outputs to the key processes flow from one process to the next, what sub-processes might exist within it and how the support processes link in. Focus on the organization’s key processes and how the departments interface with each other. When defining the organization’s processes, the organization should try to keep it simple. Some supporting processes may be part of other key processes.

In determining which processes should be established and documented, the organization may consider:

• Effect on quality and conformity.
• Effect on the environment and infrastructure.
• Effect on safety and health.
• Risk of customer dissatisfaction.
• Statutory and regulatory requirements.
• Economic and cost risk.
• Effectiveness and efficiency.
• Competence of personnel.
• Complexity of processes.

After defining the processes and their interfacing interactions, the organization shall ensure that each process has the following defined:

• Owner(s) and participants of the processes.
• Procedures, work instructions, registers and forms.
• Inputs, process activities and outputs.
• Key performance indicators.
• Risks and opportunities.
• The sequence and interaction of processes.
• Monitoring and measurement controls.

The interactions shall include:

The sequence of activity flow, the inputs, process activities and outputs with the relevant verifications and validations for the processes.

The organization shall determine what will be done from inception of a job to final delivery to customer. It shall also determine the processes relevant to each stage of the product realization process including the supporting processes. This will depend on the size of the organization. The organizational structure shall be defined to include every role in the organization to give understanding of the flow pattern of authority and information.

The procedure for processing the inputs into outputs by each of the processes, the acceptance criteria against which the output must be checked for conformity, quality monitoring and measurements to be checked to ensure quality assurance and control, and the relevant quality checkpoints for each of the process shall be defined.

From the results of monitoring and measurements, statistical data are collated. It is a requirement that these data be analyzed and evaluated to determine performance. And where deviations are observed, improvement actions shall be implemented. The improvement actions may include procedure review, restructuring, change of technology, training, changes to process inputs, to ensure that the processes achieve their intended results.

The organization shall determine and provide the needed resources and define the authorities and responsibilities for every role. Taking actions to address potential risks and opportunities and evaluating the results of the processes to improve the Quality Management System.

Records of activities for these processes shall be retained to demonstrate full application of planned arrangements. The Quality Management System shall establish documents such as logs, forms, check sheets, registers and files relevant to each of the processes. The implementation of these documents forms the records to demonstrate effective implementation and compliance with planned arrangements of the Quality Management System.

Leaders must be accountable for the Quality Management System of the Organization. This is achieved through defining the organization’s strategic direction, establishing the required processes, setting policies and objectives, assigning roles and responsibilities, provision of adequate resources and support of the established processes to achieve the objectives of the Quality Management System.

REQUIREMENT

5.1.1 General

Top management shall demonstrate leadership and commitment with respect to the quality management system by:

a) taking accountability for the effectiveness of the quality management system;

b) ensuring that the quality policy and quality objectives are established for the quality management system and are compatible with the context and strategic direction of the organization;

c) ensuring the integration of the quality management system requirements into the organization’s business processes;

d) promoting the use of the process approach and risk-based thinking;

e) ensuring that the resources needed for the quality management system are available;

f) communicating the importance of effective quality management and of conforming to the quality management system requirements;

g) ensuring that the quality management system achieves its intended results;

h) engaging, directing and supporting persons to contribute to the effectiveness of the quality management system;

i) promoting improvement;

j) supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility.

NOTE Reference to “business” in this International Standard can be interpreted broadly to mean those activities that are core to the purposes of the organization’s existence, whether the organization is public, private, for profit or not for profit.

5.1.2 Customer focus

Top management shall demonstrate leadership and commitment with respect to customer focus by ensuring that:

a) customer and applicable statutory and regulatory requirements are determined, understood and consistently met;

b) the risks and opportunities that can affect conformity of products and services and the ability to enhance customer satisfaction are determined and addressed;

c) the focus on enhancing customer satisfaction is maintained.

EXPLANATION

Leadership and commitment to the development and implementation of the Quality Management System and the continual improvement of its effectiveness, may be demonstrated through:

• Validation of relevant policies, objectives, procedures and authorizations that affect the Quality Management System.
• Establishment of Quality Policy that aligns with the strategic direction of the organization.
• Establishment of Quality Objectives at relevant functions and levels of the organization to be monitored and evaluated for performance.
• The review and approval of process procedures, work instructions and policies to integrate the Quality Management System requirements into the organization’s business process.
• Conducting management reviews at planned intervals to appraise performance for the purpose of promoting improvement.
• Promoting risk-based thinking through the analysis, evaluations and corrective actions for customer complaints and feedback, internal audits, internal nonconformity reports, lesson learnt and management reviews.
• Determining risks and opportunities that affects the Quality Management System, taking actions to address them and integrating the actions into the Quality Management System.
• Establishing relevant controls and monitoring, to ensure that the Quality Management System achieves its intended results.
• Determining and providing adequate resources for the implementation of the Quality Management System plan, including equipment, manpower, environment, check sheets, methods, procedures, codes and standards relevant to each of the processes.
• Communicating the importance of effective quality management and of conforming to the Quality Management System requirements throughout the organization by way of policies, awareness training, meetings, inductions, seminars, and memos.
• Promoting the use of process approach by establishing relevant processes for the organization with their interactions adequately defined.
• Engaging, directing, and supporting people for the effectiveness of the Quality Management System through adequate recruitment, defined job responsibilities, and competency training.
• Supporting other relevant roles to demonstrate leadership at all levels by allocating authorities for the Quality Management System.

Customer focus

To demonstrate commitment to customer focus, the organization shall:

• Determine the statutory and regulatory requirements relevant to the organization’s scope of activities. These requirements shall be vigorously pursued for continual conformity.
• Determining the customers relevant to the Quality Management System and their requirements, taking actions to ensure that these requirements are continually met.
• Determine and consistently monitor risks and opportunities that can affect the conformity of products and services. Actions shall be taken to address these risks and opportunities with the effectiveness of these actions being analyzed and fed as input into the quality management reviews process for evidence-based decision making.
• Enhance customer satisfaction through the implementation of corrective actions, nonconformity process, customer feedback survey and complaints management process, training and retraining of personnel and acquisition of new technologies.
• Establishing an effective process of communication between the organization and the customer.

REQUIREMENT

5.2.1 Establishing the quality policy

Top management shall establish, implement and maintain a quality policy that:

a) is appropriate to the purpose and context of the organization and supports its strategic direction;

b) provides a framework for setting quality objectives;

c) includes a commitment to satisfy applicable requirements;

d) includes a commitment to continual improvement of the quality management system.

5.2.2 Communicating the quality policy

The quality policy shall:

a) be available and be maintained as documented information;

b) be communicated, understood and applied within the organization;

c) be available to relevant interested parties, as appropriate.

EXPLANATION

A quality policy is a top management document to express the directive of the top management of an organization with respect to quality. Quality policy is a tactical top management tool to ensure the accomplishment of the organization’s strategic direction.

To demonstrate leadership commitment to the Quality Management System, top management shall establish, implement and maintain a quality policy. The quality policy shall align with the context and purpose of the organization to promote the ability to achieve the strategic direction of the organization.

The Quality Management System documentation of an organization relates in the following way.

5.3.1 Establishing the quality policy

The quality policy shall be established by top management who shall be committed to the continual review of the quality policy for suitability, adequacy and effectiveness.

A quality policy shall contain the following elements:

• A description of the products and services provided by the organization with a commitment to quality delivery and customer satisfaction.
• A definition of the applicable requirements such as statutory and regulatory requirements, requirements of codes and standards, customers’ requirements, organizations defined requirements that shall be satisfied in products and services provision.
• A commitment to continually improve the Quality Management System for suitability, adequacy and effectiveness.
• A commitment for the quality policy to serve as a framework for setting quality objectives at relevant levels and functions of the organization.

Persons that perform activities that affect the Quality Management System shall adhere strictly to the requirements of the quality policy.

5.3.2 Communicating the quality policy

The quality policy shall be maintained as documented information and shall be made available to all interested parties.

Framed copies of the quality policy shall be communicated and displayed at strategic locations and offices for adequate understanding and application throughout the organization.

The quality policy may be made available to relevant interested parties through any of the following Media.

• Quality inductions.
• Tendering.
• Company website.
• Company general servers.

Relevant interested parties shall be made to understand the elements of the quality policy and shall implement its requirements within the Quality Management System. People’s level of understanding of the quality policy may be evaluated using oral interviews during quality induction and internal audits.

REQUIREMENT

Top management shall ensure that the responsibilities and authorities for relevant roles are assigned, communicated and understood within the organization.

Top management shall assign the responsibility and authority for:

a) ensuring that the quality management system conforms to the requirements of this International Standard;

b) ensuring that the processes are delivering their intended outputs;

c) reporting on the performance of the quality management system and on opportunities for improvement (see 10.1), in particular to top management;

d) ensuring the promotion of customer focus throughout the organization;

e) ensuring that the integrity of the quality management system is maintained when changes to the quality management system are planned and implemented.

EXPLANATION

To demonstrate commitment to the Quality Management System, top management shall ensure that job responsibilities for every role in the organization are defined, communicated to the responsible persons and understood by the responsible persons. An organization is expected to maintain documented information which may be a procedure that defines the responsibilities for every role in the organization.

The assignment of relevant roles, responsibilities and authorities that affect conformity in the organization shall include the roles of top management, Management Representative (as appropriate), Line Managers, Departmental Managers, Supervisors, Process Owners, and Process Users.

5.4.1 Role

This is the function assumed or the part played by a person in an organization by virtue of the position the person occupies. Every role has its responsibilities but not every role has authority. Whether a role has authority or not is dependent on the level of the role and the complexity of the organization.

Relevant responsibilities and authorities shall be defined, communicated and understood within the organization.

5.4.2 Responsibilities

These are the duties or activities defined for a person to act independently in an organization by virtue of assigned position. Responsibilities shall be defined, communicated to and understood by relevant persons. Responsibilities shall be issued to a person at the point of engagement and during restructuring when a person’s position or role is changed.

Responsibilities shall define:

• The person’s name, job title or designation.
• Position of the role within the team, department and organization.
• Who the role reports to, and other key interactions.
• Key areas of responsibility, deliverables expected scope for progression and promotion.
• Required education and training, skills and personality traits necessary for growth.
• Location and travel requirements.
• Remuneration range and benefits accruable.
• The relevant approvals.
• Type of employment (permanent or contract).

For adequacy, collaboration is required between the manager of the relevant process and the human resources process to define the responsibilities.

5.4.3 Authorities

This is the power or right assigned to influence, control, direct, make decisions, approve or disapprove by virtue of a person’s position. Every role has responsibilities but not every role has authority. There are certain roles in an organization that must have authority to take decisions and make certain approvals.

It is the responsibility of top management to define and support these roles with the necessary authority for the effective execution of their responsibilities. The person responsible shall understand the level of assigned authority and make decisions within the limits of the authority.

5.4.4 Reporting the performance of the Quality Management System to Top Management

To ensure commitment, top management shall assign the responsibility and authority to monitor and control the Quality Management System to a person, sometimes referred to as the Management Representative (MR).

This person shall be responsible to ensure:

• That the organization’s Quality Management System conforms to the requirements of the Quality Management System standard. This conformity can be achieved through adequate monitoring, measurement, evaluation and analysis of the Quality Management System.
• That the processes are delivering their intended outputs by monitoring and measuring the processes and their outputs.
• Reporting of the performance of the Quality Management System and opportunities for improvement to top management by reporting the results of monitoring, measurement, evaluation and analysis through the quality management review process for the purpose of evidence-based decision making.
• The promotion of customer focus throughout the organization by determining applicable requirements and implementing corrective actions, nonconformity process, customer feedback survey and complaints management, training and retraining of personnel aimed at customer satisfaction.
• That the integrity of the Quality Management System is maintained when changes to the Quality Management System are made, by ensuring adequate planning, review, approval, monitoring of change implementation and evaluation of the effectiveness of the change processes.

A planned process is more likely to achieve desired results. An organization shall be able to plan its processes to implement and continually improve the Quality Management System to meet customer expectations.

REQUIREMENT

6.1.1 When planning for the quality management system, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to:

a) give assurance that the quality management system can achieve its intended result(s);

b) enhance desirable effects;

c) prevent, or reduce, undesired effects;

d) achieve improvement.

6.1.2 The organization shall plan:

a) actions to address these risks and opportunities;

b) how to:

1) integrate and implement the actions into its quality management system processes (see 4.4);

2) evaluate the effectiveness of these actions.

Actions taken to address risks and opportunities shall be proportionate to the potential impact on the conformity of products and services.

NOTE 1 Options to address risks can include avoiding risk, taking risk in order to pursue an opportunity, eliminating the risk source, changing the likelihood or consequences, sharing the risk, or retaining risk by informed decision.

NOTE 2 Opportunities can lead to the adoption of new practices, launching new products, opening new markets, addressing new customers, building partnerships, using new technology and other desirable and viable possibilities to address the organization’s or its customers’ needs.

EXPLANATION

To give assurance that the Quality Management System can achieve its intended results, enhance desirable effects, prevent or reduce undesirable effect and achieve improvements, an organization shall take action to address risks and opportunities at every process level.

This may best be approached using the Plan-Do-Check-Act principle.

Figure 6: Plan-Do-Check-Act approach to addressing risks and opportunities.

In planning actions to address risks and opportunities, the organization shall consider the following sources.

• External and internal issues determined.
• Relevant interested parties and their requirements determined.

To achieve this, the organization shall:

• Determine and address risks that affect the Quality Management System.
• Promote risk-based thinking throughout the organization.
• Ensure risks are determined and appropriate actions are taken to address them.
• Plan actions to address risks, implement planned actions and evaluate the effectiveness of the actions taken.
• Control and contain the identified risks to prevent unintended escalation.
• Integrate the results of actions to address risks into the Quality Management System.
• Improve the Quality Management System by responding to risks as appropriate.

There is a close relationship between external and internal issues, interested parties and their requirements and actions to address risks and opportunities. For every interested party and requirements identified, there are related issues, and every issue has a potential risk or opportunity.

This relationship may be represented as below.

Figure 7: Relationship between Interested parties and risks.

Risks and opportunities may be obtained from:

• Minutes of meetings.
• Brain-storming activities.
• SWOT analysis of the organization’s Quality management System.
• Risk determination and evaluation records.
• Reports of customer feedback.
• Strategic planning documents.
• Planning, analysis and evaluation activities.
• Production inspections and service reviews.
• Competitor and market analysis.
• Marketing and sales data.
• Quality manual.
• Design and development reviews.
• Corrective actions.
• Non-conformance reports.
• Minutes of management review meetings.

It is required that an organization shall take action to address the risk or opportunity associated with every issue identified regarding interested parties. A better sequence is to identify relevant interested parties and their requirements, determine the issues associated with each of the identified interested parties, assess these issues for their potential risks or opportunities impact and take action to address the risks or opportunities. This will enhance the focus of actions to address risks and opportunities for the interested parties. A positive risk, results in an opportunity. Actions to address a risk shall be appropriate to the impact of the risk.

6.1.1 Determining risks and opportunities

To determine potential risks and opportunities, the organization shall:

• Determine relevant interested parties.
• Identify issues relating to these interested parties.
• Define the level of risk impact that requires actions to address it.
• Determine the risks associated with the identified issues.
• Evaluate the risk for potential impact level.
• Determine the source of the risk or opportunity.
• Determine the root cause of the risk or opportunity.
• Determine and plan action to address the risk or opportunity, giving a time limit.
• Assign responsibility, authority and resources to address the risk or opportunity.
• Implement planned action to address the risk or opportunity.
• Evaluate action to address risk or opportunity for effectiveness.
• Perform relevant validations.
• Document and maintain records of action to address risk or opportunity.
• Integrate the results of action into the Quality Management System.

The register below may be applied.

Figure 8: Risks and opportunities management matrix

6.1.2 Evaluating risks and opportunities

Actions to address risk shall be appropriate to the impact of the risk. To ensure this, there is a need to assess the risk for its risk impact. This will help to determine actions that will be appropriate to the impact of the risk.

To evaluate risk for its potential impact, the risk assessment matrix below is useful.

Figure 9: Risk assessment matrix

From the matrix, determine the likelihood rating of the risk. This refers to the frequency of occurrence of the risk. Determine the consequence rating of the risk and multiply the likelihood rating with the consequence rating to obtain the risk impact on the Quality Management System.

The risk impact can be categorized by the level of severity as critical, high, medium and low impact rating. Actions and responsibilities to address risks shall be appropriate to the severity of the risks.

Figure 10: Risk impact rating matrix

To determine the likelihood rating of a risk, an organization may apply the matrix below.

Figure 11: Risk occurrence assessment matrix

To determine the consequence rating of a risk, the matrix below may be applied.

Figure 12: Risk consequence assessment matrix

To determine the risk impact, the likelihood rating shall be determined from the occurrence assessment matrix and the consequence rating shall be determined from the risk consequence assessment matrix. Risk impact is the product of both likelihood rating and consequence rating of the risk.

From the risk impact rating matrix, low risk impact shall be managed by routine procedure or accepted by informed decision. Medium, high and critical risk impact shall be addressed as appropriate to the impact of the risk. For a likelihood rating of 4 and a consequence rating of 3, the risk impact is 12. From the risk impact rating matrix, this is high risk and shall be addressed by top management intervention.

Where a more substantial or coordinated response is required than the immediate risk owner can authorize or implement, such a risk shall be termed a critical risk and shall be escalated through established lines of management accountability to top management. The risk owner may provide key information such as statistical data on numbers of active hazards and risks, overdue actions, and others as appropriate.

The organization may recognize an opportunity as a circumstance that makes it possible to leverage positive factors and elements.

For example:

• Development of new products, services and processes.
• Development of new markets or increase market share.
• Improvement of the work environment.
• Improvement of productivity.
• Improvement of operational efficiency (reduction of resource use, reduction of waste, etc.).

Opportunities may be identified as positive effects of risks or a risk that is beneficial to the organization.

6.1.3 Taking actions to address risks and opportunities

Action to address risk shall be appropriate to the impact of the risk.

Some of the possible actions to address risks and opportunities may include:

• Avoiding a risk.
• Taking a risk in order to pursue an opportunity.
• Eliminating the source of a risk.
• Changing the likelihood or consequences of the risk on the Quality management system.
• Sharing the risk through the commitment of stakeholders.
• Retaining risk by informed decision.
• SWOT analysis by the organization as part of its business strategy to identify the internal risk and opportunities and action plans to address them.
• Formal business risk assessment performed by the organization taking into consideration its context, associated risk and opportunities and mitigation plan.
• Use of process approach by the organization to identify sources of input, activities, output, receiver of output, performance indicators to control and monitor processes, the risks and opportunities associated with them and action plan to address them.

To adequately address risks, one or more of the following may apply:

• Corrective action process.
• Nonconformity management process.
• Defining quality control checkpoints.
• Customer feedback survey and complaints management process.
• Training and retraining of personnel to achieve competency.
• Restructuring by redefining processes and their interactions or reassigning roles, responsibilities and authorities.
• Acquisition of new technologies.
• Engagement of people.
• Internal process review.
• Changes to methods and internally defined requirements.
• Subcontracting to competent and approved external providers.
• Communication with relevant interested parties.

The responsibilities and authorities to address the risk or opportunity shall be assigned.

These shall include:

• Responsibility to implement the planned action.
• Responsibility to verify the conformity of action taken.
• The responsibility to evaluate the effectiveness of the action taken.
• The authority to validate action taken.

Resources shall be adequately provided to include:

• Competent people.
• Required technologies and machinery fit for use.
• Measuring and testing equipment fit for use.
• Applicable environmental conditions.
• Applicable methods and procedures.

Planned action shall be implemented within the assigned time frame.

6.1.4 Integrating the results of planned actions into the Quality Management System

Results from actions to address risk and opportunities shall be integrated into the Quality Management System as appropriate through any of the following:

• Awareness training for relevant interested parties on the results of actions to address risks and opportunities.
• Review of procedures and work instructions to capture the changes resulting from actions to address risks and opportunities.
• Training of personnel to acquire any required additional competence.
• Procurement of new technologies.
• Re-assigning roles and responsibilities.
• Restructuring of processes and their interactions.

6.1.5 Evaluating the effectiveness of actions taken

Actions to address risks and opportunities shall be evaluated for effectiveness by comparing the results of the actions taken with the planned arrangement or criteria. The effectiveness of the actions taken shall be validated and where the results of the actions taken to address the risk and opportunity are found not to be effective, actions shall be reviewed and re-implemented. Internal audits may be used to evaluate the effectiveness of the actions taken.

Actions taken in addressing risks and opportunities shall form inputs into quality management review for the purpose of informed decision making.

REQUIREMENT

6.2.1 The organization shall establish quality objectives at relevant functions, levels and processes needed for the quality management system.

The quality objectives shall:

a) be consistent with the quality policy;

b) be measurable;

c) take into account applicable requirements;

d) be relevant to conformity of products and services and to enhancement of customer satisfaction;

e) be monitored;

f) be communicated;

g) be updated as appropriate.

The organization shall maintain documented information on the quality objectives.

6.2.2 When planning how to achieve its quality objectives, the organization shall determine:

a) what will be done;

b) what resources will be required;

c) who will be responsible;

d) when it will be completed;

e) how the results will be evaluated.

EXPLANATION

They are clear set measurable goals that are intended for increasing the value of an organization’s processes with a target for products and services conformity aimed at customer satisfaction.

An organization shall set quality objectives which are consistent with the quality policy, at relevant functions, levels and process of the organization. These quality objectives shall aim at achieving the organization’s corporate objectives and the strategic direction of the organization.

The focus of quality objectives shall be conformity of products and services and in meeting the expectation of the customer.

Top management quality objectives are established, and quality objectives are formulated for other relevant processes to achieve the top management quality objectives. This way, the top management quality objectives consistent with the quality policy are cascaded down to all process levels and functions.

The quality objectives shall be maintained as documented information, monitored, measured and evaluated for performance.

6.2.1 Establishing the quality objectives

Quality objectives shall:

• Be established at every relevant process level and function in the organization.
• Be consistent with the quality policy.
• Consider applicable requirements like statutory and regulatory requirements, customer requirements and internally defined requirements.
• Be relevant to conformity of products and services and to enhance customer satisfaction.
• Be monitored for effectiveness using key performance indicators to evaluate performance statistically.
• Be communicated to and understood by relevant people.
• Be continually updated as appropriate, whenever necessary.
• Maintain documented information on the quality objectives.

Quality objectives shall meet the SMART principle.

S – Specific: Addresses one issue, distinct and not ambiguous.

M – Measurable: Performance can be calculated from numeric data values.

A – Achievable: Should be feasible and can be actualized.

R – Realistic: Objectives shall address real situations and not imaginary or fictional.

T – Time bound: Assigned dates to complete actions on objectives and evaluation of performance.

To establish suitable objectives, three elements should come to mind:

1. What to be achieved.
2. The amount or level of it to be achieved.
3. The time when all planned actions to achieve the objective will be completed.

As an example, let us set a quality objective to meet these requirements.

Objective: To ensure not more than 5% of customer complaints for products delivered per month in the year.

The above objective is:

1. Specific to complaints for products delivered to customers.
2. Measurable by comparing the number of products delivered to customers and had complaints with the number of products delivered to customers for the month to achieve the target of less than 5%. This implies a minimum of 95% products conformity.
3. With the objective of a Quality Management System to exceed customer expectations, 95% product conformity is achievable.
4. The objective addresses a real situation associated with customer complaints and product conformity.
5. The quality objective is time bound as time has been defined to achieved it every month. This implies that the performance of this objective shall be evaluated at the end of every month.

This quality objective is SMART.

6.2.2 Planning actions to achieve the quality objectives

The planned actions to achieve quality objectives shall include:

• What will be done to achieve the objective?
• What resources will be required?
• Who will be responsible for achieving the objective?
• When will it be completed?
• How the results will be evaluated at the defined completion time.

Using the example above, let us see how these elements can be addressed.

What will be done: To ensure products conformity that will result in reduced customer complaints, the process needs to do the following:

• Ensure products’ requirements are adequately defined and understood.
• Review products requirements and ensure that deviations are resolved and agreed.
• Ensure the capacity to meet products requirements before committing to providing products.
• Perform process activities within agreed time.
• Assign the responsibilities of developing the product to competent and qualified personnel.
• Ensure the use of equipment that is calibrated (if necessary) and fit for use.
• Ensure the availability and application of the most recent versions of applicable product documented information.
• Use only qualified and approved external providers.
• Adequately implement all quality checks defined for every relevant stage of the product realization process.
• Continually communicate with customers on the progress of the product realization process.
• Complete all planned arrangements for product before delivering product to customer.
• Ensure full implementation of product’s defined post-delivery requirements.

