API Q1 5 Product Realization

5.1 Contract Review

5.1.1 General

The organization must uphold a documented procedure for reviewing requirements related to product provision. This procedure should cover determining requirements, reviewing requirements, and making changes to requirements.

5.1.2 Determination of Requirements

The organization must identify requirements outlined by the customer, legal regulations, and any other applicable criteria, as well as requirements not explicitly mentioned by the customer but deemed necessary by the organization for providing the product. In cases where the customer hasn’t provided documented requirements, the organization must confirm these requirements and keep records of the confirmation process.

5.1.3 Review of Requirements

The organization must assess the requirements regarding product provision. This assessment must occur before the organization commits to delivering the product to the customer. It should confirm that requirements are identified and documented, resolve any discrepancies from previously identified requirements, and ensure the organization can meet the documented requirements. If contract requirements change, the organization must update relevant documents and inform relevant personnel of the changes. Records of the review outcomes, including any resulting actions, must be kept.

The organization must establish a documented procedure for contract review that defines the process for reviewing the requirements related to the provision of products and required servicing. The organization shall determine stated customer requirements, legal and other requirements, and requirements the organization considers necessary for the provision of the products. When the customer requirements are not documented, the organization must confirm the requirements with the customer and record them. Before committing to deliver products to the customer, the organization shall review the requirements related to the provision of products. The organization should ensure that requirements are identified and documented, that requirements differing from those previously identified are resolved, and that the organization can meet the documented requirements. Where contract requirements are changed, the organization must document all changes, amend all relevant documentation, and notify all affected personnel of the changes. The results of the review and the actions taken must be recorded.

The requirement states that the organization should now include a review of the requirements arising from the customer, from legal or other requirements, or from the organization itself. The organization should seek and record evidence that these requirements are considered during product and service reviews. The sub-clause mandates that your organization should not issue a quotation or accept an order until it has been reviewed to ensure requirements are defined and that the organization can meet the defined requirements. It goes on to require that records of the review and any subsequent actions be maintained. The organization should conduct a review of customer requirements before order acceptance. It can use a contract review checklist with the following headings as a minimum:

Necessary information is available:

  • Technical data;
  • Specifications and standards;
  • Drawings.

Customer requirements are understood and can be met:

  • For product acceptance (e.g. quality, inspections and tests, verification and validation, and any special monitoring);
  • For delivery expectations;
  • For post-delivery expectations.

Related standards have been reviewed and can be met:

  • Statutory;
  • Regulatory;
  • International quality (e.g. ISO 9001:2015, API Q1);
  • Other necessary and applicable standards.

Unclear or ambiguous requirements are resolved.

Feasibility has been determined:

  • Capability to meet order requirements;
  • Equipment is available;
  • Floor space is available;
  • Adequate resources are available;
  • Skilled personnel are available.

Differences between the contract and quote are resolved.

Methods of communicating with the customer are defined related to:

  • Product information;
  • Enquiries;
  • Feedback;
  • Concerns and complaints handling.

Requirements that are not stated by the customer are defined.

If the customer does not provide their requirements in writing, the requirements must still be confirmed before they are accepted. Define your organization’s arrangements for the retention of documented information to capture the results of the review, including any new requirements or changes (e.g. a record of contract review that captures the customer, reference, date, persons, resources, conventional/special requirements, risks, outcome, and changes).

5.2 Planning

The organization must identify and strategize the processes and documents necessary for product realization. During planning, the organization should address the following:

  1. Management of required resources and work environment.
  2. Product and customer-specified requirements.
  3. Legal and other applicable requirements.
  4. Design specifications.
  5. Contingency planning.
  6. Specific verification, validation, monitoring, measurement, inspection, and testing activities for the product, along with acceptance criteria.
  7. Management of change (MOC).
  8. Records needed to demonstrate that product realization aligns with requirements.

The outcome of this planning must be documented and regularly updated to reflect changes. These plans should be organized in a structure suitable for the organization’s operations.

Planning is a critical requirement. During the discussion, participants will notice that sections (a) through (h) reference other parts of the API Spec Q1 10th edition specification. The organization must take the referenced sections into account during planning. Once the review of requirements has occurred, organizations can begin to plan for the manufacturing or servicing of products.

(a) Resources and Management
During planning, organizations must take into account resources and work environment management necessary for manufacturing or servicing products.

(b) Product and Customer Requirements
The organization must take into account product and customer-specified requirements (see 5.1).
Meeting customer-specified requirements, at a minimum, must be achieved for the manufacturing or servicing of product to be accepted.

(c) Legal and Other Requirements
The expectation that organizations know and understand legal and other applicable requirements resonates throughout the API Spec Q1 10th edition. HSE, quality, and other requirements are included in this expectation. It is not possible to properly plan the manufacturing or servicing of products if the organization is not aware of the legal and other requirements that they are mandated to comply with.

(e) Contingency Planning
Based on the customer requirements for the manufacturing of the product, the organization shall identify contingency plans for the risks found in the initial risk assessment. These plans reduce or eliminate the risk through the identified process or backup planning, as well as through developed employee competencies to manage the identified risk.

(f) Contingency Planning Based on Risks
Planning must include the initial risk assessments so that the risks can be mitigated.

(g) Design and Development Requirements
When planning under section 5.2 Planning, organizations must take into account section 5.4 Design and Development.

  • 5.4.1 Design and Development Planning
  • 5.4.2 Design and Development Inputs
  • 5.4.3 Design and Development Outputs
  • 5.4.4 Design and Development Review
  • 5.4.5 Design and Development Verification and Final Review
  • 5.4.6 Design and Development Validation and Approval
  • 5.4.7 Design and Development Changes.

(h) Verification, Validation & Test
Organizations must address the following for product acceptance:

  • Verification
  • Validation
  • Monitoring
  • Measurement
  • Inspection
  • Test activities

(i) Management of Change
Change is a part of manufacturing product. When things go wrong, or something unplanned occurs, the organization can refer to the contingency plan, which is still part of . However, when changes fall outside the scope of the contingency plan, an MOC is required. If changes initiated by the organization or the customer result in risks, the organization must notify the customer through the MOC process, as previously discussed.

(j) Records
Records are needed to provide evidence that the product realization processes meet requirements. This links to the following API Q1 elements:

  • 5.7.7 Inspection and Testing: Maintaining Records
  • 5.9 Product Release: Maintaining Records

5.3.2 Risk Assessment
5.3.2.1 Product Delivery

Risk assessment related to product delivery must consider factors such as facility and equipment availability, including maintenance, as well as supplier delivery performance and material availability/supply.

In API Specification Q1, risk assessment related to product delivery must consider various factors to ensure the reliability and consistency of the supply chain. Assess the availability of production facilities, warehouses, and distribution centres. Consider factors such as capacity constraints, maintenance schedules, and potential downtime due to unforeseen events (e.g., equipment failure, natural disasters). Evaluate the availability and reliability of production equipment, machinery, and vehicles. Consider maintenance schedules, breakdown frequency, and the availability of spare parts to minimize the risk of production delays or disruptions. Assess the delivery performance of suppliers, subcontractors, and vendors. Evaluate factors such as lead times, on-time delivery rates, quality consistency, and reliability. Poor supplier performance could lead to delays in receiving essential materials or components, impacting product delivery schedules. Evaluate the availability and reliability of raw materials, components, and supplies required for production. Consider factors such as supplier reliability, inventory levels, lead times, and potential supply chain disruptions (e.g., geopolitical events, transportation delays, raw material shortages). Assess the transportation and logistics infrastructure used for product delivery. Consider factors such as transportation modes, routes, transit times, customs clearance processes, and potential transportation-related risks (e.g., accidents, strikes, fuel shortages). Evaluate the variability in customer demand and the accuracy of demand forecasting. Consider factors such as seasonality, market trends, customer order patterns, and the potential impact of unexpected changes in demand on production and delivery schedules. Consider regulatory requirements and quality standards that must be met throughout the product delivery process. Ensure compliance with relevant regulations, industry standards, and customer specifications to mitigate the risk of non-compliance-related delays or penalties. Develop contingency plans and risk mitigation strategies to address identified risks and uncertainties. Implement measures such as safety stock levels, alternative sourcing options, supplier diversification, and business continuity plans to minimize the impact of potential disruptions on product delivery. By considering these factors in the risk assessment process, organizations can proactively identify potential risks and vulnerabilities in the product delivery process and implement appropriate measures to enhance supply chain resilience, reliability, and performance in accordance with API Specification Q1 requirements.

5.3.2.2 Product Quality

Risk assessment concerning product quality must encompass factors such as the delivery of nonconforming products and the availability of competent personnel.

In API Specification Q1, risk assessment concerning product quality encompasses various factors to ensure that products meet the required standards and specifications. Evaluate the risk associated with the delivery of nonconforming products to customers. This includes assessing the potential impact of defects, deviations, or failures in products on customer satisfaction, safety, and regulatory compliance. Implement measures to prevent, detect, and address nonconformities throughout the production and delivery process. Assess the effectiveness of product inspection and testing procedures to ensure that products meet quality requirements before delivery. Consider factors such as the frequency of inspections, sampling methods, testing protocols, and the reliability of testing equipment and personnel. Identify potential gaps or weaknesses in inspection and testing processes that could increase the risk of delivering nonconforming products. Evaluate the quality performance of suppliers and subcontractors to minimize the risk of receiving nonconforming materials, components, or services. This includes assessing supplier capabilities, quality management systems, compliance with specifications, and past performance history. Establish clear criteria for selecting and evaluating suppliers, and implement measures to monitor and improve supplier quality over time. Assess the competence and proficiency of personnel involved in product manufacturing, inspection, testing, and delivery. Ensure that employees have the necessary knowledge, skills, training, and experience to perform their roles effectively and contribute to product quality. Provide ongoing training and professional development opportunities to enhance employee competence and awareness of quality requirements. Evaluate the effectiveness of process controls and monitoring mechanisms to prevent quality-related issues during product manufacturing and delivery. This includes implementing procedures for process validation, control of critical parameters, real-time monitoring of production processes, and corrective actions in response to deviations or abnormalities. Assess the potential impact of changes to processes, materials, equipment, or specifications on product quality. Implement robust change management procedures to evaluate, approve, and implement changes in a controlled manner while minimizing the risk of unintended consequences or quality-related issues. Monitor customer feedback, complaints, and returns to identify potential quality issues and trends. Implement procedures for promptly addressing customer concerns, investigating root causes of quality-related problems, and implementing corrective and preventive actions to prevent recurrence. Foster a culture of continuous improvement to enhance product quality and customer satisfaction over time. Encourage employees to identify opportunities for process optimization, quality enhancement, and innovation. Regularly review and update quality management processes based on lessons learned, best practices, and industry advancements. By considering these factors in the risk assessment process, organizations can effectively manage risks related to product quality and ensure that products consistently meet customer requirements and regulatory standards in accordance with API Specification Q1.

5.3.2.3 Changes Impacting Product Quality

If any of the listed alterations have the potential to adversely affect product quality, a risk assessment concerning product quality must be conducted:

  1. Changes in the organizational structure;
  2. Changes in key personnel;
  3. Alterations in the supply chain of critical products, components, or activities;
  4. Modifications to the management system scope or procedures; and
  5. Adjustments to the organization’s capacity to execute the processes needed for product realization.

Note: Changes may originate internally or externally.

The organization must establish a documented procedure to identify and control risks associated with the impact on the delivery and quality of the product. The procedure must identify the techniques and tools to be applied for risk identification, assessment, and mitigation. The risk assessment must include the availability of facilities and the availability of equipment, as well as the maintenance of facilities and equipment. Supplier performance should be part of the risk assessment, which must also include the supply/availability of material. Availability of competent personnel and delivery of nonconforming products must also be included. Records of the risk assessment and the management of risk should be available. A contingency plan may be developed as a result of risk assessment, and corrective and/or preventive action can be taken as a result of it. Risk assessment includes consideration of severity, detection methods, and probability of occurrence.

The purpose of the procedure is to outline your organization’s risk management framework and the activities within it. The risk management framework defines the current risk management process, which includes methodology, risk appetite, and methods for training and reporting. Risk assessment and management is fundamental to API Spec Q1, 9th edition success, as well as aiding the organization to eliminate loss associated with its manufactured products, processes and services. The API Spec Q1 foundation is about understanding and mitigating risks associated with its manufacturing processes, products and services. By design, this Specification does not detail the organization’s procedure for risk assessment and management. Since there are many different methods and applications available to organizations, it is up to the manufacturing or servicing providers to decide which procedure best fits their needs. Risk-based management is the identification, assessment, and prioritization of risks, followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities.

  1. Identify the Risks: A lot will go into the identification of potential risks for a company. There are two distinct kinds of risk that a company may encounter: external and internal. External risk is the risk incurred from the environment in which the company operates. These can be legal, regulatory, financial, and cultural risks. Internal risk is the risk incurred from within an organization. This can be caused by an organization’s structure, resource deficiencies or allocation, and hierarchy. Risk needs to be determined within the context of the business, which will lead to different definitions of each term for different organizations.
  2. Plan Your Response: As with any other part of the standard, companies are required to develop a plan for addressing the risks and opportunities they’ve identified. A company will need to do an in-depth assessment of the possible risks for this part. How likely are these risks? How disruptive would they be if they were to happen? What amount of resources is your company willing to dedicate to mitigating these risks? Can their likelihood be increased while mitigating the risk? Is the potential risk worth incurring for a chance at capitalizing on the opportunity? Once these assessments have been made, an organization can develop a plan for addressing the risks based on its stated strategies. Without properly assessing its risk appetite, an organization cannot properly plan to either mitigate risk or capitalize on the opportunities it presents. These plans need to be laid out, with a plan for documenting the process and keeping clear records of it.
  3. Integrate the Response into Your QMS: This step requires a company to insert the plan it has developed for addressing risk and opportunity into the greater framework of the QMS that it already has in place. This step is critical, in that the plan needs to allow the rest of a company’s QMS to remain seamless. As a standard that emphasizes universal application, its nature will require that the process developed for addressing risk be compatible with all other procedures in the company. For this reason, keeping a company’s QMS in mind as it goes through the process of developing a plan for addressing risk and opportunity can prove to be helpful. Developing a plan only to find that it doesn’t integrate well into the larger process means time and energy have been wasted.
  4. Evaluate Effectiveness: As with any other procedure in a company, proper documentation and record-keeping processes will need to be put in place. This is where a company can record the outcomes and measure the effectiveness of its efforts. This stage in the process is also why it is crucial to develop a comprehensive assessment of the company’s willingness to take on risk and pursue potential opportunities. Without a detailed understanding of the company’s aims in regard to both risk and opportunity, it will be all but impossible to properly assess the effectiveness of the process that has been implemented. As with any procedure, this step allows for the constant scanning of potential inefficiencies that can be improved upon. It should be noted that context is also a key factor in any risk assessment process. Risk at one juncture of the process might look different than the same risk at another juncture. This is why having a comprehensive strategy for risk assessment is critical. Preparing for and thinking about all the possibilities will help better prepare your company.

5.3.3 Contingency Planning

If the organization deems it necessary to have a contingency plan due to assessed risks, the plan must, at a minimum, outline actions needed to mitigate the impact of disruptive incidents, assign responsibilities and authorities, and establish controls for internal and external communication. These contingency plans must be documented, communicated to relevant personnel, and revised as necessary.

While contingency planning has been applied by the industry for years, the application has been inconsistent and has overlooked critical information needed to mitigate risks. The standard mandates that a documented procedure for contingency planning must be available. This procedure will include risk mitigation for the delivery and quality of the product. Contingency planning is needed to address risk associated with the impact on delivery and product quality, and it must be:

  • Based on the assessed risk;
  • Communicated to relevant personnel.

Contingency planning output must be documented, communicated to the relevant operational personnel, and updated as required to minimize the likelihood or duration of disruption of manufacturing. The outputs of the contingency planning must be based on the assessed risks discussed in section 5.3 of this specification. As mentioned in the discussion under 5.5.1, the better the risk assessment, the less disruption and the smaller the likelihood of an incident. If an incident does occur, it is more likely to be contained or controlled through contingency planning, thereby minimizing loss.

The contingency plan shall include, at a minimum:

  • Actions required in response to significant risk scenarios to mitigate effects of disruptive incidents;
  • Identification and assignment of responsibilities and authorities; and
  • Internal and external communications controls.

Actions Required in Response to Significant Risks covers the actions required in response to significant risk scenarios to mitigate the effects of disruptive incidents. This is obvious and is what most manufacturers think of first when doing contingency planning. This is how we prevent or mitigate the “Incident” we discussed in 5.5.1 of the specification. Here, the manufacturer must review different real and potential risk scenarios and do the proper assessments to understand them in order to prevent and/or mitigate the loss. Most manufacturers do this as it relates to HSE. However, API Spec Q1 requires this to be done for delivery and product quality related incidents as well.

The basic contingency planning process includes:

1. Map out essential processes.

What processes are essential to your business and safely delivering your product or service to customers? If you’re a manufacturing company that ships directly to consumers, a simplified process list might look something like this:

  • Getting raw materials from suppliers
  • Manufacturing process
  • Freight and shipping
  • Packaging and warehousing
  • Last-mile delivery

Looking at this list, you can see how vulnerable it is to natural disasters or even minor human errors.

2. Create a list of risks for each process.

Once the process list is created, consider what might disrupt business continuity. What can go wrong with each of these critical processes? Let’s look at an example of what could go wrong with “last-mile delivery”:

  • The driver can deliver single or multiple packages to the wrong address.
  • The package can be damaged during delivery.
  • The package could get lost at a distribution center.
  • A truck full of packages could be involved in an accident.
  • A flood could cripple the road system in a specific area.
  • The driver could get delayed because a moose wants to lick salt splatter off the car (seriously, it’s a thing).

And that’s only a preliminary list. Once you start thinking about it, you’ll realize how many things you rely on not going wrong, even for fundamental processes.

Every business process is vulnerable to some sort of emergency or human error.

3. Evaluate the potential impact and likelihood of each risk.

Once the risks are identified, it’s essential to determine how they could impact your business. Are they likely to happen? How large will the impact on your business be if they do occur? Most companies use “qualitative risk assessment” to do this.

4. Calculate costs and contingency reserves, and identify issues to mitigate.

The quantitative risk assessment approach is to estimate the potential cost of each risk. This lets you make an educated decision when budgeting contingency reserves into project plans and yearly budgets. During the risk analysis, estimate the potential costs of each adverse event.

5. Create a response plan for prioritized events.

Create a response plan for events by exploring the following questions:

  • What can be done ahead of time to minimize any adverse effects of the event? For example, backing up data, carrying extra stock, or having more employees on call.
  • What can be done immediately after the event to minimize the impact? For example, ordering more from a secondary supplier, rerouting another vehicle, or bringing in on-call staff.

The specifics depend on your company’s unique processes and situation.

5.3.4 Records

Records documenting risk assessment and management, including the actions implemented, must be retained.

As per API Specification Q1, records documenting risk assessment and management, along with the actions implemented, must be retained by the organization. These records serve as evidence of compliance with the standard’s requirements and provide a historical record of the organization’s risk management efforts. The organization should maintain records of the risk assessment process, including the identification of potential risks, their likelihood and impact, and the criteria used to prioritize and evaluate risks. This documentation may include risk registers, risk matrices, risk assessment reports, and any supporting documentation used in the risk assessment process. Records should be kept of the actions taken to address identified risks and mitigate their potential impact. This includes documenting the specific measures implemented, responsible parties, timelines, and outcomes. For example, records may include copies of contingency plans, change management records, corrective and preventive action reports, and documentation of risk mitigation strategies. Records should document the decision-making process related to risk management, including discussions, evaluations, and approvals. This helps ensure transparency and accountability in the risk management process and provides a basis for reviewing and evaluating the effectiveness of risk management decisions over time. Records should be maintained of ongoing monitoring and review activities related to risk management. This includes tracking the status of identified risks, monitoring changes in risk factors, and assessing the effectiveness of risk mitigation measures. Records of management reviews, risk assessment updates, and audit findings related to risk management should be retained. The organization should establish a retention period for records related to risk assessment and management based on regulatory requirements, industry standards, and internal policies. Records should be retained for a sufficient period to demonstrate compliance with API Specification Q1 and to support future audits, assessments, or reviews. Ensure that records related to risk assessment and management are securely stored and protected from unauthorized access, alteration, or destruction. Implement appropriate controls to safeguard sensitive or confidential information contained in these records. At the same time, ensure that authorized personnel have access to the records as needed for business continuity and compliance purposes. Records related to risk assessment and management may be stored in various formats, including electronic or paper-based formats. Regardless of the format, ensure that records are legible, accurate, complete, and readily retrievable when needed.

5.4 Design
5.4.1 General

If the organization is accountable for product design, it must adhere to the requirements outlined in section 5.4. However, these design requirements do not apply if the product is involved in production activities, servicing, storage, distribution, or logistics.

In API Specification Q1, the requirements for product design apply specifically to organizations that are accountable for the design of products. However, these design requirements do not apply if the product is involved in production activities, servicing, storage, distribution, or logistics.

This distinction is important because not all organizations within the petroleum and natural gas industry are responsible for product design. For example, a company that primarily engages in production activities, such as drilling or refining, may not be directly involved in designing the products they produce. Instead, they may rely on suppliers or manufacturers to provide designed products, such as equipment or components, that are used in their production processes. On the other hand, organizations that are accountable for product design must adhere to the specific requirements outlined in the API Specification Q1 related to designing products. These requirements typically include:

  1. Establishing a design process that ensures products meet specified requirements and are suitable for their intended use.
  2. Identifying and documenting design inputs, including customer requirements, regulatory requirements, and any other relevant specifications.
  3. Performing design verification and validation activities to ensure that the designed product meets the specified requirements and performs as intended.
  4. Documenting the design process and maintaining records of design activities, decisions, and revisions.
  5. Implementing controls to manage changes to the design and ensure that changes are properly evaluated, approved, and communicated.

By adhering to these requirements, organizations accountable for product design can ensure that their designed products meet the necessary quality, safety, and performance standards. However, organizations that are not responsible for product design are exempt from these requirements and are instead expected to focus on other aspects of their operations, such as production, servicing, storage, distribution, or logistics, as specified in API Specification Q1.

5.4.2 Design Planning

The organization must uphold a documented procedure for planning and overseeing the design process. This procedure should cover:

a) Planning, including updates to the plan(s), used for design.
b) Various stages of the design process.
c) Allocation of resources, responsibilities, authorities, and their interactions.
d) Review, verification, and validation activities required for each design stage.
e) Requirements for a final review of the design.
f) Criteria and approval process for design changes.

When design activities are outsourced or carried out at different locations within the organization, the procedure should outline controls to ensure compliance with design requirements. If design activities are outsourced, the organization remains accountable for the design and must ensure that the supplier meets outsourcing requirements. Design review, verification, and validation serve distinct purposes but can be conducted and recorded separately or in any combination, as appropriate for the product and the organization.

The organization must maintain a documented procedure to plan and control the design and development of the product. The organization’s procedures are to identify:

  • Design and development plans and plan updates
  • The design and development stages
  • The resources, responsibilities, authorities, and their interfaces to ensure effective communication
  • The review, verification, and validation activities necessary to complete each design and development stage
  • The requirements for a final review of the design

Design and development for products will vary greatly in complexity. Some products present low risks while others may present significant risk, based upon their design and application. All products in the petroleum, oil and gas industry are expected to meet the requirements of 5.4 Design & Development. The organization shall maintain a documented procedure to plan and control the design and development of the product.

  • Plans and Updates: The plan and control procedure must include the design and development plans and plan updates.
  • D&D Stages: Under this subpart, organizations are required to identify the D&D stages in their plan and control procedure.
  • Resources, Responsibilities & Authorities: The plan and control procedure must include the resources, responsibilities, authorities and their interfaces to ensure effective communication for the D&D activities.
  • Review Activities: In addition to identifying the different D&D stages in the plan and control procedure, organizations must include the review, verification, and validation activities necessary to complete each design and development stage.
  • Final Review: The plan and control procedure must include the requirements for a final review of the design.

Design planning must specify the design and development stages, activities and tasks; responsibilities; timeline and resources; specific tests, validations and reviews; and outcomes. There are many tools available for planning, ranging from a simple checklist to complex software. Product design and development planning activities to be controlled include:

  1. Scope of the design e.g. customer requirements, design rationale, design assumptions, objectives, complexity, size, detail, timescales, criticality, constraints, risks, producibility, accessibility, maintainability;
  2. Stages of the design process, distinct activities and reviews e.g. work breakdown structure, work packages (tasks, resources, responsibilities, content, inputs/outputs), concept design, preliminary design, detail design, design review gates (preliminary design review, detail design review, critical design review);
  3. Verification and validation activities comprising the checks, trials, tests, simulations, and demonstrations required to ensure requirements are met;
  4. Assignment of responsibilities and authorities e.g. job profiles, CVs, accountability statements, delegation of authority, levels of approval, register of authority and approvals, authorized signatories;
  5. Internal and external resources such as knowledge acquisition, people, competency, investment, funding, facilities, equipment, innovation, technology, interested parties (customers, external providers, research establishments), information (principles, standards, rules, codes of practice);
  6. Organizational interfaces such as personnel and functions e.g. sales, project management, production, procurement, quality, finance, customers, and end-users;
  7. Levels of control required or implied by interested parties (customers, regulators, end users etc.) e.g. customer acceptance, safety checks, risk management, verification/validation activity, product certification;
  8. Required documented information e.g. design plan, design reviews, design outputs (specifications, schemes, drawings, models, data, reports), control plans, certificates.

The design management plan typically includes specific quality practices, assessment methodology, record-keeping, documentation requirements, resources, etc., and usually references the sequence of activities relevant to a particular design or design category. The design management plan references applicable codes, standards, regulations and specifications, and describes the interfaces with different groups or activities that provide, or result in, input to the design and development process. Each design activity is planned and divided into phases, and tasks are assigned to competent and skilled design personnel equipped with adequate tools and resources. Design management plans are documented and updated as the design evolves. At the commencement of a design package, the Design Manager is required to complete a Design Management Plan (DMP) which will include at a minimum:

  1. Confirmation of the standards baseline used for the work being undertaken and an explanation of how compliance to this baseline will be demonstrated;
  2. An organisation chart with defined responsibilities for all staff with direct involvement in the design or with a potential impact on safety;
  3. Skills matrix to define the competence of individuals with ‘prepare’, ‘check’ and ‘approval’ duties;
  4. Scope definition and interface identification including key issues and operational requirements;
  5. Projected output, timelines, milestones, and defined deliverables;
  6. Stated processes and procedures to ensure acceptable quality assurance will be demonstrated and records maintained (specifically the formal Assurance Gates);
  7. Processes and procedures to be used to ensure compliance with the engineering safety management;
  8. The design review process, both single (SDR) and multi-design consultant (IDR) reviews and stakeholder intervention, before the Assurance Gate Reviews at 20%, 60% & 100% design completion stages;
  9. Explanation of how compliance with input requirements will be demonstrated.

5.4.3 Design Inputs

Inputs must be identified and assessed for adequacy, completeness, clarity, and absence of conflicts. Any identified issues must be resolved. Inputs may encompass functional and technical requirements, along with the following, if applicable:

  1. Customer-specified requirements;
  2. Requirements from external sources, including API product specifications;
  3. Environmental and operational conditions;
  4. Documentation of methodologies, assumptions, and formulas;
  5. Historical performance and other data from similar previous designs;
  6. Legal requirements; and
  7. Potential consequences of product failure, as required by legal mandates, industry standards, customer specifications, or deemed necessary by the organization.

Records of design inputs must be retained.

The organization must identify the design inputs and review them for adequacy, completeness, and lack of conflict. The functional and technical requirements of design inputs can be customer-specified requirements, requirements provided from external sources (including API product specifications), environmental and operational conditions, methodology, assumptions and formula documentation, historical performance and other information derived from previous similar designs, legal requirements and results from risk assessments. The design inputs must be recorded.

Define which design inputs are required to carry out the design and development process. The inputs should be determined according to the design and development activities. For example, which employees are required or what information is required for every step of the development process? When determining design input requirements, ensure the retention of documented information such as:

  • Statutory and regulatory requirements e.g. legislation, regulation, directives;
  • Standards or codes of practice e.g. policies, standards, specifications, rules and aids, protocols, guidance, industry codes;
  • Functional and performance requirements informed by customer requirements, operational and performance characteristics, usability, reliability, availability, maintainability, and safety (e.g. Human factors and RAMS);
  • Knowledge exchange from others, similar proven designs, lessons learned, performance data, in-service data, customer feedback, external feedback, best practice, benchmarking;
  • Design assumptions and associated risks;
  • Methods of validation and verification;
  • Adequacy of inputs e.g. clear, complete, unambiguous, and authorized;
  • Conflicting inputs are resolved by communicating with interested parties/contract amendments.

Conceptual Design Statement (CDS)

The Conceptual Design Statement (CDS) includes a design statement that declares the inputs to be used in the design and the proposed design solution. A design statement illustrates the principles, concepts and input data relevant to the design and allows relevant stakeholders to understand the thinking behind any chosen design solution. The Design Team will normally produce a Conceptual Design Statement that states the standards and requirements against which the design is to be developed, the processes to be applied and the level of independent checking to be carried out (if any), proportionate to the level of risk. The design activities are then carried out by the Design Team using the CDS as the basis. Design and development inputs are documented and controlled. Design and development inputs can be in any form, including data sheets, customer drawings and specifications, photographs, samples, references to standards, etc.

Design standards baseline

All designs are based on a list of approved design standards, referred to as the Standards Baseline. This list is owned and managed by the Engineering Manager. The Standards Baseline is made up of a combination of National and International Standards, National Engineering Specifications, and Approved Codes of Practice. The Standards Baseline should be reviewed monthly, and any changes are controlled by the Engineering Manager. At the commencement of any given design package, the Design Team is required to specify the Standards Baseline that will be used in the design. The Engineering Manager should be responsible for checking that the correct design standards have been specified and for verifying that the design output complies with these standards and design requirements. Because standards are continuously reviewed and updated, the baseline may vary between different design instructions, so strict configuration control is maintained and only agreed changes are used in the assurance process. Once a design package has been instructed, the baseline for that element of work becomes fixed and will not reflect any subsequent changes in standards.

Design assumptions

Assumptions will normally be statements to fill uncertainties in available information. They are generated by the Design Team to allow designs to continue in the early stages. The anticipation is that assumptions are temporary and are closed out either by obtaining data or by updating documents to confirm or change the assumption. Assumptions have the potential to be incorrect and are therefore a source of risk that requires management. Any associated risk is identified and raised through the Risk Register. The assumption management activity is coordinated by the Design Manager, with input from the Design Team. Assumptions regarding domain knowledge include facts about the application of the end product or service that allow requirements to be developed in a particular context. The assumptions are normally traceable to gaps or inconsistencies in the design inputs e.g. incomplete or conflicting functional requirements, inconsistencies between the applicable Standards, unclear scope of work, or demarcation issues. The Responsible Body is the company, organisation, person or team against which an assumption has been made, or which is responsible for providing a feature or undertaking an action, agreed by them, to resolve the assumption. Qualifying criteria for design assumptions are based on the following:

  • Assumptions on scope and allocation;
  • The assumption regarding gap or conflict in the stated capabilities, systems or operational aspects;
  • Conflict between standards;
  • Assumptions due to missing design data;
  • Assumptions regarding a design decision;
  • Assumptions relating to interface issues.

Assumptions must not be raised on programme and cost-related matters. The requirements or the design statement will be verifiable against the raised assumption or the origin of the assumption. Assumptions are accepted by the Resolving Body; they may be turned into design requirements or project risks. The process for managing design assumptions is summarised as follows:

  • Assumptions are managed using an Assumptions Register;
  • The Design Team propose an assumption to fill an uncertainty;
  • The Engineering Manager reviews the suitability of the assumption against the criteria;
  • Once agreed with the Resolving Body, the Design Team updates the assumption register;
  • The action owner closes out the assumption by the agreed date; this can be done either by establishing additional data or by confirming a decision;
  • The Engineering Manager monitors that action owners are closing out assumptions and takes action to expedite if necessary;
  • Any assumption remaining at the end of the design phase must be clearly recorded in the Assumptions Register and transferred to the Risk Register.

Assumptions are considered closed when they are successfully resolved i.e. accepted by the Resolving Body and the Resolving Body has taken an action that is documented in a resolving document. This resolving document must be properly reviewed, verified and issued before the closure of an assumption is accepted. The respective Gate Review Authority is the final authority to accept or reject the closure of an assumption. The confirmation of closure is noted in the Assumptions Register and a reference to the resolving document with the relevant clause is provided for verification purposes.

Design requirements

The design management process is geared towards meeting customer requirements while providing a product cost that enables organizations to have a satisfactory return on investment. Design requirements are the physical and performance requirements of a product used as a basis for product design and development; they include user requirements, regulatory requirements, and system requirements. The customer and user requirements are translated into design requirements, which may be either hardware or software (according to intended use), and are included in the design specifications and other design documents.

The requirements are reviewed for adequacy by a cross-functional, multidisciplinary team involving Design, Engineering, Sales, Manufacturing, Procurement and Quality to ensure the requirements are complete, unambiguous and not in conflict with each other. The Design Team notifies the Engineering Manager if the requirements are ambiguous or conflict with each other. The Design Team produces evidence of the capture of and compliance with the requirements. This evidence is presented in the Requirements Register. The Design Team should provide compliance matrices and verification reports to demonstrate how the designs meet the requirements, supported by the compliance rationale, evidence, models and analysis as required, whilst ensuring that:

  • All requirements are traceable to the identifier, author, rationale, source, requirement owner, allocation and stakeholder;
  • All requirements have been validated and approved by identified personnel;
  • All requirements have been reviewed and agreed upon with the customer;
  • All requirements are recorded in the applicable project database;
  • All allocated requirements are understood and accepted by all the recipients.

In order to progress their close-out and acceptance, compliance statements are prepared and allocated to each requirement, commensurate with the design stage e.g. Gate 1, 2, or 3. Links and references to supporting drawings and documents are provided as the design progresses.

Customer-supplied user requirements are transferred to the Requirements Review Checklist and additional requirements are addressed with the customer. The Marketing Manager and the Sales Manager should identify and document the market's need for new solutions in a requirement statement which serves as the input for design and development work. The requirement statement includes the following:

  • What is required (features/functions, etc.);
  • Why it is needed (customer demand);
  • When it is needed;
  • Assumptions needed to progress the design;
  • Risk and opportunity, and hazard analysis;
  • Requirements for performance, reliability, safety, statutory and regulatory, etc.;
  • Pricing targets and design project milestones.

When a product is designed or modified to meet specific customer requirements, the Engineering Manager receives from the Marketing Manager and the Sales Manager an outline design order with customer requirements and specifications. The Design Team translates the needs and expectations from the requirements and design statements into technical specifications for materials, products, services and processes.

Design interfaces

Where necessary, the Design Team should form working groups to develop interface control documents and record agreements with interfacing stakeholders in order to elicit their requirements and to provide feedback that may be important to the designs. Their emphasis should be on the identification and co-ordination of the important characteristics, parameters and configurations that need to be developed to deliver effective interface designs. The level of detail documented must be proportionate to the level of detail being developed in the design outputs. The working groups should:

  1. Identify, specify and manage interfaces;
  2. Assist in the resolution of interface issues relating to commercial or contractual issues;
  3. Assist in the production of and agree on interface documents with interfacing parties;
  4. Ensure that the process of interface management is fully supported during the development of detailed designs;
  5. Review and monitor the development of interface identification.

Design documentation

The established document numbering system must be used by the Design Team. All documents produced to support the design and the design assurance process should be listed in the Master Design Document List, which is a list of all plans, processes and procedures to be used to control the safety, quality and efficiency of the design output.

All design documents must follow the ‘Prepare’, ‘Check’, and ‘Approve’ process, evidenced by the signatures of competent individuals. All design documents should be signed off in the three categories:

  1. Prepared – by a competent person who produces the design document, checking their own work complies with codes and standards governing that work.
  2. Checked – by a competent person able to undertake a formal detailed check/review of design methods, codes and standards used, deliverables, calculations, drawings and specifications produced by another member of the Design Team. This role is undertaken by a competent person of the same discipline who is not the Preparer but can be a member of the same team.
  3. Approved – by a competent person of the same discipline, but not a member of the same team, able to undertake a review of the design output after detail checking has taken place to validate that the design is consistent with requirements, is fully integrated and satisfies interface requirements.

Design reference materials (e.g. standards, catalogues, etc.) should be available and maintained by the Engineering Manager. Only current issues and revisions of reference material must be used. All documents produced to support the design and the design assurance process must be listed in the Master Design Documents List.

5.4.4 Design Outputs

The documentation of outputs must enable verification against the requirements outlined in the design inputs. These outputs should:

  • Meet the requirements specified in the design inputs.
  • Provide information for purchasing, production, inspection, testing, and servicing, as applicable.
  • Identify or reference design acceptance criteria (DAC).
  • Include identification of, or reference to, products, components, and/or activities considered critical to the design.
  • Incorporate the results of relevant calculations.
  • Specify the characteristics of the product essential for its intended purpose and safe and proper function.

Records of design outputs must be retained. Identification of criticality of products, components, and/or activities may be managed separately from the design process.

The outputs of design should meet the input requirements for design and development. They must provide appropriate information for purchasing, production, and servicing. They must identify or reference design acceptance criteria (DAC). They must identify or refer to products and/or components which are critical to the design. They must include the results of applicable calculations and must specify the characteristics of the product that are essential for its safe and proper use. The organization must document its design outputs for verification against the design and development input requirements. The design output must be recorded. Identification of the criticality of products and/or components can be maintained outside of the design and development process. The design and development output is the result of the design and development process. The output is a clear description of the product, containing detailed information for production. The organization's design and development outputs reconcile with its design and development inputs by:

  1. Ensuring outputs meet input requirements e.g. checklists, design review records, authorization to proceed, customer acceptance, and product certification;
  2. Ensuring outputs are adequate for product and service provision e.g. standards, specifications, schemes, drawings, models, part lists, materials, methods, manufacturing instructions, technical packages, tooling, machine programs, preservation, handling, packaging, specialist training, user instructions, service manuals, repair schemes, and external provision;
  3. Reference to monitoring and measuring equipment e.g. inspection equipment, gauges, instruments, environment;
  4. Acceptance criteria e.g. product/service specification, limits, tolerances, and quality acceptance standards;
  5. Product/service characteristics e.g. key characteristics, customer critical features, interface features, inspections, service intervals, and operating characteristics;
  6. Critical items such as identification, key characteristics, special handling, service intervals, component lifting, cyclic life, life management plans, source and method change, and traceability;
  7. Outputs are approved prior to release e.g. scope of authorization, authorized persons, levels of authorization, method of authorization and documented information is retained.

Outputs of the detailed design are the final technical documents used for purchasing, production, installation, inspection and testing, and servicing. Design output includes production specifications as well as descriptive materials which define and characterize the finished design, and includes drawings and documents used to procure components, fabricate, test, inspect, install, maintain, and service the product. Design and development outputs take the form of documented information that defines the product, including the characteristics that affect safety, fitness for use, performance, and reliability, and are provided for the manufacturing phase:

  1. Schematics, assembly drawings and wiring diagrams.
  2. Component and material specifications.
  3. Production and process specifications.
  4. Software design specifications.
  5. Bills of materials.
  6. User operation and maintenance instructions.
  7. Results of risk analysis and transfer of residual risk.
  8. Software source code and software machine code.
  9. Results of verification and validation activities.
  10. Quality assurance specifications and procedures.
  11. Installation and servicing procedures.
  12. Packaging and labeling specifications, including methods and processes.
  13. Details of new or revised procedures, work instructions, or processes.
  14. Applicable workmanship standards.
  15. Inspection and test criteria.

Specifications and procedures for product packaging and labelling are also part of the design and development output. Support documentation (e.g. calculations, risk analysis, test results, verification and validation reports, etc.) is also part of the design and development output. The transfer of a design to production typically involves review and approval of specifications and procedures and, where applicable, proving the adequacy of the specification, methods and procedures through process validation, including the testing of finished product under actual or simulated use conditions. The design transfer phase ensures that the design is correctly translated into production specifications, such as assembly drawings, component procurement specifications, workmanship standards, manufacturing instructions, and inspection and test specifications. Design transfer outputs may also include:

  1. Documentation (in electronic format as well as paper);
  2. Training materials (e.g. manufacturing processes, assembly, and test and inspection methods);
  3. Digital data files (e.g. computer-aided manufacturing (CAM) programming files);
  4. Manufacturing jigs and other aids (e.g. moulds or templates).

The Engineering Manager should ensure that the design transfer process addresses the following basic elements:

  1. Undertaking a qualitative assessment of the completeness and adequacy of the production specifications;
  2. Ensuring that all documents and articles that constitute the production specifications are reviewed and approved;
  3. Ensuring that only approved specifications are used for manufacture and production.

Prior to execution of a work transfer, any regulatory or contractual requirements are analysed, reviewed and flowed down through the supply chain to ensure compliance with all established requirements. Outputs may also include product preservation methods, identification, packaging, service requirements, etc. as appropriate.

5.4.5 Design Review

At appropriate stages, evaluations must be conducted to assess the suitability, adequacy, and effectiveness of the outcomes of design stages in meeting specified requirements, and to identify any issues and recommend required actions. These reviews must involve representatives from relevant functions associated with the design stages under review. Records of the review outcomes and any subsequent actions must be retained.

Periodically, at suitable stages of design, the organization must review its design. The review is performed to identify any problems and take the necessary actions. The organization must evaluate the suitability, adequacy, and effectiveness of the results of design stages to meet specified requirements. Representatives of the concerned functions should be part of the review. The result of the review and any necessary action should be recorded. Design reviews should be carried out after the initial concept stage, again after the detailed design stage, and finally before the design is released. The design review function is carried out at various stages of the design process in order to check that the design solution is in accordance with the original design inputs and objectives, and includes identification of concerns, issues and potential problems with the design. Design review meetings should be held at pre-defined points during the development process, with additional reviews held on an as-needed basis, depending upon the complexity of the design. Participants in design review meetings are competent to evaluate the design stage and discipline under review, which permits them to examine the design and its implications.

Assurance reviews: The Design Manager should ensure that design reviews are carried out in accordance with the Design Management Plan when the design has progressed by 20%, 60% and 100%. A cross-functional, multidisciplinary team (including at least one individual who does not have direct responsibility for the design stage under review) undertakes a documented, comprehensive, systematic examination of the design to evaluate its adequacy, to determine the capability of the design to meet the requirements, and to identify problems, whilst ensuring that:

  1. The input for the Design Reviews is captured from all stakeholders;
  2. All open actions from previous Design Reviews are tracked through to closure;
  3. All areas of concern are highlighted for further discussion and risk mitigation;
  4. All design reviews are documented and shared with stakeholders promptly.

The following elements are considered during design reviews:

  1. Customer needs and expectations versus technical specifications;
  2. Ability to perform under expected conditions of use and environment;
  3. Safety and potential liability during unintended use and misuse;
  4. Safety and environmental considerations;
  5. Compliance with applicable regulatory requirements, national, and international standards;
  6. Comparison with similar designs for analysis of previous quality problems and possible recurrence;
  7. Reliability, serviceability, and maintainability;
  8. Product acceptance/rejection criteria, aesthetic specifications and acceptance criteria;
  9. Ease of assembly, installation, and safety factors;
  10. Packaging, handling, storage, shelf life, and disposability;
  11. Failure modes and effects analysis;
  12. Ability to diagnose and correct problems;
  13. Identification, warnings, labelling, traceability, and user instructions;
  14. Manufacturability, including special processes;
  15. Capability to inspect and test;
  16. Materials and components specifications;
  17. Review and use of standard parts.

The reviewers are responsible for raising any comments, while the Design Manager should be responsible for capturing comments in the Design Review Meeting Minutes. Conclusions drawn during design reviews are considered and implemented as appropriate. Not all identified concerns result in corrective actions; the Engineering Manager should decide whether the issue is relevant, or whether it is erroneous or immaterial. In most cases, however, resolution involves a design change, a change in requirements, or a combination of the two. Records of design review meetings are retained and identify those present at the meeting and the decisions reached.

Single-consultant Design Review (SDR): The Single-consultant Design Review (SDR) is a presentation of the design to relevant stakeholders. These reviews are carried out by the Design Manager when the design has progressed by 20%, 60% and 100%. The purpose of the review is to present evidence at each of these stages to confirm that the design is compliant with the standards and requirements defined in the Conceptual Design Statement. The reviewers are responsible for raising any comments, while the Design Manager should be responsible for capturing comments in the Design Review Meeting Minutes, referencing the document upon which they are commenting along with the reviewer's name. If a reviewer cannot attend a session, it is their responsibility to ensure adequate cover or to issue their comments to the Design Manager for inclusion. The minutes of SDR meetings are recorded. Meeting minutes include a detailed listing of all the documents that have provided the basis of the review. Issues raised may be addressed in the following design stage. Any outstanding issues are recorded in the Design Issues Log (or similar), presented at the Assurance Gate Review meeting as issues for the next design stage, and subsequently confirmed as being closed out at the subsequent Gate.

Inter-consultant Design Review (IDR): The Inter-consultant Design Review (IDR) is a presentation of the design of a work package or packages to interfacing Design Teams. These are carried out by the Design Manager when the design has progressed by 20%, 60% and 100%. Its primary purpose is to seek evidence that all interfaces have been agreed and that the design integrates to deliver the requirements. At each IDR an Inter-consultant Design Review Certificate is produced to evidence that all interfacing Design Teams are satisfied with the design under consideration. It should be signed by accepted representatives of the interfacing Design Teams and contain a list of any actions required to close out any exceptions raised but not deemed a bar to acceptance. The reviewers are responsible for issuing any comments in writing using the Design Review Meeting Minutes, and referencing the document upon which they are commenting along with their name. If a reviewer cannot attend a session it is their responsibility to ensure adequate cover. The minutes of IDR meetings are recorded and include a detailed listing of all the documents that have provided the basis of the review. Issues raised may be addressed in the following design stage. Any outstanding issues are recorded in the Design Issues Log (or similar), presented at the Assurance Gate Review Meeting as issues for the next design stage and subsequently confirmed as being closed out at the subsequent Gate. Other instances of design reviews may be required when the Engineering Manager has identified significant design change that requires a review to revalidate the design.

Assurance gate reviews: The Assurance Gate Reviews 1 to 3 are the primary control mechanism that provides progressive assurance when evidence is reviewed at defined stages to confirm that the designs produced meet the design project’s objectives, requirements, obligations and that the risks associated with the engineering are identified and fully understood.

  1. Gate 1 – Initial concept (20% complete). The details will be outline only but will define the character, limit and form of manufacture, fabrication or construction.
  2. Gate 2 – Functional design (60% complete). At this stage the design has progressed to an intermediate position. This Gate is a check point at about the mid-point between Gate 1 and the final design. At the outset of a design project, the target deliverables at Gate 2 are clearly defined so that it provides an interim waypoint to confirm progress.
  3. Gate 3 – Detailed design ready for manufacture, fabrication or construction (100% complete). At this stage the design is complete and ready to be issued for manufacture, fabrication, or construction. Design details are finalised and fully integrated with other interfaces.

The purpose of the Assurance Gate Review process is to provide progressive assurance during the design stage that the objectives of the design intent can be achieved and that the design can progress successfully to the next stage. The next stage of the design process can only proceed when the Assurance Gate Review is successfully passed. If the evidence submitted at the Assurance Gate Review demonstrates that the design meets the objectives, it will be approved. If the Gate Review Panel decides that the submitted deliverables fall short of the requirements, the design will not pass through the Assurance Gate Review and is therefore prevented from proceeding to the next stage. The Gate Review Panel also known as the ‘Approval Authority’ has the responsibility to make the appropriate decision at each Assurance Gate Review. The Gate Review Panel is a multi-discipline committee formed of members from various departments and stakeholders throughout the organization. The Gate Review Panel members should be selected based on perceived risks, applicable regulatory or legal requirements, technical complexity, financial repercussions and criticality of the product. Department representation should include Quality, Manufacturing, Engineering, Sales, Planning, Purchasing, Business Development, Contract, Legal, or others as deemed necessary. Formal, documented design and development Assurance Gate Reviews should be held at appropriate stages of the design and development cycle and include representatives from all concerned functions and stakeholders. Each Assurance Gate Review focuses on assessing whether the design deliverables meet all the objectives and appropriate criteria. The minimum approval criteria used for determining whether the design meets the intent are set out below. In addition to these minimum requirements, the Engineering Manager may specify further criteria at the outset of each design stage. 
The Gate Review Panel is responsible for managing the Gate Review process, thereby ensuring that:

  1. The design progress and design status have reached a stage of development appropriate to the Gate being assessed;
  2. Cost and programme issues have been agreed and align with budget constraints;
  3. The assurance evidence presented to the panel is sufficient to support the Gate requirements;
  4. The risks are either designed out, have appropriate mitigation, or have been identified and agreed as acceptable to carry into the next stage;
  5. All necessary deliverables and legal obligations have been identified and complied with, and the design complies with any undertakings and assurances given;
  6. After the review, the Gate Chairperson and the Gate Review Panel confer, taking full account of the views of all Panel members, and decide whether the design submission and presentation meet the Assurance Gate Review objectives and can be given a pass, or are prevented from passing the Gate;
  7. If the Gate Chairperson decides that missing deliverables or evidence do not affect the project's ability to proceed, a conditional pass may be given, subject to the remaining deliverables being completed within a specified time;
  8. The conditions and timescales are conveyed to the Design Manager at the review;
  9. Where conditions are raised that carry a potentially significant risk, consideration shall be given to how those conditions are recorded and tracked to closure;
  10. The Gate Review Panel's findings and decisions are recorded, together with any supporting data.

The Design Review Meeting Minutes should capture the results of the Gate Review Panel's review. They serve as a record of the review and summarise the findings. The key aspects of the record are the evidence presented to satisfy the approval criteria and the use of that evidence to support the decision regarding pass or re-submission. It is the Design Manager's responsibility to assemble and present to the Gate Review Panel sufficient evidence (see the table of deliverables below) when the design has progressed to 20%, 60% and 100%, to enable the Gate Review Panel to discharge its duties. Key design deliverables associated with the Assurance Gate Review are provided to the Gate Review Panel at least 5 working days prior to the scheduled review date.

5.4.6 Design Verification and Final Review

To confirm that the design outputs meet the design input requirements, design verification and a final review must be carried out and documented according to the organization’s procedure. Records of design verification, any required actions, and the final review must be preserved.

Design and development verification and a final review must be conducted and documented, in accordance with planned arrangements, to ensure that the design and development outputs meet the design and development input requirements. Design and development verification and the final review must be recorded. Design verification is confirmation, by examination and the provision of objective evidence, that the specified input requirements have been fulfilled. Any approach that establishes conformance with a design input requirement is an acceptable means of verifying the design with respect to that requirement. Complex designs require more, and different types of, verification activities, and the nature of those activities varies according to the type of design output. Design verification is carried out to check that the outputs from each design phase meet the stated requirements for that phase. Requirements traceability verification is undertaken to ensure that the design fulfils the design concept while expressing the necessary functional and technical requirements; this is verified throughout the Assurance Gate Reviews. In most cases, verification activities are completed before each design review, and the verification results are submitted to the reviewers along with the other design deliverables to be reviewed. The results of the design verification, including identification of the design, the method(s), the date, and the individual performing the verification, shall be documented and retained.

5.4.7 Design Validation and Approval

The organization’s procedure must include conducting design validation to ensure that the resulting product can fulfil the specified requirements. Whenever feasible, validation must be concluded before product delivery. After validation, the finalized design must be approved by competent individuals other than those who developed the design. Records of design validation, approval, and any required actions must be retained.

Design and development validation shall be performed in accordance with planned arrangements to ensure that the resulting product is capable of meeting the specified requirements. Validation shall be completed before delivery of the product, where possible. The completed design shall be approved after validation by a competent individual other than the person or persons who developed the design. Records of the design and development validation, approval, and any necessary actions shall be maintained. Design validation is similar to verification, except that the designed product is checked under conditions of actual use. If you are designing dune buggies, you might take your creation for a spin on the beach; if you are making beverages, you might conduct a consumer taste test. Verification is a documentary review, while validation is a real-world test. Design validation follows successful verification and ensures, by examination and the provision of objective evidence, that each requirement for a particular use is fulfilled. The performance characteristics to be assessed are identified, and validation methods and acceptance criteria are established. At the commencement of the design project, the requirements received from the previous design phase form the initial baseline. During design reviews, the requirements are considered to ensure that the right requirements and any assumptions have been captured, to identify missing requirements, and to ensure that the design intent will meet those requirements.
The results of the design validation, including identification of the design, the method, the date, and the individual(s) performing the validation, should be documented and retained. The organization shall have records that the designed product will meet defined user needs before delivery of the product to the customer, as appropriate. Methods of validation could include simulation techniques, prototype build and evaluation, comparison to similar proven designs, beta testing, field evaluations, etc. Irrespective of the methods used, the validation activity should be planned and executed, with records maintained as defined in the planning activity. Retain documented information to demonstrate that any test plans and test procedures have been followed, that their criteria have been met, and that the design meets the specified requirements for all identified operational conditions (e.g. reports, calculations, test results, data, and reviews).

5.4.8 Design Changes

Design changes must be identified and subjected to review, verification, and validation as necessary before being approved for implementation. The review of design changes must assess their impact on the product and its component parts at relevant stages of product realization, including already delivered products. Additionally, the review must evaluate whether customer notification is necessary if the changes adversely affect the specified performance capability of the product. All design changes, including modifications to design documents, must adhere to the organization’s procedure. Records of design changes, reviews, and any required actions must be documented and maintained.

Any design and development changes must be identified, reviewed, verified, and validated, as appropriate, and approved before implementation. The review of design and development changes includes evaluation of the effect of the changes on products and/or their constituent parts already delivered. Design and development changes are subject to the same controls as the original design and development, including changes to the design documents. The design and development changes, their review, and any necessary action must be recorded. It is important to control design changes throughout the design and development process, and it should be clear how these changes are handled and what effects they have on the product. The organization must retain documented information concerning:

  • Design and development changes;
  • The results of reviews;
  • The authorization of changes;
  • Actions taken to prevent adverse impacts.

The organization must identify, review and control design changes, including implementing a process to notify the customer when changes affect customer requirements (e.g. customer communication, notifications of change, requests for deviation, and contract amendments). The Engineering Manager, in conjunction with the Design Manager, is responsible for evaluating the risks and impact of design changes against the defined criteria. The Engineering Manager logs all change requests in the Design Change Request Log, performs an evaluation, and either approves or denies the request. Major changes are also evaluated by any affected stakeholders. All change requests serve as design and development inputs for design and development changes. Design documentation is updated to accurately reflect the revised design.

To ensure control over design and development changes throughout the process, and to make clear how changes are handled and what effects they have on the product, design changes must be:

  • Identified.
  • Recorded.
  • Reviewed.
  • Verified.
  • Validated.
  • Approved.

Configuration control can be managed via alteration requests, a notice of the change, amendments, deviations, waivers, concessions, part revision changes, part number changes, change categories, service bulletins, modification bulletins, airworthiness directives, engineering communication notice, and product change boards. Design and development changes (after the original verification and validation) have to be ‘verified and validated as appropriate’ (as well as reviewed) and to ‘include evaluation of the effect of changes on constituent parts and products already delivered’. If the organization chooses not to perform re-verification and re-validation on every design change, then the auditor should expect to see some very well-defined criteria as to when the activity needs to occur. Retain documented information that includes design change history, evaluation of change results, authorization of change and actions taken about subsequent activities that are impacted by the change.

5.5 Purchasing
5.5.1 Purchasing Control
5.5.1.1 Procedure

The organization must maintain a documented procedure for purchasing products, components, and/or activities necessary for product realization. This procedure should cover:

  1. Identifying critical products, components, and/or activities.
  2. Initial assessment and selection of suppliers.
  3. Using identified risks to determine the initial assessment method of the supplier’s capability for critical purchases.
  4. Determining the type and extent of control applied to the supply chain for critical products, components, or activities. Note: Additional requirements for outsourced activities are specified in section 5.5.1.7.
  5. Establishing criteria, scope, frequency, and methods for re-evaluating suppliers.
  6. Identifying approved suppliers and defining the scope of approval.
  7. Identifying customer-specified suppliers and suppliers limited by proprietary and/or legal requirements when section 5.5.1.3 applies.

Procurement, and the control of materials, products and suppliers, is one of the most critical elements of API Q1. The organization must maintain a documented procedure to ensure that purchased products and outsourced activities conform to specified requirements, and the procedure must address:
a) the determination of the criticality of activities or products as they are applicable to conformance to product or customer specifications
b) Initial evaluation and selection of suppliers based on their ability to supply products or activities in accordance with the organization’s requirements
c) type and extent of control applied to the supplier based on the criticality of product or activity
d) criteria, scope, frequency, and methods for reassessment of suppliers
e) maintaining a list of approved suppliers and scope of approval, and
f) type and extent of control applied to outsourced activities

a) Determination of Criticality: the determination of the criticality of activities or products as they apply to conformance with product or customer specifications. This requirement ensures that all incoming raw materials, components and finished products meet specification, and it is also the basis for determining which suppliers are critical.
b) Initial Evaluation of Suppliers: initial evaluation and selection of suppliers based on their ability to supply products or activities in accordance with the organization's requirements. Things to consider here include:
o The supplier's ability to meet the organization's requirements
o The supplier's ability to meet customer requirements
o The supplier's actual capacity and capability to meet those requirements
c) Applied Control: the procedure must define the type and extent of control applied to the supplier and to the activities or products, based on the criticality of those activities or products. The term "criticality" is important: the criticality of the activities or products, together with the supplier's risks, determines the type and extent of control that the organization applies to the supplier, activities or products.
d) Reassessment of Suppliers: the procedure shall address the criteria, scope, frequency and methods for supplier reassessment.
e) Approved Supplier Listing: the procedure shall address the list of approved suppliers and the scope of each approval.
f) Control over Outsourced Activities: the procedure shall address the type and extent of control applied to outsourced activities. The amount of control normally takes the supplier's performance into account. Performance criteria include:

  1. Quality of product and service
  2. On-time delivery
  3. Reporting & documentation
  4. Budget
  5. Risk(s)

Supplier approval
Approved suppliers must have satisfactorily demonstrated their ability to meet your business's requirements, as well as customer and legal requirements, as determined and evidenced by the initial supplier evaluation process. Suppliers are often approved, or not approved, on the basis of financial standing, preferred cost, product expertise, past performance, technology, logistics, supply chain integrity, business risk, and any known significant environmental or health and safety compliance issues. If the supplier is acceptable, it should be added to your approved supplier list. Signed approval must be given by an authorized representative; typically the Quality Manager or Contracts Manager has the authority to sign off on supplier approvals. The approval status of each supplier must be clearly authorized on your approved supplier list.

5.5.1.2 Initial Supplier Evaluation—Critical Purchases

For critical products, components, or activities, the initial evaluation of suppliers who have not been previously approved must consider the scope of supply and be specific to each supplier. This evaluation must include:

  1. Verifying the implementation of the supplier’s quality management system and its conformity to the organization’s specified quality system requirements for suppliers.
  2. Verifying the type and extent of control applied by the supplier internally and throughout their supply chain to meet the organization’s requirements.
  3. Assessing the supplier’s capability to meet the organization’s specified requirements. This can be done through one or more of the following methods based on identified risks:
    • Conducting an on-site assessment to verify that process controls perform relevant product realization processes and effectively achieve conformity to requirements.
    • Conducting a remote assessment to verify that relevant product realization processes are performed using process controls and effectively achieve conformity to requirements.
    • Performing inspection, testing, or verification of relevant characteristics of received products.

For suppliers of critical purchases with high-risk severity, identified by the organization for which an on-site assessment is not conducted, the evaluation of the supplier’s capability must include a remote assessment and inspection, testing, or verification. When conducting a remote assessment, it must include verification of objective evidence through real-time audio/visual observation of required activities and documentation using information and communication technology. Additionally, any additions to a supplier’s scope of approval or change from an approved site to a new site of supply must also undergo evaluation as per the requirements outlined in this section.

For purchases of critical products, components or activities, the criteria for the initial evaluation of suppliers by the organization shall be site-specific for each supplier and shall include verification that the supplier's quality management system conforms to the quality system requirements specified for suppliers by the organization. The evaluation shall also assess the supplier's capability to meet the organization's purchasing requirements by performing an on-site evaluation of relevant activities, by performing first article inspection to ensure conformance to stated requirements, or by identifying how the supplied product conforms to stated requirements where evaluation is limited by proprietary, legal and/or contractual arrangements.

A critical vendor is one that you rely on heavily to support the most important activities within your organization, often called 'critical activities'. While critical activities differ between organizations, examples of critical vendors include:

Inspection companies – non-destructive testing, magnetic particle inspection, thread inspection, etc. Third-party inspection companies may be considered critical suppliers.
Calibration companies – the organization relies on the certificates issued by these third-party vendors, which makes calibration companies critical suppliers.
Product and raw material suppliers – a material supplier is critical when the operation depends on its material: if supply stopped, production would stop with it.
Trucking and delivery – these suppliers are crucial to the end result, as the organization depends on them to get product to the rigs, so they are considered critical.
O-ring, seal and gasket suppliers – whenever a product requires O-rings, seals or gaskets, their suppliers can be classified as critical.

Defining your critical vendors begins with being clear about your own critical activities. A good place to start is your company's business continuity/disaster recovery plan, which defines the critical activities within your own operations. Knowing those activities will help you determine which vendors support those critical operational areas. A few things to do to get started identifying critical vendors:

  • Ask your Procurement department whether it maintains a listing of all vendor contracts.
  • Review the user lists of your critical systems. You should already perform periodic user access reviews; their output shows which vendors hold access to your network or sensitive data.
  • Once you have performed these tasks, you may be able to better categorize your critical vendors, according to the following classifications and how they rate within your own organization:
    • Vendor type
    • Regulatory requirements
    • Specific services provided
    • Business disruption factors
    • Data type and volume

5.5.1.3 Initial Supplier Evaluation – Critical Purchases – Customer Specified, Proprietary, and/or Legal Limited

For critical products, components, or activities where the supplier is specified by the customer or involves proprietary and/or legal requirements that restrict the application of Initial Supplier Evaluation, the initial evaluation process shall involve verifying the implementation of the supplier’s quality management system and its conformity to the quality system requirements specified by the organization and/or the customer’s requirements and identifying how the supplied product, component, or activity conforms to specified requirements. The scope of approval for customer-specified suppliers shall be restricted to the relevant customer contract in cases where an assessment has not been conducted.

In API Specification Q1, for critical products, components, or activities where the supplier is specified by the customer or involves proprietary and/or legal requirements that restrict the application of Initial Supplier Evaluation, the initial evaluation process involves several key steps:

  1. Verification of Supplier’s Quality Management System (QMS): The organization must verify the implementation of the supplier’s quality management system. This includes assessing whether the supplier has established and effectively implemented processes, procedures, and controls to ensure product quality and conformity to requirements. The verification process may involve reviewing documentation, conducting audits, and evaluating the supplier’s QMS effectiveness.
  2. Conformity to Quality System Requirements: The organization must verify that the supplier’s quality management system conforms to the quality system requirements specified by the organization and/or the customer’s requirements. This entails comparing the supplier’s QMS practices, procedures, and controls against the organization’s quality system requirements and any additional customer-specific requirements.
  3. Identification of Product Conformity: The organization must identify how the supplied product, component, or activity conforms to specified requirements. This involves assessing the product’s characteristics, performance, and adherence to technical specifications, standards, and contractual agreements. The organization may use various methods such as inspection, testing, validation, and certification to verify product conformity.
  4. Documentation and Record-Keeping: The results of the initial evaluation process, including verification of the supplier’s QMS, conformity to quality system requirements, and product conformity assessments, must be documented. The organization should maintain records of these evaluations, findings, and any corrective actions taken.
  5. Communication with the Customer: If the supplier is specified by the customer or if customer-specific requirements apply, the organization must ensure that relevant information regarding the supplier’s QMS, quality system conformity, and product conformity is communicated to the customer as appropriate.
  6. Continuous Monitoring and Improvement: Following the initial evaluation, the organization should establish mechanisms for ongoing monitoring and oversight of the supplier’s performance. This may include periodic audits, performance reviews, and communication channels to address any issues or deviations promptly. Additionally, the organization should continuously seek opportunities for improvement in supplier performance and product quality.

5.5.1.4 Initial Supplier Evaluation—Noncritical Purchases

For the procurement of noncritical products, components, or activities that influence product realization or the final product, the organization’s criteria for evaluating suppliers must either meet the requirements of Initial Supplier Evaluation—Critical Purchases or fulfil one or more of the following:

  1. Verifying that the supplier’s quality management system aligns with the quality system requirements specified for suppliers by the organization.
  2. Assessing the supplier’s ability to meet the organization’s purchasing requirements.
  3. Evaluating the product or component upon delivery, or activity upon completion.

Even for purchases of noncritical products, components, or activities that affect product realization or the final product, the criteria for supplier evaluation must either meet the requirements for critical suppliers or satisfy at least one of: verification that the supplier's quality management system conforms to the quality system requirements specified for suppliers by the organization; assessment of the supplier's ability to meet the organization's purchasing requirements; or assessment of the product upon delivery or of the activity upon completion. A non-critical vendor does not undergo the same level of examination as a critical vendor. Non-critical vendors typically support the operations that allow employees to do their jobs efficiently, effectively and in comfort; they may affect productivity, but they have no direct effect on the product or service provided, or only a limited one (where a non-critical purchase does affect product realization or the final product, the evaluation criteria above still apply). The main difference in treatment between a critical and a non-critical vendor lies in the frequency of reviews and assessments: critical vendors generally undergo review once a year, while non-critical vendors face review once every two to three years.

5.5.1.5 Supplier Reevaluation

For suppliers previously approved for products, components, or activities, the organization must determine the frequency of supplier reevaluation based on identified risk and supplier quality performance. For the reevaluation of suppliers providing critical products, components, or activities, the provisions of section 5.5.1.2 shall be followed. For the reevaluation of suppliers providing critical products, components, or activities specified by the customer or restricted by proprietary and/or legal requirements, the requirements outlined in section 5.5.1.3 shall be adhered to. For the reevaluation of suppliers providing non-critical products, components, or activities that affect product realization or the final product, the guidelines detailed in section 5.5.1.4 shall be followed.

For re-evaluation of all suppliers, whether critical or noncritical, the requirements of 5.6.1.3 shall apply. The organization’s criteria for re-evaluating suppliers must either meet the criteria for evaluation of critical suppliers or satisfy one of the following: verification that the supplier’s quality management system conforms to the quality system requirements specified for suppliers by the organization; assessment of the supplier’s ability to meet the organization’s purchasing requirements; or assessment of the product upon delivery or of the activity upon completion. A typical supplier evaluation and reevaluation might include:

  • Gathering and analysis of data (such as technological and operational capabilities, logistics, quality, technical risks) about the supplier.
  • An on-site assessment of the quality system or compliance review by your Audit staff.
  • Completing and signing a quality agreement or contract.
  • Businesses often assess the supplier’s facilities, quality system, and process controls to determine if there is potential impact on their own manufacturing or service provision processes.
  • Assign risk levels on parts/materials, as appropriate:
    • Determine if there is a potential product or regulatory risk.
    • Confirm the capability of the supplier to supply or manufacture to requirements.

5.5.1.6 Records

Records of evaluation results, comprising objective evidence and any subsequent actions, must be retained. Additionally, records of approved suppliers, customer-specified suppliers, and suppliers bound by proprietary and/or legal requirements must be kept.

Records of the results of all evaluations and any necessary actions arising from the evaluations shall be maintained. All suppliers should be given an overall performance rating between 0 and 100%; for example, set the minimum performance threshold or benchmark at 95%. The resulting performance rating is an indication of a supplier’s performance ability and their ability to meet your requirements. Retain records of supplier evaluations and the related actions.

5.5.1.7 Outsourcing

When an organization decides to delegate a process or activity from its quality management system to an external supplier, it must ensure that the supplier meets the relevant requirements of the organization’s quality management system. If an organization opts to outsource a process or activity related to product realization, it must retain accountability for ensuring that the product meets specified requirements, which may include relevant API or other external specifications. Documentation of outsourced activities must be retained, including evidence of conformity.

When an organization chooses to outsource any activity within the scope of its quality management system, the organization shall ensure that all applicable elements of its quality management system are satisfied and shall maintain responsibility for product conformance to specified requirements, including applicable API product specifications associated with product realization. Records of outsourced activities shall be maintained.

Monitoring Outsourcing Performance
The performance of outsourced processes must be consistently monitored by the Quality Manager or Contracts Manager. Methods include the review of measures, targets, KPIs, scorecards, dashboards, scored ratings, or survey results. The ongoing monitoring commonly uses some of the following criteria to rate performance:

  • An assessment of the quality and quantity of products, services or materials provided.
  • On-time delivery performance.
  • Responsiveness/communication.
  • Total number of corrective actions.
  • Response time.
  • Defective parts per million (PPM).
  • Total cost.
  • A review of receiving records, inspection records, or acceptance records.

Organizations should periodically communicate these results to their vendors as appropriate. On-site audits and process audits at the vendor’s premises are conducted when deemed necessary by the Quality Manager and the Purchasing or Contracts Manager. Issues or conditions which might initiate a vendor audit include quality issues, engineering changes, process changes, plant location changes or the criticality of the part or service. When an audit is necessary, you should contact the vendor to schedule an on-site visit and confirm the agenda.

5.5.2 Purchasing Information

The organization must verify the adequacy of specified purchasing information before transmitting it to the supplier. Purchasing information provided to the supplier must be documented and clearly outline the product, component, or activity to be procured. This documentation should include, as appropriate:

  1. Acceptance criteria;
  2. Requirements for approving the supplier’s procedures, processes, and equipment;
  3. Relevant technical data such as specifications, drawings, process requirements, inspection instructions, and traceability requirements;
  4. Criteria for qualifying the supplier’s personnel;
  5. Requirements related to the quality management system;
  6. Conditions for approving product release; and
  7. If either the organization or its customer intends to conduct verification at the supplier’s premises, the intended verification arrangements.

Applicable specifications may encompass or derive from customer requirements, API specifications, design output, and/or industry standards.

Before communicating with the supplier, the organization must ensure that the purchasing information is adequate and documented. Purchasing information must describe the product or activity to be purchased, including acceptance criteria and, where appropriate, requirements for approval of the supplier’s procedures, processes and equipment, the applicable version of specifications, drawings, process requirements, inspection instructions, traceability, and other relevant technical data. It must also describe any supplier personnel qualification and QMS requirements. Purchase orders for items that are essential to fulfilling customer requirements and that directly affect the quality of your products and services should only be raised by the Purchasing Manager or by the Accounts Department (at the request of the Purchasing Manager). Purchase orders may be raised through the computerized purchasing system or in soft-backed purchase order books. Purchase orders should contain:

  • Supplier;
  • Originator;
  • Date;
  • Purchase Order Number;
  • Items required;
  • Quantities;
  • Required delivery date;
  • Quoted prices where applicable or known;
  • Any other information deemed critical for the supply of the material should also be noted.

Ensure that purchase orders or purchasing specifications include, where appropriate the requirements for the approval and acceptance of products, services, procedures, processes or equipment. Purchasing documentation should also define the requirements for approval of the supplier’s personnel, verification arrangements, or quality management system requirements as necessary. All purchase orders or purchasing specifications must be reviewed and approved before they are released to the supplier. Where appropriate, ensure the requirements for certification, inspection reports, statistical data, approval of samples, etc. are included in purchasing documents. Some purchasing documents may include an agreement obligating your suppliers to give notification of changes to their products or services. When notification is received, the Quality Manager and the Purchasing, or Contracts Manager should evaluate how, and whether the changes affect the quality of your completed products or services.

The organization must, where appropriate, communicate not just the products or services it wishes to receive but also any processes it wants the external provider to undertake on its behalf. To ensure the adequacy of specified purchasing information before it is communicated to the supplier, the supplier is usually requested to quote on price and availability. All pertinent purchasing information, as determined by your organization and customer requirements, should be included in the request for quote (RFQ). The purchase order should be created after the review and acceptance of a supplier’s quote and must contain the same content as the request for quote. Describe the product to be purchased by:

  • Defining product approval requirements, e.g., certificate of conformity;
  • Defining intended verification arrangements, e.g., witness testing or certification;
  • Defining personnel qualifications and quality, environmental, and safety requirements;
  • Maintaining records.

Where activities are wholly outsourced or subcontracted, your organization maintains responsibility for product conformance to all specified requirements. Purchasing information should include acceptance criteria and, where appropriate, state the requirements for the approval of the supplier’s procedures, processes, and equipment. Applicable versions of specifications, drawings, process requirements, inspection instructions, traceability, relevant technical data, requirements for qualification/competence of the supplier’s personnel, and quality management system requirements must be specified and communicated.

5.5.3 Verification of Purchased Products, Components or Activities
5.5.3.1 General

The organization must uphold a documented procedure outlining the verification needed to ascertain whether purchased products, components, or activities adhere to specified purchase requirements.

The organization must establish a documented procedure for the verification or other activities necessary for ensuring that purchased products or activities meet specified purchase requirements. Where the organization or its customer intends to perform verification at the supplier‘s premises, the organization shall state the intended verification arrangements and method of product release in the purchasing information. The organization must ensure and provide evidence that purchased products and activities conform to specified requirements. The organization shall maintain records of verification activities.

The documented procedure must ensure that items which are essential to fulfilling customer requirements and which directly affect the quality of products and services are verified upon product receipt or service delivery to confirm that they conform to:

  • QMS requirements;
  • Competency of external personnel;
  • Purchase orders;
  • Purchasing specification;
  • Purchasing agreements;
  • Delivery notes;
  • Release certificates;
  • Certificates of conformity;
  • Inspection and acceptance tests;
  • Product specifications;
  • National or international standards.

Receiving Inspection
On receipt of incoming materials, the receiving personnel must identify and inspect the items, goods and materials and match them against the delivery note. The delivery note is compared to the corresponding purchase order and any related documentation. This inspection should include but not be limited to:

  • Confirmation of identification using purchase order number, drawing numbers, material markings etc.;
  • Confirmation of adherence to delivery schedule;
  • Confirmation of conformance to purchase order requirements;
  • Confirmation of correct quantities;
  • Visual examination for obvious defects;
  • Measurement comparison to drawings where required;
  • Specified certification/documentation as required.

For large numbers of identical items, visual and dimensional checks should be undertaken on a minimum of 5% of the total quantity. No material is released for further processing until receiving inspection has been completed and goods accepted. All accepted materials passing immediate inspection can be allocated a storage area. Any non-compliant goods must be placed in a separate area, and identified. Further investigation should determine whether the items, materials or goods are to be:

  • Scrapped;
  • Returned to Supplier;
  • Reworked to a useable condition.

Materials that include specified certification or documentation should only be accepted when such certification and documentation have been viewed and approved by the Quality Manager or the Purchasing Manager.

5.5.3.2 Critical Purchases

For critical products, components, or activities, the organization’s verification procedure should cover:

  1. Reviewing the required documentation provided by the supplier;
  2. Ensuring that the correct versions were utilized when specifying specifications, drawings, process requirements, inspection instructions, traceability requirements, and other relevant technical data as outlined in section 5.5.2 item c;
  3. Defining the inspection, testing, and/or verification requirements, including methods, frequency, and the responsible party. The organization should determine these aspects based on identified risks and supplier quality performance.

In API Specification Q1, the verification procedure for critical products, components, or activities involves several key steps to ensure that the organization’s requirements are met and that risks are appropriately managed. The organization should review all required documentation provided by the supplier. This documentation may include quality management system documentation, product specifications, drawings, process requirements, inspection instructions, traceability records, and other relevant technical data. The purpose of this review is to verify that the supplier has provided complete, accurate, and up-to-date documentation that meets the organization’s requirements. It’s essential to ensure that the correct versions of specifications, drawings, process requirements, inspection instructions, and other technical data are utilized. This verification helps prevent errors, discrepancies, or misunderstandings that could lead to nonconforming products or components. The organization should establish procedures for verifying the currency and accuracy of all technical documentation provided by the supplier. The organization must define the inspection, testing, and/or verification requirements for critical products, components, or activities. This includes specifying the methods, frequency, acceptance criteria, and responsible parties for conducting inspections, tests, and verifications. These requirements should be based on identified risks, supplier quality performance, regulatory requirements, and customer specifications. The organization should determine the inspection, testing, and verification requirements based on identified risks associated with the product, component, or activity. Higher-risk items may require more rigorous inspection and testing procedures, while lower-risk items may require less intensive verification. 
By applying a risk-based approach, the organization can allocate resources effectively and prioritize efforts where they are most needed to ensure product quality and conformity. The organization should also consider the supplier’s quality performance history when defining inspection, testing, and verification requirements. Suppliers with a demonstrated track record of high quality and reliability may warrant less intensive scrutiny, while suppliers with a history of quality issues may require more stringent oversight. Performance metrics such as on-time delivery, defect rates, and corrective action responsiveness can inform decisions about the level of verification required.

5.5.3.3 Noncritical Purchases

The organization’s documented procedure must also cover the verification of noncritical products, components, or activities.

For non-critical products, components, or activities, the organization’s documented procedure for verification should still be robust and systematic, even if the level of scrutiny may be less intense compared to critical items. Similar to critical items, the organization should review the documentation provided by the supplier for noncritical products, components, or activities. This includes specifications, drawings, process requirements, inspection instructions, and any other relevant technical data. While the level of detail and scrutiny may be less than for critical items, ensuring that the documentation is complete and accurate is still important. Just as with critical items, it’s essential to verify that the correct versions of specifications, drawings, and other technical documents were utilized. This helps prevent errors and misunderstandings that could lead to non-conformities. The organization should define the inspection, testing, and verification requirements for noncritical products, components, or activities. While the level of scrutiny may be less rigorous compared to critical items, it’s still important to specify the methods, frequency, acceptance criteria, and responsible parties for conducting inspections, tests, and verifications. While noncritical items may not pose as significant risks as critical items, it’s still advisable to take a risk-based approach to determine the level of verification required. Consider factors such as the impact of nonconformities, the likelihood of occurrence, and the supplier’s quality performance history when defining verification requirements. Even for noncritical items, it’s important to consider the supplier’s quality performance history when determining verification requirements. While the level of scrutiny may be less intense compared to critical items, suppliers with a history of quality issues may still require additional oversight. 
The organization should maintain records of all verification activities conducted for noncritical products, components, or activities. This includes documentation of the review of supplier documentation, verification of correct versions, and any inspection, testing, or verification results. As with all quality management processes, the organization should continuously monitor and evaluate the effectiveness of its verification procedures for non-critical items. Seek feedback from stakeholders, track performance metrics, and make adjustments as necessary to improve efficiency and effectiveness. By implementing a documented procedure for verifying noncritical products, components, or activities, organizations can ensure consistency, reliability, and compliance with quality requirements, even for items that may not pose significant risks to product quality or safety.

5.5.3.4 Records

Documentation of verification activities and evidence demonstrating conformity to specified requirements must be retained.

Documentation of verification activities and evidence demonstrating conformity to specified requirements must be retained by the organization. These records serve as evidence of compliance with quality management system requirements and provide a documented history of product verification processes. The organization should maintain records documenting all verification activities conducted for products, components, or activities. This includes documentation of reviews of supplier documentation, verification of correct versions, inspection, testing, and any other verification activities performed to ensure conformity to specified requirements. Records should include evidence demonstrating conformity to specified requirements. This may include inspection reports, test results, certificates of compliance, supplier documentation, and any other relevant documentation that demonstrates that the product, component, or activity meets the specified requirements. The organization should establish a retention period for records of verification activities and evidence of conformity based on regulatory requirements, industry standards, and internal policies. Records should be retained for a minimum period of 10 years to demonstrate compliance with API Specification Q1 and to support future audits, assessments, or reviews. Ensure that records of verification activities and evidence of conformity are securely stored and readily accessible when needed. This may involve maintaining electronic or paper-based records in a centralized location or document management system that allows for easy retrieval and reference. Implement appropriate controls to ensure the security and integrity of records, protecting them from unauthorized access, alteration, or destruction. This may include password protection, encryption, backup procedures, and restricted access to sensitive information. 
Maintain an audit trail of verification activities and changes to records, documenting the date, time, and identity of individuals who performed or approved verification activities. This helps ensure accountability and transparency in the verification process. Periodically review and verify the accuracy and completeness of records of verification activities and evidence of conformity. This ensures that records are up-to-date, accurate, and reflective of the organization’s verification processes.

5.6 Control of Product Realization
5.6.1 General

The organization must uphold a documented procedure outlining controls related to product realization. This procedure should cover:

  1. Establishing and applying manufacturing acceptance criteria (MAC);
  2. Identifying and documenting critical processes involved in product realization;
  3. Executing the quality plan, if applicable;
  4. Ensuring compliance with design requirements and associated modifications, if applicable;
  5. Utilizing and ensuring the availability of product realization equipment and TMMDE (unless excluded);
  6. Following relevant work instructions;
  7. Employing process control documents;
  8. Maintaining identification and traceability requirements throughout the product realization process;
  9. Executing monitoring and measurement activities.

The organization must establish a documented procedure that describes controls associated with product realization. The procedure shall address:

  • the availability of information that describes the characteristics of the product;
  • implementation of the product quality plan, when applicable;
  • ensuring that design requirements and related changes are satisfied, when applicable;
  • the availability and use of suitable production, testing, monitoring, and measurement equipment;
  • the availability of work instructions, when applicable;
  • process control documents;
  • implementation of monitoring and measurement activities; and
  • implementation of product release, including applicable delivery and post-delivery activities.

The procedure shall address the availability of information that describes the characteristics of the product. A product characteristic is an attribute or property of the product that describes the product’s ability to satisfy its purpose in a larger system. Examples of product characteristics are size, shape, weight, colour, quality, hardness, etc. The list of product characteristics depends on your product and how its functional design requirements have been defined. Some product characteristics are more significant than others in terms of reliability, quality and safety; thus, it can be important to identify those that are most critical. The procedure shall address the implementation of the product quality plan, when applicable. The procedure shall address ensuring that design requirements and related changes are satisfied, when applicable. Changes to the product quality plan, design requirements and related changes may affect the application or other risks associated with the changes; a review of the design and development process is therefore required to determine how the changes affect product quality, delivery and the meeting of customer requirements. The procedure shall address the availability and use of suitable production, testing, monitoring and measurement equipment. The manufacturing process must ensure that the production equipment required for manufacturing is available, based on capacity and suitability for the application required, and that properly calibrated TMMDE suitable for monitoring the manufacturing process is in place to ensure the product meets the stated specifications. The procedure shall address the availability of work instructions, when applicable. While not stated in the specification, processes, and especially critical processes, should have work instructions describing critical steps and identifying the risks to quality and to health and safety that could affect product quality or delivery and where employees’ health and safety are at risk. 
This is linked to their competencies. The procedure shall address process control documents. Process control documents include those documents demonstrating conformance to the stated requirements (customer, API, product standards/codes, etc.) and listed within the product quality plans, if applicable. These documents include routings, travelers, checklists, process sheets, or equivalent controls required by the company. The procedure shall address the implementation of monitoring and measurement activities. The procedure shall address the implementation of product release, including applicable delivery and post-delivery activities. Product release cannot proceed until the product meets the agreed-upon planned arrangements or is approved by a relevant authority and, where applicable, by the customer.

  1. Establishing and Applying Manufacturing Acceptance Criteria (MAC): The organization should establish clear manufacturing acceptance criteria (MAC) that define the acceptable quality standards for products. These criteria should be based on customer requirements, regulatory standards, and internal quality objectives. The procedure should outline how MAC are established, communicated, and applied throughout the product realization process.
  2. Identifying and Documenting Critical Processes: Critical processes involved in product realization should be identified and documented. This may include processes such as material procurement, production, assembly, testing, and packaging. The procedure should specify how critical processes are identified, documented, and controlled to ensure consistent product quality and conformity.
  3. Executing the Quality Plan: If applicable, the organization should execute a quality plan that outlines the specific quality objectives, activities, and responsibilities for product realization. The procedure should describe how the quality plan is developed, implemented, and monitored to ensure that quality requirements are met throughout the product realization process.
  4. Ensuring Compliance with Design Requirements: If applicable, the organization should ensure compliance with design requirements and any associated modifications during product realization. This may involve reviewing design specifications, drawings, and technical documentation to verify that manufacturing processes align with design intent. The procedure should outline how design requirements are communicated, controlled, and verified during product realization.
  5. Utilizing Product Realization Equipment and TMMDE: Unless excluded, the organization should utilize and ensure the availability of product realization equipment and tools, machinery, measuring, and test equipment (TMMDE). The procedure should specify how equipment and TMMDE are selected, calibrated, maintained, and used to ensure accurate and reliable measurements and inspections.
  6. Following Relevant Work Instructions: Employees should follow relevant work instructions, procedures, and standard operating practices during product realization. The procedure should outline how work instructions are developed, approved, communicated, and updated to ensure consistency and adherence to quality requirements.
  7. Employing Process Control Documents: Process control documents should be employed to specify the methods, parameters, and controls required to maintain product quality and consistency. This may include control plans, standard operating procedures, and inspection plans. The procedure should describe how process control documents are developed, maintained, and implemented to control critical processes.
  8. Maintaining Identification and Traceability Requirements: The organization should maintain identification and traceability requirements throughout the product realization process to ensure the ability to trace products back to their source and track their movements. This may involve assigning unique identifiers, labeling products, and maintaining records of material, components, and processes. The procedure should outline how identification and traceability requirements are implemented and verified.
  9. Executing Monitoring and Measurement Activities: Monitoring and measurement activities should be executed to verify that product realization processes are performing as intended and meeting quality objectives. This may include in-process inspections, testing, and monitoring of key performance indicators. The procedure should specify how monitoring and measurement activities are planned, conducted, and recorded to ensure product quality and process effectiveness.

By establishing a documented procedure that covers these aspects of product realization controls, organizations can ensure consistent and reliable manufacturing processes, adherence to quality requirements, and continuous improvement in accordance with API Specification Q1 requirements.

5.6.2 Quality Plan

When stipulated by contract, the organization must create a quality plan delineating the processes of the quality management system, including product realization, and the resources allocated to a product. This plan should cover the following minimum aspects:

  1. Description of the product or the quality plan’s scope;
  2. Required processes and documentation, encompassing necessary inspections, tests, and record-keeping to ensure compliance with requirements;
  3. Identification of outsourced activities and references to their management;
  4. Identification of each procedure, specification, or document referenced or utilized in each activity;
  5. Specification of the required hold points, witnessing, monitoring, and document review stages.

The quality plan, along with any modifications, must be documented and endorsed by the organization. Additionally, the quality plan and its revisions should be communicated to the customer. A quality plan may consist of one or more documents and may be known by various terms, such as product quality plan (PQP), inspection and test plan (ITP), manufacturing process specification (MPS), process control plan (PCP), or quality activity plan (QAP).

The organization must develop a quality plan (also called a product quality plan (PQP), inspection and test plan (ITP), manufacturing process specification (MPS), process control plan (PCP), or quality activity plan (QAP)) which specifies the processes of the QMS, including the product realization process, and the resources to be applied to products when required by contract. The product quality plan must include a description of the product to be manufactured; the required processes and documentation, including required inspections, tests, and records, for conformance with requirements; identification of and reference to the control of outsourced activities; identification of each procedure, specification, or other document referenced or used in each activity; and identification of the required hold, witness, monitor, and document review points. These product quality plans must ensure customer requirements are met and must be communicated to the customer. The quality plans and any revisions must be approved by the organization and documented. A product quality plan may be comprised of one or several different documents. A quality plan often makes reference to parts of the quality manual or to procedure documents. A Quality Plan (QP) is a tool that allows you to effectively communicate what you expect from your suppliers, your in-house workforce, or external contractors. It covers all areas of the production process from first concepts to the finished product. A quality plan is a document that specifies quality standards, practices, resources, specifications, and the sequence of activities relevant to a particular product. An example of this can be a manufacturing company that machines metal parts. Its quality plan consists of applicable procedures, applicable workmanship standards, the acceptable measurement tolerances, the description of the material standards, and so forth. These may all be separate documents. 
Work orders specify the machine setups and tolerances, operations to be performed, tests, inspections, handling, storing, packaging, and delivery steps to be followed. An operating-level quality plan translates the customer requirements into the actions required to produce the desired outcome and couples this with applicable procedures, standards, practices, and protocols to specify precisely what is needed, who will do it, and how it will be done. The quality plan shows the techniques and procedures for controlling the product. The quality plan needs to consider the goals of reliability and quality. Reliability goals are established based on the needs and expectations of end users. Quality goals should be based on metrics gained from company production or past experience. The product quality plan may be as simple as a one-page document or as complex as a 5” binder document set. The complexity of a quality plan varies depending on the complexity of the product.

The Quality plan should cover the following:

  • Description of the Product or Scope of the Quality Plan: The quality plan should provide a clear description of the product, service, or project to which it applies. This includes defining the scope of work, identifying deliverables, and specifying any special requirements or considerations relevant to quality management.
  • Required Processes and Documentation: The quality plan should outline the required processes and documentation necessary to ensure conformance with requirements. This includes specifying the procedures, methods, inspections, tests, and records needed to verify that products or services meet quality standards. The plan should detail the sequence of activities, responsibilities, and acceptance criteria for each process.
  • Identification of Outsourced Activities: If any activities are outsourced to external suppliers or contractors, the quality plan should identify these activities and reference their control. This includes specifying the criteria for selecting, evaluating, and monitoring outsourced suppliers, as well as outlining the responsibilities and expectations for ensuring quality in outsourced work.
  • Identification of Referenced Documents: The quality plan should identify each procedure, specification, or other document referenced or used in each activity. This ensures that all relevant documents and standards are properly integrated into the quality management process and followed consistently throughout the project lifecycle.
  • Identification of Hold, Witness, Monitor, and Document Review Points: The quality plan should identify the required hold points, witness points, monitor points, and document review points throughout the project or product lifecycle. Hold points indicate stages at which work must be stopped until certain conditions are met or approvals are obtained. Witness points require the presence of a designated individual to observe and verify specific activities. Monitor points involve ongoing surveillance or oversight of critical processes or activities. Document review points involve reviewing and approving documents, reports, or records to ensure accuracy, completeness, and compliance with requirements.

5.6.3 Process Control Documents

The organization is required to document process controls, which must include or make reference to: criteria for verifying conformance with the relevant quality plans, API product specifications, customer requirements, and/or other pertinent product standards/codes; instructions and acceptance criteria for processes, tests, and inspections; and, when relevant, the points designated for the customer’s inspection hold, witness, monitoring, and document review. Process controls may take the form of routings, travelers, checklists, process sheets, or similar controls, and may be electronic or hard copy.

Process controls must be documented in routings, travelers, checklists, process sheets, or equivalent controls as required by the organization, including the requirements for verifying conformance with applicable product quality plans, API product specifications, customer requirements, and/or other applicable product standards/codes. The process control documents also include, or refer to, the instructions and acceptance criteria for processes, tests, and inspections, and the required customer inspection hold or witness points. Process control is about monitoring and controlling all aspects of a manufacturer’s production and operation. It is part of the larger supply chain management function and works in conjunction with other operations management functions such as inventory control and quality control. The purpose of production control is to balance the output of a facility so that the specifications of the products being produced are met. It does this by applying specific actions and making informed decisions to predict, plan, and schedule work. Some of the activities regulated by production control are labor, the availability of materials, and any restrictions on capacity and cost. The end result of production control is to achieve the expected quality and the demanded quantity while monitoring the production schedule to ensure that the production plan is being met. The production control process varies from industry to industry and even from business to business. That said, some fundamental steps are common to any production control process. They are as follows.

  • Routing: The first step of any production control process is the definition of your operation, from beginning to end. This includes what raw materials you’ll need for production, other resources, such as labor and equipment, the needed quantity, quality expectations and where the production will take place. This process is to determine the most efficient and cost-effective step-by-step manufacturing process through scheduling.
  • Traveller: It is a document that contains all of the details about the materials and processes that went into the production of a given item. When a manufacturer receives an order, they create a work order to begin the production process. In addition to the work order, a traveller is created and moves along with the product as it flows through the production facilities. The traveller contains information about what items are necessary for the given product, what tools will be needed, and what steps the product will need to go through to be assembled.
  • Checklist for Manufacturing: A control checklist for manufacturing includes all the requirements for a product, both visual and physical. It is a beneficial tool to ensure all parties are on the same page about the demands for the parts, materials, and final product. It outlines the standards your suppliers and manufacturers should meet and describes the “ideal” product that your customer expects from you. You can think of a checklist as guidelines for all teams to follow when making and selling your products. It streamlines the cooperation process and helps eliminate any possible errors occurring along your entire manufacturing workflow.
  • Process sheet: A process sheet is a document that provides all the steps for manufacturing a product. Process sheets are also called process records, production documents, or shop orders. A process sheet consists of the manufacturing instructions for a specific batch, lot, or run. It describes the operating parameters and settings for the equipment and facilities used, together with the associated tooling or supplies. It contains part information, routing information, and operation detail information. In short, a process sheet is a set of instructions that can be followed to achieve the desired result.

5.7.1.5 Validation for Production & Servicing

5.6.4 Validation of Processes

The organization is obligated to validate processes in cases where the resulting output cannot be verified through subsequent monitoring or measurement, leading to the detection of deficiencies after product delivery or during its usage. Validation must demonstrate these processes’ capability to achieve planned outcomes. Process validation shall adhere to either of the following:

  1. If a product specification specifies particular processes necessitating validation, only those specified processes shall require validation for the relevant product. (Note: The organization may, at its discretion, opt to validate additional processes beyond those outlined in a product specification.)
  2. If there is no applicable product specification or the specification does not identify processes requiring validation, processes necessitating validation for the product, if applicable, shall include, at a minimum: nondestructive examination (NDE)/nondestructive test (NDT), welding, heat treating, and coating and plating (when deemed critical to product performance by the product specification or the organization).

The organization must maintain a documented procedure for process validation, detailing the review and approval methods. This procedure should cover required equipment; personnel qualification; specific methods, including defined operating parameters; identification of process acceptance criteria; record-keeping requirements; and revalidation criteria. In cases where the organization outsources a process requiring validation, it must retain evidence confirming compliance with the stipulations outlined in section 5.6.4.

This section reviews the validation of processes for production and servicing. Every production and servicing process whose resulting output cannot be verified by subsequent monitoring or measurement, so that deficiencies become apparent only after the product is in use or the service has been delivered, has to be validated. The organization shall maintain a documented procedure addressing the methods for review and approval of these processes, including:

  • Required equipment
  • Qualification of personnel
  • Use of specific methods
  • Identification of acceptance criteria
  • Requirements for records
  • Re-validation

The organization shall validate those processes identified by the applicable product specification as requiring validation. If these processes are not identified, or there is no product specification involved, the processes requiring validation shall include, as a minimum, nondestructive examination, welding, and heat treating, if applicable to the product. Process validation is the act of controlling a process and actually performing the necessary tests to ensure that the process can, in fact, perform according to the requirements it is designed to meet. Monitoring and measuring the characteristics of the process should confirm that it has been designed, implemented, and executed in a way that enables the planned results to be fulfilled. Each organization with an implemented quality management system needs to validate every production and service delivery process that operates without exhaustive monitoring or measurement. A process needs to be validated if you will not be able to check whether the product or service complies with the input requirements. An example is a soldering or welding process, where you cannot check the strength of every weld during regular production without damaging or destroying the parts. Not every process is required to undergo validation, but where validation is not required you can still choose to validate the process. For instance, you may want to validate a process in order to reduce a complex or costly inspection of the product or service after the process, even if you could check that the outputs meet the input requirements. Which processes you validate is determined by you and your needs.

5.6.5 Identification and Traceability

The organization is responsible for establishing and preserving identification throughout product realization, encompassing relevant delivery and post-delivery activities. This entails acknowledging traceability requirements outlined by the organization, the customer, and/or pertinent product specifications. The organization must uphold a documented procedure for identification and traceability while the product remains within its control, covering the following:

  1. Methods employed for identification.
  2. Necessary information for traceability, if mandated.
  3. Criteria for maintaining and/or reinstating identification and/or traceability.
  4. Measures to rectify instances of lost identification and/or traceability.

Records documenting traceability must be retained. Please note that “product” may encompass components or raw materials.

The organization must establish a documented procedure for identification and traceability while the product is under the control of the organization, as required by the organization, the customer, and/or the applicable product specifications, throughout the product realization process, including applicable delivery and post-delivery activities. The procedure shall include requirements for the maintenance or replacement of identification and/or traceability marks. Identification and traceability must be recorded. Where traceability is a requirement, the organization should control and record the unique identity of the product throughout the production process to ensure that only products that have passed the required inspections and tests are used. The process for identifying and tracing outputs, in terms of the monitoring and measurement requirements at all stages of production, enables conformity to requirements to be demonstrated; examples include physical part marking, labeling, tags, bar codes, signage, visual indicators, part segregation, lay-down areas, and storage racks. There are several ways of identifying products to prevent them from becoming mixed with other parts, components, or orders. The most obvious is using tags or stickers with a unique traceability identifier, such as a lot or batch number, included on the product labels. The identification may be engraved on the product itself, or the product may simply be marked with a color. Establish and implement a procedure to identify the product through the design, development, manufacture, and delivery stages. The established traceability system should track components from raw material through inspection, test, and final release operations, including rework:

  1. Establish the identity and status of products;
  2. Maintain the identity and status of products;
  3. Maintain records of serial or batch numbers.

5.6.6 Inspection/Test Status

The organization is required to uphold a documented procedure for maintaining the identification of inspection and/or test status throughout product realization, clearly indicating whether the product conforms or exhibits nonconformity.

The organization must establish a documented procedure for the identification of product inspection and/or test status throughout the product realization process that indicates the conformity or nonconformity of the product with respect to the inspections and/or tests performed. The organization shall ensure that only product that meets requirements, or that is authorized under concession, is released. Inspection and test status is part of product identification, and all of the product's quality requirements are managed through it. Inspection and test status documentation records the quality inspections and tests that were conducted, the progress of each test, and its status; this status is maintained as part of the product identification. Inspection and test status documentation is maintained at each process stage required for manufacturing, so that materials are produced with the quality the customer requires. The documents cover the materials used in product realization, the method by which they are identified, and the related detailed information. Quality concerns and the methods used to address them are also recorded in detail. Status is managed at every stage, from incoming materials to the final product, together with the related information used for product identification. The inspection and test status records are managed by the quality manager, who is responsible for the records and the related activities; these records help determine improvement actions for particular stages and for the methods used during the process.

5.6.7 Externally Owned Property

The organization must uphold a documented procedure for managing externally owned property, including customer property, incorporated into the product while under the organization’s control. This property encompasses intellectual property and non-publicly available data. The procedure should cover identification, verification, safeguarding, preservation, maintenance, and reporting loss, damage, or unsuitability for use to the external owner. Records concerning the control and disposition of externally owned property must be retained.

The organization must maintain a documented procedure for the identification, verification, safeguarding, preservation, maintenance, and control of externally owned property, including intellectual property and data, while it is under the control of the organization. The procedure includes requirements for reporting to the customer any loss, damage, or unsuitability for use of externally owned property. The control and disposition of externally owned property must be recorded.

This clause contains the requirement for organizations to have documented procedures for the identification, verification, safeguarding, preservation, maintenance, and control of externally owned property. Check that your organization communicates with its external providers, including customers, regarding the handling and treatment of their property. You should also check that contingency plans exist and, where relevant, that actions are taken when nonconformities occur with externally provided property. Good sources of information often include the following:

  • Goods returned by the customer;
  • Warranty claims;
  • Revised invoices;
  • Credit notes;
  • Articles in the media;
  • Consumer websites;
  • Direct observation of, or communication with, the customer.

If there are any products, materials, or tools on your organization’s premises that are owned by an external provider or customer, all employees must exercise care with this property. This means they must ensure that the property is not lost or damaged. If externally provided property is lost or damaged, this must be recorded and the external provider must be notified. Establish and implement a process to manage property supplied by external providers:

  • Establish the identity and status of externally provided product;
  • Maintain records.

5.6.8 Preservation of Product

The organization must uphold a documented procedure outlining the approaches employed to maintain the integrity of the product and its component parts during product realization and delivery. This procedure should cover identification and traceability marking, storage procedures (including designated storage areas or stock rooms), periodic condition assessments as specified by the organization, transportation, handling, packaging, and protection. Records of assessment results must be retained.

The organization must establish a documented procedure for the preservation of product and its constituent parts. It must describe the methods used for preservation throughout product realization and delivery to the intended destination in order to maintain conformity to requirements. It must include identification and traceability marks, transportation, handling, packaging, and protection, as applicable. The preservation process must include packaging, storage, and other product-specific handling methods.

  1. Identification and traceability – Ensure that products are properly identified and do not become mixed with other orders. You should expect to see that all products are clearly identified. This relates to the identification and traceability requirements in 5.6.5; however, for preservation of product it is a requirement and not ‘as applicable’.
  2. Handling – This may include bulk handling using moving equipment or physical contact where handling may influence product conformity. You should verify that suitable handling methods are implemented throughout the processes.
  3. Packaging – Ensure that the labeling and marking of shipped products are sufficient to enable adequate identification and traceability back through your QMS. This includes ensuring that labeling and marking maintain their integrity and remain affixed throughout the shipping process. You should expect to see that methods have been established for packaging the product so as to preserve its integrity throughout shipping.
  4. Protection – Raw materials, in-process materials, inspected product, nonconforming product, and product ready for shipping should be identified with their status and protected from any unintended alteration. You should verify that appropriate measures are in place to protect product; these will vary depending on the product.

The procedure must also identify the requirements for the storage and assessment of the product and its constituent parts. The organization must use designated storage areas or stock rooms to prevent damage or deterioration of product pending use or delivery, and appropriate methods for authorizing receipt to and dispatch from such areas shall be stipulated. Storage facilities should address not only physical security but also environmental conditions (e.g., temperature and humidity). To detect deterioration, the condition of product or constituent parts in stock shall be assessed at specified intervals; the interval will be appropriate to the products or constituent parts being assessed. The methods for marking and labeling should give legible, durable information in accordance with the specifications. Consideration may also need to be given to administrative procedures for expiration dates, stock rotation, and lot segregation.

5.6.9 Inspection, Testing, and Verification
5.6.9.1 General

The organization must maintain a documented procedure for inspecting, testing, and/or verifying the product to ensure that requirements have been met. This procedure should cover:

  1. Methods and application of in-process inspection, testing, and/or verification.
  2. Methods and application of final inspection, testing, and/or verification.
  3. Creation and retention of records.

It’s important to note that in-process and final inspection may be combined into one or more activities, and certain product characteristics may necessitate final inspection/verification during product realization.

A product inspection is the process of examining your goods against a list of pre-set criteria to ensure they meet your quality standards. The process might include packaging and labeling checks, visual examination, functionality checks, and measurement taking. Product testing typically involves using advanced equipment in a laboratory setting to verify product safety, compliance, or performance. You might test your products to check for harmful chemicals, to comply with regulations, or to simulate repeated use. The key differences between inspection and testing in manufacturing are:

  • Inspections typically take place at the factory where the goods are produced, while testing occurs in a specialized lab.
  • Inspections typically use basic equipment that an inspector can carry with them, while testing involves advanced equipment.
  • Inspections are typically focused on maintaining quality standards, while testing is focused on regulatory compliance and performance standards.

Types of inspection / verification:

  • Quantity
  • Description: size, weight, diameter, length
  • 100% or sampling
  • Visual inspection
  • Gaging
  • Dimensional inspection
  • Nondestructive examination
  • Hardness testing
  • Positive material identification
  • Document review (inspection reports, material test reports)

Organizations must maintain a documented procedure for inspecting, testing, and/or verifying the product to ensure that requirements have been met. Here is how the procedure should cover each aspect:

  1. Methods and Application of In-Process Inspection, Testing, and/or Verification:
    • The procedure should detail the methods used for in-process inspection, testing, and/or verification during the manufacturing or assembly process.
    • It should specify the points in the production process where in-process inspections or tests are conducted, as well as the acceptance criteria for each inspection or test.
    • The procedure should outline how the results of in-process inspections or tests are documented, communicated, and used to make decisions about product acceptance or further processing.
  2. Methods and Application of Final Inspection, Testing, and/or Verification:
    • The procedure should describe the methods used for final inspection, testing, and/or verification of the finished product before release or delivery.
    • It should specify the criteria and procedures for conducting final inspections or tests, including sampling plans, test methods, and acceptance criteria.
    • The procedure should outline how the results of final inspections or tests are documented, evaluated, and used to determine product acceptability and readiness for release.
  3. Creation and Retention of Records:
    • The procedure should define the requirements for creating, maintaining, and retaining records of inspection, testing, and verification activities.
    • It should specify the information to be included in inspection, test, and verification records, such as the date and time of the activity, the identity of the inspector or tester, the results of the inspection or test, and any actions taken as a result of the findings.
    • The procedure should outline the retention period for inspection, test, and verification records, as well as the storage and retrieval requirements to ensure that records are maintained in a secure and accessible manner.

By covering these aspects in the documented procedure for inspecting, testing, and verifying the product, organizations can ensure consistency, accuracy, and reliability in their quality control processes, leading to products that meet the specified requirements and customer expectations in line with API Specification Q1.

5.6.9.2 In-process Inspection, Testing, and Verification

The organization must conduct inspections, tests, and/or verifications of products at predetermined stages as specified by the quality plan, process control documents, and/or documented procedures. Evidence demonstrating conformity with the acceptance criteria must be retained.

The organization must inspect/verify and test the product at planned stages as per the product quality plan, process control documents, and/or documented procedures. Evidence of conformity with the acceptance criteria must be maintained. In-process inspections seek to examine workflow to reduce cycle time and Work-in-Process (WIP), while increasing capacity. Resources are evaluated to ensure proper training. Environmental factors are taken into consideration and products are inspected directly on the shop floor. The inspections can be performed by both manufacturing and inspection personnel.

5.6.9.3 Final Inspection, Testing, and Verification

The organization must conduct final inspection, testing, and/or verification of the product in accordance with the quality plan, process control documents, and/or documented procedures to ascertain and document the conformity of the completed product with the specified requirements. Unless conducted by an automated system, the final acceptance inspection at the scheduled stages of the product realization process shall be carried out by individuals other than those involved in, or directly overseeing, the product realization process.

The organization must perform all final inspections and testing as per the product quality plan and/or documented procedures to validate and document the conformity of the finished product to the specified requirements. Personnel who have not performed or directly supervised production must conduct the final acceptance inspection. For single-step manufacturing processes (e.g. threading), in-process and final inspection and testing may be the same. Final inspections take place when production is complete. The overall product is measured against engineering requirements, customer requirements, and standards. Final inspections and device approvals play an integral role in the decision to move items to stock or to shipment. An inspection report is run before final device approval to ensure there are no open items. A final inspection report validates that all required operations are complete, all nonconformances have been resolved, and the required traceability has been recorded.

Usually, the Quality Manager determines the scope of the inspection and testing, and this is thoroughly communicated to all personnel. The procedure usually includes:

  • Holding back products until all inspections have been finalized
  • Reviewing the work order to ensure all first-part inspections, processes, and specified operations have been completed, with the relevant supervisor signing off the sheet
  • Checking that all documents are traceable to each product and are made available for inspection
  • Performing a visual inspection to verify that all specified operations have been completed and to detect any visible damage or defects
  • Releasing goods for packaging and shipping once the final inspection has been completed

5.6.9.4 Records

Records documenting all necessary inspection, testing, verification, and final acceptance activities must be preserved.

Records documenting all necessary inspection, testing, verification, and final acceptance activities must be preserved by the organization. These records serve as evidence that products have been adequately inspected, tested, and verified to ensure they meet specified requirements before being released to customers or used in further processes. Inspection, testing, verification, and final acceptance records provide documented evidence that the organization has complied with its quality management system requirements and procedures. This documentation demonstrates that products have undergone appropriate evaluation and have met the necessary standards and criteria. Preserved records allow for traceability and accountability throughout the production and quality assurance processes. They enable the organization to track the history of each product, including who conducted inspections or tests, when they were performed, and what the results were. This traceability helps identify potential issues, track trends, and assign responsibility if problems arise.

5.6.10 Preventive Maintenance

The organization must uphold a documented procedure for conducting preventive maintenance on equipment utilized for product realization. This procedure should outline the equipment types subject to maintenance, the frequency of maintenance tasks, and the individuals responsible for carrying them out. Records detailing preventive maintenance activities must be retained. Preventive maintenance protocols can be devised based on various factors such as risk assessment, system reliability, usage patterns, historical data, industry best practices, applicable regulations, manufacturer recommendations, or other relevant criteria.

The organization must establish a documented procedure for preventive maintenance of equipment used in product realization. The procedure shall identify the type of equipment to be maintained, the frequency of maintenance, and the personnel responsible for it. Records of preventive maintenance must be maintained. Preventive maintenance can be based on risk, system reliability, usage history, experience, industry-recommended practices, relevant codes and standards, original equipment manufacturer’s guidelines, or other applicable requirements.

Preventive maintenance consists of regular, scheduled maintenance activities that are performed on equipment to reduce the chance of failure and extend uptime. Preventive maintenance can be defined as the “systematic inspection, detection, correction, and prevention of incipient failures before they become actual or major failures.”

(a) This specification requires that the types of equipment used in the product realization process be identified and maintained.

(b) Identifying the frequency of the preventive maintenance to be performed. This may include:

  • Daily/weekly
  • Monthly/Quarterly
  • Semi-Annually
  • Annually

(c) Identifying the responsible personnel to perform the preventive maintenance. This may include:

  • Operator
  • Maintenance Personnel
  • Manufacturer / 3rd party

5.7 Product Release

The organization must retain a documented procedure concerning the release of products to customers. Product release should not occur until all planned arrangements have been satisfactorily fulfilled. Only products that conform to requirements or have been authorized under concession shall be released by the organization. Records must be kept to facilitate the identification of the individual responsible for authorizing product release.

The organization must establish a documented procedure to ensure that release of product to the customer does not proceed until all the planned arrangements have been satisfactorily completed, unless otherwise approved by a relevant authority and, where applicable, by the customer. Records enabling identification of the individual releasing the product must be maintained.

Release of a product may include, according to the product planning and the verification stages, release to the next operation, release to an internal customer, or release to the final customer. Planned arrangements can include design verification and design validation (modelling, simulations, experiments, trials, prototypes, functional testing, performance testing); inspections (in-process, first article and final inspection); examination through destructive and non-destructive testing; customer acceptance testing; and product certification/qualification or third-party qualification by a regulator, recognized society, or independent testing body. The planned requirements may be waived for product release, but the waiver must be approved by the relevant authority and by the customer as appropriate. Product characteristics are monitored and measured to demonstrate:

  1. Product characteristics are continually met;
  2. Evidence of conformity with product requirements.

Records retained to provide evidence that acceptance criteria have been met might include a certificate of conformity, a release certificate, or a regulatory certificate. Ensure traceability to the person(s) authorizing the release (name, authorized signatory, user identification, stamp impression, etc.), including their authority status (release signatory, certifying staff, scope of authorization, etc.).

5.8 Testing, Measuring, Monitoring, and Detection Equipment (TMMDE)

5.8.1 General

The organization must establish the testing, measuring, monitoring, and detection requirements necessary to demonstrate conformity to specified standards. This includes the necessary Test, Measurement, Monitoring, and Detection Equipment (TMMDE). TMMDE, whether owned and maintained by the organization, owned by employees, or obtained from external sources such as third-party vendors, proprietary sources, or customers, must be controlled. Calibration of TMMDE must occur at specified intervals, with documentation of the date of first use when the calibration interval is determined based on this date.

5.8.2 Procedure

The organization must uphold a documented procedure for controlling Test, Measurement, Monitoring, and Detection Equipment (TMMDE). This procedure must encompass specific equipment types and include:

  a) Unique identification;
  b) Calibration status;
  c) Traceability to international or national measurement standards. If such standards are absent, the basis for calibration must be recorded;
  d) Calibration method and acceptance criteria;
  e) Calibration frequency and the commencement of calibration intervals;
  f) Documentation of calibration measurements before and after adjustments, known respectively as ‘as-found’ and ‘as-left’ measurements. If no adjustments are made, ‘as-found’ and ‘as-left’ measurements are the same;
  g) Measures to prevent unintended use of TMMDE identified as out-of-calibration, beyond calibration intervals, or out-of-service;
  h) Assessment of the validity of previous measurements and actions to be taken on the TMMDE and product if TMMDE is found to be out of calibration, including maintaining records and evidence of customer notification if the suspect product has been shipped;
  i) Utilization of third-party, proprietary, employee-owned, and customer-owned TMMDE;
  j) Maintenance; and
  k) Suitability for planned monitoring and measurement activities.

5.8.3 Equipment

TMMDE identified in 5.8.1 must adhere to the following:

  • a) Undergo calibration;
  • b) Have its calibration status identifiable by the user before and during use;
  • c) Be safeguarded from adjustments or modifications that could invalidate the measurement result or calibration status;
  • d) Be protected from damage and deterioration during handling, maintenance, and storage; and
  • e) Be utilized under environmental conditions suitable for the calibrations, inspections, measurements, and tests being performed.

When utilized in testing, monitoring, measurement, or detection to meet specified requirements, the suitability of computer software to fulfil the intended application must be confirmed before initial use and reconfirmed as necessary.

5.8.4 TMMDE Equipment from Other Sources

When utilizing TMMDE that is third-party, proprietary, or customer-owned, the organization must ensure the equipment is calibrated before use. Where constrained by customer, contract, or licensing agreement limitations, the requirements of 5.8.2, Items c), d), e), f), j), and k) shall not be applicable.

The organization must determine the testing, monitoring, and measurement required and the associated equipment needed to provide evidence of conformity to those requirements. The organization must establish a documented procedure for maintenance and calibration of the testing, measurement, and monitoring equipment, and ensure that the equipment is used as required by the monitoring and measurement requirements. The procedure shall include the unique identifier, the calibration status, and the traceability of the equipment to international or national measurement standards. If no such standards exist, the basis used for calibration or verification must be recorded. It must also include the frequency of calibration, prior to use and at specified intervals. The calibration or verification method (including adjustments and readjustments as necessary), the acceptance criteria, and the control of equipment identified as out-of-calibration to prevent unintended use must be included in the procedure.

When equipment is found to be out of calibration, an assessment of the validity of previous measurements must be undertaken and the actions to be taken on the equipment and on the product determined. If any suspect product has been shipped, there must be evidence of notification to the customer. Records must be maintained.

TMMDE must be calibrated or verified, or both, against measurement standards. Verification against identified acceptance criteria is performed on non-adjustable equipment. TMMDE must have its calibration status identifiable by the user at all times for the activities being performed. It must be safeguarded from adjustments that would invalidate the measurement result or the calibration status, protected from damage and deterioration during handling, maintenance, and storage, and used under environmental conditions that are suitable for the calibrations, inspections, measurements, and tests being carried out.

When used in the testing, monitoring, or measurement of specified requirements, the ability of computer software to satisfy the intended application must be confirmed prior to initial use and reconfirmed as necessary. When equipment is third-party, proprietary, employee-owned, or customer-owned, the organization must verify that the equipment is suitable and provide evidence of conformity to the requirements. The organization must maintain a registry of the required TMMDE with a unique identification specific to each piece of equipment. Records of calibration and verification results must be maintained.

TMMDE are subject to the following controls:

  • Devices are calibrated at intervals or before use, based on recognized standards;
  • Devices are adjusted as necessary according to the manufacturer’s instructions;
  • Devices are identified to enable calibration status to be determined;
  • Devices are safeguarded from adjustment, which may invalidate results;
  • Devices are protected from damage during handling, maintenance or storage;
  • The validity of results from a nonconforming device is re-checked with a conforming device;
  • Devices are calibrated by external providers accredited to ISO/IEC 17025;
  • Records of calibration and verification are maintained;
  • Computer software which is used for monitoring/measuring is validated before initial use;
  • Computer software used for monitoring and measuring is re-validated where necessary.

Where measurement traceability is not a requirement, verify that the monitoring and measuring resources used by your organization are suitable for their purpose, and ensure that records are maintained to demonstrate that suitability. Where calibration is required, all equipment requiring calibration must be identified and must be:

  1. Calibrated or verified at specified intervals, or prior to use. Equipment must be calibrated using measurement standards traceable to international or national measurement standards. Where no standard is available for the device, the basis for calibration or verification must be recorded. A certification auditor would expect to see that traceable standards are used and, where applicable, have not expired. Where calibration is completed by an outsourced process (i.e. a vendor), the records of traceability must be reviewed.
  2. Adjusted or readjusted as necessary. There must be evidence that equipment found to be out of calibration is adjusted or readjusted by qualified personnel, that the validity of previous measurement results is assessed when equipment is found to be out of calibration, and that appropriate action is taken (which may include recall of product). A process must be in place to provide traceability from each piece of equipment to the process or product it was used on. The calibration and verification results must be maintained as quality records.
  3. Identified to show calibration status. Each piece of equipment must be identified in such a way that the user can determine that the device has current calibration. This may be accomplished by the equipment’s unique serial number traceable to the calibration record; a calibration status label is good practice. Other methods may be used but must identify the calibration status. Where the environment is not conducive to the use of stickers, the status may be identified by colour-coding, an identification number with an associated calibration record, and/or calibration before every use.
  4. Safeguarded from adjustment. A process must be in place to ensure that users outside the calibration process do not adjust equipment. Equipment may be verified before use; however, any adjustment made to equipment must meet all requirements of this section. Methods to safeguard may include locking materials for setscrews, tamper-evident seals, limited access to calibration areas, and other methods.
  5. Protected from damage during handling, maintenance and storage. Measuring equipment must be handled and stored in a manner that protects it from damage.
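Items g) and h) of 5.8.2 and item 2 above describe a control that is easy to state and easy to get wrong in practice: refusing use of equipment whose calibration status is not valid, and, when a calibration finds a device out of tolerance, tracing back to every product measured since the device was last known to be good. The following is an added example, not text or code from API Q1 or from any vendor’s software; the data model (Calibration, Use, TmmdeRegistry), the device and product identifiers, and the dates are hypothetical and constructed for this illustration. The suspect window opens at the most recent earlier calibration whose as-left reading was within criteria and closes at the calibration whose as-found reading failed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Set


@dataclass(frozen=True)
class Calibration:
    """One calibration event for a device (hypothetical record layout)."""
    device_id: str
    performed: date
    as_found_ok: bool   # as-found reading within acceptance criteria
    as_left_ok: bool    # as-left reading (after any adjustment) within criteria
    next_due: date      # end of the calibration interval


@dataclass(frozen=True)
class Use:
    """One use of a device to measure a product (hypothetical record layout)."""
    device_id: str
    used_on: date
    product_id: str


class CalibrationError(Exception):
    """Raised when TMMDE is used while not in a valid calibration state."""


class TmmdeRegistry:
    """Registry keyed by unique device identifier (5.8.2 item a)."""

    def __init__(self) -> None:
        self._calibrations: Dict[str, List[Calibration]] = {}
        self._uses: List[Use] = []
        self._out_of_service: Set[str] = set()

    def record_calibration(self, cal: Calibration) -> None:
        history = self._calibrations.setdefault(cal.device_id, [])
        history.append(cal)
        history.sort(key=lambda c: c.performed)
        # A device that could not be brought within criteria is out of service.
        if cal.as_left_ok:
            self._out_of_service.discard(cal.device_id)
        else:
            self._out_of_service.add(cal.device_id)

    def status(self, device_id: str, on: date) -> str:
        """Calibration status as the user must be able to see it (5.8.3 b)."""
        if device_id in self._out_of_service:
            return "out-of-service"
        history = [c for c in self._calibrations.get(device_id, []) if c.performed <= on]
        if not history:
            return "uncalibrated"
        return "in-calibration" if on <= history[-1].next_due else "overdue"

    def record_use(self, use: Use) -> None:
        """Prevent unintended use of out-of-calibration equipment (5.8.2 item g)."""
        state = self.status(use.device_id, use.used_on)
        if state != "in-calibration":
            raise CalibrationError(f"{use.device_id} is {state} on {use.used_on}")
        self._uses.append(use)

    def suspect_products(self, failing: Calibration) -> List[str]:
        """Products whose measurements are suspect after an as-found failure (5.8.2 item h)."""
        if failing.as_found_ok:
            return []
        earlier = [c for c in self._calibrations.get(failing.device_id, [])
                   if c.performed < failing.performed and c.as_left_ok]
        window_start = earlier[-1].performed if earlier else date.min
        return sorted({u.product_id for u in self._uses
                       if u.device_id == failing.device_id
                       and window_start <= u.used_on <= failing.performed})


def example_scenario() -> dict:
    """Constructed sample history for one micrometer across two calibration cycles."""
    reg = TmmdeRegistry()
    dev = "MIC-0042"  # hypothetical device identifier
    reg.record_calibration(Calibration(dev, date(2023, 7, 10), True, True, date(2024, 1, 10)))
    reg.record_use(Use(dev, date(2023, 9, 1), "P-050"))
    reg.record_calibration(Calibration(dev, date(2024, 1, 10), True, True, date(2024, 7, 10)))
    reg.record_use(Use(dev, date(2024, 2, 1), "P-100"))
    reg.record_use(Use(dev, date(2024, 5, 15), "P-200"))
    # Use after the interval lapsed must be refused, not silently recorded.
    try:
        reg.record_use(Use(dev, date(2024, 8, 1), "P-300"))
        blocked = False
    except CalibrationError:
        blocked = True
    # Next calibration: as-found out of tolerance, adjusted, as-left within criteria.
    failing = Calibration(dev, date(2024, 8, 5), False, True, date(2025, 2, 5))
    reg.record_calibration(failing)
    return {
        "blocked_overdue_use": blocked,
        "suspect": reg.suspect_products(failing),   # P-050 is before the last good as-left
        "status_after": reg.status(dev, date(2024, 8, 6)),
    }


if __name__ == "__main__":
    print(example_scenario())
```

The point of the window calculation is that a good as-found reading at the previous calibration is what clears earlier measurements: P-050 is not suspect because the January calibration found the device within tolerance, while P-100 and P-200 are suspect because nothing between January and August shows the device was still good. The list returned is the input to the customer-notification and product-disposition steps the clause requires.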

5.9 Control of Nonconforming Product
5.9.1 Procedure
5.9.1.1 General

The organization must uphold a documented procedure that outlines controls, along with the corresponding responsibilities and authorities, for managing nonconforming products throughout product realization and post-delivery.

5.9.1.2 Nonconforming Product During Product Realization

The procedure for handling a nonconforming product discovered during product realization must encompass guidelines for product identification and control to avoid unintended use or delivery, addressing the identified nonconformity, implementing measures to prevent its initial intended use or delivery, and obtaining authorization for its use, release, or acceptance under concession from the appropriate authority and, if necessary, from the customer.

5.9.1.3 Nonconforming Product After Delivery

The procedure for handling a nonconforming product discovered after delivery must include identifying, documenting, and reporting nonconformances or product failures identified after delivery; ensuring analysis of the nonconformance or failure, provided the product or documented evidence supporting the nonconformity is available, to facilitate determination of the cause; and taking action appropriate to the effects, or potential effects, of the nonconformance.

5.9.2 Nonconforming Product

The organization shall manage nonconforming products by executing one or more of the following actions:

  • a) Conducting repair or rework followed by subsequent inspection to ensure compliance with specified requirements;
  • b) Re-grading for alternative applications;
  • c) Releasing under concession;
  • d) Rejecting or scrapping the product.

5.9.3 Release of Nonconforming Product Under Concession

Nonconforming products that do not meet manufacturing acceptance criteria (MAC) may be released under concession if authorized by the organization’s relevant authority, given that:

  1. The products still meet the applicable design acceptance criteria (DAC) and customer criteria;
  2. It is determined that the violated MAC is unnecessary to meet the applicable DAC and/or customer criteria; or
  3. The DAC has been modified, and the affected products comply with the revised DAC and associated MAC requirements. If the DAC was previously agreed upon with the customer, any changes to the DAC must be authorized by the customer.

The organization is not permitted to release products that do not conform to DAC or contract requirements without authorization from the customer.

5.9.4 Customer Notification of Nonconforming Product

The organization is required to inform customers of any delivered product that does not meet the agreed design acceptance criteria (DAC) or contractual requirements. The organization must maintain records of such notifications.

5.9.5 Records

Records documenting nonconformities must be retained, encompassing details of the nonconformity, actions taken thereafter including any concessions secured, the reasoning behind approving product release under concession, and the pertinent authority involved.

The organization must establish a documented procedure that identifies the controls, including the responsibilities and authorities, for nonconforming product. The procedure for nonconforming product identified during product realization must include controls for product identification to prevent unintended use or delivery; addressing the detected nonconformity; taking action to preclude its original intended use or delivery; and authorizing its use, release, or acceptance under concession by the relevant authority and, where applicable, by the customer.

The procedure for nonconforming product identified after delivery must include identifying, documenting, and reporting nonconformances or product failures identified after delivery; ensuring analysis of the product nonconformance or failure, provided the product or documented evidence supporting the nonconformity is available, to facilitate determination of the cause; and taking action appropriate to the effects, or potential effects, of the nonconformance.

The organization shall address nonconforming product by repair or rework with subsequent inspection to meet specified requirements, re-grading for alternative applications, release under concession, and/or rejection or scrapping.

Evaluation and release under concession of nonconforming product that does not satisfy manufacturing acceptance criteria (MAC) can be permitted when the organization’s relevant authority and the customer (where applicable) have authorized the release, provided that the products continue to satisfy the applicable design acceptance criteria (DAC) and/or customer criteria; or the violated MAC are categorized as unnecessary to satisfy the applicable DAC and/or customer criteria; or the DAC are changed and the products satisfy the revised DAC and associated MAC requirements. The organization shall notify customers of delivered product that does not conform to DAC or contract requirements, and shall maintain records of such notifications.

The nature of nonconformities and any subsequent actions taken, including concessions obtained, must be recorded. The organization must keep records of each nonconformance or defect and how it was dealt with. Records of product nonconformity should be periodically reviewed to determine whether a chronic problem exists with the production process.

Corrected product must then be subject to further inspection to verify that it now conforms. If the nonconforming product was documented, there should be somewhere to verify that the problem was (or was not) successfully cured and that the product is now conforming. Re-verification simply means that you cannot assume the problem is fixed because someone tells you it has been corrected. The clause asks you to re-verify by whatever means you originally chose: if inspection was the method of verification, re-inspect by the same method; if not, use whatever method suits you (or your customer), and make sure the product is acceptable before it leaves. Re-verification after remedial work might involve testing as well as inspection. The reason is not just to verify that the defect has been removed, but also to assure that fresh defects have not been introduced by the rework. Records would be as appropriate for the re-inspection or re-testing performed; re-verification is equivalent to re-inspection, and records could include a signature of approval or a more formal test report. Whichever format is chosen, it must be defined in the nonconformity procedure. You may need to supply new evidence of conformance to your customer along with corrective action documentation if requested. The method used in either situation should be defined in your procedures, so that neither you nor your auditor has to guess how you would address it.

Any product or process output that does not conform to specified requirements should be properly identified and controlled to prevent unintended use or delivery. Improvements are then implemented to ensure the nonconformance does not recur. Control defective products by:

  • Defining how nonconforming products and processes are identified;
  • Defining how nonconforming products and processes are dealt with;
  • Removing or correcting nonconformities;
  • Preventing the delivery or use of nonconforming products and processes;
  • Verifying how nonconforming products and processes were corrected;
  • Providing evidence that corrected products and processes now conform to requirements;
  • Keeping records that catalogue nonconforming products and processes.

There may be instances where it is impossible to completely eliminate the cause of the nonconformity, so in these instances, the best you can do is to reduce the likelihood or the consequences of a similar problem happening again in order to reduce the risk to an acceptable level. Where applicable any corrective action taken and controls implemented to eliminate the cause of nonconformity should be applied to other similar processes and products.

Handling Nonconforming Products
The documented procedure should indicate the plan of action for controlling nonconforming product. Nonconforming product is identified and segregated from conforming product. It must be reviewed and approved before release. Details of the nonconformity must be documented. If a nonconformity is identified after delivery, separate actions are taken. Reprocessed nonconforming product must be re-verified before release. When controlling and handling nonconforming product, a specific procedure must be followed to ensure that the wrong product is not delivered to customers. First, the organization should already have a documented procedure that indicates the method or plan of action that will be taken to control the product in question.

Upon removal of the nonconforming product, the organization must ensure that it is not mixed with conforming product awaiting distribution. Once the product has been identified and segregated, it must be reviewed and approved before it can be released. Release of a nonconforming product can be made under concession by an authorized person, and any such release must be documented after it has been completed. The other details of the nonconformity must also be documented, including the specific nonconforming characteristics identified, the steps taken to correct it, and the measures taken to prevent recurrence. From this documentation, company personnel should be able to understand the nature of the event, why the product did not conform to the specified requirements, and what was done to eliminate the issue. If a nonconforming product is identified after it has been delivered, a separate set of actions must be taken; these depend on the severity of the nonconformity and are determined by the relevant authority. Once a nonconforming product has been identified and a plan of action established, it can be scrapped, or it can be reworked or repaired so that it meets the requirements or is acceptable under concession. Any reprocessed nonconforming product must be re-verified and approved for release by a person with the proper authority.

5.10 Management of Change (MOC)
5.10.1 General

The organization is required to uphold a documented procedure for Management of Change (MOC) to ensure the integrity of the quality management system amid changes. This MOC procedure shall cover:

  a) Description and justification of the change;
  b) Allocation and availability of resources, including personnel;
  c) Assessment of potential risks associated with the change;
  d) Review, approval, and execution of the change;
  e) Notifications regarding the change;
  f) Verification of the completion of MOC activities and assessment of their impact on the Quality Management System (QMS).

5.10.2 MOC Application

The organization must utilize Management of Change (MOC) for alterations that could adversely affect the product’s quality.

5.10.3 MOC Notification

The organization must inform pertinent internal staff about the change and its associated risks. If mandated by contract, the organization must also notify the customer of the change and its associated risks. Documentation of MOC notifications is required.

5.10.4 Records

Records of MOC activities must be maintained.

Changes are intended to be beneficial but they need to be carried out when determined by your organization as relevant and achievable. In addition, consideration of newly introduced risks and opportunities should also be taken into account. To achieve the benefits associated with changes, your organization should consider all types of change that may occur. These changes may be generated, for example, in:

  1. Processes and procedures;
  2. Quality manual;
  3. Documented information;
  4. Infrastructure;
  5. Tooling;
  6. Process equipment;
  7. Employee training;
  8. Supplier evaluation;
  9. Stakeholder management;
  10. Interested party requirements.

Whenever quality management system changes are planned, top management should ensure that all personnel are made aware of any changes which affect their process, and that subsequent monitoring is undertaken to ensure that QMS changes are effectively implemented. The organization must consider:

  • The purpose of the changes and their potential risk and opportunities.
  • The integrity of the management system.
  • The availability of resources.
  • The allocation or reallocation of responsibilities and authorities.

Decide on Disposition Option
This is the step where you decide what to do with the non-conforming products. There are several options that you can choose from:

  1. Eliminate the nonconformance: By applying rework to the product, you can bring it back to fully meeting the requirements. The main difference between rework and repair is that with rework the nonconformance is fully eliminated so the product is compliant, while with repair it is eliminated only enough to make the product usable. Finding a bracket with holes that were too small and drilling them larger to meet the drawing would be an example of rework.
  2. Authorize use: If there is a concession from the requirements and the product or service is usable although not fully compliant, you can accept the product or service as is. Sometimes a repair will be required to change the product enough to make it usable, although it will not fully meet the requirements. If a bracket has holes out of position, you could make the holes into slots so that the part fits in place. This would be an example of repair.
  3. Preclude original use: This is when you decide either to scrap the product or to re-grade the product or service (such as product sold as seconds).
  4. Correct per disposition: This is simply doing the actions you decided to do. If you are accepting the product or service as is, allow it to continue. If you are reworking or repairing something, have the steps carried out as planned (and make sure it is re-verified afterwards). If you are selling the unit as a second, how do you identify it so that it ends up being used properly at the end of the process?
  5. Corrective action: Finally, after deciding how to fix the product, look at why the nonconformance happened, and try to find and fix the cause so that it does not happen again. If an error in the instructions caused the problem, get the instructions fixed. If a program bug caused a service error, fix the program. If you have found that a part of the machine is wearing out, implementing a preventive maintenance check on that machine could go a long way toward preventing similar problems in the future. If this is a recurring problem, then switching the investigation over to the corrective action process may allow for greater improvements. Often, the nonconforming product process is the biggest input to the corrective action process.

Example of Oil Spill Contingency Plan

1. Introduction

Oil spills can arise from a number of different sources ranging from small operational spills like overloading tanks and burst hoses to the most serious such as a catastrophic failure in a large tanker’s hull integrity due to a collision or grounding. There are also other non operational sources such as urban runoff and natural seepage. However this oil spill contingency plan will be dealing with the former sources of pollution. Without doubt the most crucial aspect of dealing with any emergency is to be prepared. However, unlike most emergencies that occur with little warning, but are over in a relatively short period of time, an oil spill incident can also occur with little warning, but may extend for weeks, months or even years.

Therefore planning for oil spills must not only address the immediate tactical response and the management of the immediate aftermath, but must also cater for a much lengthier tactical response and take a more strategic view of an aftermath that may extend for years. It is also extremely important to ensure that the planning process is not done in isolation but includes all of those constituents who would be affected by the oil spill. Any company, large or small, operates in a public environment; when it meets an incident, depending on the consequences, there will be a cascade of impacts on that operating environment. Major oil spills in the tank farm area of the complex can generate technical, legal and public relations problems for the organization. The best way to handle oil spills is to prevent their occurrence. Good housekeeping, adequate equipment maintenance and strict adherence to proper operating procedures are the best insurance against oil spills.

If, in spite of the best care, accidental spills do occur, they will require immediate coordination of most of the departments of the organization and perhaps, the assistance of outside agencies too. This oil spills preparedness plan is designed to help company personnel to respond quickly and effectively to the problems presented by accidental spills.  Its primary goal is to limit, as far as practicable, damage to property (inside and outside the refinery) and ecology from such a spill.

A major oil spill in the plant can occur due to major failures, fires or tank ruptures. Such a spill may release oil that extends beyond the property limits of the plant. The situation may be further aggravated because the drainage channels are connected to the sea; if not properly controlled, the spill can result in loss of oil to the sea. In the event of a tank rupture, spilled oil will accumulate inside the dyke walls and may overflow into open storm water channels. If an oil spill takes place, a large amount of oil may be carried to the sea via the open storm water channel or through overflow of the separator.

2. Standard Reference For Classification Of Oil Spill Types

To avoid communication problems and to ensure uniform references that help decide the use of proper equipment and methods for response, the following classifications and categories will be used.

There are three oil spill classifications, as below:

  • Tier 1 oil spill
  • Tier 2 oil spill
  • Tier 3 oil spill

2.1 Category

  1. Persistent
  2. Non-Persistent

Category 1 refers to Persistent Oils and includes:

  1. Crude oil
  2. Fuel oil
  3. Marine Diesel Oil (Heavy Diesel Oil)
  4. Lubricating oil
  5. Used lubricating oil

Category 2 refers to Non-Persistent Oils and includes:

  1. Gasoline
  2. Jet and aviation fuels
  3. Solvents
  4. Middle distillates

3. Tier Definitions

These levels or response tiers are defined according to:

  • the type and quantity of oil spilt
  • the potential impact on the environment
  • potential media and public interest in the incident
  • the amount and source of resources deployed
  • the levels of support and higher level management activated

The three tiers of oil spills are described below:

  Tier   Description    Nominal Volumes
  1      Minor spill    < 1,000 Ltr
  2      Medium spill   < 10,000 Ltr
  3      Major spill    > 10,000 Ltr

It should always be borne in mind that designating tiers to oil spills is for planning purposes only. When an oil spill occurs, whether it is a small or a large release, there are a number of other complicated and sensitive factors that will determine the impact of the spill and could influence the scale of the response to it.

3.1 Tier 1 Contingency Plan

A Tier One plan should be prepared to cover the risk of a small local spill occurring due to normal operations within the facility. Examples of such spills are ruptures of oil transfer hoses, tank overloading or valve leakage, where the period of uncontrolled flow of oil can be quickly curtailed, resulting in a spill of a relatively small amount. However, just because the spill size is small does not lessen the need for a quick and effective response. Statistics show that there is a greater number of Tier One spills than of any other type and, unless they are dealt with effectively, they can have a more chronic effect on the immediate environment than any other category of spill. The response to a Tier One spill should be immediate or, failing that, at least within the first hour of the spill taking place.

3.2 Tier Two Contingency Plan

The Tier Two plan will cover those medium or moderate oil spill incidents at a company facility where the company has limited control over events and the physical size of the spill, or the effect of its impact, is beyond the scope of the Tier One response capability. In this case the company will know that its Tier One response capability is not sufficient and that it requires further resources as quickly as possible to supplement its Tier One resources. The line drawn between Tier Two and Tier Three is never clear; it is therefore important to ensure that a Tier Two plan can be simply escalated into a Tier Three plan. Always remember that one man’s Tier Two incident is another man’s Tier Three. For instance, a company may well consider an incident to be within its Tier Two response capability, but the media and the environmental lobby may push the event into the Tier Three category by raising its profile and speculating on the consequences.

3.3 Tier Three Contingency Plan

The Tier Three plan is the ultimate plan, to respond to a spill of catastrophic proportions. Normally this will consist of a plan drawn up by a government to protect the national interest, because only governments can draw upon the massive resources, such as the military, that would be required in the event of a catastrophic spill. Governments can also commandeer resources from the public and private sectors, as well as legislating for emergency powers. Examples of the types of incident covered by such a plan would be a catastrophic failure of a tanker’s hull integrity causing a major, if not total, release of the oil cargo or bunkers. This is normally due to a collision and subsequent foundering of the vessel, or to a grounding.

4. Oil Spill Response Team

The Company Oil Spill Response Team (OSRT) undertakes the response to all Tier 1 oil spills at the plant site.

Figure 4.1 lists the personnel who are assigned to each of the key roles.

5.0 Spill Assessment And Monitoring

5.1 General

An accurate estimation of spill volume and of the type of oil spilt is essential if an appropriate level of response is to be mobilized and effective strategies and equipment are to be used. A preliminary assessment is made by the IC but is unlikely to be entirely accurate. A follow-up assessment of the spill is therefore required. However, the size of an oil slick and the nature of the oil are not constant. Weathering processes act to either increase or decrease slick volumes and, generally, the viscosity of the oil will increase over time. This has implications for the effectiveness of spill response strategies. Ongoing surveillance and assessment of the spill is therefore required.

5.2  Preliminary Spill Assessment

The preliminary assessment of an oil spill is to be undertaken by the IC. The oil spill parameters should be recorded.

5.2.1 Volume

Estimates of spill volume can often be made on the basis of the cause of the spill and the duration of the spill event.

5.2.2 Oil Type

The type of oil spilt should be recorded. It is important to differentiate between spills of waste lube oils and spills of refined product. Spillages of refined volatile product present distinct risks to human health and safety.

5.2.3 Nature of the Incident

Information regarding the cause of the spill can be important in:

  • Determining whether there is, or is likely to be, a threat to human health and safety;
  • Calculating the volume, or potential volume, of a spill.

5.3 Continuing Assessment

For any spill requiring a Response, continuing surveillance of the slick is required. 

5.4 Spill Prediction

Predicting the movement and behavior of an oil slick may be undertaken using manual calculations.

5.5 Oil Behavior

The volume and area of a slick, and the character of the oil, will change over time.

Estimates of slick area are seldom predicted accurately. Area is best estimated by observation.

6.0 Immediate Response

6.1 Introduction

The preferred response action in all oil spills is to contain and recover the oil from the surface. The Incident Controller (IC) will consult with the Plant Site Officer (PSO) to determine the nature of any immediate response within the plant site.

6.2 Measures to be employed

In the event of an oil spill on the land surface the following measures should be employed according to the circumstances of the spill and conditions prevailing:

  • If possible prevent, control or stop the outflow or release of the oil from the source
  • If possible contain the spread of oil

The importance of human health and safety in any response operation cannot be overstressed.

6.3 Overall Protection Priorities including the protection for neighbors

Protection priorities to be employed during a response to an oil spill are, in order of descending priority:

  • Human health and safety
  • Habitat and cultural resources
  • Rare and/or endangered flora and fauna
  • Commercial resources
  • Amenities.

However, in assessing protection priorities, it is necessary to maintain a balanced view of the potential success of particular response strategies.  

6.4 Incident Reporting and Response Activation

Notification of a pollution incident will normally be made by:

  • Those responsible for the incident 
  • Government Agencies
  • Aircraft flying over the spill
  • The public/ neighbors. 

It is important that the information received is reported without delay to enable immediate and appropriate action to be taken. Pollution reports from the polluter may prove to be imprecise and are often conservative. All efforts should be made to validate the quantity, to support better planning and decision making. The response procedures that shall be followed are summarized in Figure 6.1.

Figure 6.1 - Typical Response Procedure

6.5 Oil Spill Clean-up strategy

Our clean-up strategy for a potential oil spill depends on many factors, such as weather conditions and the type of oil. The abatement strategies are as follows:

  • Mechanical recovery: removing the oil from the surface of the land mechanically, using a pump.
  • Cleaning the surface of the land by spreading soil and by using cloth.

7.0 Waste Handling, Storage & Disposal

7.1 General

The Waste Materials Coordinator is responsible for developing and implementing a Waste Management Strategy for each spill. Once recovered from the land surface, oil will be either:

  • Pumped directly for storage in holding tanks;
  • Placed in temporary holding tanks, drums or lined pits; or
  • Held in temporary bunded piles (if solid).

7.1 Priorities

The Waste Management Strategy should ensure that:

  • Oil and oily debris is adequately treated and stored at the point of collection;
  • Oil and oily debris is rapidly collected and taken to designated sites for storage, treatment or disposal;
  • Treatment or disposal practices ensure that the waste poses no future threat to the environment.

A number of options are available. The preferred options are (in order of preference):

  • Recovery and recycling of materials;

7.2 Transport

The Waste Management Coordinator is responsible for the mobilization of transport vehicles if oil spill material is required to be transferred elsewhere for storage.

7.3 Storage

Liquid oil or oily water can be stored in a tank and processed in the oil re-refining plant.

8.0 Response Termination

8.1 Responsibility For Terminating The Response

The Incident Controller is responsible for terminating the oil spill response. However, permission to stand down must be obtained from the facility General Manager.

8.2  Stand Down Procedures

Response personnel may be located in a number of areas. It is essential that all appropriate coordinators, managers and officers are informed that the response activities are being terminated, and that all personnel are informed as quickly as possible.

8.3 Assessment Of Spill Response Activities

It is the responsibility of the IC to ensure that all field reports are completed and submitted to the Manager.

The IC is responsible for ensuring that all reports, logs etc. are compiled, and for the preparation of a Summary Report to the Manager.

Such a report should address:

  1. Spill causes;
  2. Spill response (speed, operation, effectiveness);
  3. Equipment suitability;
  4. Familiarity of spill response team members with their roles and responsibilities;
  5. Integration of the plan and procedures with other response agencies.

Where appropriate, the report will make recommendations for improving performance.

8.5 Post Spill Monitoring

The preliminary oil spill recovery record should be entered in the oil spill and recovery register. This register should record the spill quantity and the quantity recovered into storage tanks.

ISO 45001:2018 Internal audit checklist

ISO 45001:2018 Checklist
Clause 4: Context of the organization
4.1 Understanding the organization and its context
Has the organization determined the external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcomes of its OH&S management system?
4.2 Understanding the needs and expectations of workers and other interested parties
Has the organization determined the interested parties, other than workers, that are relevant to the OH&S management system?
Has the organization determined the needs and expectations, i.e. the requirements, of the workers and other interested parties relevant to the OH&S management system?
Has the organization determined which of these needs and expectations become its legal requirements and other requirements?
4.3 Determining the scope of the OH&S management system
Has the organization established the boundaries and applicability of the OH&S management system to establish its scope?
When determining the scope of the OH&S management system, has the organization considered the external and internal issues referred to in clause 4.1 and also the legal and other requirements referred to in clause 4.2?
While determining the scope, has the organization taken into account the planned or performed work-related activities?
While determining the scope, has the organization determined the activities, products and services within its control or influence which can impact its OH&S performance?
Is the organization’s scope maintained as documented information?
4.4 OH&S management system
Has the organization established, implemented, maintained and continually improved its OH&S management system, including the processes needed and their interactions, in accordance with the requirements of ISO 45001:2018?
Clause 5 Leadership
5.1 Leadership and commitment
Does top management demonstrate leadership and commitment by taking overall responsibility and accountability for the prevention of work-related injuries and ill health, as well as for the provision of safe and healthy workplaces and activities?
Has top management ensured that the OH&S policy and OH&S objectives are established and are compatible with the strategic direction of the organization?
Has the organization integrated the requirements of the OH&S management system into its business processes?
Is top management ensuring that the resources needed to establish, implement, maintain and improve the OH&S management system are available?
Is the importance of effective OH&S management and of conforming to the OH&S management system requirements communicated?
Does top management ensure that the OH&S management system is achieving its intended results?
Is top management developing, leading and promoting a culture in the organization that supports the intended outcomes of the OH&S management system?
Does top management direct and support persons to contribute to the effectiveness of the OH&S management system?
Is top management ensuring and promoting continual improvement?
Is top management supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility?
Does top management protect workers from reprisals when reporting incidents, hazards, risks and opportunities?
Is top management ensuring the establishment and implementation of processes for consultation and participation of workers?
Is top management supporting the establishment and functioning of health and safety committees?
5.2 Policy
Has top management established, implemented and maintained an OH&S policy that is appropriate to the purpose, size and context of the organization, and to the specific nature of its OH&S risks and opportunities?
Does the OH&S policy include a commitment to provide safe and healthy working conditions for the prevention of work-related injuries and ill health?
Does the OH&S policy provide the framework for setting OH&S objectives?
Does the OH&S policy include a commitment to eliminate hazards and reduce OH&S risks?
Does the OH&S policy include a commitment to fulfill its legal requirements and other requirements?
Does the OH&S policy include a commitment to continual improvement of the OH&S management system?
Does the OH&S policy include a commitment to consultation and participation of workers and, where they exist, workers’ representatives?
Is the OH&S policy available as documented information, communicated within the organization, and available to interested parties as appropriate?
Is the OH&S policy relevant and appropriate?
5.3 Organizational roles, responsibilities and authorities
Has top management ensured that the responsibilities and authorities for relevant roles are assigned and communicated at all levels within the organization?
Has top management ensured that workers at each level of the organization assume responsibility for those aspects of the OH&S management system over which they have control?
Has top management assigned the responsibility and authority for ensuring that the OH&S management system conforms to the requirements of ISO 45001:2018?
Has top management assigned the responsibility and authority for reporting on the performance of the OH&S management system to top management?
5.4 Consultation and Participation of workers
Has the organization established, implemented and maintained processes for the consultation and participation of workers at all applicable levels and functions, and, where they exist, workers’ representatives, in the development, planning, implementation, performance evaluation and actions for improvement of the OH&S management system?
Does the organization provide the mechanisms, time, training and resources necessary for consultation and participation?
Does the organization provide timely access to clear, understandable and relevant information about the OH&S management system?
Does the organization determine and remove obstacles or barriers to participation, and minimize those that cannot be removed?
Does the consultation of non-managerial workers emphasize determining the needs and expectations of interested parties?
Does the consultation of non-managerial workers emphasize establishing the OH&S policy?
Does the consultation of non-managerial workers emphasize assigning organizational roles, responsibilities and authorities, as applicable?
Does the consultation of non-managerial workers emphasize determining how to fulfill legal requirements and other requirements?
Does the consultation of non-managerial workers emphasize establishing OH&S objectives and planning to achieve them?
Does the consultation of non-managerial workers emphasize determining applicable controls for outsourcing, procurement and contractors?
Does the consultation of non-managerial workers emphasize determining what needs to be monitored, measured and evaluated?
Does the consultation of non-managerial workers emphasize planning, establishing, implementing and maintaining an audit program?
Does the consultation of non-managerial workers emphasize ensuring continual improvement?
Does the participation of non-managerial workers emphasize determining the mechanisms for their consultation and participation?
Does the participation of non-managerial workers emphasize identifying hazards and assessing risks and opportunities?
Does the participation of non-managerial workers emphasize determining actions to eliminate hazards and reduce OH&S risks?
Does the participation of non-managerial workers emphasize determining competence requirements, training needs, training and the evaluation of training?
Does the participation of non-managerial workers emphasize determining what needs to be communicated and how this will be done?
Does the participation of non-managerial workers emphasize determining control measures and their effective implementation and use?
Does the participation of non-managerial workers emphasize investigating incidents and nonconformities and determining corrective actions?
6 Planning
6.1 Actions to address risks and opportunities
6.1.1 General
When planning for the OH&S management system, has the organization considered the issues referred to in 4.1, the requirements referred to in 4.2 and the scope of the OH&S management system, and determined the risks and opportunities related to environmental aspects and compliance obligations that need to be addressed to give assurance that the OH&S management system can achieve its intended outcomes?
When planning for the OH&S management system, has the organization considered how to prevent or reduce undesired effects and how to achieve continual improvement?
When determining the risks and opportunities for the OH&S management system and its intended outcomes that need to be addressed, has the organization taken into account hazards, OH&S risks and other risks, OH&S opportunities and other opportunities, and legal requirements and other requirements?
Has the organization determined and assessed the risks and opportunities that are relevant to the intended outcomes of the OH&S management system and associated with changes in the organization, its processes or the OH&S management system? In the case of planned changes, was this assessment undertaken before the changes were implemented?
Does the organization maintain documented information on risks and opportunities?
Does the organization maintain documented information on the processes and actions needed to determine and address its risks and opportunities, to the extent necessary to have confidence that they are carried out as planned?
6.1.2 Hazard identification and assessment of risks and opportunities
6.1.2.1 Hazard identification
Has the organization established, implemented and maintained processes for hazard identification that are ongoing and proactive?
While determining the hazards, has the organization taken into account how work is organized, social factors (including workload, work hours, victimization, harassment and bullying), leadership and the culture in the organization?
While determining the hazards, has the organization taken into account routine and non-routine activities and situations like infrastructure, equipment, materials, substances and the physical conditions of the workplace?
While determining the hazards, has the organization taken into account routine and non-routine activities and situations like product and service design, research, development, testing, production, assembly, construction, service delivery, maintenance and disposal?
While determining the hazards, has the organization taken into account human factors and how the work is performed?
While determining the hazards, has the organization taken into account past relevant incidents, internal or external to the organization, including emergencies, and their causes?
While determining the hazards, has the organization taken into account potential emergency situations?
While determining the hazards, has the organization taken into account those people with access to the workplace and their activities, including workers, contractors, visitors and other persons?
While determining the hazards, has the organization taken into account those people in the vicinity of the workplace who can be affected by the activities of the organization?
While determining the hazards, has the organization taken into account those workers at a location not under the direct control of the organization?
While determining the hazards, has the organization taken into account the design of work areas, processes, installations, machinery/ equipment, operating procedures and work organization, including their adaptation to the needs and capabilities of the workers involved?
While determining the hazards, has the organization taken into account situations occurring in the vicinity of the workplace caused by work-related activities under the control of the organization?
While determining the hazards, has the organization taken into account situations not controlled by the organization and occurring in the vicinity of the workplace that can cause injury and ill health to persons in the workplace?
While determining the hazards, has the organization taken into account actual or proposed changes in organization, operations, processes, activities and the OH&S management system?
While determining the hazards, has the organization taken into account changes in knowledge of, and information about, hazards?
6.1.2.2 Assessment of OH&S risks and other risks to the OH&S management system
Has the organization established, implemented and maintained processes to assess OH&S risks from the identified hazards, while taking into account the effectiveness of existing controls?
Has the organization established, implemented and maintained processes to determine and assess the other risks related to the establishment, implementation, operation and maintenance of the OH&S management system?
Are the organization’s methodologies and criteria for the assessment of OH&S risks defined with respect to their scope, nature and timing, to ensure they are proactive rather than reactive and are used in a systematic way?
Does the organization maintain documented information on these methodologies and criteria?
6.1.2.3 Assessment of OH&S opportunities and other opportunities for the OH&S management system
Has the organization established, implemented and maintained processes to assess OH&S opportunities to enhance OH&S performance, while taking into account planned changes to the organization, its policies, its processes or its activities?
Has the organization established, implemented and maintained processes to assess opportunities to adapt work, work organization and the work environment to workers?
Has the organization established, implemented and maintained processes to assess opportunities to eliminate hazards and reduce OH&S risks?
Has the organization established, implemented and maintained processes to assess other opportunities for improving the OH&S management system?
6.1.3 Determination of legal requirements and other requirements
Has the organization determined, and does it have access to, up-to-date legal requirements and other requirements that are applicable to its hazards, OH&S risks and OH&S management system?
Has the organization determined how these legal requirements and other requirements apply to the organization and what needs to be communicated?
Has the organization taken legal requirements and other requirements into account when establishing, implementing, maintaining and continually improving its OH&S management system?
Are legal requirements and other requirements maintained and retained as documented information, and are they updated to reflect any changes?
6.1.4 Planning Action
Has the organization planned actions to address risks and opportunities and legal requirements and other requirements, and to prepare for and respond to emergency situations?
How does the organization integrate and implement the actions into its OH&S management system processes or other business processes?
How does the organization take into account the hierarchy of controls and outputs from the OH&S management system when planning to take action?
How does the organization evaluate the effectiveness of its actions?
Have technological options and financial, operational and business requirements been taken into account by the organization?
6.2 OH&S objectives and planning to achieve them
6.2.1 OH&S Objectives
Has the organization established OH&S objectives at relevant functions and levels in order to maintain and continually improve the OH&S management system and OH&S performance?
Are the OH&S objectives consistent with the OH&S policy?
Are the OH&S objectives measurable (if applicable) or capable of performance evaluation, and are they monitored?
Are the OH&S objectives communicated and updated as required?
Does the organization take into account applicable requirements, the results of the assessment of risks and opportunities, and the results of consultation with workers and, where they exist, workers’ representatives?
6.2.2 Planning Actions to Achieve OH&S Objectives
When planning to achieve the OH&S objectives, does the organization determine what will be done, what resources are required, who will be responsible, when it will be completed and how the results will be evaluated, including indicators for monitoring?
Has the organization considered how actions to achieve its OH&S objectives can be integrated into its business processes?
Does the organization maintain and retain documented information on the OH&S objectives and plans to achieve them?
7 Support
7.1 Resources
Has the organization determined and provided the resources needed for the establishment, implementation, maintenance and continual improvement of the OH&S management system?
7.2 Competence
Does the organization determine the necessary competence of workers that affects or can affect its OH&S performance?
Does the organization ensure that these workers are competent (including the ability to identify hazards) on the basis of appropriate education, training or experience?
Does the organization take applicable actions to acquire and maintain the necessary competence and evaluate the effectiveness of action taken?
Does the organization retain the appropriate documented information as evidence of competence?
7.3 Awareness
How does the organization ensure that the Workers are aware of the OH&S policy and OH&S objectives?
How does the organization ensure that the Workers are aware of their contribution to the effectiveness of the OH&S management system, including the benefits of improved OH&S performance?
How does the organization ensure that the Workers are aware of the implications and potential consequences of not conforming to the OH&S management system requirements?
How does the organization ensure that the Workers are aware of incidents and the outcomes of investigations that are relevant to them?
How does the organization ensure that the Workers are aware of hazards, OH&S risks and actions determined that are relevant to them?
How does the organization ensure that the workers are aware of their ability to remove themselves from work situations that they consider present an imminent and serious danger to their life or health, as well as of the arrangements for protecting them from undue consequences for doing so?
7.4 Communication
7.4.1 General
How does the organization determine the internal and external communications relevant to the OH&S management system, including what it will communicate, when to communicate, how to communicate, and with whom to communicate internally among the various levels and functions of the organization, among contractors and visitors to the workplace, and among other interested parties?
When considering its communication needs, how does the organization take into account diversity aspects (e.g. gender, language, culture, literacy, disability)?
When considering its communication needs, how does the organization ensure that the views of external interested parties are considered?
When establishing its communication processes, has the organization taken account of its legal requirements and other requirements?
When establishing its communication processes, has the organization ensured that the information communicated is consistent with information generated within the OH&S management system and is reliable?
How does the organization respond to relevant communications on its OH&S management system?
Does the organization retain appropriate documented information as evidence of its communications, as appropriate?
7.4.2 Internal communication
How does the organization ensure that information relevant to the OH&S management system is communicated internally among the various levels and functions of the organization, including changes to the OH&S management system, as appropriate?
How does the organization ensure that its communication processes enable workers to contribute to continual improvement?
7.4.3 External Communication
How does the organization ensure that its external information is communicated as established by its communication process and also as required by the organization’s legal and other requirements?
7.5 Documented Information
7.5.1 General
Does the organization’s OH&S Management System include documents required by ISO 45001:2018 and documents determined by the organization necessary for the effectiveness of the OH&S Management System?
7.5.2 Creating and updating
While creating and updating documented information, does the organization ensure it is appropriate in terms of identification and description?
While creating and updating documented information does the organization ensure that it is in proper format and in the correct media?
While creating and updating documented information, does the organization ensure that there is appropriate review and approval for suitability and adequacy?
7.5.3 Control of documented information
How does the organization control its documented information to ensure that it is available and suitable for use, whenever it is needed?
How is the documented information adequately protected?
How is the distribution, access, retrieval and use of documented information adequately controlled?
How is the documented information properly stored, adequately preserved and kept legible?
How are changes controlled (e.g. version control)?
Are adequate controls in place for retention and disposition?
How is documented information of external origin, necessary for planning and operation of the OH&S Management System, appropriately identified and controlled?
8 Operations
8.1 Operation planning and control
8.1.1 General
How does the organization plan, implement, control and maintain the processes needed to meet the requirements of the OH&S management system and to implement the actions determined in Clause 6, by establishing criteria for the processes?
How does the organization implement control of the processes in accordance with the criteria?
How does the organization maintain and retain documented information to the extent necessary to have confidence that the processes have been carried out as planned?
How does the organization adapt work to workers?
At multi-employer workplaces, how does the organization coordinate the relevant parts of the OH&S management system with the other organizations?
8.1.2 Eliminating hazards and reducing OH&S risks
Has the organization established, implemented and maintained processes for the elimination of hazards and reduction of OH&S risks using the following hierarchy of controls:
a) eliminate the hazard.
b) substitute with less hazardous processes, operations, materials or equipment.
c) use engineering controls and reorganization of work.
d) use administration controls, including training.
e) use adequate personal protective equipment.
8.1.3 Management of change
Has the organization established processes for the implementation and control of planned temporary and permanent changes that impact performance, including new products, services and processes, or changes to existing products, services and processes, including workplace locations and surroundings, work organization, working conditions, equipment and workforce?
Has the organization established processes for the implementation and control of planned temporary and permanent changes that impact performance, including changes to legal requirements and other requirements?
Has the organization established processes for the implementation and control of planned temporary and permanent changes that impact performance, including changes to knowledge or information about hazards and OH&S risks?
Has the organization established processes for the implementation and control of planned temporary and permanent changes that impact performance, including developments in knowledge and technology?
Does the organization review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary?
8.1.4 Procurement
8.1.4.1 General
Has the organization established, implemented and maintained processes to control the procurement of products and services in order to ensure their conformity to its OH&S management system?
8.1.4.2 Contractors
Does the organization coordinate its procurement processes with its contractors, in order to identify hazards and assess and control the OH&S risks arising from the contractors’ activities and operations that impact the organization?
Does the organization coordinate its procurement processes with its contractors, in order to identify hazards and assess and control the OH&S risks arising from the organization’s activities and operations that impact the contractors’ workers?
Does the organization coordinate its procurement processes with its contractors, in order to identify hazards and assess and control the OH&S risks arising from the contractors’ activities and operations that impact other interested parties in the workplace?
How does the organization ensure that the requirements of its OH&S management system are met by contractors and their workers?
Do the organization’s procurement processes define and apply occupational health and safety criteria for the selection of contractors?
8.1.4.3 Outsourcing
How does the organization ensure outsourced functions and processes are controlled?
Does the organization ensure that its outsourcing arrangements are consistent with legal requirements and other requirements and with achieving the intended outcomes of the OH&S management system?
Has the type and degree of control to be applied to these functions and processes been defined within the OH&S management system?
8.2 Emergency Preparedness and Response
Has the organization established, implemented and maintained processes needed to prepare for and respond to potential emergency situations identified in clause 6.1.2.1?
How does the organization establish a planned response to emergency situations, including provision of first aid?
How does the organization provide training for the planned response?
How does the organization periodically test and exercise the planned response capability?
How does the organization evaluate performance and, as necessary, revise the planned response, including after testing and in particular after the occurrence of an emergency situation?
How does the organization communicate and provide relevant information to all workers on their duties and responsibilities?
How does the organization communicate relevant information to contractors, visitors, emergency response services, government authorities and, as appropriate, the local community?
How does the organization take into account the needs and capabilities of all relevant interested parties and ensure their involvement, as appropriate, in the development of the planned response?
Has the organization maintained documented information on the process and on the plans for responding to potential emergency situations?
9. Performance evaluation
9.1 Monitoring, measurement, analysis, and evaluation
9.1.1 General
How does the organization monitor, measure, analyze, and evaluate its performance?
How does the organization monitor and measure the extent to which legal requirements and other requirements are met?
How does the organization monitor and measure its activities and operations related to identified hazards, risks, and opportunities?
How does the organization monitor and measure progress towards achieving OH&S objectives?
How does the organization monitor and measure effectiveness of operational and other controls?
How does your organization determine the methods for monitoring, measurement, analysis and performance evaluation needed to ensure valid results?
How does your organization determine the criteria against which the organization will evaluate its OH&S performance?
How does your organization determine when the monitoring and measuring shall be performed?
How does your organization determine when the results from monitoring and measurement shall be analyzed and evaluated and communicated?
How does your organization evaluate the performance and the effectiveness of the OH&S management system?
How does the organization ensure that monitoring and measuring equipment is calibrated or verified as applicable, and used and maintained as appropriate?
In what form does your organization retain appropriate documented information as evidence of the monitoring, measurement, analysis and performance evaluation and maintenance, calibration or verification of measuring equipment?
9.1.2 Evaluation of Result
How does your organization establish, implement and maintain processes for evaluating compliance with legal and other requirements?
Has the organization determined the frequency with which compliance will be evaluated?
Has the organization evaluated compliance and taken action if needed?
Has the organization maintained knowledge and understanding of its compliance status with legal requirements and other requirements?
Has the organization retained documented information as evidence of the compliance evaluation results?
9.2 Internal Audit
9.2.1 General
Does the organization conduct internal audits at planned intervals to provide information on whether the OH&S management system conforms to the organization's own requirements for its OH&S management system, including policy and objectives, and to the requirements of ISO 45001:2018, and whether it is effectively implemented and maintained?
9.2.2 Internal audit program
Did the organization plan, establish, implement, and maintain an audit program?
Did the audit program include the frequency, methods, responsibilities, planning requirements, and reporting of its internal audit?
Does the audit program take into consideration the importance of the processes concerned, changes affecting the organization, and the results of previous audits?
Did the organization define the audit criteria and scope of each audit?
Does the organization select auditors and conduct audits so as to ensure the objectivity and impartiality of the audit process?
Does the organization ensure that the results of the audits are reported to relevant management, workers and, where they exist, workers’ representatives, and other relevant interested parties?
Does the organization take action to address nonconformities and continually improve its OH&S audit programme and the audit results?
Does the organization retain documented information as evidence of the implementation of the audit program and the audit results?
9.3 Management review
Does top management review the organization’s OH&S Management system at planned intervals to ensure its continuing suitability, adequacy and effectiveness?
Does the review take into consideration the status of actions from previous management reviews?
Are the changes in external and internal issues relevant to OH&S Management system considered?
Are the changes in the needs and expectations of interested parties including legal and other requirements considered?
Are the changes in the risk and opportunities considered?
Does the review take into consideration the extent to which OH&S policy and objectives have been met?
Does the review take into consideration the OH&S performance on consultation and participation of workers, and on risks and opportunities?
Does the review take into consideration the OH&S performance, including the trends in incidents, nonconformities and corrective actions, monitoring and measurement results, results of evaluation of compliance with legal requirements and other requirements, and the audit results?
Does the review take into consideration the adequacy of resources for maintaining an effective OH&S system?
Does the review take into consideration relevant communications from interested parties?
Does the review take into consideration the opportunities for continual improvement?
Do the outputs of the management review include decisions and actions related to the continuing suitability, adequacy, and effectiveness in achieving the intended outcomes?