If the above activities are performed, there is every tendency that the outputting products will conform and hence, the tendency for customer complaints will be reduced.

What resources will be required: Required resources for the product delivery include:

• Contract documents.
• Competent personnel.
• Suitable equipment.
• Suitable environment.
• Applicable standards, methods and procedures.
• Qualified external providers.
• Relevant forms and logs as records.
• Communication gadgets.
• Products consumables.

Who will be responsible: Responsibilities to ensure products conformity include:

• Project manager to supervise and validate product realization process.
• Quality representative to conduct quality checks.
• Technical experts to execute product realization process.

When it will be completed: The above quality objective has defined monthly as the timeline, hence the objective shall be completed at the end of every month in the year.

How the results will be evaluated: The key performance indicator to evaluate performance of that quality objective is:

See below for sample tool for planning process objectives.

Figure 13: Quality objectives planning.

6.2.3 Monitoring and evaluating the quality objectives

The parameters upon which the evaluation of the quality objectives depends shall be monitored and used to evaluate performance with regards to the quality objectives at the defined time.

From the example above, if at the end of a particular month, 50 products were delivered, out of which 2 had customer complaints, the percentage performance for the month will be calculated as follows:

Performance =

This will be 4% performance for the month.

Comparing this to the 5% maximum target set, this implies the quality objective was achieved.

However, if out of the 50 products delivered, 4 had customer complaints, The percentage performance for the month will be:

Performance =

Which is 8% performance for the month.

Comparing this to the set 5% maximum target, this implies the quality objective was not achieved.

There is a need therefore to implement corrective action to prevent recurrence of failure.

The evaluation will be conducted at the end of every month for the whole year.

The log below will be a useful plan to evaluate quality objectives whether they are planned for monthly, quarterly, bi-annual or annual basis. 

Figure 14: Quality objectives KPI evaluation matrix

Striving to achieve the quality objective and taking actions to address failures results in continual improvement of the Quality Management System and the ability to satisfy the customer.

6.2.4 Actions to address failures

When a failure to achieve a quality objective is observed, corrective action shall be implemented to prevent recurrence of the failure.

This action shall include:

• A root-cause analysis to determine the cause of the failure.
• Proposing and implementing corrective action to prevent recurrence.
• Validation and evaluation of the corrective action to determine if the cause of the failure has been eliminated.
• Implementing the results of the corrective action in working toward achieving the quality objective.

6.2.5 Reporting performance

Results of monitoring and evaluation of quality objectives shall form inputs into the quality management review process for evidence-based decision making by the top management.

REQUIREMENT

When the organization determines the need for changes to the quality management system, the changes shall be carried out in a planned manner (see 4.4).

The organization shall consider:

a) the purpose of the changes and their potential consequences;

b) the integrity of the quality management system;

c) the availability of resources;

d) the allocation or reallocation of responsibilities and authorities.

EXPLANATION

Every change to the Quality Management System, whether process, interaction, documented information, input or output shall be planned.

The organization shall define its arrangements for amending documented information and communication of changed requirements such as updated contract review records, amended work orders and contracts, memos, change notices, quality plans, together with communication to relevant interested parties (persons within or outside the organization that may be impacted by the change).

A change to the Quality Management System might be necessitated by transition in Quality Management System requirements, government and legal policies, environmental and societal changes, security issues, economic and technological trends, observed risks and opportunities. An organization shall take responsibility for such changes with adequate consideration for the purpose of the changes and their potential consequences on the integrity of the Quality Management System. The availability of resources, the allocation or reallocation of responsibilities and authorities shall be planned.

Figure 15: Change planning

6.3.1 Planning the change

It is a requirement that every change to the Quality Management System shall be planned. A change to the Quality Management System means every little change no matter how small.

Some examples of changes to the Quality Management System include revision to documented information, restructuring, procurement of new technologies, changes to products and services requirements, changing of external provider, use of alternative methods in product realization process, changes to process interaction, changes to projects requirements, changes to the scope of activities, changes to process inputs and outputs, changes to acceptance criteria of inputs and outputs, changes to actions to address risks and opportunities, all shall be planned and implemented as planned.

In planning a change, an organization shall identify and evaluate the purpose for the change. The organization shall be able to determine the potential consequences of the change and take appropriate actions to address the consequences. The capacity to provide the resources needed for the change shall be considered. Responsibilities and authorities needed for the change shall be assigned to competent people.

These responsibilities and authorities will include, to determine the need and effect of the change, allocation of resources, implementing the change, monitoring the change for conformity, verifying the change to ensure planned results and to approve and validate the change.

6.3.2 Change process:

• Identify the need for change.
• Plan and review the change to include:
• Purpose of change.
• Effect and consequence of change.
• The integrity and state of the Quality Management System.
• Availability of resources.
• Allocation or reallocation of responsibilities and authorities.
• Communicate planned changes to relevant authorities for approvals.
• Assign responsibilities to implement change.
• Implement the change.
• Evaluate outcome of change against original plan.
• Implement any necessary correction.
• Conduct training.
• Integrate change into the Quality Management System.

Let us consider some examples of change.

1. Restructuring: Our affected person is an operations supervisor who has been promoted to the position of operations manager. This is a change to the Quality Management System and must be adequately planned, executed, monitored and verified for adequacy and effectiveness.

To achieve this, the organization shall:

• Identify the need for the change. The need could be that the managerial position is vacant.
• Determine the effect of the change on the Quality Management System by considering:
• If the affected person has all the requisite competence, experience, training and qualifications to handle the managerial position. If not, what are the training and qualifications needed to enable him to handle the position effectively?
• Does the organization have the facilities to give the required competence training in-house or is there a need to source external providers? If there is a need to source external providers, have the external providers been qualified to meet the Quality Management System requirements?
• How long will it take to provide this person with the required competence and how will this timeline affect productivity and delivery?
• Is there an alternative to manage the process while working on the competence of this personnel or should the organization hire another person who already has the requisite competence? What are the cost implications for both options and what are the accruing benefits in the long run?
• Are the funds or resources to run this process available? How are the resources going to be disbursed?
• Who will have the responsibility for each of the activities to be performed?
• The supervisory role that this person will be leaving, who will take charge? The person to take over the role of the supervisor is also leaving a role behind, who handles that role?
• Identify all the people that will be involved in this chain of changes and their relevant competence and take action to address all.
• Plan the change process, defining acceptance criteria for every stage.
• Assign responsibilities for the change.
• Implement the change in line with planned arrangement.
• Review and validate the change, taking action to address any deviation.
• Update relevant documented information such as organograms, job responsibilities, authorizations, personnel records etc.
• Integrate change into the Quality management System.
• Retain records of change management.

Document change: Our affected document is a standard operating procedure. The change might be necessitated by current realities.

To review and revise the procedure, the organization shall:

• Identify the need for the change.
• Determine the availability of the required resources and competent knowledge for the review.
• Request approval from relevant persons to implement document change.
• Assign the responsibilities and authorities for the review and approval.
• Implement review as planned and communicate to relevant person for quality review.
• Perform quality review to meet the requirements of the Quality Management System.
• Communicate for relevant approvals. The role that performed the original approval shall also perform the approval of the reviewed document.
• Review and approve any affected documented information.
• Conduct training on the change for all relevant people.
• Communicate approved document for implementation.
• Retain records of change management

6.3.3 Implementing the change

• Identified resources shall be provided and the change executed as planned.
• Relevant verifications shall be performed to ensure planned results are achieved.
• Change shall be approved as required and integrated into the Quality Management System.
• Relevant training on the change shall be conducted.

6.3.4 Evaluating the effectiveness of change

Change shall be monitored, measured and evaluated to ensure it is delivery intended results for the Quality Management System.

Having completed plans for the Quality Management System, the relevant resources to implement the planned arrangement shall be provided including support for the relevant roles that will affect the implementation of the planned arrangement.

Top management shall demonstrate commitment to the Quality Management System by ensuring adequate provision of these resources.

REQUIREMENT

7.1.1 General

The organization shall determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the quality management system.

The organization shall consider:

a) the capabilities of, and constraints on, existing internal resources;

b) what needs to be obtained from external providers.

7.1.2 People

The organization shall determine and provide the persons necessary for the effective implementation of its quality management system and for the operation and control of its processes.

7.1.3 Infrastructure

The organization shall determine, provide and maintain the infrastructure necessary for the operation of its processes and to achieve conformity of products and services.

NOTE Infrastructure can include:

a) buildings and associated utilities;

b) equipment, including hardware and software;

c) transportation resources;

d) information and communication technology.

7.1.4 Environment for the operation of processes

The organization shall determine, provide and maintain the environment necessary for the operation of its processes and to achieve conformity of products and services.

NOTE A suitable environment can be a combination of human and physical factors, such as:

a) social (e.g. non-discriminatory, calm, non-confrontational);

b) psychological (e.g. stress-reducing, burnout prevention, emotionally protective);

c) physical (e.g. temperature, heat, humidity, light, airflow, hygiene, noise).

These factors can differ substantially depending on the products and services provided.

7.1.5 Monitoring and measuring resources

7.1.5.1 General

The organization shall determine and provide the resources needed to ensure valid and reliable results when monitoring or measuring is used to verify the conformity of products and services to requirements.

The organization shall ensure that the resources provided:

a) are suitable for the specific type of monitoring and measurement activities being undertaken;

b) are maintained to ensure their continuing fitness for their purpose.

The organization shall retain appropriate documented information as evidence of fitness for purpose of the monitoring and measurement resources.

7.1.5.2 Measurement traceability

When measurement traceability is a requirement, or is considered by the organization to be an essential part of providing confidence in the validity of measurement results, measuring equipment shall be:

a) calibrated or verified, or both, at specified intervals, or prior to use, against measurement standards traceable to international or national measurement standards; when no such standards exist, the basis used for calibration or verification shall be retained as documented information;

b) identified in order to determine their status;

c) safeguarded from adjustments, damage or deterioration that would invalidate the calibration status and subsequent measurement results.

The organization shall determine if the validity of previous measurement results has been adversely affected when measuring equipment is found to be unfit for its intended purpose, and shall take appropriate action as necessary.

7.1.6 Organizational knowledge

The organization shall determine the knowledge necessary for the operation of its processes and to achieve conformity of products and services.

This knowledge shall be maintained and be made available to the extent necessary.

When addressing changing needs and trends, the organization shall consider its current knowledge and determine how to acquire or access any necessary additional knowledge and required updates.

NOTE 1 Organizational knowledge is knowledge specific to the organization; it is generally gained by experience. It is information that is used and shared to achieve the organization’s objectives.

NOTE 2 Organizational knowledge can be based on:

a) internal sources (e.g. intellectual property; knowledge gained from experience; lessons learned from failures and successful projects; capturing and sharing undocumented knowledge and experience; the results of improvements in processes, products and services);

b) external sources (e.g. standards; academia; conferences; gathering knowledge from customers or external providers).

EXPLANATION

7.1.1 General

Resources requirement may be determined through any of the following:

• A comprehensive annual budget.
• Periodic assessment/surveys of the Quality Management System processes.
• Requirements defined by the customer as well as those of applicable statutory and regulatory bodies.
• Results from the evaluation of risks and opportunities.
• Current capability assessment.
• Current needs and technological advancement.

Resources provided shall cover all areas of the Quality Management System (operations, improvements, people, infrastructure, information, support, outsourcing) with a view to ensuring:

• The effective implementation and continual improvement of the Quality Management System.
• Improvement of customer satisfaction through products and services conformity.

7.1.2 People

The organization shall engage and allocate its staff in order to achieve the required outcome depending on its size. The Human Resources Manager shall define the competencies required for each position and ensure that new employees hold the required and current qualifications, certificates and licenses for the position to which they are engaged.

To ensure that the best manpower is selected to meet the job requirements, all permanent and contract employees shall be selected on the basis of their skills, experience and competence.

The recruitment and selection process shall be as defined below:

• Identify staffing needs, consider options such as permanent, transfer or contract staff.
• Define the tasks to be undertaken.
• Define the responsibilities of the position.
• Define the skills and experience required.
• Draw up the contractual terms considering the employment terms and conditions.
• Advertise the vacancy internally and externally, as appropriate.
• Ensure that the interview and selection panel is suitably qualified.
• Draw up a short list of candidates.
• Interview shortlisted candidates.
• Take up references.
• Make an offer of employment and arrange a start date.
• Liaise with the payroll department.
• Arrange employee induction, orientation and introductions.

Initial training requirements shall be identified through this process and recorded using an employee competency assessment form. A training file shall be developed to assist in identifying and tracking employee training requirements and to verifying that the personnel have received the planned training.

7.1.3 Infrastructure

The Company shall provide standard structures in terms of building space, laboratories, workshops, and offices with general working utilities such as computers, lighting, air conditioners, cabinets, furniture, and other office equipment.

Appropriate and suitable test and measuring equipment shall be provided and maintained as required.

Vehicles suitable for the organization’s operations shall be provided for the management of the organization’s activities.

Communication or information systems shall be provided.

Equipment, including hardware and software shall be provided and made fit for purpose.

7.1.4 Environment

The organization shall ensure that suitable work environment needed of achieve conformity to products and services is provided, by ensuring:

• Adequate illumination in the work environment with good lighting, ventilation, safe passageways, stairs and corridors.
• Basic environmental, health and safety conditions for maximum productivity using safety gadgets and PPEs.
• Good office layouts to optimize material movement, handling, and value-added use of floor space.
• General state of cleanliness and order, consistent with good working environment.
• Offices shall be enclosed and provided with air conditioners to eliminate noise from the external environment.
• Adequate work ethics policies shall be established to protect people from discrimination and confrontation.
• Safe working equipment, tools and process shall be provided.
• Safe methods of work practices shall be adopted.
• Provision of training and instruction.
• Cascading of information to employees.
• Provision of safe means of handling, storage, use and transportation of equipment, materials and chemicals.

The organization shall ensure that the suitable environmental condition for every operation is determined and provided. Equipment shall be cultured within the defined environmental condition (temperature, humidity, dust, vibration and noise). See below sample logs.

Figure 16: Temperature monitoring log

Figure 17: Humidity monitoring log

The environmental condition includes:

Social environment:

• An environment that entrenches peace and cordial interpersonal relations, where people are not bullied, degraded and discriminated against shall be provided.
• An environment where people are free to work in harmony within the limits of their responsibilities and stress free.

Psychological environment:

• Work hours shall be planned to avoid burnout through over exertion. Job responsibilities shall not be such that will induce emotional and physical stress on the workforce.
• Every decision whether financial, restructuring, assigning responsibilities that can adversely affect the emotional stability of people shall not be allowed.
• Excessive multitasking shall not be allowed.

Physical environment:

• It shall be clean and a suitable temperature for human existence shall be provided.
• Places of work shall be adequately lighted and noise ingress shall be prevented. Where noise cannot be avoided, the right noise control PPEs shall be provided.
• People shall not be allowed to work where access to air is limited. Where people must work in such an environment, air gadgets shall be provided. In work environments where air is contaminated either by fumes, gases or dust, adequate PPEs to keep people safe shall be provided.
• People shall not be exposed to sources of heat or radiation during operations.
• Food, water, working tools and environment, PPEs, and every gadget required for operations of the Quality Management System shall be fit for use.

7.1.5 Monitoring and measuring resources

Monitoring and measuring equipment needed to ensure valid and suitable results shall be adequately determined and provided. When the standard talks about the validity of results, it is referring to the accuracy of measurement results.

The validity of measurement results is dependent on:

• The suitability of the equipment used.
• The environment under which the equipment is being used is relative to the environmental condition defined for the equipment.
• The expertise of the person doing the measurement.

Since the validity of such measurement results are relevant to the conformity of products or services, it is important that these factors upon which result validity depends are taken seriously.

Monitoring and measuring equipment shall be specific to the intended monitoring and measurement activities and shall be maintained at regular intervals.

Monitoring and measuring equipment shall be monitored for continual suitability through equipment calibration status logs and established maintenance plans. Where applicable, their integrity shall be measured against standard references. Parts shall be replaced/repaired and/or routinely maintained as per manufacturers’ manual.

Where measurement traceability is a requirement for measurement instruments, the organization shall ensure that the:

• The equipment is calibrated or verified at specified intervals, or prior to use. Equipment shall be calibrated using measurement standards traceable to international or national measurement standards. Where there is no such standard available, the basis for calibration or verification shall be recorded.
• Equipment is adjusted as necessary in accordance with the manufacturer’s instructions. Records shall be retained as evidence that equipment found to be out of calibration is adjusted or re-adjusted by qualified personnel. The validity of previous measurement results accessed when the equipment was found to be out of calibration shall be reassessed and appropriate action taken.
• Equipment is identified to enable calibration status to be determined. Every equipment shall be identified in such a way that the user can identify the calibration status of the equipment. This may be accomplished by the equipment unique serial number traceable to the calibration record. However, calibration status labels or stickers is good practice. Any convenient method may be used but we shall clearly identify the calibration status of the equipment. Where the environment is not conducive to use of stickers, status may be identified by color-coding, identification number with associated calibration record, or calibrated prior to every use.
• Equipment is safeguarded from adjustment, which may invalidate results. The organization shall ensure that persons who are not calibration experts do not adjust equipment. Equipment may be verified prior to use, however any adjustments made to equipment shall meet all requirements for the adjustment of the equipment. Methods to safeguard equipment may include locking materials for setscrews, tamper-proof seals, limited entrance to equipment areas, and other methods.
• Equipment is protected from damage during handling, maintenance and storage. The organization shall ensure that measuring equipment is handled and stored in a manner to protect the equipment from damage.
• The validity of results from a non-confirming device are re-checked with a conforming device.
• Devices are calibrated by external providers certified to ISO 17025 management system.
• Records of calibration and verification are maintained and easily available.
• Computer software which is used for monitoring and measuring is validated prior to initial use and records maintained.
• Computer software used for monitoring and measuring is re-validated where necessary and records maintained.

Where measurement traceability is not required, the organization shall verify that the monitoring and measuring equipment used are suitable and documented information is maintained in order to demonstrate suitability of monitoring and measuring equipment.

Records of maintenance and calibration shall be documented and retained as evidence of compliance.

7.1.5.1 Suitability of equipment

Equipment shall be suitable for the intended use. When monitoring or measuring is used to verify the conformity of products and services to requirements, the organization shall ensure that the monitoring and measuring equipment determined and provided are suitable for the intended monitoring or measuring activity. Equipment shall only be used to perform the specific monitoring and measuring activity for which it is designed.

7.1.5.2 Equipment maintenance

Equipment shall be maintained to ensure continuing fitness for purpose and shall be implemented with a plan. Where such maintenance is not possible with a plan because of the nature of the equipment or the type of measurement, an organization shall be able to demonstrate how the equipment is maintained.

Records of maintenance shall be retained. These records will include equipment maintenance plans with evidence of adequate implementation, equipment calibration monitoring logs with calibration certificates to demonstrate implementation of calibration, intermediate check plans and implemented intermediate check sheets to demonstrate implementation of the plan.

Equipment shall be stored and used in suitable environments, considering factors such as temperature, humidity, dust, vibration and noise which can affect the validity of measurement results.

The samples of logs below are aids to equipment maintenance, calibration and history tracking.

Figure 18: List of equipment

Figure 19: Equipment maintenance plan

Figure 20: Equipment history log

7.1.6 Measurement traceability

Calibration shall be done against measurement standards whose traceability is to international, national and manufacturer’s measurement standard. Where such a traceable standard is not available, calibration or verification shall be done using competent personnel as per validated calibration procedures.

7.1.6.1 Equipment calibration

The calibration intervals and the maintenance plan for monitoring and measuring equipment shall be established based on:

• The stability and ruggedity of the equipment.
• The nature of activity for which the equipment is used.
• The degree of usage of the equipment.
• The equipment manufacturer’s recommendation.
• The regulatory requirements for the equipment.
• The requirement of the customer.

An organization shall define its calibration interval for monitoring and measuring equipment. However, regulatory, manufacturer and customer’s requirements supersede internally defined requirements. Equipment shall be calibrated and/or verified as appropriate to ensure they are fit for use. See sample calibration monitoring log.

Figure 21: Equipment calibration monitoring log

Equipment calibration certificates shall be maintained for monitoring and measurement equipment.

A calibration certificate shall be verified to include at least the following information:

• A title such as Calibration Certificate.
• The name and address of the laboratory where the equipment was calibrated.
• The location of performance of the calibration activities, including when performed in the organization’s facility or at sites, or in associated temporary or mobile facilities.
• A unique identification that all its components are recognized as a portion of a complete report and a clear identification of the end. This is achieved by page numbering.
• The name and contact information of the organization that owns the calibrated equipment.
• The identification of the method used for the calibration.
• A description, unambiguous identification, and, when necessary, the condition of the equipment after calibration. These should include the equipment name, serial number and make.
• The date of performing the calibration activity.
• The date of issue of the calibration certificate.
• A statement to the effect that the results relate only to the equipment calibrated.
• The results of calibration with, where appropriate, the units of measurement.
• Any additions to, deviations, or exclusions from the method of calibration.
• The identification of the person(s) authorizing the calibration certificate.
• A clear identification when results are from external providers.
• The uncertainty of the measurement result presented in the same unit as that of the measurand or in a term relative to the measurand (e.g., percent).
• The conditions (e.g., environmental) under which the calibrations were made that have an influence on the measurement results.
• A statement identifying how the measurements are metrologically traceable to national or international standards.
• The results before and after any adjustment or repair, if available.
• Where relevant, a statement of conformity with requirements or specifications.
• Where appropriate, opinions and interpretations.

7.1.6.2 Status of equipment

The status of equipment shall be identified and monitored in an equipment calibration log and where applicable, a calibration tag is also placed on the equipment.

The monitoring involves:

• Regular check-up in accordance with calibration schedule.
• Calibration by means of reference standard instrument.
• Random checks and withdrawal of equipment found not calibrated or unfit for use.
• Adequate storage of equipment in suitable environmental conditions.
• The process manager is responsible for ensuring that listed monitoring and measuring equipment are calibrated as scheduled.

7.1.6.3 Safeguarding equipment

Measuring equipment shall be safeguarded from adjustments that would invalidate the measurement result by using seals and password protection.

Measuring equipment shall be protected from damage and deterioration by ensuring proper storage condition, handling and use of competent personnel for either operation or maintenance.

7.1.6.4 Validity of previous results

When equipment is found to be out of calibration or nonconforming, the equipment will be put out of use and labelled as such, until repair and calibration are conducted. Any monitoring or measuring activity affected shall be labelled and re-checked for conformity. Records of the results of calibration and verification shall be maintained.

7.1.7 Organizational knowledge

Every organization has knowledge specific to it. This knowledge is gained from years of experience, intellectual materials, lessons learned from failures and successes, results of improvements, results of research, codes and standards, conferences, learning from customers and external providers.

Though this knowledge is specific to the organization, it is actually possessed by the man that has learned it. If such knowledge is not documented, it will leave with the man who has the knowledge. It is therefore a requirement of the standard that knowledge be documented.

Organizational knowledge may be defined as information combined with experience, context, interpretation, and insights that are useful when making decisions and taking action specific to an organization’s Quality Management System. There is a strong link between organizational knowledge and the competence of employees, competence being peoples’ ability to apply knowledge to their work.

Examples of organizational knowledge include:

• Documented information regarding a process, product or service such as
• Operating procedures.
• Work instructions.
• Lessons learnt document.
• Documented quality manual.
• Standards.
• Journals.
• Operating manuals.
• Specifications, codes and standards.
• The experience of skilled people operating their processes.
• Mentoring and coaching by more experienced employees.
• Knowledge of technologies and infrastructure relevant to the organization, etc.

An organization shall identify the internal and external knowledge necessary to ensure its continual product conformity. The established organizational knowledge shall be communicated as necessary and shall be maintained and retained in accordance with Clause 7.5 of the Quality Management System standard.

In determining the organizational knowledge, the organization shall consider internal and external sources.

A. Sources of internal knowledge

Sources of internal knowledge includes the organization intellectual property, knowledge gained from experience and coaching, lessons learnt from failures and successes, capturing and sharing undocumented knowledge and experience, the results of improvements in processes, products and services.

Organizational knowledge shall be maintained and made available to the extent necessary. When addressing changing needs and trends, the organization shall consider its current knowledge and determine how to acquire or access any necessary additional knowledge and required updates.

Evidence of internal knowledge necessary for the operation of processes and to achieve products and service conformity include:

• Contract review requirements.
• Maintained and retained documented information to demonstrate the operation of processes.
• Records of monitoring and measuring resources.
• Competence records of personnel, training records, training feedback.
• Operational planning and control process documents and records.
• Supplier evaluation and monitoring records.
• Change control records.
• Product non-conformity records.
• Corrective action records.
• Quality policy.
• Quality Objectives.
• Identification and traceability records.
• Records of the release of products and services.
• Quality Management System performance and effectiveness evaluation records.
• Internal audit programs and reports.
• Minutes of management review meetings.

B. Sources of external knowledge

Sources of external knowledge may include other ISO International standards, research papers, webinars from conferences, knowledge gathered from or about customers, stakeholders or other external parties.

External organizational knowledge may be gathered from sources such as:

• Lessons learnt from non-conformities, corrective actions, and the results of improvement.
• Gathering knowledge from customers, suppliers and partners.
• Benchmarking against competitors.
• Capturing knowledge existing within the organization through mentoring and succession planning.
• Sharing knowledge with relevant interested parties to ensure sustainability of the organization.
• Knowledge from conferences, attending trade fairs, networking seminars, or other external events.

Evidence of knowledge necessary for the operation of processes and to achieve products and service conformity include:

• Records of using the Plan-Do-Check-Act approach to address organizational knowledge.
• Records of top management providing the leadership and direction for establishing strategies to use organizational knowledge, policies and objectives to maximize the value derived from organizational knowledge.
• Records of identified scope of organizational knowledge relevant to its business and related risks and opportunities associated with each type of organizational knowledge.
• Records of defined process needed to manage organizational knowledge (identify, obtain, accumulate, store, communicate, use, maintain, protect and evaluate) the performance of organizational knowledge management against objectives.
• Records of defined roles, authority and responsibilities for organizational knowledge process activities.
• Records of determined competency requirements, appropriate training provided and awareness for all employees using organizational knowledge.
• Records of established processes for communication, participation and consultation.
• Records of determining the nature and extent of documentation required to manage organizational knowledge.
• Records of identified applicable regulatory and other requirements.
• Records of defined organizational knowledge change management process.
• Records of implementing the organizational knowledge plan.
• Records of tracking organizational knowledge performance measures.
• Records of investigating loss, irretrievability or theft of organizational knowledge.
• Records of evaluating compliance to applicable regulatory requirements.
• Records of maintaining appropriate records of organizational knowledge management activities.
• Records of reviewing data from CHECK stage and determined improvement actions.
• Records of verifying achievement of organizational knowledge goals and objectives.

7.1.7.1 Maintaining the knowledge

It is a requirement that the organization determines the knowledge required for the effective operations of its processes. That is, the organization, after determining its Quality Management System processes, shall determine what knowledge shall be documented for the effective operation of each of the processes. This knowledge is documented as procedures that shall be maintained and made readily available at the point of use.

No system is static, new learning abounds daily and so the changes and increase in the knowledge acquired. With the changing trend of learning and knowledge acquired that affects the Quality Management System, the established knowledge shall be continually reviewed and revised for suitability, adequacy and effectiveness.

7.1.7.2 Changes and updates

The standard requires that when addressing changes, needs and trends, the organization shall consider the already documented knowledge to determine its adequacy or the need to acquire new knowledge. Having acquired the new knowledge, the organization shall review and update the documented knowledge to capture the new knowledge gained. That way, the organizational knowledge is continually improved and retained for use.

REQUIREMENT

The organization shall:

a) determine the necessary competence of person(s) doing work under its control that affects the performance and effectiveness of the quality management system;

b) ensure that these persons are competent on the basis of appropriate education, training, or experience;

c) where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken;

d) retain appropriate documented information as evidence of competence.

NOTE Applicable actions can include, for example, the provision of training to, the mentoring of, or the reassignment of currently employed persons; or the hiring or contracting of competent persons.

EXPLANATION

The person doing work that affects the Quality Management System shall be competent.

No matter the acquired technology, methods and established processes, if the process is driven by incompetent persons, the outputs will definitely be nonconforming and even the technology will be messed up. It is therefore a requirement by the standard that people doing work that affects the Quality Management System be competent.

To achieve this, it is necessary to determine and document the competence for every role and engage persons with the right competencies to fill the roles.

The organization shall ensure that all staff doing work under the organization’s control are competent, and that evidence of continuing competence is maintained. Maintain documented information shall include skills matrix, training records, personnel files, CVs, job descriptions, authorization, etc.

See below sample logs.

Figure 22: Personnel list

Figure 23: Authorization matrix

The organization shall take steps such as training to acquire necessary competence.

To establish and maintain a competency-based training plan, the following steps shall be considered:

• Identify competency-based training needs.
• Prepare the training materials.
• Conduct and evaluate the training.

The organization shall determine the necessary competence of person(s) doing work under its control that affect its quality performance and ensure that these competencies are possessed by the people doing work under the organization’s control, including the organization’s own personnel, contractors and outsourced personnel working either on site or off site.

Training alone is not sufficient to demonstrate competence, this shall be demonstrated through appraisals, tests, observations, output results, etc.

Where the people are found not to be competent, the organization is required to take necessary action to acquire the needed competence. The actions taken shall be evaluated for effectiveness in improving competence to the required level. Examples of actions may include remedial training, recruitment or the use of external persons with the required competence.

7.2.1 Training plan

Line Managers and Supervisor should develop, implement and monitor a training plan for the workers in their teams, based on the outcome of the Training Needs Analysis. Training plans shall be reviewed regularly to ensure that they are up to date and meet current needs.

Training shall be scheduled and prioritized according to the needs of the work area unless required for the commencement of work, or where the work requires a license, certificate of competency or accreditation to perform the job.

See below sample training plan.

Figure 24: Training plan and matrix

7.2.2 Training needs analysis

The first step to acquiring personnel competency needs is to develop a competency-based training program. In addition to existing workers, new hires, temporary workers and outside contractors shall be included when identifying training needs. The organization shall demonstrate through an approved training plan that the training needs for workers are identified.

Line Managers and Supervisors shall determine the training required for workers under their supervision. This is to fill the gap in training, knowledge, competence and skills of each person. Where skill deficiencies are identified or when competencies expire, appropriate training, retraining and supervision shall be provided prior work. Gaps in training, knowledge or competence shall be identified and filled.

Line Managers and Supervisors shall continually monitor the ability of all their workers and evaluate their competencies through appraisals at defined intervals. Appropriate training requirements can be further identified through this process using a Competency Appraisal Form. The completed appraisal documents shall be passed on to the Human Resources Manager for review and any new training needs that are identified are added to the training plan. It should be noted that performance evaluations are considered confidential information between the employee, supervisor and Human Resources.

Though some personnel may have the same job, the type or level of training may differ according to the person’s past education, training, and experience. Training may be as simple as on-the-job training conducted by more experienced members of the team, formal training, including classroom instruction and training provided by external consultants.

Line Managers and Supervisors shall be responsible for:

• Nominating training mentor.
• Devising basic training plan.
• Ensure training is provided.
• Evaluating the effectiveness of the training through the appraisal process.

Training records shall be updated when competence is attained.

A register containing information on the specified levels of education, training, and experience shall be established for each employee whose work impacts customer satisfaction.

7.2.3 Determining necessary competence

The competences of persons performing work that affects the Quality Management System and the conformity to products and services may be determined through either or a combination of the followings:

• Job specifications.
• Work/purchase orders.
• Forecast management and succession needs.
• Changes to organizational processes, tools, and equipment.
• Customer as well as applicable statutory and regulatory requirement.
• Competency appraisal/assessment of persons to perform specific task.
• Evaluation of the organization’s business plan.
• Applicable technology and methods.

7.2.4 Personnel competency

A person’s competency shall be based on appropriate education, training, or experience. The key word here is “OR”.

Meaning, a person may be qualified for a role on the basis of his academic qualification even without professional training or experience, because these can be acquired on the job.

It also means a person may be qualified for a role by virtue of his professional training targeted on that role even without having the academic qualification or experience because a targeted training gives the relevant knowledge for any role.

Lastly, a person may be qualified for a role based on his years of experience. However, this does not negate the capacity of an organization to define all three requirements for a role.

7.2.5 Acquiring necessary competence

Where a do not have the necessary competence required for a role or a person occupies a position for which he/she do not have the required competence, the organization shall take actions to acquire the necessary competence and evaluate the effectiveness of the actions taken.

Possible actions may include:

• Training to acquire the relevant competence.
• Reassigning of the role to personnel with the required competence.
• Engagement of person with the required competence.
• Subcontracting the role to an external provider.

By the standard, correction shall be made by ensuring that every personnel occupying a position for which he/she is not qualified is trained to acquire the relevant competence and where training is not feasible, the affected person shall be relieved of his/her duties in that role.

This clause also requires that people doing work that affects the Quality Management System be trained and retrained regularly because new methods and new technologies are evolving daily. And the requirements for each role are continually changing. It is therefore a requirement that people doing work that affects the Quality Management System be trained regularly to remain relevant.

Having taken action to address the competency need, it is a requirement that the effectiveness of the action taken be evaluated. This may be done through performance evaluation.

7.2.6 Retaining evidence

Appropriate records to demonstrate competence and of action taken to address competence shall be retained.

These records may include qualification certificates, training certificates, training plans, training attendances, evidence of evaluation depending on the method of evaluation, appraisal records.

REQUIREMENT

The organization shall ensure that persons doing work under the organization’s control are aware of:

a) the quality policy;

b) relevant quality objectives;

c) their contribution to the effectiveness of the quality management system, including the benefits of improved performance;

d) the implications of not conforming with the quality management system requirements.

EXPLANATION

Persons doing work under the organization’s control (Interested parties – Customers, Employees, Shareholders, Society and Suppliers) shall be aware of:

1. The quality policy.

This may be achieved through:

• Quality inductions at the point of engagement.
• Displaying the quality policy in strategic places and in offices of the organization.
• Regular quality awareness program.
• Making the quality policy available on the company’s website.
• Communicating the policy as relevant.

2. Relevant quality objectives.

This may be achieved through:

• Displaying the quality objectives in strategic places and in offices of the organization.
• Training on the process of setting, monitoring and evaluating the quality objectives.
• Regular quality awareness program.
• Regular meetings to discuss performance with regards to the quality objectives.

3. Their contribution to the effectiveness of the Quality Management System, including the benefits of improved performance and the implications of not conforming with the Quality Management System requirements.

This may be achieved through:

• Quality inductions at the point of engagement.
• Regular quality awareness program.
• Ensuring that adequate job responsibilities and authorities are defined and communicated.
• Operating procedures and relevant work instructions are made available at the point of use.
• Regular meetings to discuss performance with regard to the Quality Management System.
• Recognizing and appreciating excellence.
• Rebuking failures.

The content of awareness training may include items covered in induction training, specific training, toolbox talks or any other quality, environmental, or health and safety issues that affect employees in the workplace.

Training techniques may include short training segments supplemented with videos and hands-on demonstrations that address key elements of the Quality Management System. Other methods may include communication via electronic bulletin boards, posters, newsletters and informational meetings.

Awareness training is intended to provide an overview of the organization’s quality policy, objectives and targets, and overall Quality Management System.

All new personnel (workers, contractors and temporary staff) shall receive induction briefings and periodic Quality Management System awareness training.

REQUIREMENT

The organization shall determine the internal and external communications relevant to the quality management system, including:

a) on what it will communicate;

b) when to communicate;

c) with whom to communicate;

d) how to communicate;

e) who communicates.

EXPLANATION

The organization shall determine the communication that is relevant to its Quality Management System, whether with the external interested parties or the internal interested parties. Communication within processes, across processes and with the external parties shall be an on-going activity as much as official works are concerned.

The organization shall define:

• What to communicate.
• When to communicate.
• With whom to communicate.
• How to communicate.
• Who communicates.

To achieve this, the organization shall provide the relevant gadgets for communication both with the external interested parties or the internal interested parties. Information security and integrity shall also be considered.

The matrix below may be a sample.

Figure 25: Communication matrix

7.4.1 Internal communication

As appropriate for internal communication, the following communication media may apply.

• General noticeboard within the Company.
• Internal memos.
• Letters.
• Inter-office memoranda.
• Meeting.
• Internet.
• Intercom telephone lines.
• Face-to-Face interaction.

7.4.2 External communication

On external communications, designated persons shall function as focal points for communication. Such communications are necessitated during customer enquiry, technical clarifications, delivery of service, business meetings, seminars, campaigns, marketing, customer feedback and complaints.

Communications with the external may be achieved through any of the following media.

• Website.
• Webmail.
• Phone. conversation.
• Letters.
• Face-to-face visits/interview.
• Customer feedback forms.

Where appropriate, records of communication should be maintained.

REQUIREMENT

7.5.1 General

The organization’s quality management system shall include:

a) documented information required by this International Standard;

b) documented information determined by the organization as being necessary for the effectiveness of the quality management system.

NOTE The extent of documented information for a quality management system can differ from one organization to another due to:

— the size of organization and its type of activities, processes, products and services;

— the complexity of processes and their interactions;

— the competence of persons.

7.5.2 Creating and updating

When creating and updating documented information, the organization shall ensure appropriate:

a) identification and description (e.g. a title, date, author, or reference number);

b) format (e.g. language, software version, graphics) and media (e.g. paper, electronic);

c) review and approval for suitability and adequacy.

7.5.3 Control of documented information

7.5.3.1 Documented information required by the quality management system and by this International Standard shall be controlled to ensure:

a) it is available and suitable for use, where and when it is needed;

b) it is adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity).

7.5.3.2 For the control of documented information, the organization shall address the following activities, as applicable:

a) distribution, access, retrieval and use;

b) storage and preservation, including preservation of legibility;

c) control of changes (e.g. version control);

d) retention and disposition.

Documented information of external origin determined by the organization to be necessary for the planning and operation of the quality management system shall be identified as appropriate, and be controlled.

Documented information retained as evidence of conformity shall be protected from unintended alterations.

NOTE Access can imply a decision regarding the permission to view the documented information only, or the permission and authority to view and change the documented information.

EXPLANATION

A document is an information and its supporting medium. The Quality Management System standards require a documented system of information. This therefore implies that a documented system needs to be established, implemented, documented, maintained and retained.

7.5.1 Hierarchy of documented information

Quality Management System documentation may be broken down into four hierarchies.

• Documented statements of quality policy and quality objectives.
• Quality manuals.
• Documented procedures and work instructions.
• Quality records (forms, logs, reports, registers, drawings, etc.).

All the documented information required by the International Standard and the documented information determined by the organization as being necessary for the effectiveness of the Quality Management System falls within these categories.

Figure 26: Documentation hierarchy

1. Quality policy and objectives

The organization’s quality policy and objectives are at the peak of the Quality Management System. The quality policy shall be appropriate to the purpose and context of the organization and shall support its strategic direction. The quality objectives shall be consistent with the quality policy.

2. Quality manual

The Quality Manual is next in the hierarchy of the Quality Management System documentation. The manual outlines the scope of the organization’s Quality Management System, quality policy, quality objectives, organization’s structure, relevant processes, service provision requirements as well as the relevant documented information required. It defines the integration of the International Standard into the organization’s Quality Management System.

3. Operating procedures and work instructions

Third in the hierarchy are standard operating procedures and work instructions, they define the organization’s activities and identify the type of quality records to be generated for each activity. They also define the interrelationship of personnel who are involved in related activities and the required verifications and validations.

Work instructions gives the comprehensive details of the sequence of Quality Management System related activities including the materials, equipment, and documents to be used, how the activities are to be controlled and the resulting documentation required.

4. Quality records.

The fourth level of documentation is the forms used to provide records of compliance with the Quality Management System requirements. They provide evidence to demonstrate conformity to planned arrangements of the organization. Data resulting from process monitoring and measurement are documented as records.

These records are evaluated and reviewed to determine the suitability, adequacy and effectiveness of the organization’s Quality Management System.

7.5.2 Importance of documented information

Some of the importance of an organization’s documented information includes:

• Documented information is a tool for transmitting and communicating information. The type and extent of the organization’s documented information shall depend on the nature of the organization’s products and processes, the degree of communication formality and the level of communication skills within the organization.
• They provide evidence of conformity to the requirements of the Quality Management System.
• Provision of evidence for the fulfillment of planned arrangements.
• It is a knowledge sharing tool.
• To propagate and preserve the organization’s knowledge gathered from experiences.

7.5.2.1 Documented information required by the international standard

The organization’s Quality Management System shall include documented information required by the ISO 9001:2015 International Standard.

From the fourth clause of the standard, we have identified several documented information required by the standard, some of which includes:

• Scope of the Quality Management System.
• Documented information necessary to support the operation of processes.
• External and internal issues.
• Interested parties and their requirements.
• Actions to address risks and opportunities.
• Quality policy.
• Quality objectives.
• Job responsibilities and authority.
• Statutory and regulatory requirements.

It is a requirement that the organization shall establish, document, maintain and retain all the documents that are relevant to the international standard.

7.5.2.2 Documented information determined as being necessary by the organization

Also, the organization’s Quality Management System shall include documented information determined by the organization as being necessary for the effectiveness of the Quality Management System.

Depending on the scope of the organization’s activities, complexity of the established processes and the competence of engaged persons, the organization may see the need to establish other documented information not defined by the standard.

Such documented information may include:

• Standard operating procedures.
• Applicable codes and standards.
• Work and test instructions.
• Specifications.
• Check sheets.
• Material Safety Data Sheets and signs.
• Logs and registers.
• Forms.
• Drawings and charts.
• Competency records.
• Complaints management records.
• Customers’ feedback evaluation records,
• Nonconformity and corrective action control records,
• Training records.
• Internal audits records.
• Management review records.
• Equipment maintenance records.
• Organization charts.
• Process maps, process flow charts and descriptions.
• Documents containing internal communications.
• Production schedules.
• Approved supplier lists.
• Test and inspection plans.
• Quality plans.
• Quality manuals.
• Strategic plans.
• Tags and so on.

These are necessary for the effective performance of the Quality Management System and shall be established, documented, maintained and retained by the organization.

7.5.2.3 Documented information to demonstrate the evidence of compliance to the Quality Management System

Documented information needed to be retained by the organization for the purpose of providing evidence of results achieved may include:

• Documented information to the extent necessary to have confidence that the processes are being conducted as planned.
• Evidence of fitness for the purpose of monitoring and measuring resources.
• Evidence of the basis used for calibration of the monitoring and measurement resources (when no international or national standards exist).
• Evidence of competence of persons doing work under the control of the organization that affects the performance and effectiveness of the Quality Management System.
• Results of the review and new requirements for products and services.
• Records needed to demonstrate that design and development requirements have been met.
• Records on design and development inputs.
• Records of the activities of design and development controls.
• Records of design and development outputs.
• Design and development changes, including the results of the review and the authorization of the changes and necessary actions.
• Records of the evaluation, selection, monitoring of performance and re‐evaluation of external providers and any actions arising from these activities.
• Evidence of the unique identification of the outputs when traceability is a requirement.
• Records of property of the customer or external provider that is lost, damaged or otherwise found to be unsuitable for use and of its communication to the owner.
• Results of the review of changes for production or service provision, the persons authorizing the change, and necessary actions taken.
• Records of the authorized release of products and services for delivery to the customer including acceptance criteria and traceability to the authorizing person(s).
• Records of nonconformities, the actions taken, concessions obtained and the identification of the authority deciding the action in respect of the nonconformity.
• Results of the evaluation of the performance and the effectiveness of the Quality Management System.
• Evidence of the implementation of the audit program and the audit results.
• Evidence of the results of management reviews.
• Evidence of the nature of nonconformities and any subsequent actions taken.
• Results of any corrective action.

7.5.3 Documentation requirements

Interested parties and their requirements are continually changing. This affects the organization’s Quality Management System and its ability to provide conforming products and services. This requires the continual improvement of the Quality Management System.

To ensure the effectiveness of the organization’s Quality Management System and its continual improvement, documented information relevant to the Quality Management System shall be continually created and updated.

7.5.4 Creating and updating

To establish a documented information, the following steps may apply:

• Identify the need to establish documented information.
• Prepare the documented information in the organization’s standard documentation template.
• Refer to organization’s documented information numbering procedure and the document controller to assign a unique number to the document.
• Identify the documented information by assigning a document title.
• Assign a revision number and a revision date to the document.
• Insert the names of the document originator, reviewer, approver and the applicable date.
• Number all the sheets or pages of the documented information.
• Communicate the documented information for review and approval by relevant authorities.
• Communicate approved documented information for implementation.

7.5.4.1 Document dentification

An organization’s documented information shall include the follow as a minimum:

• Name of organization.
• Logo of organization.
• Document title.
• Document control number which shall be a unique number assigned to the document.
• Revision number
• pagination
• Date of Revision

The document may also include if applicable:

• Issue number.
• Volume number.
• Last update date.
• The name and signature of document originator.
• The name and signature of document reviewer.
• The name and signature of document approver.
• Any other control, as necessary.

7.5.4.2 Document format

The organization shall ensure that documented information is established, maintained and retained in the appropriate format.

The appropriate format includes:

Language: The language of the documented information shall be the official language in use and understood in the organization.

Software version: Documented information for an organization shall be in the appropriate software version that is accessible to all its interested parties.

Graphics: Organization’s documented information shall be in the appropriate font and font size as defined for the organization. Spacing and margins shall be as defined for the organization’s Quality Management System and the information contained shall be legible.

Media: The medium (whether in paper or electronic format) for establishing, documenting, maintaining and retaining an organization’s documented information shall be appropriate and usable to all relevant interested parties.

7.5.4.3 Review and approval

The organization shall develop and maintain a dedicated master document control register. This shall contain the traceability and control information for every relevant documented information for the organization’s Quality Management System. Only approved relevant documented information shall be captured in the master document register.

See sample below.

Figure 27: Master document register

Below is the process of documented information review:

• Document originator shall submit the document to line manager or superior officer for review.
• The line manager or superior officer checks the document for suitability and adequacy.
• Communicate document for quality review and control.
• Communicate document to the approving authority for approval.
• Communicate approved document for implementation.

Documents produced by Suppliers, Customers, Subcontractors shall be reviewed and controlled according to the requirements for the control of documents of external origin.

7.5.5 Control of documented information

Organization’s Quality Management System documentation shall be controlled.

They shall be controlled to ensure that:

• The documented information is available and suitable for use where and when it is needed.
• The integrity of the documented information is maintained and protected from authorized or unintended alteration.
• The confidentiality of the documented information is maintained by ensuring that the information is kept within the privy of those the information is meant for only. Information shall be protected from getting into the wrong hands.
• The documented information is not misused or used for the wrong purposes.

To achieve this, the organization shall consider the following for its documented information:

7.5.5.1 Availability and suitability

Documented information shall be available where and when needed. The available documented information shall be suitable for use. This is achieved by ensuring that only the most recent versions of documented information are made available at the point of use, unless approved otherwise by the relevant authorities.

Distribution of documented information shall be controlled to prevent information getting into the wrong hands. The organization shall ensure that provided information are being used for the intended purposes only and any improper use shall be adequately addressed.

An organization shall have the capacity to easily retrieve documented information whether stored or distributed to safeguard the integrity of the information.

Documented information may be distributed according to a defined document distribution matrix.

Copies of the documented information whether in paper or electronic format may be distributed as defined in the matrix.

Figure 28: Master documents distribution matrix

Documents distributed as hard copies outside the organization may be distributed under the cover of transmittal by ensuring the following:

• Produce the required numbers of documents to be distributed.
• Prepare a document transmittal listing all the documents to be distributed.
• Assign reference number to the transmittal sheet for traceability.
• Distribute the documents under the cover of the transmittal.
• File copies of transmittal sent and received.
• Update the documented information distribution register.

7.5.5.2 Access and storage

Documented information shall be stored in such a way as to prevent deterioration, loss of integrity or loss of confidentiality. The organization shall ensure that access to documented information shall be by adequate authorization using master document distribution matrix. The matrix shall define who should have access to a particular document.

Documented information may be stored either in hard copy or electronically. They shall be physically or electronically filed by a method that eases accessibility and retrieval by the user. Hard copy documented information may be stored in box files in filing cabinets. Critical information in hard copies may be scanned and backed up electronically.

Electronic documented information and data files should be backed up on a regular basis to prevent the loss of information due to equipment malfunctions or human error. Such backups may be either to the corporate organization server or external hard disk, whichever is feasible.

7.5.5.3 Control of change

When there is need to change or update (review and revise) an existing documented information, the review shall go through the management of change process. The need for documented information update shall be approved by the relevant authorities.

The need for change may arise from:

• Change in customer needs.
• Change in statutory and regulatory requirements.
• Change in work scope and activities.
• Acquisition of new technology.
• Acquisition of new knowledge.
• Change in working environment.

Whenever there is a change to any of the factors that affect the conformity of products and services or the integrity of the Quality Management System, the affected documented information shall be updated to capture the change.

To perform an update, the integrity of the documented information shall be considered. After the change, the documented information shall pass through relevant reviews and approvals for suitability and adequacy. The authority to approve a changed documented information shall not be lower than the authority that approved the superseded version.

When a change is made to documented information, the superseded documented information shall be mopped from the system and replaced with the current version of the documented information, to prevent unintended use of the obsolete version.

Records of change management shall be retained as evidence.

7.5.5.4 Retention and disposal

Documented information is retained or archived for future reference prior to disposal. Documented information shall be retained in accordance with defined requirements. The defined requirements may be from statutory and regulatory requirements, customer requirements or organization’s defined requirements in that other.

At the expiration of the retention period and possible approval from the relevant authorities, documented information may be disposed by shredding, burning or transfer to other location for archiving as may be determined by the organization’s requirement.

7.5.5.5 Documents of external origin

Documents received from external interested parties such as external providers, customers or society are called documents of external origin. Such documents shall be identified and controlled. The identification shall be a unique number assigned to the document where the document external originator does not assign a unique number to the document.

But where a unique number is assigned to the document by the external originator, that unique number may be adopted. The control may be through the organization’s stamp, signed and dated.

7.5.5.6 Document protection

Documented information shall be safeguarded to prevent unintended alteration, to ensure information confidentiality and integrity. This may be achieved through access control, application of passwords, use of read-only document formats, use of systems antivirus, document distribution control, effective retrieval and adequate disposal of documented information.

This is the practical application of defined principles, processes, procedures, methods, resources and controls to achieve planned results.

Having set up the processes and their interactions for the Quality Management System, established the policies, objectives and roles, provided the needed resources for the performance of the Quality Management System, the organization need to put all to work to achieve the organization’s objective.

This is the essence of the DO in the Plan – DO – Check – Act cycle.

REQUIREMENT

The organization shall plan, implement and control the processes (see 4.4) needed to meet the requirements for the provision of products and services, and to implement the actions determined in Clause 6, by:

a) determining the requirements for the products and services;

b) establishing criteria for:

1) the processes;

2) the acceptance of products and services;

c) determining the resources needed to achieve conformity to the product and service requirements;

d) implementing control of the processes in accordance with the criteria;

e) determining, maintaining and retaining documented information to the extent necessary:

1) to have confidence that the processes have been carried out as planned;

2) to demonstrate the conformity of products and services to their requirements.

The output of this planning shall be suitable for the organization’s operations.

The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary.

The organization shall ensure that outsourced processes are controlled (see 8.4).

EXPLANATION

Operations planning is the process of establishing, expanding or improving the core day-to-day processes and practices of an organization’s business activities. It refers to the determination and provision of every requirement needed to deliver conforming products and services to the customer.

The organization shall undertake risk analysis, study key performance processes and ensure that the results of actions arising from risk management are incorporated into key products and processes. The organization shall develop the capabilities, training, qualifications, procedures and work instructions necessary to execute planned arrangements to ensure product conformity.

Ensuring suitable production facilities, equipment, inspection, handling and servicing capabilities are available to achieve contract or customer requirements. Ensuring that environmental factors such as lighting, housekeeping, contamination, handling equipment, temperature compensation and process licensing are managed in such a way as to comply with customer and regulatory requirements.

The primary planning documents for an organization’s products and services is the standard operating procedure. In planning, the procedure shall define the inputs, the outputs, the process of converting the inputs to outputs, storage requirements, handling requirements, transportation requirement, records keeping requirements, verification and validations requires, post-delivery requirements and others as may be applicable.

The procedure shall establish the criteria for accepting the product realization process and the acceptance of the final product or service. By this, the procedure shall define a clear methodology for the step-by-step process performance. It shall define the quality checkpoints for verifying the process and the criteria for products conformity. This process shall be conducted as defined.

The procedure shall define the resources needed to ensure products and services conformity. These resources shall include authority for products or process validation, authority for product or process verification, competency for work performance, equipment specific to work performance, environment required for valid process performance, measuring and testing requirements with the applicable tools, timelines for performance of relevant stages.

The procedure shall define how and when to implement the relevant controls to meet the defined process acceptance criteria. This has to do with quality assurance and quality control activities to ensure the conformity of products and services to defined criteria.

The procedure shall identify the relevant forms, logs, registers or other documentation that shall be implemented in the course of process performance as evidence of conforming process implementation.

Having determined these documents, it is a requirement that these documents be implemented as defined in the procedure and records of such implementation shall be retained in line with records control procedure. This is to demonstrate the conformity of products and services to requirements and to show confidence that the processes have been conducted as planned. Lack of these records as evidence implies that the Quality Management System planned arrangement has not been implemented. All process activities and performance shall be documented in the defined forms and logs as records to demonstrate evidence of conformity to defined requirements.

Operational personnel shall execute the process and production plans as per instructions and in the sequence presented to them. When required, they shall stop work if they identify any discrepancies or deviation in product, planning or instructions and shall report the deviation to their immediate supervisor, and make input into process improvement or corrective action.

The output of this planning shall be suitable for the organization’s operations. This implies that the process procedure shall suit the process activities and performance. The procedure shall define exactly what the organization does, and the organization shall do exactly what the procedure says. If the procedure says one thing and what the organization does on the actual is different, this becomes a nonconformity because the organization is driving a procedure that is not suitable for its processes. This is the reason for the continual review of process procedures. Procedures shall be continually reviewed to capture exactly what the organization does at present.

The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary. A change to the organization’s planned procedure is a direct change to the Quality Management System of the organization. As a requirement, such changes must be controlled to prevent unintended adverse effects on the organization’s Quality Management System and products conformity. This shall go through a change management process.

The organization shall identify the need for the change, evaluate the effect of the change, identify the relevant resource for the change, identify all other documents that will be affected by the change, communicate the need for change for relevant approval, implement change, manage every other document affected by the change, evaluate change for effectiveness, take action to address any deviation and integrate change into the Quality Management System.

Where such a change can affect product conformity or compliance with the Quality Management System requirement, action shall be taken to address the effect of the change. Such actions may be to conduct awareness, train personnel, perform restructuring, engage new hands, procure new equipment or technology, change work location, adopt new codes or methods.

Where the organization considers outsourcing a part of the service provision process, a subcontracting management process shall be implemented.

REQUIREMENT

8.2.1 Customer communication

Communication with customers shall include:

a) providing information relating to products and services;

b) handling enquiries, contracts or orders, including changes;

c) obtaining customer feedback relating to products and services, including customer complaints;

d) handling or controlling customer property;

e) establishing specific requirements for contingency actions, when relevant.

8.2.2 Determining the requirements for products and services

When determining the requirements for the products and services to be offered to customers, the organization shall ensure that:

a) the requirements for the products and services are defined, including:

1) any applicable statutory and regulatory requirements;

2) those considered necessary by the organization;

b) the organization can meet the claims for the products and services it offers.

8.2.3 Review of the requirements for products and services

8.2.3.1 The organization shall ensure that it has the ability to meet the requirements for products and services to be offered to customers. The organization shall conduct a review before committing to supply products and services to a customer, to include:

a) requirements specified by the customer, including the requirements for delivery and postdelivery activities;

b) requirements not stated by the customer, but necessary for the specified or intended use, when known;

c) requirements specified by the organization;

d) statutory and regulatory requirements applicable to the products and services;

e) contract or order requirements differing from those previously expressed.

The organization shall ensure that contract or order requirements differing from those previously defined are resolved.

The customer’s requirements shall be confirmed by the organization before acceptance, when the customer does not provide a documented statement of their requirements.

NOTE In some situations, such as internet sales, a formal review is impractical for each order. Instead, the review can cover relevant product information, such as catalogues.

8.2.3.2 The organization shall retain documented information, as applicable:

a) on the results of the review;

b) on any new requirements for the products and services.

8.2.4 Changes to requirements for products and services

The organization shall ensure that relevant documented information is amended, and that relevant persons are made aware of the changed requirements, when the requirements for products and services are changed.

EXPLANATION

Products and services requirements may result from statutory and regulatory requirements, customer requirements and the organization’s own defined requirements. These requirements shall be adequately defined, understood and agreed with the customer prior to products and services provision.

8.2.1 Customer communication

The necessary resources, procedures, processes, and infrastructure to enable efficient communication with the customer shall be determined and provided.

The organization needs to understand that the main aim of any Quality Management System is customer focus. The ability to satisfy the customer, meet the requirements of the customer and possibly exceed the expectation of the customer. To achieve this, there is a need for adequate and effective communication between the organization and the customer.

Communication with customers shall include information relating to products and services.

This may be seen in two ways:

• Information on the products and services that the organization can offer to customers.
• Information on the products and services that the organization is offering to the customer.

A customer shall be fully aware of the organization’s scope of products and services it can offer. The customer shall know the HOW, WHEN, WHERE and WHICH products and services the organization can offer to enable the customer to determine the extent to which the organization may be engaged.

The following specific customer communication shall be observed and evidenced as applicable:

• Marketing information.
• Quotations and order forms.
• Confirmation of authorized orders and amended orders.
• Delivery notes and certificates of conformity.
• Invoices and credit notes.
• E-mail and general correspondence.
• Site visit reports or notes to or from customers.
• Customer feedback and complaints management process.

The organization shall establish an effective arrangement to provide the customer with product information, handling inquiries, handling orders and for handling customer comments, including compliments and complaints.

The organization shall consistently furnish the customer with information concerning the products and services the organization is providing. That way, the customer is aware of the job progress and shall be able to take relevant decisions when required and make changes when necessary.

Such information may include Selected methods, parts to be subcontracted and the third-party subcontractor, material type and relevant quality control checks, deviations, defects and nonconformities, project quality plan, operations location and so on.

Communication is a two-way process between the organization and the customer. It is therefore required that the organization shall ensure that customer requirements for products and services are communicated to the organization by the customer.

These requirements shall include:

• How customer materials shall be managed.
• Scope of the job to be performed for the customer.
• Terms and conditions for product or service provision.
• Changes to any of the requirements for the product or service to be provided.

These requirements shall be communicated and fully understood by both parties.

The organization shall get feedback from customers on their perception of the organization’s products and services. This will enable the customer to rate the organization on the satisfaction they derive from the products and services provided to them. This becomes a tool for the organization to shape its processes with the aim for continual improvement.

When a complaint is received from a customer or any other interested party, the complaint shall be adequately addressed and where appropriate, corrective action is taken.

To address a complaint:

• Identify and document the complaint.
• Take remedial action to correct the object of complaint and communicate correction back to customer or the interested party.
• Do a root-cause analysis on the complaint to determine the underlying cause of the complaint.
• Propose and implement relevant corrective actions.
• Document results of investigation and actions taken.
• Maintain records.

Where the complaint has a high impact on the conformity of products and services, the organization may escalate the complaints for further investigation to adequately address the root-cause of the complaint.

The template below may be used to document complaints.

Figure 29: Complaint management log

The requirements for handling customer properties shall also be communicated. These may include the requirements for transportation, receipt, handling, protection, storage, retention, disposal or return of customer properties.

The requirements for contingency action shall also be communicated. The customer shall be fully aware of the organization’s plan for emergency situations. How it intends to address risks and emergencies that may emanate in the course of the product or service provision.

A job hazards analysis with the relevant proposed remedial actions shall be established and communicated to the customer.

This clause is aimed at ensuring the full understanding of every term and condition of the project by both parties prior to products and services provision.

8.2.2 Requirements for products and services

The requirements relating to products and services shall be determined.

They may be determined from:

• The requirements specified by the customer.
• The requirements not stated by the customer but necessary for specified or intended use, where known by the organization. These may be requirements specified by codes, standards and manuals.
• Statutory and regulatory requirements applicable to the products and services.
• The organizational knowledge and lesson learned from previous jobs.
• Requirements defined by the organization for the provision of its products and services.

An organization shall only accept to provide products and services to a customer when it has been verified that the organization has the capacity to provide such products and services.

8.2.2.1 Determining requirements.

When determining the requirements for the products and services to be provided to customer, the organization shall ensure that:

The requirements for the products and services are defined, including:

• Customer defined requirements which may be defined in the contract documents.
• Any applicable statutory and regulatory requirements. Statutory and regulatory requirements are key parameters to fulfilling products and services requirements.
• Statutory requirements are Governmental acts like, Companies and Allied Matters Act. Investment Promotion Commission Act, Immigration Act, Foreign Exchange Act. Industrial Development (Income Tax Relief) Act. Investment and Securities Act.
• Regulatory requirements are Governmental controls. These are governmental agencies set up by national and international bodies to control and monitor an organization’s operational activities. The regulatory requirements relevant to an organization’s products and services shall be defined and complied with.
• International codes and standards like, the ISOs, APIs, AWSs, BS ENs, ASMEs, ASTMs, NACEs. Every product or service is guided or controlled by a standard or a code. Sometimes, customers’ specifications and methods are required. They must all be determined and ensure full compliance.

In applying the determined statutory and regulatory requirements, it is required that the latest edition or version shall be applied unless the contract documents say otherwise. By this, an organization shall continually monitor and update these statutory and regulatory requirements for adequacy.

It is also required that the organization shall determine the requirements considered necessary by the organization for the conformity of products and services due to its expertise in the field. A customer may define requirements for an organization based on its limited understanding of the job requirements.

Since the aim of the Quality Management System is to satisfy the customer and exceed their expectation, the organization shall define those necessary requirements not defined by the customer and communicate same to the customer for mutual consent prior to products and services provision.

8.2.2.2 Review of requirements

It is a requirement of the standard that before an organization commits to provide products and services to customers, the organization shall ensure that it has the ability and capacity to meet the requirements for the products and services. Having the ability does not necessarily mean the organization has all the capacity within.

Where the organization does not have all the capacity in-house, the organization shall have qualified external providers fully approved by the organization and accepted by the customer to meet the requirements for the products and services.

It is a requirement that the organization conduct a review to determine and identify the requirements for products and services before committing to providing the products and services. This review shall include both a contract review and a technical review to determine and identify the statutory requirements, regulatory requirements, customer requirements and other known requirements not defined. Records of reviews and any subsequent actions taken shall be maintained.

1. Contract review

Contract review will examine the contract terms to determine:

• Technical data.
• Specifications and standards.
• Drawings.
• That customer requirements are understood and can be met.
• Requirements for product acceptance such as quality, inspections and tests, verification and validation, and any special monitoring.
• Requirements for delivery expectations.
• Requirements for post-delivery expectations.
• That the related standards have been reviewed and can be met:
• Statutory and regulatory requirements.
• International Management System Standards requirements.
• Other necessary and applicable industrial standards requirements.
• Unclear or ambiguous requirements are resolved.
• Feasibility has been determined that:

          a. The organization has the capability to meet order requirements.

          b. The organization has the equipment.

          c. The organization has floor space.

          d. The organization has adequate resources,

          e. The organization has skilled personnel.

• Differences between the contract and quote are resolved.
• If there is any part to be subcontracted and any approved subcontractor for that part.
• If customer materials are in consonance with what is defined in the contract documents.
• If there are any requested deviations and if the organization has the capacity to fulfill such deviations.
• Methods of communicating with the customer are defined relating to:
• Product information.
• Inquiries.
• Feedback.
• Concerns and complaints handling.
• Requirements that are not stated by the customer are defined.

Due to the expertise of an organization, there may be technical requirements known to the organization but not known to the customer and the customer may not define such requirements for the products and services. Such requirements may be rooted in codes, standards, and manufacturer’s manual. It is required that such known requirements be determined and agreed with the customer prior to job execution.

If the customer does not provide their requirements in writing, the requirements shall still be confirmed before they are accepted.

The organization shall define arrangements for the retention of documented information to capture the results of the review including any new requirements or changes such as record of contract review, reference, date, persons, resources, conventional and special requirements, risks outcome and changes.

2. Technical review

This shall be done by the technical experts. Reviews shall include:

• If materials provided are adequate.
• If the versions of the defined standards are suitable and available.
• If the methods selected by the customer are suitable and adequate.
• If the organization has technical competence in terms of personnel.
• If suitable equipment fit for purpose is available and adequate.
• If delivery is possible within the defined time.
• If the customer defined requirements tally with applicable codes and standards.
• If exceptional conditions are defined for the products and services and if the organization has the capacity to provide those conditions.
• If the products and services requirements are clearly understood by the relevant persons.

The results of these reviews and any resulting actions shall be documented and retained. Where there are deviations, such deviations shall be resolved with the customer before committing to products and services provision.

8.2.2.3 Ability to meet the requirements

Before committing to products and services provision, an organization shall have the capacity to meet customer requirements including delivery and post-delivery requirements.

Delivery requirements are the requirements for handling, storage, transportation, receipt, protection and return of products and services.

Post-delivery requirements include requirements for retention, disposal, repair, maintenance or recycling of products and services.

Before committing to service provision, an organization shall be able to meet the requirements not stated by the customer but known by the organization to be necessary for products and services conformity.

The organization shall be able to meet those requirements defined internally for products and services conformity before committing to provide the products and services.

The organization shall have the capacity to fulfill statutory and regulatory requirements necessary for the products or services before committing to service provision.

The organization shall have the capacity to meet any requirement that differs from the original requirements for the product or service or any exceptional requirements for the products and services before committing to service provision. Such differing requirements shall be resolved and agreed with the customer before service or product provision.

The organization shall adequately provide relevant resources and requirements to provide such products and services.

These include:

• Suitable environment.
• Adequate equipment and tools.
• Competent manpower.
• Up to date documented information:
• Contract documents defining customer requirements.
• Updated applicable codes and standard.
• Applicable methods.
• Documented information needed from statutory and regulatory requirements.
• Applicable internal documentation.
• Updated applicable certifications and permits.
• Appropriate organizational knowledge.
• Qualified external providers.
• Ability to meet post-delivery requirements.

For every product or service which an organization claims to provide, it shall ensure that all the defined and relevant requirements are provided and adequate.

8.2.2.4 Resolution of deviations

There may be a situation where a customer does not define the requirement for the products and services, the organization shall confirm the requirements for the products and services from the customer.

Where there is no customer requisition, the organization shall develop a requisition for the products and services which shall be confirmed and agreed by the customer before committing to provision.

By implication, all products and services requirements shall be adequately reviewed, understood and agreed with the customer and the organization shall have the capacity to meet all requirements before committing to provide products and services.

8.2.2.5 Changes to requirements

When there is a change to any of the requirements for products and services, the organization is required to update every document that is affected by the change and responsible people shall be made aware of the change.

Operations and activities of organizations are controlled by international or national codes and standards. Procedures, work instructions and other documented information are developed in line with these standards for job execution. If the applicable standard is revised and changes made, it is a requirement that the procedures and other documentation affected by the change are revised to address the changes. Then the relevant people are made aware of these changes through awareness and training.

There may be a change in an aspect of the Quality Management System which may affect the defined organization’s requirements for its products and services, when such changes occur, relevant procedures and documentations shall be reviewed to address the change and training conducted to make the relevant persons aware of the change.

In the course of products and services realization process, the customer may make a change to the original requirements defined for the product or service. When that happens, the contract documents and every other documentation affected by the change shall be reviewed to capture the change. Then the people doing work that affects the conformity of the product or service shall be made aware of the change. Failure to implement this will result in people working with obsolete documents and superseded information which will lead to nonconforming products and services.

In effecting these changes to relevant documentation and in communicating the changes to the relevant persons, the organization shall keep the following in mind:

• The same role or authority that approved the original documents which has been superseded shall also approve the amended versions.
• Information security as defined for the organization shall apply.
• Documented information and records control processes as defined for the organization shall apply.
• The superseded documented information shall be mopped from the system and replaced with the most recent versions to prevent unintended use of the obsolete versions.
• Records of change management shall be retained as evidence.

REQUIREMENT

8.3.1 General

The organization shall establish, implement and maintain a design and development process that is appropriate to ensure the subsequent provision of products and services.

8.3.2 Design and development planning

In determining the stages and controls for design and development, the organization shall consider:

a) the nature, duration and complexity of the design and development activities;

b) the required process stages, including applicable design and development reviews;

c) the required design and development verification and validation activities;

d) the responsibilities and authorities involved in the design and development process;

e) the internal and external resource needs for the design and development of products and services;

f) the need to control interfaces between persons involved in the design and development process;

g) the need for involvement of customers and users in the design and development process;

h) the requirements for subsequent provision of products and services;

i) the level of control expected for the design and development process by customers and other relevant interested parties;

j) the documented information needed to demonstrate that design and development requirements have been met.

8.3.3 Design and development inputs

The organization shall determine the requirements essential for the specific types of products and services to be designed and developed. The organization shall consider:

a) functional and performance requirements;

b) information derived from previous similar design and development activities;

c) statutory and regulatory requirements;

d) standards or codes of practice that the organization has committed to implement;

e) potential consequences of failure due to the nature of the products and services.

Inputs shall be adequate for design and development purposes, complete and unambiguous.

Conflicting design and development inputs shall be resolved.

The organization shall retain documented information on design and development inputs.

8.3.4 Design and development controls

The organization shall apply controls to the design and development process to ensure that:

a) the results to be achieved are defined;

b) reviews are conducted to evaluate the ability of the results of design and development to meet requirements;

c) verification activities are conducted to ensure that the design and development outputs meet the input requirements;

d) validation activities are conducted to ensure that the resulting products and services meet the requirements for the specified application or intended use;

e) any necessary actions are taken on problems determined during the reviews, or verification and validation activities;

f) documented information of these activities is retained.

NOTE Design and development reviews, verification and validation have distinct purposes. They can be

conducted separately or in any combination, as is suitable for the products and services of the organization.

8.3.5 Design and development outputs

The organization shall ensure that design and development outputs:

a) meet the input requirements;

b) are adequate for the subsequent processes for the provision of products and services;

c) include or reference monitoring and measuring requirements, as appropriate, and acceptance criteria;

d) specify the characteristics of the products and services that are essential for their intended purpose and their safe and proper provision.

The organization shall retain documented information on design and development outputs.

8.3.6 Design and development changes

The organization shall identify, review and control changes made during, or subsequent to, the design and development of products and services, to the extent necessary to ensure that there is no adverse impact on conformity to requirements.

The organization shall retain documented information on:

a) design and development changes;

b) the results of reviews;

c) the authorization of the changes;

d) the actions taken to prevent adverse impacts.

EXPLANATION

The organization shall establish, implement and maintain a design and development process that is appropriate to ensure the subsequent provision of products and services.

A planned design and development process will ensure that the project delivers the intended result, is completed within the defined time and meets the budgetary requirements. To achieve this, the design inputs, which may be the contract documents provided by the customer or action points agreed with the customer during various meetings, or the regulatory requirements for the intended product, shall be captured and documented.

The progress of the design and development shall continually be reviewed and verified to ensure that the customer requirements are being met at defined stages. This validation will also ensure that the product or service meets its intended purpose at the user’s environment after delivery.

All outputs from the design and development stages shall be documented and retained.

8.3.1 Design planning

The complexity of the design and development stages shall determine the level of planning. The amount of planning shall meet the intended result of the design and development.

In determining the stages and controls for design and development, the organization shall consider:

• The nature, duration and complexity of the design and development activities: The organization shall determine and understand what is to be designed and developed. A more complex design and development will require a more intense planning. A time limit shall be defined for the design and development activities.

• The required process stages, including applicable design and development reviews: The design and development shall be broken down into manageable stages. The organization shall identify the applicable reviews, processes, inputs and outputs for each of the stages.

• The required design and development verification and validation activities: To ensure that the design and development produce the desired results, the process, inputs and outputs shall be verified and validated at appropriate stages. The organization shall determine what to be verified, when to verify and the criteria for acceptance. These verification and validations shall be implemented as planned.

• The responsibilities and authorities involved in the design and development process: The organization shall identify the responsibilities and authorities that will perform activities affecting the design and development. Competent persons shall be assigned to these responsibilities and supported to implement the relevant authorities for the design and development.

• The internal and external resource needs for the design and development of products and services: The organization shall determine the resources needed for the design and development whether they are internally or externally provided.

Internal resources: They include competent persons, equipment (hardware and software, documented information relevant to the design and development, environment, organizational knowledge, processes and their interactions and so on.

External resources: They include products and services obtained from external providers that form inputs into the design and development, including any part that is outsourced.

• The need to control interfaces between processes involved in the design and development process: The organization shall determine the quality control verification needed to ensure that only conforming output from one stage goes into the next stage in the design and development process. To achieve this, the acceptance criteria for inputs and outputs for each stage shall be determined and the responsibility for the control shall be assigned to the competent people.

• The need for involvement of customers and users in the design and development process: The organization shall determine where and when to include the customers or users in either witnessing, verification, validation or in decision making with regards to the design and development. The means of communication shall be adequately defined and applied.

• The requirements for subsequent provision of products and services: The organization shall consider the requirements for the subsequent use of the output from the design and development process. Factors such as the environment where the output will be used, what the output will be used for, applicable post-delivery activities for the output of the design and development shall be considered.

• The level of control expected for the design and development process by customers and other relevant interested parties: The organization shall determine and agree with the relevant interested parties on the extent to which they shall have control over the design and development process.

• The documented information needed to demonstrate that design and development requirements have been met: The organization shall determine the relevant documentation and records to be generated for the design and development. Such documented information may include customer contracts, statement of work, drawings and specifications, reusable information from design and development activities of previous projects, industry standards, competitor analysis, any applicable statutory and regulatory requirements, internal or external resource needs, verification check sheets, records of validations and so on.

The planning may be done in a formal plan or through meetings, periodic reports or other methods. The intent is to ensure that all planning elements are met, and all information collated.

While planning for design and development activities, the planning for the following shall be considered:

• Design and development stages
• Design and development inputs
• Design and development controls
• Design and development outputs
• Design and development changes.

8.3.2 Design inputs

Inputs are essential factors to determine the conformity of the final output of any process. To ensure that the output from the process of design and development activities meets defined requirements, the organization shall determine the requirements essential for the specific types of products and services to be designed and developed.

These shall include:

• Functional and performance requirements such as the customer contracts, statement of work, drawings, software, interaction with the environment, factor of safety, operational force, operational temperature, type and amount of power input and output, data inputs and outputs, rigidity, etc., shall be determined and defined.
• Information derived from previous similar design and development activities.
• Statutory and regulatory requirements.
• Standards or codes of practice that the organization has committed to implement.
• Design inputs may also be obtained considering the potential consequence of failure due to the nature of the product or service.
• Customers and other stakeholders projected level of control of the design and development process.

Inputs shall be adequate for design and development purposes, complete, unambiguous and clearly understood.

Conflicting or deviating design and development inputs shall be resolved and agreed by relevant interested parties.

The organization shall retain documented information on design and development inputs to demonstrate the adequacy of design and development inputs.

8.3.3 Design control

Once all design inputs are finalized, the next step is to ensure that adequate controls are applied to define outputs of the design and development process as per the customer’s requirement. Controls can be applied in the form of reviews, verification and validation of design and development activities.

While reviews, verification and validations are done to meet separate purposes, they can be conducted separately or in any suitable combination.

Design and Development Reviews

Conducted to assess the results of the design and development process, check the progress of design activities, check the effectiveness of costs involved and take action if any problems are detected. Reviews may be conducted at required milestones or intervals depending on size, complexity, risks involved and the customer requirements.

Design and Development Verification

Verification is to make sure that the outputs of design and development processes are meeting the defined inputs requirements. This may include simulations and testing, comparing this to previous design for a similar product, reviewing the design documents, comparing with applicable reference standard materials. Through objective evidence of such verification, an organization needs to demonstrate that defined requirements have been fulfilled.

Verification will ensure that:

• Design complies with and is traceable to inputs.
• Design complies with client requirements.
• Design complies with codes, standards, guides and specifications.
• Design complies with statutory and regulatory requirements.
• Design complies with the organization’s defined requirements.

Design and Development Validation

Validation is to check the products or services suitability for their intended use. This will involve modelling, simulations, experiments, prototypes, inspections, functional and performance testing conducted in the end-user environment, process capability studies, review of the process design documents, and so on.

Validation will ensure that:

• The design is suitable for the intended use.
• Specific user requirements have been met.
• Changes to the design and development are managed.
• What is being built matches what has been designed.

Any deviation detected during the review, verification and validation processes shall be resolved before proceeding further with production.

The organization shall retain documented information on design and development controls to demonstrate the performance of design and development controls.

8.3.4 Design outputs

Design and development outputs may be in the form of drawings, prototype of the finished product or a specification. The output shall meet the input requirement for design and development and shall be appropriate for the intended use.

Design output may also include a reference to any monitoring and measuring related requirement and acceptance criteria, if applicable. These may include weight, density, volume, temperature, pressure, humidity, amperage, voltage, flowrate, resistance and so on.

The design and development outputs shall ensure that the final products or services that are produced based on the design are fit for their intended use and shall specify the characteristics of the products and services that are essential for their intended purpose, including their safe and proper provision such as safe limits for operation, handling, transportation, storage and so on.

Any documented information obtained from the design and development process shall be retained.

8.3.5 Design changes

When changes are required for either the design input or design output, the organization shall identify, review and control such changes to prevent adverse impact on the conformity of the design and development requirements.

This may be achieved through:

• Documenting all requirements for design and development changes.
• Evaluate the impact of the change on the relevant stages and processes.
• Evaluating the impact of the change on the resources used and the characteristics of the products and services.
• Evaluating the impact of the change on statutory and regulatory requirements by determining if the design and development activity still complies with the statutory and regulatory requirements or standard codes after the change is implemented.
• Determining the additional resources required.
• Determining how the budget and schedule will be impacted and if it is sustainable to go ahead with the change.

Based on the results from the evaluation of impacts, the change shall be authorized and implemented, taking sufficient actions to prevent any adverse impacts on the design inputs and outputs.

The organization shall retain documented information on design and development changes to demonstrate the performance of design and development change control.

REQUIREMENT

8.4.1 General

The organization shall ensure that externally provided processes, products and services conform to requirements.

The organization shall determine the controls to be applied to externally provided processes, products and services when:

a) products and services from external providers are intended for incorporation into the organization’s own products and services;

b) products and services are provided directly to the customer(s) by external providers on behalf of the organization;

c) a process, or part of a process, is provided by an external provider as a result of a decision by the organization.

The organization shall determine and apply criteria for the evaluation, selection, monitoring of performance, and re-evaluation of external providers, based on their ability to provide processes or products and services in accordance with requirements. The organization shall retain documented information of these activities and any necessary actions arising from the evaluations.

8.4.2 Type and extent of control

The organization shall ensure that externally provided processes, products and services do not adversely affect the organization’s ability to consistently deliver conforming products and services to its customers.

The organization shall:

a) ensure that externally provided processes remain within the control of its quality management system;

b) define both the controls that it intends to apply to an external provider and those it intends to apply to the resulting output;

c) take into consideration:

1) the potential impact of the externally provided processes, products and services on the organization’s ability to consistently meet customer and applicable statutory and regulatory requirements;

2) the effectiveness of the controls applied by the external provider;

d) determine the verification, or other activities, necessary to ensure that the externally provided processes, products and services meet requirements.

8.4.3 Information for external providers

The organization shall ensure the adequacy of requirements prior to their communication to the external provider.

The organization shall communicate to external providers its requirements for:

a) the processes, products and services to be provided;

b) the approval of:

1) products and services;

2) methods, processes and equipment;

3) the release of products and services;

c) competence, including any required qualification of persons;

d) the external providers’ interactions with the organization;

e) control and monitoring of the external providers’ performance to be applied by the organization;

f) verification or validation activities that the organization, or its customer, intends to perform at the external providers’ premises.

EXPLANATION

An external provider is a supplier, or any entity that provides goods, materials, printed materials, knowledge, services, software, parts, assemblies, or finished goods that are incorporated into the organization’s products and services realization process.

The externally provided products and services may relate to:

• Products and services from external providers that are intended for incorporation into the organization’s own products and services.
• Products and services that are provided directly to the customer by external providers on behalf of the organization.
• A process, or part of a process, which is provided by an external provider as a result of a decision by the organization.

External providers shall be adequately controlled to ensure that supplied products and services conform to defined requirements.

External providers are controlled through initial selection and evaluations using self-assessment questionnaires, supplier’s Quality Management System audit or suppliers process audit. The selection criteria for both potential suppliers, and approved suppliers shall be documented and authorized.

8.4.1 Supplier’s evaluation

The organization shall assess the supplier’s facilities, Quality Management System, or process controls to determine the potential impact of the supplier’s processes on the organization’s ability for products and services conformity.

The scope, extent, responsibility and criteria for evaluating suppliers shall be defined.

An organization shall evaluate and approve every supplier prior to products and services provision. The supplier’s evaluation is performed to determine the ability of the supplier to provide products and services that meet quality, delivery, and performance requirements.

A supplier may be evaluated through:

• Collating and analyzing data including technological capacity, operational capability, logistics competence, quality capacity and technical risks of the supplier.
• On-site assessment of the supplier’s Quality Management System.
• Compliance review of the supplier’s processes.
• Completing and signing a quality agreement or contract with the supplier.

To conduct a supplier evaluation:

• Identify externally provided products and services that are incorporated into the organization’s products and services realization process.
• Categorize identified externally provided products and services based on their impact on the organization’s Quality Management System.
• Define the minimum performance threshold or benchmark in percentage as acceptance criteria.
• Identify the potential supplier.
• Determine what method of evaluation is suitable.
• Conduct evaluation assessment to determine if there is a potential product or regulatory risk.
• Confirm the capability of the supplier to supply or manufacture to requirements.
• Include supplier in approved supplier list, if successful.

Suppliers shall be given an overall performance rating between 0-100%. Statistical methods shall be used to determine the supplier’s performance rating.

Below is a sample of a supplier evaluation score board.

Figure 30: Supplier evaluation score board

From the above score card, the supplier is to be evaluated on fifteen parameters and the maximum obtainable score per parameter is five.

From this, maximum expected score from a supplier is 15 x 5 = 75

Assuming after rating the supplier, the total score for the supplier is 70,

Then performance rating will be

Supposing two of the defined parameters are not applicable to the supplier, the evaluation will be:

Number of applicable parameters = 15 -2 =13

Maximum expected score from the supplier is 13 x 5 = 65

Supposing supplier total score is 62,

Then performance rating will be

The resulting performance rating is an indication of the supplier’s performance ability to meet the organization’s requirements. The performance rating for a supplier shall be compared with the defined criteria benchmark to determine approval.

Records of supplier evaluations and any actions taken shall be retained.

8.4.2 Suppliers’ approval

Suppliers are either approved, or not approved, based on their financial standing, business risk, cost effectiveness, products and services expertise, past performance records, health and safety compliance, technological capacity, logistics, supply chain integrity, and any known significant environmental requirements.

Approved suppliers shall have satisfactorily demonstrated their ability to meet the organizations Quality Management System requirements, as well as customer, statutory and regulatory requirements, as shown by the results of the initial supplier evaluation process.

Where the supplier performance rating is acceptable, the supplier shall be added to the approved supplier list. Signed approval shall be implemented by an authorized representative, most likely the Quality Manager and the Purchasing, or Contracts Manager. The approval status for an approved supplier shall be clearly identified in the approved supplier list.

Below is a sample of approved suppliers’ list.

Figure 31: Approved suppliers’ list

The organization may also issue an approval certificate to the supplier clearly stating the supply duration at the end of which the supplier shall be re-evaluated.

8.4.3 Suppliers’ performance monitoring

The performance of suppliers shall be consistently monitored by the Quality Manager in collaboration with the Purchasing, or Contracts Manager. This may include the review of applied measures, achieved targets, Key Performance Indicators, score cards, or survey results.

Some of the criteria to rate supplier’s performance includes:

• Assessment of the conformity of products and services provided.
• On-time delivery performance.
• Supplier responsiveness and ease of communication.
• Total number of corrective actions per defined time.
• Defective parts per million (PPM).
• Cost effectiveness.
• A review of receiving records, inspection records, or acceptance records.

The organization shall define a minimum performance threshold or benchmark in percentage as acceptance criteria. Supplies from the supplier shall be verified and scores assigned for performance based on the defined parameters. The score rating may be between 1 to 5 as poor to excellent, respectively.

The supplier’s performance shall be statistically analyzed as above and the performance score rating determined. Where a supplier’s performance at the end of the supply period meets or exceeds the defined benchmark, such a supplier shall be retained in the approved supplier’s list for the next supply period.

Where the supplier’s performance falls below the defined benchmark, any of the following may apply depending on the level of failure:

• Issue a corrective action request to the supplier to take action to address the cause of failure.
• Transfer the supplier to the potential supplier’s list and monitor performance for the defined period.
• Disqualify and discontinue the use of supplier.

The organization may periodically communicate the results of monitoring and evaluation to the supplier as appropriate. Where it is deemed necessary by the Quality Manager and the Purchasing, or Contracts Manager, on-site supplier process audits may be conducted at the supplier’s premises.

Issues or conditions that may necessitate a supplier audit include quality issues, recurring nonconformities, changes in technology, process changes, plant location changes or the criticality of the product or service. When an audit is necessary, the organization shall contact and agree with the supplier on the schedule and agenda for the on-site visit.

The organization shall retain documented information regarding the evaluations and approvals of suppliers.

Below is a sample of a score board for supplier’s performance monitoring.

Figure 32: Supplier’s performance monitoring score card

8.4.4 Type and extent of control of externally provided products and services

Because of the effect of externally provided products and services on the conformity of the organization’s Quality Management System, the organization shall ensure that externally provided products and services are controlled. The extent of control shall depend on the impact of the products and services on the organization’s Quality Management System.

To achieve this, the organization may need to categorize the externally provided products and services according to their impacts on the Quality Management System and assign methods of control to the defined categories.

These categories may include:

• High impact.
• Medium impact.
• Low impact.

8.4.4.1 Controls

A. High impact:

These are externally provided products and services that are fed directly into the organization’s production process. They may include operational equipment, monitoring and measuring equipment, raw materials, calibration and testing services, software, manpower supply, etc.

The following controls may be applied.

Figure 33: Control for high impact

B. Medium impact:

These are externally provided products and services that support the organization’s production process. They may include safety gadgets, personal protection equipment, maintenance services, transportation and logistics services, consultancy services, fuel to run operational equipment, etc.

The following controls may be applied:

Figure 34: Control for medium impact

C. Low impact:

These are externally provided products and services that do not directly impact on the organization’s production process but are required for the effective performance of the organization. They may include office stationery, office computer accessories, office building accessories, etc. These may be procured from the open market and there may be no need to evaluate and approve the supplier.

The following controls may be applied:

Figure 35: Control for low impact

Externally provided processes shall remain under the organization’s Quality Management System control and may be achieved through documented information that is aligned to ensure common inputs, outputs, controls, ownership, governance etc., between the organization’s requirements and those for interfacing with the supplier.

Where appropriate, the requirements for certification, inspection reports, statistical data, approval of samples, etc. shall be included in purchasing documents.

The organization shall ensure that records of compliance are documented and retained.

8.4.5 Information for external providers

To engage an external provider, the organization shall determine and adequately identify the requirements for the products and services to be outsourced.

These requirements shall include:

• Organization’s Quality Management System requirements.
• Customer requirements.
• Statutory and regulatory requirements.
• Industrial standard requirements.

Where appropriate, the organization shall communicate not just the information for the products and services they intend to receive but also any processes they want the external provider to undertake on their behalf.

To ensure adequacy of specified purchasing information prior to being communicated to the supplier, the supplier is requested to quote on price and availability. All relevant purchasing information, as determined by the organization and customer requirements shall be included in the request for a quote.

The purchase order shall be developed after the review and acceptance of the supplier’s quote and shall contain the same information as the request for quote.

The purchase order shall define:

• The process, products or services to be provided.
• The product approval requirements, e.g., approving authority, certificate of conformity.
• The intended verification arrangements, e.g.; quality checks, witness testing or certification.
• The personnel competency and qualifications, quality, environmental, and safety requirements.
• The communication and interaction arrangement between the organization and the supplier.
• Control and monitoring of the external providers’ performance to be applied by the organization.
• Records to be maintained.

Where activities are wholly outsourced or subcontracted, the organization has the responsibility to ensure product conformance to all specified requirements. Information communicated to supplier shall include acceptance criteria, and where appropriate, the requirements for the approval of supplier’s procedures, processes, personnel and equipment.

Applicable versions of standards, specifications, drawings, traceability, technical data, process requirements, inspection instructions, requirements for qualification and competence of the supplier’s personnel, and Quality Management System requirements shall be defined and communicated.

8.4.6 Purchasing verification

The organization shall ensure that products and services which are essential to fulfilling customer requirements and which directly affect the quality of its products and services, are verified upon product or service delivery to verify they conform to the requirements for:

• Receiving inspection.
• The organization’s Quality Management System.
• Purchase orders.
• Product specifications.
• Certificates of conformity.
• Inspection and acceptance tests.
• Delivery notes.
• Purchasing specification.
• Purchasing agreements.
• Release certificates.
• Competency of external personnel.
• National or international standards.

On receipt of incoming materials, the receiving person shall identify and inspect the materials supplied and match them against the delivery note. The delivery note shall be compared with the corresponding purchase order and any related documentation.

This inspection shall include:

• Confirming traceability to purchase order number, drawing numbers, material markings etc.
• Confirming conformance to defined purchase order requirements.
• Confirming correctness of defined quantities.
• Visual examination for possible defects.
• Measurement comparison to drawings where required.
• Availability of specified certification and documentation required.
• Confirming adherence to delivery plan.

When the same materials are supplied in large quantity, visual and dimensional checks may be done for at least 5% of the total quantity. Materials shall not be released for use until receiving inspection has been completed and materials accepted.

Accepted materials may be transferred to a storage area. Nonconforming materials shall be separated and clearly identified to prevent unintended use.

Further investigation shall be conducted on the nonconforming materials to determine whether the materials should be:

• Accepted by informed decision.
• Reworked to a usable condition.
• Returned to Supplier.
• Scrapped.

Materials that include specified certification or documentation shall only be accepted after the Quality or the Purchasing Manager has reviewed and approved such certification and documentation.

Records of verification shall be maintained to demonstrate compliance with the requirements of materials verification.

REQUIREMENT

8.5.1 Control of production and service provision

The organization shall implement production and service provision under controlled conditions.

Controlled conditions shall include, as applicable:

a) the availability of documented information that defines:

1) the characteristics of the products to be produced, the services to be provided, or the activities to be performed;

2) the results to be achieved;

b) the availability and use of suitable monitoring and measuring resources;

c) the implementation of monitoring and measurement activities at appropriate stages to verify that criteria for control of processes or outputs, and acceptance criteria for products and services, have been met;

d) the use of suitable infrastructure and environment for the operation of processes;

e) the appointment of competent persons, including any required qualification;

f) the validation, and periodic revalidation, of the ability to achieve planned results of the processes for production and service provision, where the resulting output cannot be verified by subsequent monitoring or measurement;

g) the implementation of actions to prevent human error;

h) the implementation of release, delivery and post-delivery activities.

8.5.2  Identification and traceability

The organization shall use suitable means to identify outputs when it is necessary to ensure the conformity of products and services.

The organization shall identify the status of outputs with respect to monitoring and measurement requirements throughout production and service provision.

The organization shall control the unique identification of the outputs when traceability is a requirement, and shall retain the documented information necessary to enable traceability.

8.5.3 Property belonging to customers or external providers

The organization shall exercise care with property belonging to customers or external providers while it is under the organization’s control or being used by the organization.

The organization shall identify, verify, protect and safeguard customers’ or external providers’ property provided for use or incorporation into the products and services.

When the property of a customer or external provider is lost, damaged or otherwise found to be unsuitable for use, the organization shall report this to the customer or external provider and retain documented information on what has occurred.

NOTE A customer’s or external provider’s property can include materials, components, tools and equipment, premises, intellectual property and personal data.

8.5.4 Preservation

The organization shall preserve the outputs during production and service provision, to the extent necessary to ensure conformity to requirements.

NOTE Preservation can include identification, handling, contamination control, packaging, storage, transmission or transportation, and protection.

8.5.5 Post-delivery activities

The organization shall meet requirements for post-delivery activities associated with the products and services.

In determining the extent of post-delivery activities that are required, the organization shall consider:

a) statutory and regulatory requirements;

b) the potential undesired consequences associated with its products and services;

c) the nature, use and intended lifetime of its products and services;

d) customer requirements;

e) customer feedback.

NOTE Post-delivery activities can include actions under warranty provisions, contractual obligations such as maintenance services, and supplementary services such as recycling or final disposal.

8.5.6 Control of changes

The organization shall review and control changes for production or service provision, to the extent necessary to ensure continuing conformity with requirements.

The organization shall retain documented information describing the results of the review of changes, the person(s) authorizing the change, and any necessary actions arising from the review.

EXPLANATION

An organization shall carry out its activities to provide products or services under controlled conditions.

These controlled conditions shall include documented information for products and services, suitable monitoring and measurement resources (including equipment), suitable infrastructure and environment, competent persons, validation of the ability of the process to achieve planned results, actions to prevent human error, activities to control product release, delivery, and post-delivery activities.

Products and services may be controlled in two ways:

• Controlling the product that is passing through the processes.
• Controlling the processes through which the product passes.

Process control is the activity to control the elements that drive the process, whereas product control is the activity to verify the product as it emerges from one process to the other. The combination of both controls is required to yield products and services of consistent quality and conformity.

8.5.1 Control of production and service provision

Control of products and services provision requires an organization to control its method for products and services provision.

The organization shall identify and document records as evidence that the conditions by which products and services are provided are controlled by ensuring that:

• Documented information that defines the characteristics and acceptance criteria of the product or service is available and at the point of use.
• Documented information that defines the activities needed to be performed to provide the products and services is available at the point of use, and that it specifies the results that are to be achieved.
• Monitoring and measuring activities are performed to verify conformity at appropriate stages in the production process to ensure that both the processes and the process outputs meet the defined acceptance criteria.
• The process environment and infrastructure are suitable and where the environment affects the ability to achieve valid results, the environment shall be monitored, and records retained to demonstrate the conformity of the environment.
• Suitable monitoring and measuring resources are made available and fit for the intended use.
• Personnel are competent on the basis of education, training or experience. Where necessary, the personnel shall possess the appropriate industrial and regulatory qualifications and certifications.
• For processes where the resulting output cannot be verified by subsequent monitoring or measurement, the process itself shall be initially validated and periodically re-validated through process reviews to determine if the planned result is being met.
• Actions to prevent human errors such as availability of up-to-date work instructions, training and retraining, adequate supervision, etc. shall be implemented.
• Products and services release activities such as verification, validation and authorization shall be implemented.
• Delivery activities such as packaging, stacking and transportation shall be implemented as required.
• Post-delivery activities such as maintenance, retention, recycling and disposal shall be implemented.

An organization shall develop, conduct, control and monitor production processes to ensure that products and services conform to specifications. This shall include documented information that define the requirements for the process activities, approval of the processes, approval of personnel, approval for any changes to process activities, monitoring, measuring, controlling of process parameters, and verification of the process output.

This may be achieved using documented procedures, work instructions, specifications, drawings, standard reference materials, suitable equipment and specific monitoring and measuring equipment.

Where the absence of such controls does not affect products and services conformity, the organization shall employ consistent and appropriate process controls for the production processes.

8.5.2 Identification and traceability

The organization shall identify and document records as evidence that products are identified and that their status with regards to monitoring and measurement are identified throughout the process of production and service provision.

8.5.2.1 Identifying of outputs

Where traceability is a requirement to ensure products and services conformity such as to prevent output mixing up with other outputs, the organization shall assign, record and control a unique identity for the products and services throughout the production process to ensure that only products and services that have passed the required inspections and tests are released.

Tags or stickers with unique traceability identifiers, such as job numbers, control numbers, lot or batch numbers may be included on the products labels. The identification may be engraved on the product or a colour mark is made on the product.

8.5.2.2 Identifying the status of outputs

The organization shall have a process in place for identifying and ensuring the traceability of outputs with regards to monitoring and measurement requirements throughout the stages of production processes. The identification may include physical marking, labeling, tagging, bar coding, signages, visual indications, product segregation, storage racks and lay down areas.

The status of output whether conforming or not shall be identified throughout the production process.

The assigned traceability shall be maintained for the product, from raw material through inspection, test and final release of the product and if applicable, rework.

8.5.3 Property belonging to customers or external providers

The organization shall exercise care with property belonging to customers or external providers while it is under the organization’s control or being used by the organization. To achieve this, the organization shall put a process in place to manage property belonging to customers or external providers.

A customer’s or external provider’s property may include materials, components, tools and equipment, premises, intellectual property and personal data.

The established process may include the requirements for:

• Transportation.
• Receipt.
• Identification and traceability control.
• Handling.
• Protection.
• Storage.
• Retention.
• Disposal.
• Return.

The organization shall identify, verify, protect and safeguard customers’ or external providers’ property provided for use or incorporation into the products and services. Where the customer or external provider has assigned a traceable identity to the property, the organization may adopt that identity. Otherwise, the organization shall establish an identity as appropriate to identify the status of the property.

When the property of a customer or external provider is lost, damaged or otherwise found to be unsuitable for use, the organization shall report this to the customer or external provider and retain documented information on what has occurred.

8.5.4 Preservation of outputs

The organization shall preserve the outputs during production and service provision, to the extent necessary to ensure conformity to requirements.

The preservation process shall include identification, handling, contamination control, packaging, storage, transmission or transportation, protection and other product specific handling methods.

The requirements which may be an output from the design process include:

• Identification: The organization shall ensure that products are adequately identified and do not become mixed with other orders.

• Handling: This may include bulk handling using moving equipment or physical contact. Where handling may influence product conformity, the organization shall ensure that suitable handling methods are implemented throughout the stages of the production process.

• Contamination control: The organization shall ensure that processes such as separation, access and handling equipment are controlled to prevent contamination that may invalidate the conformity of the output.

• Packaging: The organization shall ensure that labeling and marking of products are sufficient and adequate to make them identifiable and traceable to the organization. This shall include ensuring that labeling and marking maintain their integrity and remains affixed throughout the product’s life. Packaging shall meet the defined requirements to ensure that the integrity of the product is preserved throughout the transportation process.

• Storage: The organization shall ensure that outputs are stored in such conditions to prevent deterioration, damage or loss. The product shall be stored in a manner to safeguard the product and to meet the defined storage requirements. These may include the environmental condition, stacking, positioning etc. Environmental conditions such as temperature, pressure, humidity, vibration, magnetic waves, etc. shall be taken into consideration.

• Transmission or transportation: In moving the output to the point of use, the organization shall ensure that all the requirements for moving the output are met. Such requirements may include packaging, positioning, security, lifting, stacking, protection, etc.

• Protection: Raw materials, in-process materials, inspected products, nonconforming products and products ready for transportation shall be identified with their status and protected from any unintended alteration or use. The organization shall verify that appropriate measures are in place to protect the product. This will vary depending on the nature and type of product.

8.5.5 Post-delivery activities

When there is a need to perform activities on the organization’s product or service after it has been delivered to the customer, the organization shall determine and meet the requirements for these activities.

In determining these requirements, the organization shall consider:

• The statutory and regulatory requirements for the product.
• Any undesired consequences of the product once in use.
• The nature and expected lifetime of the products and services.
• Customer requirements, and feedback.

Considering these will give the organization an idea of possible activities needed to be performed on a product after delivery. Post-delivery activities may include warranty provisions, maintenance services, or recycling and final disposal services.

8.5.6 Control of changes

When a change is necessitated after formal approval of a product configuration information, the organization shall implement a process for responding to such unplanned changes that are considered essential to ensure that products and services continue to meet their specified requirements.

The organization shall make changes considering the potential impact of the change on other processes, products and possibly the customer.

To address such changes, the organization shall:

• Evaluate the impact of the change to determine its effects on the work in process or products already delivered?
• Determine what process control documentation will need to be updated as a result of the change to be implemented?
• Ensure that the change is approved prior to implementation and where applicable, approval shall be by the customer, statutory or regulatory authority.
• Ensure that the retained documented information indicates the source of the change and information on any actions taken and the approvals.

The organization shall retain documented information describing the results of the review of changes, the person(s) authorizing the change, and any necessary actions arising from the review.

The organization shall retain this objective evidence that the organization has implemented the process to control unplanned changes in accordance with requirements.

REQUIREMENT

The organization shall implement planned arrangements, at appropriate stages, to verify that the product and service requirements have been met.

The release of products and services to the customer shall not proceed until the planned arrangements have been satisfactorily completed, unless otherwise approved by a relevant authority and, as applicable, by the customer.

The organization shall retain documented information on the release of products and services. The documented information shall include:

a) evidence of conformity with the acceptance criteria;

b) traceability to the person(s) authorizing the release.

EXPLANATION

The organization shall demonstrate evidence that a planned process which may include method, techniques, formats, is in place to monitor and measure the characteristics of products and services to verify that requirements are being met.

The organization shall fully implement the planned process at appropriate stages of the products and services realization process, to verify that the products and services requirements have been met.

Records to provide evidence of conformity and to indicate the person(s) authorizing the release of products shall be maintained.

The release of product or delivery of service shall not proceed until the planned arrangement for the products and services is fully completed, unless duly approved by the relevant authority.

The release of product may include:

• Release from one operation stage to the next operation stage.
• Release to an internal customer.
• Release to final customer.

Planned arrangements may include design verification, design validation, inspections, thorough examination, destructive and non-destructive testing, customer acceptance testing, product certification and qualification, third party qualification from a regulator or independent testing body etc.

When approved by the relevant authority and by the customer as appropriate, a planned arrangement for a product release or service delivery may be waived.

The characteristics of the products and services shall be monitored and measured to demonstrate:

• That products and services characteristics are continually met.
• Evidence of conformity with product and services requirements.

The organization shall retain records to provide evidence that the acceptance criteria for the products and services have been met.

These may include:

• Certificate of conformity.
• Release certificate.
• Regulatory certificate.

These shall ensure traceability to the person(s) authorizing the release such as name, authorized signatories, user identification, stamp impression etc., including their authority status (release signatory, certifying staff, scope of authorization etc.).

REQUIREMENT

8.7.1 The organization shall ensure that outputs that do not conform to their requirements are identified and controlled to prevent their unintended use or delivery.

The organization shall take appropriate action based on the nature of the nonconformity and its effect on the conformity of products and services. This shall also apply to nonconforming products and services detected after delivery of products, during or after the provision of services.

The organization shall deal with nonconforming outputs in one or more of the following ways:

a) correction;

b) segregation, containment, return or suspension of provision of products and services;

c) informing the customer;

d) obtaining authorization for acceptance under concession.

Conformity to the requirements shall be verified when nonconforming outputs are corrected.

8.7.2 The organization shall retain documented information that:

a) describes the nonconformity;

b) describes the actions taken;

c) describes any concessions obtained;

d) identifies the authority deciding the action in respect of the nonconformity.

EXPLANATION

The organization’s Quality Management System shall establish a control process to implement corrective actions to address deviations, nonconforming or defective outputs, including products and services.

The deviation may be identified internally by the organization or reported externally by the customer or other interested parties. This is to control, correct and prevent unintended use by or delivery of nonconforming outputs to the customer, which may be products or services. The standard requires an organization to deal with outputs that fail to conform to specified requirements.

The organization shall evaluate the need for actions to prevent recurrence of nonconformities. To achieve this, the organization shall implement a correction, determine the root-cause of the nonconformity, implement a suitable corrective action, monitor and evaluate the effectiveness of the corrective actions taken.

Actions to address a nonconformity may be necessitated by a nonconforming work observed from process monitoring and measurement, customer complaints, internal or external audits, management reviews, and observations by organization’s personnel.

The organization shall ensure controls to prevent the delivery of nonconforming outputs to customers and to prevent their unintended use. When a nonconforming output is delivered to the customer, the organization shall take appropriate action to reduce or eliminate the effect of the nonconformity by promptly notifying the customer or any relevant interested parties of the nonconforming output delivered.

To adequately address nonconformities, the organization shall document a process to define:

• How nonconforming products and processes are identified.
• How nonconformity shall be documented.
• How nonconforming products and processes are dealt with.
• How to remove or correct nonconformities.
• How to prevent the delivery or use of nonconforming products and processes.
• How to verify that the nonconforming products and processes were corrected.
• How to provide evidence that corrected products and processes now conform to requirements.
• How to determine, implement, verify and validate corrective actions.
• Who has the responsibility to verify and validate the corrective actions?
• How to keep records of nonconforming products and processes and the actions taken.

These shall include the reaction to the nonconformity, evaluation of necessary action(s), implementation and monitoring of identified action(s), review of effectiveness and sustaining of the action(s) taken.

Figure 36: Process to address nonconformity

Methods of describing nonconformities shall include:

• Internal nonconformity statement.
• Audit reports.
• Suitable objective evidence.
• Illustrations, photos, schematics.
• Defect codes.
• Verbal statements.

Possible actions to address nonconformities shall include:

• Acceptance by informed decision. (Use-as-is).
• Containment.
• Segregation.
• Labeling.
• Re-work.
• Return of product delivered.
• Suspension of product delivery.
• Disposing or scrapping.
• Applications of any concessions.

Approval of the decision on nonconformities shall be by person(s) with appropriate delegated technical authority or nonconformance control authorities. Where applicable, approval shall be by the customer.

Records of nonconformities shall be maintained to increase the possibility to spot negative trends and aid the process of determining the root-cause to eliminate the cause of problems. This will lead to fewer defective products or process outputs, resulting in more satisfied customers.

8.7.1 Documenting nonconforming outputs

The Business Development Manager, who acts as the customer representative, has the responsibility to collate and document customer feedback and complaints.

The Quality Manager is responsible for initiating the nonconformity report, conducting the root-cause analysis and monitoring the implementation of the corrective action plan. The Quality Manager has the responsibility to determine whether a further action is required to prevent a similar nonconformity from reoccurring in the same place or occurring somewhere else, and to determine if similar nonconformities have occurred elsewhere.

The quality control representative or inspector shall notify the Quality Manager of any observed process or products nonconformity using the inspection check sheet implemented during the inspection or any other suitable means. The quality manager on receiving the nonconformity report shall take appropriate action in conjunction with the affected process manager to address the nonconformity.

The nonconformity and the outcome of any action taken shall be documented and retained in a nonconformity monitoring log. See below sample of a nonconformity log.

Figure 37: Nonconformity monitoring log

The records of nonconformities and the relevant actions taken shall form inputs into the quality management review to enable top management to take informed decisions on the actions to address the occurrence of nonconformities.

8.7.2 Actions to address nonconforming outputs internally

When a nonconformity is observed, it shall be reported to the quality manager by any means. The quality manager shall document the nature of the nonconformity in conjunction with the affected process owner to address the nonconformity.

An organization shall have it as a policy to detect, control and rectify any aspect of nonconformance as quickly and efficiently as possible.

When nonconformities are identified, the organization shall examine whether to:

• Segregate and immediately terminate the service.
• Correct the nonconforming output.
• Replace the service provided.
• Offer an alternative.
• Inform the customer.
• Obtain authorization for the customer to accept the nonconforming output under concession.

Steps to addressing nonconformities shall include:

A. Segregation

The organization shall identify, separate and control the nonconforming output as appropriate and where necessary, halt the process. This is to prevent further processing of the nonconformity until it is adequately addressed, to prevent unintended use or delivery. Improvement actions are then implemented to ensure the nonconformance does not reoccur.

B. Correction

A remedial action shall be taken to contain the effect of the nonconformity. This is to prevent the spread of the nonconformity and to ensure the effect is contained, pending the implementation of the corrective action.

8.7.3 When to apply a corrective action

Action to address the effects of a nonconformity may require a simple correction by the process owner or operator where it was discovered.

Where it is observed that the nonconformity has severe impact on the Quality Management System and if not properly addressed may become catastrophic, more significant levels of resources shall be needed to resolve the problem and take corrective action. The quality manager shall initiate a corrective action process that will require thorough investigation of the situation to determine other underlying conditions and other possible areas where the nonconformity can recur.

The appropriate corrective actions shall be implemented, and their effectiveness adequately evaluated.

The quality manager has the responsibility to decide whether to implement or not to implement corrective action based on the risk level of the nonconformity.

Some factors that may trigger a corrective action process include:

• Complaint or request by a customer.
• A repetitive problem to an activity/process, or similar problems across many activities/processes.
• Significant quality or management system issues.
• A safety or quality issue with high impact on the product or personnel.
• Product performance or reliability issues.
• An issue with a high adverse impact on production or maintenance operations.
• Difficulty in detecting the nonconformity.
• A complex problem that cannot be resolved without assistance from others not located where the problem occurred.

Records shall be maintained and retained as evidence to demonstrate the implementation of actions to address nonconformities.

These shall include:

• Description of the nonconformity.
• Description of the actions taken (correction, root-cause, corrective actions, verification, validation).
• Description of any concessions obtained.
• Identification of the authority deciding the action in respect of the nonconformity.

The organization is required to identify the processes or activities to monitor and measure the performance and effectiveness of the QMS. The organization is required to determine how and when the monitoring and measurement should be done, and then analyze and evaluate the results of these monitoring and measurements.

Performance evaluation is the Check point in the Plan-Do-Check-Act (PDCA) cycle which ISO 9001:2015 is based on. An organization can only determine if the Quality Management System (QMS) is suitable, adequate and effective, or if changes are needed to meet the requirements by applying this step of the PDCA cycle.

REQUIREMENT

9.1.1 General

The organization shall determine:

a) what needs to be monitored and measured;

b) the methods for monitoring, measurement, analysis and evaluation needed to ensure valid results;

c) when the monitoring and measuring shall be performed;

d) when the results from monitoring and measurement shall be analysed and evaluated.

The organization shall evaluate the performance and the effectiveness of the quality management system.

The organization shall retain appropriate documented information as evidence of the results.

9.1.2 Customer satisfaction

The organization shall monitor customers’ perceptions of the degree to which their needs and expectations have been fulfilled. The organization shall determine the methods for obtaining, monitoring and reviewing this information.

NOTE Examples of monitoring customer perceptions can include customer surveys, customer feedback on delivered products and services, meetings with customers, market-share analysis, compliments, warranty claims and dealer reports.

9.1.3 Analysis and evaluation

The organization shall analyse and evaluate appropriate data and information arising from monitoring and measurement.

The results of analysis shall be used to evaluate:

a) conformity of products and services;

b) the degree of customer satisfaction;

c) the performance and effectiveness of the quality management system;

d) if planning has been implemented effectively;

e) the effectiveness of actions taken to address risks and opportunities;

f) the performance of external providers;

g) the need for improvements to the quality management system.

NOTE Methods to analyse data can include statistical techniques.

EXPLANATION

9.1.1 General

Referring to the PDCA cycle, having planned and done the plan, the organization is required to check the results of performance against the initial plan for the purpose of improvement. This is referred to as performance evaluation and it is achieved through the organization’s evidence of analysis and evaluation of the results of monitoring and measurement.

The organization shall be able to demonstrate that it has considered what, how and when to measure performance and that the result of monitoring and measurements ensure appropriate process controls.

9.1.2 Customer satisfaction

The organization shall solicit for the customer’s perception of the degree to which their needs and expectations have been fulfilled. This shall be achieved through any method convenient for the organization.

This may include customer surveys, customer feedback on delivered products and services, meetings with customers, market-share analysis, compliments, warranty claims and dealer reports.

The organization shall consistent implement a systematic and statistical approach to deal with customer feedback and in obtaining information on customer perception by:

• Establishing customer satisfaction surveys and feedback process.
• Establishing a method for receiving and dealing with customer feedback.
• Establishing a suitable process to monitor trends in customer perception and reviewing customer data.
• Defined a benchmark as a criterion for assessing performance.
• Feeding results of analysis and evaluation as inputs into the management review process.

The organization shall define when periodic evaluation of customer feedback will be conducted. Probably bi-annually, the Business Development Manager shall issue feedback questionnaires to customers.

The questionnaires shall cover items that have an impact on the level of satisfaction derived from the organization’s products and services.

The aim of the questionnaire is to determine if the requirements of the customers are being fulfilled.

Where the response to the survey questionnaire is low or there is the need to have a sufficient opinion pool about the organization’s products and services, the Business Development Manager or the project manager shall perform a face-to-face interview with the relevant customers during service delivery and complete a copy of the survey questionnaire.

See sample below.

Figure 38: Customer feedback survey questionnaire

9.1.2.1 The statistical approach

Periodically as defined for evaluating customer feedback, the completed customers’ feedback questionnaires shall be analyzed and evaluated qualitatively, quantitatively (statistically), and graphically for performance trends.

The quantitative analysis shall be done using the customer assigned scores to the elements defined in the customer feedback questionnaire while any other comments, questions or concerns stated by the customer shall form the basis for the qualitative analysis.

The result of both quantitative and qualitative analysis shall provide the basis for self-assessment of the organization aimed at continual improvement. The quality manager shall be responsible for the evaluation.

The template below may be used to analyze and evaluate the completed feedback questionnaire.

Figure 39: Customer feedback analysis template

The score assigned to each of the elements in the questionnaire shall be filled into the customer score for each of the customer feedback questionnaire.

To statistically evaluate the data:

• Count the number of scores per element to be evaluated and record this in the row for “COUNT”.
• Find the sum of the score for each of the elements and record this in the row for “SUM”.
• Find the average score for each of the elements by dividing the sum by the correspondent number of counts.
• Expected total score per element is the product of the number of count and the maximum expected score per element.
• Individual percentage score per element is the ratio of average score to expected total score, multiplied by 100.
• The overall percentage is the average of all the individual percentages.

Example:

If we are to evaluate 10 customer feedback questionnaires, then the count = 10.

If the sum of scores from all the customers for element number 1 = 46,

then average score for element number 1 =  

The maximum expected score from each customer per element is 5.

Individual percentage score =

This implies that the level of satisfaction derived by the customers for element number 1 is 90%.

This shall be done for every other element in the questionnaire.

Average performance is then calculated from the average of all the individual percentages.

The individual percentage scores shall be compared with the defined benchmark to determine performance. Where the percentage score for an element falls below the benchmark, action shall be taken to improve in that area so as to raise the performance score above the benchmark in the next evaluation.

The result of the customer satisfaction analysis shall be used as an input into the management review meeting. The result may trigger corrective actions which shall continually improve the Quality Management Systems.

Periodic results of evaluation shall be compared with the results for previous periods to determine trends in customer satisfaction for each of the elements evaluated.

9.1.3 Analysis and evaluation

The organization shall monitor the performance and effectiveness of its Quality Management System by developing a process (method, techniques, format, etc.) to identify, collect and analyze appropriate data and information from both internal and external sources.

This information shall include:

• Quality records.
• Records of actions to address risks and opportunities.
• Monitoring and measuring results.
• Product test results.
• Process performance results.
• Quality objectives.
• Internal audit findings.
• Customer surveys and feedback.
• Customer complaints.
• Second or third-party audit results.
• Competitor and benchmarking information.
• Effectiveness of actions to address actions points from management review meetings.
• Supplier performance information.

The results of the analysis and evaluation shall demonstrate the adequacy, suitability and effectiveness of the Quality Management System and its processes, including the interactions.

This shall demonstrate the organizations performance for:

• Achievements in setting quality objectives.
• Customer satisfaction and perception.
• Product conformance.
• Process performance.
• Conformity to product and process requirements.
• Conformity trends for products and processes.
• Opportunities for improvement.
• Suppliers and subcontractors’ performance.
• Need for corrective and preventive actions.
• Addressing risks and opportunities.
• Competition and competitiveness.

Furthermore, the organization shall evaluate any record with data that is an established part of the Quality Management System.

The organization shall document and retain the results of analysis and evaluations, as evidence of the performance of the Quality Management System. Monitoring and measuring the Quality Management System operations and activities will establish a process to ensure that the organization is meeting its defined policies, objectives and set targets.

To achieve this, the organization shall:

• Identify the activities that can have significant impacts and risks on the organization’s Quality Management System.
• Determine the acceptance criteria for the activities to be monitored and measured.
• Establish suitable methods and equipment to monitor and measure the activities.
• Define the check points for measuring the activities.
• Record data on performance, controls and conformance, based on the set criteria.
• Analyze and evaluate data, to determine performance.
• Establish a management review and reporting process.
• Implement action points from the management reviews.

REQUIREMENT

9.2.1 The organization shall conduct internal audits at planned intervals to provide information on whether the quality management system:

a) conforms to:

1) the organization’s own requirements for its quality management system;

2) the requirements of this International Standard;

b) is effectively implemented and maintained.

9.2.2 The organization shall:

a) plan, establish, implement and maintain an audit programme(s) including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration the importance of the processes concerned, changes affecting the organization, and the results of previous audits;

b) define the audit criteria and scope for each audit;

c) select auditors and conduct audits to ensure objectivity and the impartiality of the audit process;

d) ensure that the results of the audits are reported to relevant management;

e) take appropriate correction and corrective actions without undue delay;

f) retain documented information as evidence of the implementation of the audit programme and the audit results.

NOTE See ISO 19011 for guidance.

EXPLANATION

The organization shall conduct internal audits at planned intervals to provide information on whether the Quality Management System conforms to the organization’s own requirements for its Quality Management System, the requirements of the International Standard and if it is effectively implemented and maintained.

Planned intervals implies that the audit shall be planned and the defined time to conduct the audit shall be consistent.

The internal audit shall be conducted against a series of audit criteria, separately or in combination.

The audit criteria may include:

• Requirements defined in one or more management system standards (e.g. ISO 9001, ISO 17025, ISO 45001, ISO 14001)
• Policies and requirements specified by relevant interested parties (e.g. specifications).
• Statutory and regulatory requirements.
• Management system processes defined by the organization or other parties (e.g. methods, codes, standards)
• Management system plan(s) relating to the provision of specific outputs of a management system (e.g. quality plan, project plan, standard operating procedures).

There are three types of audits as shown in the figure below.

Figure 40: Types of audits

The organization shall establish an internal audit program to cover all requirements of the standards, other applicable audit criteria and the results of previous audits.

Objective evidence shall be retained to demonstrate the effective implementation of the audit program.

The internal audit process shall include:

• The development of an internal audits program which may be revised depending on the results of previous audits and the results of monitoring and measurements.
• The identification, selection and training of internal auditors.
• Conducting internal audits using a range of methods (e.g. Questioning, Listening, reviewing evidence, observing activity, evidence recording).
• The analysis and evaluation of the results of internal audits.
• The identification of the need for corrective or improvement actions.
• The verification of the complete implementation and effectiveness of these actions.
• Documentation regarding the execution and results of audits.
• The communication of the results and effectiveness of audits to the top management.

The internal audit process is part of the continual improvement process to evaluate and improve the effectiveness of the Quality Management System. It also identified areas of deficiencies and where changes are needed to improve the efficiency or effectiveness of the Quality Management System. Internal audits are also methods to monitor process compliance.

9.2.1 Principles of auditing

Effective auditing is based on a number of audit principles. Application of these principles to an auditing process will provide audit conclusions that are objective and sufficient to identify improvement areas.

It also helps auditors, working independently to reach similar conclusions in similar audit situations.

These principles include:

a. Integrity

The audit team shall be:

• Ethical, honest and responsible in the performance of the audit process.
• Take part in audit activities only if competent to do so.
• Conduct audit activities in an impartial manner without conflict of interest, they shall be fair and unbiased in all their dealings.
• Avoid any influences that may impact on their ability to judge fairly during an audit.

b. Fair presentation

Auditors shall maintain truthfulness and accuracy in reporting audit findings, audit conclusions and audit report. Difficulties encountered during the audit and unresolved diverging opinions between the audit team and the auditee shall be reported. The communication shall be truthful, accurate, objective, timely, clear and complete.

c. Due professional care

Auditors shall be able to make careful and reasoned judgement no matter the audit situations.

d. Confidentiality

Information acquired during an audit shall be protected and shall not be used inappropriately for personal gain or in a manner that is detrimental to the legitimate interests of the auditee. Sensitive or confidential information shall be managed to ensure their security and integrity.

e. Independence

Auditors shall be independent of the activity being audited wherever practicable, to ensure impartiality. That is, an auditor shall not audit his own process or any process where the auditor has a self-interest and shall remain objective throughout the audit process. This will enhance freedom from conflict of interest and bias by ensuring that the audit findings and conclusions are based on the audit evidence only.

For small organizations, it may not be possible for internal auditors to be fully independent of the activity being audited, but as much as possible, objectivity shall be maintained.

f. Evidence-based approach

An audit conclusion shall be based on verifiable sampled evidence of information available for the audit. Appropriate use of sampling shall be applied, as this will determine the level of confidence in the audit conclusions.

g. Risk-based approach

Audit planning, implementation and reporting shall consider the possible risks and opportunities associated with the audit. This will ensure that the audit is focused on matters that are significant for the organization, and for achieving the objectives of the audit.

9.2.2 Levels of audits

9.2.2.1 Gap analysis audits

This is an audit conducted to determine the status of an organization’s existing Quality Management System to provide information for the subsequent implementation approach to the Quality Management System. This knowledge enables the organization to establish accurate budgets, timelines and expectations which are proportional to the state of the organization’s current management system when directly compared to the requirements of the standards.

The results of a gap analysis audit help an organization to determine the variances and gaps between the organization’s existing management system and the requirements of the standard and to determine how the gaps are to be closed.

At the completion of a gap analysis audit, the organization will identify the activities and processes that are compliant and those not compliant. The non-compliant activities and processes then become the target of the organization’s implementation plan.

9.2.2.2 Management system audits

Management system audits are conducted by an organization to determine compliance to established audit criteria in the form of requirements from standards like ISO 9001, ISO 14001 or ISO 45001, as well as customer, or regulatory requirements.

The system audits are best undertaken using an internal audit checklist. This type of audit focuses on the Quality Management System as a whole and compares the planning activities and broad system requirements to ensure that each clause or requirement has been implemented.

The checklist stands as a reference point before, during and after the audit, and will provide the following benefits:

• Ensures that the audit is conducted systematically.
• Promotes audit planning.
• Ensures a consistent audit approach.
• Actively supports the organization’s audit process.
• Provides a source for notes collected during the audit process.
• Ensures uniformity in the performance of different auditors.
• Provides reference to objective evidence.

Before starting a new audit, it is important to check the status of any outstanding issues from the last audit (if any). Where there are outstanding issues, they shall be carried forward into the current audit, and the previous audit may then be closed off.

9.2.2.3 Process audits

The standard specifies process approach to Quality Management Systems. Process audit is the auditing of the organization’s processes and their interactions that make up the Quality Management System.

A process audit provides evidence to validate compliance to the implementation of the planned arrangement and to demonstrate the ability of the process to provide conforming outputs.

A clause-by-clause internal audit checklist is effective for the initial audits in preparation for implementation, gap analysis or certification. However, once the management system is established, a process approach auditing becomes more effective.

The process audit identifies opportunities for improvement and relevant corrective actions. Process audits focus on any special, vulnerable, new or high-risk processes.

A process is a set of interrelated activities that transform inputs, such as materials, customer requirements and work into outputs, such as a finished product or service. The different stages of the process shall comply with applicable clauses of the standard.

A process auditing shall focus on the following:

• Does the process have an owner who is responsible to the process?
• Are the process activities, inputs, processes, outputs and acceptance criteria defined?
• Are process planned arrangements continually being fully completed.
• Are the process activities documented?
• Are links and interactions between other processes established and defined?
• Are processes and their interactions monitored?
• Are adequate records maintained?

The process audits shall be scheduled and planned according to the processes defined by the organization’s Quality Management System.

The audit shall not be based on the clauses of the standard, but on the importance and criticality of the process itself.

The process approach to auditing shall go through these stages:

• Preparing for the audit (desk review).
• Auditing the process and its interaction.
• Preparing the summary and audit report.
• Implementing and validating corrective actions for relevant audit findings.

The audit of each process shall be conducted at planned intervals to determine the process’s compliance with planned arrangements and to provide process performance information to top management.

The audit trail shall begin with the process owner to determine the interactions with the other process inputs, outputs, suppliers and customers.

9.2.3 Planning the audit program

The audit program or schedule shall address the specifics of what, where, who, when and how the audit shall be conducted.

These shall include:

• What does the audit intend to achieve? (objectives)
• Where will the audit be done? (Location and scope)
• When will the audit(s) occur? (Time and how long?)
• Who are the auditors? (Responsibilities and competence).
• How will the audit be done? (Methods and criteria).

To plan an audit program, the auditor shall establish the process to:

• Establish the scope of the audit program and any known constraints.
• Determine the external and internal issues, risks and opportunities that can affect the audit program, take actions to address them and integrate the actions into the audit process.
• Ensure that competent audit team is selected for the auditing activities by assigning roles, responsibilities and authorities with the appropriate leadership support.
• Establish the processes to implement the audit process. These shall include processes to:
• Manage the audit program.
• Establish the audit objectives, scope and criteria, methods and select the audit team.
• Evaluating auditors for competence.
• Communicate with relevant interested parties.
• Complaints and disputes resolutions.
• Audit follow-up.
• Audit reporting.
• Determine and provide relevant resources.
• Documentation and maintenance of audit information and records.

Audit program shall be approved by the relevant interested parties prior to implementation.

9.2.4 Determining audit frequency

The frequency of internal audits shall depend on the need, size, criticality of each process and the complexity of the organization. However, all processes within the Quality Management System shall be audited at least once in a year audit cycle. Critical processes in the Quality Management System that directly affect process and product conformity, and customer satisfaction shall be audited more frequently.

Process status in terms of maturity and stability shall be considered in determining audit frequency. A more established and proven process may be audited less frequently than a newly established or recently modified process. Invariably, processes whose performance does not meet the planned arrangements shall be audited more frequently.

Support processes may be given a lower ranking than the operations, manufacturing and service provision processes. In addition, the results of previous audits should be considered. Processes that have been audited recently and have shown effectiveness and improvement may be audited less frequently.

To determine the frequency of internal audit, the organization shall consider:

1. The level of risk associated with the process activities.
2. The criticality of the process to the Quality Management System.
3. The results of previous external and internal audits.
4. The criticality or recurrence of problems identified in the process.
5. The criticality of the process to product and service quality.
6. Complexity of the processes requiring close monitoring and control to ensure conformity.
7. Balance across operational and non-operational processes.
8. Qualification of process personnel and impact by human factors.
9. Activities or processes that occur across multiple locations.
10. Introduction of new or changed processes.
11. Statutory and regulatory requirements issues.
12. Process performance based on conformities, nonconformities and customer complaints.

A process may be audited at least once a year but where a recurring problem is identified with a process, a more frequent audit is required to address the recurring problem.

Where a process was not audited within a year, the audit for that process shall be trended and rescheduled for the following year.

Unscheduled audits may be conducted at any time depending on:

• Results of previous audits.
• Regulatory requirements.
• Changes in operational activities whether planned or unplanned.
• Issues identified and decisions during management review.
• Identified or recurring non-conformance.

The frequency of internal audits shall be reviewed depending on prevailing circumstances.

9.2.5 Objectives, Scope and Criteria for audit

Any documented information used as a reference standard to demonstrate consistency and compliance of an organization’s Quality Management System may be referred to as audit criteria.

The extent of audit criteria to be covered by the audit is the audit scope while what the audit intends to achieve like, determining compliance to defined criteria, determining conformity of a process outputs, finding the cause of a process compliance problem etc., refers to the audit objective.

Audit criteria include:

• Policies, quality manual, work instructions, standard operating procedures, objectives.
• Statutory and regulatory requirements.
• Quality Management System requirements and control plans.
• Relevant external and internal interested parties’ requirements.
• Industrial codes and standards.
• Quality Management System standards such as ISO 9001, ISO 14001, ISO 45001, ISO 17025.

9.2.6 Audit method

Applicable methods during an internal audit may include:

• Questioning: Asking objective questions within the defined scope for the audit.
• Listening: Listening attentively to what the auditee is saying and not listening to hear a predetermined opinion.
• Reviewing evidence: Adequate review of presented audit evidence to establish objective audit findings that will lead to fair and unbiased audit conclusions.
• Observing activity: Observe to identify how things are actually done.
• Evidence recording: Record verifiable audit findings as precisely as possible.

9.2.7 Selecting the auditors

Auditors shall be competent and shall possess the knowledge and skills necessary to achieve the intended results of the audits they are expected to perform. They shall also possess a level of discipline and sector-specific knowledge and skills to ensure confidence in the audit process.

Auditors shall be selected based on personal behaviour and the ability to apply the knowledge and skills gained through education, work experience, auditor training and experience.

An auditor’s competence shall be evaluated with a plan, implemented and documented to provide objective, consistent, fair and reliable results.

The evaluation process shall include:

• Determining the required competence to fulfill the needs of the audit program.
• Establishing the evaluation criteria to meet the determined competence.
• Selecting an appropriate evaluation method.
• Conducting the evaluation.

Auditors shall continually develop, maintain and improve their competence through continual professional self-development and regular participation in auditing activities.

Where an audit team member does not possess the necessary competence, the organization shall take necessary actions for the audit team member to achieve the needed competence.

Auditors’ competence may be monitored using the log below.

Figure 41: List of auditors

9.2.8 Audit planning

The audit plan shall define in detail, the performance of the audit process, considering:

• The objective, scope and duration of each audit and the number of audits to be conducted, reporting, method and, if applicable, audit follow-up.
• The management system standards or other applicable criteria such procedures, standards, statutory and regulatory requirements and requirements from relevant interested parties.
• The number of activities, importance of activities, complexity and locations of the activities to be audited.
• Results of previous internal or external audits and action points from management reviews.
• The concerns of interested parties such as customer complaints, customer feedback and supplier’s performance.
• Nonconformities of products and service.
• Health and safety issues.
• Organization’s risks and opportunities, including actions to address them.
• Identification of the auditee’s representative(s) for the audit.
• The working and reporting language of the audit including cultural and social issues.
• Logistics and communications arrangements, including specific arrangements for the locations to be audited.
• Any actions required to address risks and opportunities relevant to achieving the audit objectives.
• Confidentiality and information security.
• Any follow-up activities to the planned audit.
• Collaboration with other audit activities, in case of a joint audit.

Audit plans should be presented to the auditee. Any issues with the audit plans shall be resolved between the audit team leader, the auditee and, if necessary, the individual(s) managing the audit program.

9.2.8.1 Establishing contact with auditee

The audit team leader shall establish and communicate the auditee to:

• Confirm communication channels with the auditee’s representatives.
• Confirm the responsibility and authority to conduct the audit.
• Provide information on the audit objectives, scope, criteria, methods and audit team and technical experts, where applicable.
• Confirm the applicable statutory, regulatory and other requirements relevant to the activities, processes, products and services of the auditee.
• Request access to relevant information for document reviews and planning purposes.
• Determine any areas of interest, concern or risks to the auditee.
• Agree with the auditee, the extent for the disclosure of confidential information.
• Arrange for the audit activities.
• Confirm any location-specific arrangements for access, health and safety, security, confidentiality and others.
• Agree on the attendance of observers and the need for guides or interpreters for the audit team, where applicable.
• Resolve any issue regarding the composition of the audit team with the auditee.

9.2.8.2 Assigning roles and responsibilities

Auditors shall be assigned the responsibilities to audit areas where they possess some levels of sector-specific knowledge and skills to ensure confidence in the audit process.

Where required, the audit team leader and auditee may approve the inclusion of audit guides and observers in the audit team. They are not to influence or interfere with the conduct of the audit. Where the suitability of guides or observers is in doubt, the audit team leader has the right to reject their inclusion in the audit team.

The observer witnesses the audit on behalf of the auditee.

Guides shall assist in any arrangements for access, health and safety, environmental, security and confidentiality of the auditee.

Their responsibilities include:

• Identifying individuals to participate in audit interviews.
• Confirming timings and locations.
• Arranging access to specific locations of the auditee.
• Ensures that the rules concerning location-specific arrangements for access, health and safety, environmental, security, confidentiality and other issues are known and respected by the audit team members.
• Take actions to address risk that occur during the audit process.
• Provides clarification and assists in collecting information, when needed.

9.2.8.3 Review of documented information

The auditors shall review the relevant management system documented information to ensure:

• Adequate understanding of the auditee’s operations to enable them to prepare suitable audit documentation and plan for relevant processes.
• Adequate understanding of the extent of the documented information to determine conformities to the audit criteria and identify areas of deficiencies, omissions and conflicts.

The documented information shall include management system documentation and previous audit reports. During the process of review, the auditor shall consider the context of the auditee’s organization, the size, nature and complexity, audit scope, criteria, objectives and the relevant risks and opportunities.

9.2.8.4 The audit plan

The size and content of an audit plan may differ, depending on the type of audit and shall be flexible enough to allow changes which may become necessary as the audit activities progress.

An audit plan shall define:

• Audit objectives.
• Audit scope.
• Identification of the organization, its functions and processes to be audited.
• Address of organization to be audited.
• Audit criteria and any reference document.
• Locations whether physical or virtual.
• Dates expected time and duration of each audit activity to be conducted.
• Time for opening and closing meetings.
• Audit methods to be used.
• Roles and responsibilities of the audit team members, guides and observers or interpreters.

The audit plan shall be communicated to and approved by the auditee prior to the audit date to give the auditee room to prepare for the audit.

Figure 42 Sample audit plan.

9.2.8.5 Audit checklist

The audit checklist may be prepared by the auditors under the supervision of the Lead auditor. Questions are developed from the audit criteria including any relevant reference documents and shall be consistent with the audit program.

Auditors shall perform the following steps:

• Thoroughly read and understand relevant documented information (procedures/work instructions etc.).
• Develop checklist covering the scope of the audit to be performed.
• Use the checklist as a guide to perform audit.

9.2.9 Conducting the audit

In conducting the audit, the following phases shall be observed:

• Opening meeting.
• Conducting the audit (Interview and collation of information).
• Audit team meeting.
• Closing meeting.

9.2.9.1 Conducting opening meeting

At the beginning of the audit activity, the audit team shall conduct an opening meeting presided over by the lead auditor. The opening meeting shall be held with the auditee’s management and, where appropriate, owners of the functions or processes to be audited. During the meeting, the lead auditor shall offer the opportunity to ask questions.

The opening meeting is conducted to confirm:

• The agreement of all participants (auditee, audit team) to the audit plan.
• The audit team and their relevant roles.
• That all planned audit activities can be performed.
• The language to use for the audit.
• Any necessary modification to the audit plan.
• The audit methods.
• Audit objectives, scope and criteria.
• The date and time for the closing meeting.
• The availability of resources and facilities required for the performance of the audit.
• The communication channels between the audit team and the auditee.
• Activities on site that can impact the process of the audit.
• Confidentiality and information security issues.
• Relevant access, health and safety, security, emergency and other arrangements for the audit team.

Information on the following shall be presented, as appropriate:

• The method of reporting audit findings including criteria for grading, if any.
• The conditions under which the audit may be terminated.
• How to deal with possible findings during the audit.
• The channel for feedback from the auditee on reported audit findings, conclusions, complaints or appeals.

9.2.9.2 Collecting and verifying information

The audit will address every area of the scope and verify objective evidence for the following:

• Process quality objectives.
• Process risks and opportunities, including the actions to address them.
• Process activities and compliance with defined process documented information.
• Effectiveness of process interactions.
• Adequacy and fitness of infrastructure for purpose, including documented information.
• Security and integrity of information.
• Competence and qualification of process personnel, including responsibilities and authorities.
• Management of feedback, including complaints.
• Products conformity and traceability.
• Implementation of process quality controls. The following shall be observed:
• If the control prevents or detects the process risks.
• Frequency of control (daily, weekly, monthly, quarterly, etc.)
• Does control mitigate the process risk?
• Is the control manually performed, performed by an application, or both?
• An initial assessment of the process risks (e.g. high, medium, or low).

The verification process shall include:

• Determining how the control is performed.
• Physically seeing the control being performed.
• Reviewing documented evidence that the controls are being performed.
• Confirming that the controls provide valid outcomes.

All evidence and observations shall be truthfully and accurately documented with reasoned judgement.

9.2.9.3 Generating audit findings

The auditor shall evaluate audit evidence against the audit criteria to determine audit findings which may be conformity or nonconformity. The audit findings shall include conformity and good practices along with their supporting evidence, opportunities for improvement, and any observation that may lead to recommendations to the auditee.

Nonconformities and their supporting evidence shall be recorded and shall be graded depending on their impact on the organization’s Quality Management System and the ability to provide conforming outputs. This grading may be quantitative form level 1 to 5 and qualitative which may be minor or major. Audit findings shall be acknowledged by and agreed with the auditee that the audit evidence is accurate and that the nonconformities are understood.

Diverging audit findings opinions shall be resolved as much as possible. Any diverging opinion that is not resolved shall be recorded in the audit report.

The findings may be graded as below:

Conforming:  The process has demonstrated stability and the ability to consistently provide performance indicators, metrics, objectives, audit results, showing compliance to defined requirements and that targets are continually achieved and fully documented.

Opportunity for improvement: Process demonstrates conformity, with minor problems that require improvement through process or product change planning.

Minor nonconformity: Process not achieving expected results or observed poor performance with negative trends. Current practices are conforming or partially implemented but are not documented or partially documented.

Major nonconformity: Process noncompliance to defined requirements. Practices are nonconforming and likely to have a significant adverse effect on customer satisfaction, product conformity and regulatory compliance.

The process shall take actions to address audit findings that indicate nonconformity. These shall include immediate correction or containment action, investigate the root cause(s) and apply the appropriate corrective action. Actions to address the nonconforming audit findings shall be re-audited and validated in 4 weeks or as defined for the Quality Management System, to verify effectiveness.

Top management shall actively participate in actions to address major nonconformities and ensure that all actions agreed by the relevant team are fully implemented.

9.2.9.4 Preparation for closing meeting

Prior to the closing meeting, the audit team shall converse to:

• Review the audit findings and any information collected during the audit against the audit criteria and objectives.
• Agree on the audit conclusions.
• Agree on recommendations.
• Decide on follow-up actions.

The audit conclusions shall address the Level of process conformity to audit criteria, how robust and effective the management system is, in meeting the intended outcomes. It shall also address areas of deviations for defined requirements.

9.2.9.5 Conducting closing meeting

At the end of the audit, a closing meeting shall be held to present the results of the audit and discuss any subsequent steps required to complete the audit.

It shall be presided over by the audit team leader and where applicable, it shall be attended by:

• The management of the auditee organization.
• Owners of the functions or processes audited.
• Members of the audit team.
• Other relevant interested parties as determined by the auditee.

The audit team leader shall present the relevant audit findings, both positive and negative, and advise the auditee on areas where issues that can decrease confidence in the audit conclusions where they are encountered.

Participants in the closing meeting shall agree on the timeline to complete actions to address the audit findings. Attendance records shall be documented and maintained.

The audit team leader shall explain the following to the auditee in the closing meeting:

• That the audit evidence collected was based on a sample of the information available and does not necessarily fully represent the overall effectiveness of the auditee’s processes.
• How the audit finding shall be addressed.
• Consequences of not adequately addressing the audit findings.
• Present the audit findings and conclusions in such a way that they are clearly understood and are acknowledged by the auditee’s management.
• Channels for post-audit activities such as review of corrective actions, audit complaints and appeals.
• Present recommendations and opportunities for improvement.

It shall be emphasized that recommendations are not binding and should be addressed at the auditee’s discretion.

Diverging audit findings opinions shall be resolved as much as possible. Any diverging opinion that is not resolved shall be recorded in the audit report.

9.2.10 Audit report

The audit result shall be reported by the audit team leader. The report shall be complete, accurate, and concise.

It shall be a fair representation of the result of the audit and shall include a reference to:

• The audit objectives.
• The audit criteria.
• The audit scope by identifying the organization of the auditee and the functions or processes audited.
• Identification of the audit team and the auditees that took part in the audit.
• Dates and locations where the audit activities were conducted.
• The audit findings and related evidence.
• The audit conclusions and recommendations.
• A statement on the degree to which the audit criteria have been fulfilled.
• Any unresolved diverging opinions between the audit team and the auditee.
• A statement that not all the activities of the process were verified but sample of the activities of the process were verified to provide evidence of the organization compliance to requirements and may not be the exact representation.

The audit report may also include:

• Audit summary including difficulties encountered in cause of the audit.
• Any areas in the audit scope not covered during the audit.
• A statement That the content of the audit report, the notes issued while conducting the audit, and the materials collected to support evidence shall be strictly treated as confidential information and shall not be distributed outside the organization unless required by law.

A good audit report is the final output of the audit process and deserves an appropriate amount of attention and effort. The audit summary and the corrective action forms shall be attached to the audit report, which now becomes the audit record.

Only the summary report and corrective actions need be given to the process owner, this is to ensure information confidentiality.

Top management shall have a complete copy of the audit report.

The audit report shall be issued within the agreed timeline and where delayed, the reasons for the delay shall be communicated to the auditee. The audit report shall be dated, reviewed and acknowledged by both the lead auditor and the auditee.

See sample audit report below.

Figure 43: Summery page of an internal audit report

Figure 44: Audit details page for an internal audit report

Figure 45: Conclusion page for an internal audit report

Figure 46: Attendance page for an internal audit report

Internal audits shall be tracked for follow-up actions. The quality manager or his nominee shall track internal audits to ensure they are followed up for adequate closeout.

The template below may be used.

Figure 47: Internal audit monitoring log

The quality manager shall also track and monitor the individual nonconformities from an internal audit to ensure follow-up and closure using the log below.

Figure 48: internal audit closeout monitoring log

These logs shall continually be updated for adequacy and to ensure that all findings are closed out. Where the closeout of a nonconformity is unduly delayed, the nonconformity shall be escalated to top management to enable top management to address the cause of the delay.

9.2.11 Actions to address audit findings

The process owner shall take appropriate actions to address the audit findings. This may include the need for corrections, root-cause analysis, corrective actions, or opportunities for improvement. Such actions shall be proposed and implemented by the auditee within an agreed timeline. As appropriate, the auditee shall communicate to the audit team the status of the actions taken.

For actions to address audits nonconformities, refer to Actions to address nonconforming outputs internally in this book.

9.2.12 Audit trending

Where a planned internal audit cannot be conducted for a process as planned for any reason, the skipped audit shall be trended and monitored to ensure it is conducted on a more feasible date. The organization shall ensure that all relevant processes are audited within the planned audit year. The table below may be applicable to trend internal audits.

Figure 49: Internal audits trend monitoring log.

9.2.13 Conducting audit follow-up

The completion and effectiveness of actions to address audit findings shall be verified. This verification may be part of a subsequent audit. Outcomes of the follow-up action shall be recorded and reported in management review.

Records of planning, implementation, attendance, reporting and follow-up shall be retained as evidence of internal audits.

REQUIREMENT

9.3.1 General

Top management shall review the organization’s quality management system, at planned intervals, to ensure its continuing suitability, adequacy, effectiveness and alignment with the strategic direction of the organization.

9.3.2 Management review inputs

The management review shall be planned and carried out taking into consideration:

a) the status of actions from previous management reviews;

b) changes in external and internal issues that are relevant to the quality management system;

c) information on the performance and effectiveness of the quality management system, including trends in:

1) customer satisfaction and feedback from relevant interested parties;

2) the extent to which quality objectives have been met;

3) process performance and conformity of products and services;

4) nonconformities and corrective actions;

5) monitoring and measurement results;

6) audit results;

7) the performance of external providers;

d) the adequacy of resources;

e) the effectiveness of actions taken to address risks and opportunities (see 6.1);

f) opportunities for improvement.

9.3.3 Management review outputs

The outputs of the management review shall include decisions and actions related to:

a) opportunities for improvement;

b) any need for changes to the quality management system;

c) resource needs.

The organization shall retain documented information as evidence of the results of management reviews.

EXPLANATION

Top management shall periodically, at planned intervals, review the Quality Management System to ensure its continuing suitability, adequacy, and effectiveness. The frequency or intervals of management review of the Quality Management System shall be defined.

The management review shall address the possible need for changes to policy, objectives, targets, and other elements of the management system. Information on the operation of the Quality Management System and its processes shall be reported to enable top management to take informed decisions and to recommend improvements.

There are no specified time periods applicable to conducting management review meetings. However, they shall be organized with a frequency and format appropriate to the level of risks and complexity of the organization.

Top management may conduct monthly meetings to review the results of monitoring and measurements of objectives performance to determine any required corrective action. The process owner has the responsibility to report close out progress in the review meeting.

Issue with high impact on the Quality Management System, such as process performance, customer feedback, results of monitoring and measuring may be reviewed more frequently, while less critical issues, such as reviewing the quality policy and objectives may be reviewed less frequently. This will minimize the length of each management review meeting, cover all required management review inputs over the duration of the management review program and allow for trends analysis of data.

Annual management reviews may not be sufficient to adequately address issues relevant to the Quality Management System effectively. It may be too late to respond to imminent issues that may have serious impact on the Quality Management System. Reviews may be conducted at multiple levels to respond to issues relevant to that level before they are reviewed at the top management level.

9.3.1 Preparing for management review

At the beginning of every calendar year, the organization shall plan management reviews. The managing director shall preside over the meeting while the management representative shall statistically report the results of monitoring and measurements for every item in the agenda for the meeting.

The statistical presentation of data will enable top management to make informed decisions as to the suitability, adequacy and effectiveness of the Quality Management System and its processes. Areas for improvement shall be identified and actions shall be proposed to address them.

These decisions shall be formulated into management review outputs and adequately documented for implementation. It is important that everyone involved in the management review process fully understand and appreciate the management review requirements.

Attendees in management review meetings shall include functional managers, line managers, internal auditors, process owners, lead process users, and decision makers within the scope of the Quality Management System, as appropriate. All necessary information shall be collated and analyzed before the review meeting day, to enable top management to evaluate the relevant results of analysis prior to the management review meeting.

9.3.2 Management review inputs

The management review process shall focus on the following inputs:

• The status of actions from previous management reviews.

These shall include:

1. The number of actions identified from the previous management review.
2. How many of these actions have been effectively closed out.
3. How many of these actions are still open and not addressed.
4. Possible reasons why they have not been addressed.
5. Suggestions on how to address the difficulties in closing them out.

• Changes in external and internal issues that are relevant to the Quality Management System.

These may include:

1. Changes in market trend.
2. Changes in technological trends.
3. Political and legal requirements change.
4. Changes in environmental factors.
5. Changes in customers’ scope.
6. Changes in statutory and regulatory requirements.
7. Changes in customer requirements.
8. Changes in the performance trend of the organization.
9. Changes in the risks and opportunities of the organization.

• Information on the performance and effectiveness of the Quality Management System, including trends in:

A. Suitability of policies and procedures.

These may include:

1. The suitability and adequacy of the quality policy.
2. Suitability of any other established policy.
3. Suitability of the Quality Management System procedures and work instructions.
4. Suitability of the chosen methods.

B. Changes in the scope of activities.

1. This will include activities included in or excluded from the organization’s scope.

C. Customer satisfaction feedback and complaints from relevant interested parties.

These may include:

1. How many customers’ feedback where collated and analyzed.
2. Percentage performance of the organization based on the customer feedback.
3. Identification of areas where the organization performed well.
4. Identification of areas where the organization performed below expectation.
5. How many customer complaints were received?
6. Areas where the customer complaints focused on.
7. How many of the customer complaints have been addressed and the effectiveness of the actions to address them.

D. The extent to which quality objectives have been met.

These may include:

1. The total number of objectives set for the organization.
2. How many of the objectives were achieved?
3. How many of these objectives were not achieved?
4. Actions taken to address the failure.

E. Process performance and conformity of products and services.

These may include:

1. The percentage of conforming products and services delivered.
2. The results of quality control checks on production or service provision processes.
3. Material verifications.
4. Environmental monitoring.
5. Competency evaluations and appraisals.
6. Results of equipment monitoring.

F. Nonconformities and corrective actions.

These may include:

1. Number of jobs completed within the period under review.
2. The number of jobs in which nonconformities were observed.
3. Number of nonconformities observed.
4. Percentage of jobs in which nonconformities were observed against the number of jobs completed for the period.
5. Results of action taken to address nonconformities.
6. Trends in nonconformities with regards to job execution.

G. Monitoring and measuring results.

1. This may include the results of data generated from the process of monitoring the Quality Management System processes such as quality control checks, quality objectives, externally provided products and services monitoring.

• Audit results.

These may include:

1. How many audits were conducted (internal and external)?
2. How many nonconformances were issued?
3. How many of the nonconformances have been adequately addressed.
4. How many are still open?
5. Any overdue nonconformances and possible reason for delay.
6. Any trended process yet to be audited, the reason for delay and the planned action to address that issue.

• The performance of external providers.

These may include:

1. The evaluation and qualification of external providers.
2. External providers enlisted.
3. External providers delisted.
4. Results of external providers performance monitoring.

• Outcomes of the assurance of the validity of results.

These may include:

1. Equipment verification and calibration results.
2. Results of process validations.
3. Availability of applicable codes, standards and specifications.
4. How much statutory and regulatory requirements have been met?
5. Results of proficiency testing, interlaboratory comparison, repeatability and reproducibility testing where applicable.

• The adequacy of resources.

These may include:

1. The adequacy of competent manpower.
2. Suitability of the established processes and their interactions.
3. Adequacy of suitable equipment.
4. Suitability of production environment.
5. Effectiveness of the execution of planned budgets.

• The effectiveness of actions taken to address risks and opportunities.

These may include:

1. The number of risks and opportunities identified.
2. Number of risks and opportunities adequately addressed.
3. How many are yet to be addressed and possible reasons.
4. Any spillovers from identified risks and opportunities of previous reviews.

• Opportunities for improvement.

These will include areas where the organization can improve the Quality Management System and enhance the conformity of products and services such as:

1. New technologies.
2. New and effective methods.
3. New learning and certifications aimed at improvement.
4. Strategies for market expansion.
5. New activities focused on customer satisfaction.
6. Possible new scope for expansion.
7. Strategies for cost effective implementation of processes.
8. Identification of possible competent external providers for qualification and enlistment.

• Other relevant factors, such as quality control activities and staff training.

9.3.3 Management review outputs

Management review results shall be summarized, specifying management commitments, directives and action points. The review output shall specify the target dates of completion and the person responsible for addressing the action point.

Expected review outputs shall include decisions and actions related to the following:

• Effectiveness of the Quality Management System and its processes.

• Opportunities for improvement of the effectiveness of the Quality Management System and its processes.

These shall include:

1. Process improvement actions.
2. Quality management system improvement actions.
3. Product and service improvement actions.

• Any need for changes to the Quality Management System.

These shall include:

1. The revision of business plans and budgets.
2. Revision of objectives and Key Performance Indicators.
3. Amendments to policies and procedures.

• Identification of resources needed for meeting customer requirements.

Action shall be taken to address any corrective outputs from the management review meeting through the nonconformity and corrective action process.

9.3.4 Action points from management review

Minutes of meetings shall be generated to include review inputs, review outputs, action points from review, corrective outputs, recommendations and opportunities for improvements.

This shall be communicated to top management for approval. Copies of the approved minutes of management review shall be distributed to people who attended the review meeting, for their information and action. Attendance for the management review meetings shall be established and maintained.

All action points from the management review shall be extracted and populated in an action point follow-up log to enable adequate follow-up and closeout of the action points.

See the log below for example.

Figure 50: Minutes of management review action point monitoring log

Minutes of management review meetings, agenda, program and presentations should be retained as documented information.

The organization shall continually take advantage of improvement opportunities to achieve the intended outcomes of its Quality Management System.

Potential sources of improvement opportunities include:

• The results of analysis and evaluation from monitoring and measurements, quality performance results, results of the evaluation of customer feedbacks and complaints, products and services conformity, internal audits and management reviews.
• Improvement of products and services to meet requirements and to address future needs and expectations of the customer.
• Improving products and services through investment in latest technologies and innovations, improving reliability, reducing cost, and improving on-time delivery.
• Correcting, preventing or reducing undesired effects by investigating root cause and taking corrective actions.
• Improving the performance and effectiveness of the Quality Management System by acting on process performance results, addressing audit findings, process re-engineering, reducing waste and rework, structural re-organization, and promoting breakthrough developments.

REQUIREMENT

The organization shall determine and select opportunities for improvement and implement any necessary actions to meet customer requirements and enhance customer satisfaction.

These shall include:

a) improving products and services to meet requirements as well as to address future needs and expectations;

b) correcting, preventing or reducing undesired effects;

c) improving the performance and effectiveness of the quality management system.

NOTE Examples of improvement can include correction, corrective action, continual improvement, breakthrough change, innovation and re-organization.

EXPLANATION

The organization shall continually take advantage of improvement opportunities to achieve the intended outcomes of its Quality Management System.

Potential sources of improvement opportunities include:

• The results of analysis and evaluation from monitoring and measurements, quality performance results, results of the evaluation of customer feedbacks and complaints, products and services conformity, internal audits and management reviews.
• Improvement of products and services to meet requirements and to address future needs and expectations of the customer.
• Improving products and services through investment in latest technologies and innovations, improving reliability, reducing cost, and improving on-time delivery.
• Correcting, preventing or reducing undesired effects by investigating root cause and taking corrective actions.
• Improving the performance and effectiveness of the Quality Management System by acting on process performance results, addressing audit findings, process re-engineering, reducing waste and rework, structural re-organization, and promoting breakthrough developments.

REQUIREMENT

10.2.1 When a nonconformity occurs, including any arising from complaints, the organization shall:

a) react to the nonconformity and, as applicable:

1) take action to control and correct it;

2) deal with the consequences;

b) evaluate the need for action to eliminate the cause(s) of the nonconformity, in order that it does not recur or occur elsewhere, by:

1) reviewing and analysing the nonconformity;

2) determining the causes of the nonconformity;

3) determining if similar nonconformities exist, or could potentially occur;

c) implement any action needed;

d) review the effectiveness of any corrective action taken;

e) update risks and opportunities determined during planning, if necessary;

f) make changes to the quality management system, if necessary.

Corrective actions shall be appropriate to the effects of the nonconformities encountered.

10.2.2 The organization shall retain documented information as evidence of:

a) the nature of the nonconformities and any subsequent actions taken;

b) the results of any corrective action.

EXPLANATION

Nonconformity may arise from customer complaints, poor results and negative trends from monitoring and measurements, reviews, assessments and inspections, non-fulfilment of statutory and regulatory requirements, or procedures not being followed.

To address a nonconformity, the following steps shall be taken:

• Identify nonconformity.
• Implement containment action.
• Implement a correction.
• Investigate the root-cause of the nonconformity.
• Propose and implement an appropriate corrective action.
• Verify and validate the effectiveness of the corrective action.
• Integrate the results of corrective action into the Quality Management System.
• Maintain records of nonconformities and the relevant actions taken.

10.1.1 When to apply corrective action

The decision to implement or not to implement a corrective action process shall be made by the appropriate level of management authority within the organization, based on the level of risk. The analysis of nonconformities shall not focus on blaming someone or a department but on the understanding and improving the organizational weaknesses that caused the nonconformity.

When an organization identifies a nonconformity through monitoring or internal audits that the organization’s policy, objectives, standards and other requirements as defined within the Quality Management System are either not implemented or are improperly implemented, a nonconformance report shall be raised using the corrective action request process and captured in the nonconformity log as appropriate. The responsible process owner shall agree to the existence of the nonconformity.

See below for a sample corrective action request form.

Figure 51: Corrective action request form

The root-cause shall address the nonconformity and the corrective action shall address the root-cause.

Any nonconformities and actions taken to prevent their reoccurrence and the effectiveness of the corrective action(s), shall be adequately documented and retained.

10.1.2 Defining the nonconformity

In issuing a corrective action request, the organization shall consider:

• What the nonconformity is. That is, the operations, products, materials, defects, malfunctions that make up the nonconformity.
• Who is responsible for the nonconformity, who is reporting the nonconformity, who is rectifying the nonconformity, and who the nonconformity is affecting.
• The location where the nonconformity
• The process, product or service affected by the nonconformity.
• When the nonconformity occurred (time, date, when it starts, how long it lasts, how often it occurs)
• When the nonconformity was reported.
• When the nonconformity was corrected.
• Has the same nonconformity occurred before? If yes, what is the history?
• How was the nonconformity detected?
• What is the effect of the nonconformity measured in terms of rework, costs, delays, scrap rate, customer complaints, return rate, concessions, reliability rate?
• How is the problem currently addressed and corrected?

The description shall contain facts such as observations, documentation evidence and not assumptions. All relevant information shall be collated prior to identifying the root-cause.

The organization shall determine, verify and implement the interim remedial and containment action to isolate the effects of the nonconformity from any internal or external customer until corrective actions are implemented.

10.1.3 Establish a Response Team

Identify representatives from functions that may have an influence on the corrective action process, including the identification of the root-causes and define their responsibilities and objectives. Those performing the job, such as operators, inspectors, drivers, etc., are the best people to help identify the real causes and shall form part of the team.

The complexity and the impact of the nonconformity shall determine the size and composition of the team which may continually change depending on the results of analysis and the required actions. New team members shall join the team if identified as being in the scope while others shall leave the team if they are identified as out of the scope.

Brainstorming sessions shall be used to identify potential causes. A comparative analysis shall be applied to identify relevant changes in a change-induced situation and the number of possibilities to be considered in determining the root-cause shall be identified.

To achieve this, the team shall consider:

• What is unique, peculiar, different or unusual about the indicators?
• Features such as people, processes, materials, machines and the environment.
• Listing all the facts without bias as to the possible cause of the nonconformity.
• Evaluating each difference listed, identifying changes and what has changed that resulted in the difference.
• Listing the changes and their corresponding differences.
• Identifying the dates each change occurred.
• Eliminating changes that occurred after the problem has started.
• The categories of people, machines, processes or measurements involved in the change.

All information determined during the comparative analysis shall be based on fact and not on opinions. The team shall not rule out any fact that might give valid answers.

10.1.4 Containment action.

When a nonconforming situation is identified, a containment process shall be initiated to prevent escalation and to minimize the impact of the nonconformity on the affected parties.

Such containment actions may include:

• Acceptance by informed decision. (Use-as-is).
• Segregation.
• Labeling.
• Re-work.
• Return of product delivered.
• Suspension of product delivery.
• Disposing or scrapping.
• Applications of any concessions.
• Correcting the nonconforming output.
• Replacing the service provided.
• Offering an alternative.
• Informing the customer.
• Obtaining authorization for the customer to accept the nonconforming output under concession.

The nature of the nonconformity will determine the applicable containment action. Serious consequences may occur when the underlying symptoms are not addressed, or quick a fix is accepted as a final or permanent solution.

Excessive reliance on containment or emergency response action will create a repeating cycle. Containment of nonconformity is a problem that will only get worse until the root-causes are identified and addressed.

10.1.5 Implementing correction

Correction, which is also known as immediate fix or remedial action, is an action taken to eliminate a detected nonconformity or defect. A correction may be implemented alongside a corrective action. Correction for products nonconformity may include rework, accepting the nonconforming output by concession, replacing, or scrapping the product.

Taking appropriate action to address the effects of the problem may require a simple correction by the process owner or operator where it was discovered. If a major failure or defect exists, more significant levels of resources shall be needed to resolve the problem and take corrective action.

Correction to nonconformities may not be the same for all situations. In some instances, the organization may have to scrap the defective product but in other situations the organization may be able to do some remedial work and bring it back to specification.

Supposing a material of length 1.10m is used for a precision production process where a material of length 1.00m is required, this is a deviation from specified requirements and shall be corrected. To do so, the 1.10m material has to be removed and replaced with a 1.00m material. Where possible, the 1.10 m material may be reworked and reduced to the specified 1.00m.

Where a material of 0.90m is used in place of the 1.00m, remedial work may not restore the conformity of the material. In such situations, the material has to be scrapped and replaced with another material of 1.00m. That way, the deviation is corrected.

The product shall then be subjected to further inspection to verify that it is now correct. Re-verification simply means that the organization cannot assume that because someone says they have corrected the problem, then it is corrected. The effectiveness of the correction shall be ascertained by re-verifying the output before delivery to the customer.

The re-verification after correction work may involve testing as well as inspection. This is not just to verify that the defect has been removed, but also to ensure that fresh defects have not been introduced during the process of rework.

Records shall be maintained as appropriate for the re-inspection or re-test performed including the signature of the approving authority.

There may be a need to supply new evidence of conformance to the customer along with corrective action documentation if requested for nonconforming products already delivered before being detected.

10.1.6 Identify the Root-Cause(s)

Root-cause analysis is a problem-solving method aimed at identifying the root-causes of problems or nonconformities. A problem is best solved by trying to correct or eliminate root-causes. Knowing the cause of the nonconformity will enhance the effectiveness of taking actions to mitigate recurrence.

The 5-Whys (1st Why, 2nd Why, 3rd Why, 4th Why, and 5th Why) and the root-cause technique are very easy to use and effective methods for determining the root-cause of nonconformities.

This is an approach for identifying the underlying causes of a problem so that the most effective solutions can be identified and implemented. This is done by asking and providing answers to series of related questions until the most possible answer is obtained.

To implement the 5-WHY method, the organization shall ask “WHY” the nonconformity happened? This will yield an “A” reason why it happened. Then, “WHY” did reason “A” happen? This will yield a reason “B” why it happened. This is repeated till the most convincing reason is determined. Understanding the root-cause will give an idea of the action to prevent recurrence.

From the example above, we may need to ask the WHYs this way:

1Y – why was a material of 1.10 m used rather than a material of 1.00m?

Possible reason – the measuring equipment gave inaccurate readings while the material was measured prior to cutting.

2Y – Why did the measuring equipment give inaccurate reading?

Possible reason – the personnel who took the measurement was incompetent and he used the measuring equipment in a hot and humid environment that was not monitored.

3Y_a – why was the personnel incompetent?

3Y_b – why was the environment not monitored?

Possible reason_a – personnel were undergoing on the job training and yet to be authorized.

Possible reason_b – No equipment in place to monitor the measuring environment.

4Y_a – why was unauthorized personnel used in taking the measurement?

4Y_b – why is there no equipment to monitor the environment?

Possible reason_a – inadequate competent personnel in the process.

Possible reason_b – delay in approval for the procurement of the monitoring device due to financial constraints.

At this point, we do not need to ask, why are there inadequate competent personnel because clause 8.5.1e of the standard says, “The organization shall implement production and service provision under controlled condition to include the appointment of competent persons, including any required qualification”.

We shall not also ask why has financial constrains delayed the approval for the procurement of the monitoring device because clause 8.5.1d of the standard says, “The organization shall implement production and service provision under controlled conditions to include the use of suitable infrastructure and environment for the operation of processes”.

The root causes of the nonconformity are therefore, that the process has inadequate competent personnel and that the measuring environmental condition is not being monitored due to delay in approval for the procurement of the monitoring device.

From this, we may begin to see what corrective action we need to take to ensure that the nonconformity does not reoccur.

The corrective action may include:

1. Engaging another competent hand in the process since the available hand is still undergoing training and does not have the competence to ensure accurate measurements.
2. Obtaining the approval for the purchase of the monitoring device and procuring the device.
3. Placing the monitoring device in the measurement area after verifying and calibrating the monitoring device.
4. Establishing an environmental monitoring process and a log for monitoring and capturing the environmental condition of the measurement area.

These proposed corrective actions shall be implemented and monitored to ensure effectiveness.

Other applicable methods include:

• 3-Ws (what, where, when).
• 8D Eight Dimensions.
• Fish-bone Analysis.
• Pareto Analysis.
• Failure Mode and Effects Analysis.
• Fault-tree Analysis.
• Barrier analysis.
• Cause Mapping – draws out, visually, the multiple chains of interconnecting causes.
• Change analysis.

The 5-Whys technique is very effective for organizations with varying levels of Quality Management System experience.

10.1.7 Implement the corrective actions

When all root and contributing causes of the nonconformity have been identified and their effects understood, the organization shall propose and implement corrective actions that are appropriate to the nonconformity.

The planned actions shall be implemented as planned and their effectiveness to permanently prevent the undesirable condition, situation, nonconformity or failure from recurring is evaluated.

To ensure that the most effective corrective actions are implemented, the most likely or critical root causes are taken into consideration. Operational constraints such as costs, lead time, difficulty of implementation, and resources shall also be considered.

Where applicable, modify the relevant processes, policies, practices and procedures to prevent recurrence of nonconformity and similar ones by taking the following steps:

• Review the history of nonconformity.
• Analyze how the nonconformity occurred and escaped.
• Identify affected parties.
• Identify the possibility for similar nonconformities to occur and escape.
• Identify practices and procedures that allowed the nonconformity to occur.
• Identify practices and procedures that allowed the nonconformity to escape to the customer.
• Analyze how similar nonconformity may be addressed.
• Identify and choose appropriate corrective
• Develop action plan to implement corrective action.
• Implement corrective actions.
• Implement required controls.
• Evaluate the corrective action for deviations and effectiveness.
• Remove the immediate containment action.
• Verify and validate corrective actions and their effectiveness.
• Confirm with the customer that the symptoms have been eliminated.
• Present systemic corrective recommendations to the process owner.

Where it is impossible to completely eliminate the cause of the nonconformity, the organization shall implement actions to reduce the likelihood or the consequences of a similar nonconformity happening again, to reduce the risk to an acceptable level.

Where applicable, any corrective action taken, and controls implemented to eliminate the cause of nonconformity shall be applied to other similar processes and products.

10.1.8 Verification and validation of implemented corrective actions

The appropriate authority shall verify that all planned actions have been completed as scheduled and that they have prevented the undesirable condition, situation, non-conformity or failure from recurring.

When it has been verified and validated that the action taken has eliminated the cause of the nonconformity, the applied containment action may be removed, and the effectiveness of action taken shall be monitored for the long-term results.

Some of the verifications and validations required from the example of nonconformity given above include:

1. Evidence of correction for the nonconformity (1.00m material used for the production process).
2. Evidence of engaging another competent hand for the process (appointment letter, defined job responsibilities, records of induction).
3. Environmental monitoring device placed in the measurement area (conduct functional checks).
4. Evidence of verification and calibration of the monitoring device prior to use (certificate of calibration, records of verification).
5. Evidence of an established process to monitor the environmental condition of the measurement area and evidence of adequate implementation.
6. Evidence of data obtained from monitoring, showing that the environmental condition of the measurement area is conforming to requirement.
7. Evidence of verification that the measuring equipment now gives accurate readings.

Having verified and validated the effective implementation of the planned corrective actions, the appropriate shall sign off and close the nonconformity. Then, the process shall be monitored for continual application of the actions taken.

10.1.9 Monitor actions taken for effectiveness

The owner of each corrective action, the team leader and all team members and when relevant, the customer shall verify the effectiveness of the actions taken.

Examples of verification methods include:

• Additional process monitoring and measuring until it is demonstrated that the process is stable and capable of consistently meeting defined requirements.
• Follow-up internal audits to specifically verify the effectiveness of the corrective actions.
• Documentation of data and results of monitoring and measurements showing significant improvement resulting from the corrective actions.

Results of corrective action may be integrated into the Quality Management System through:

• Updated procedures, work instructions and control plans.
• Sharing of lesson learned with all stakeholders to prevent similar undesirable condition, situation, non-conformity or failure occurring on other products, production lines or suppliers.
• Keeping of lessons learned register which includes a summary of content and results of analyses, flow charts, performance data, main actions and decisions, location where detailed data can be retrieved, difficulties encountered when managing the issue, etc.

Escalation to top management or transfer to another function may be required to ensure adequate and effective implementation of planned actions and follow-up.

REQUIREMENT

The organization shall continually improve the suitability, adequacy and effectiveness of the quality management system.

EXPLANATION

To achieve continual improvement, the organization shall continually determine, identify, implement and monitor improvement actions.

These improvement actions may stem from:

• Policies and objectives.
• Risks and opportunities.
• Hazards and safety risks.
• Analysis and evaluation of data from monitoring and measurements.
• Competency appraisals.
• Customer feedback and complaints.
• Audit results.
• Management review.
• Nonconformity and corrective action.

The organization shall continually integrate the results of the improvement action into the Quality Management System by:

• Review of operating procedures, work instructions and methods.
• Restructuring and reassignment of roles.
• Application of new technologies.
• Competency building.

Processes can always improve and become more efficient and effective, even when they are producing conforming products. Continual improvement programs are aimed at increasing the possibility of satisfying customers by identifying areas that need improvement.

It requires the organization to plan activities that can improve the processes, products and services with the focus of satisfying the customer.

The continual improvement principle implies that the organization shall adopt the culture that improvement is always possible and shall develop the skills and tools necessary to drive improvement.

The PDCA cycle is a systematic methodology to introducing continual improvement to an organization’s activities. Each step to improvement may be defined by the four sub steps, Plan, Do, Check and Act:

Plan: Establish internal audits and management reviews plans. Establish the objectives, processes and their interactions necessary to deliver results in accordance with customer’s requirements and organization’s policies.

Do: Provided the need resources and implemented the planned actions ensuring that every planned arrangement is completed.

Check: Monitor and measure processes and product against criteria, defined policies, objectives and requirements and report the results to top management.

Act: Take actions to address deviation and to continually improve the process performance.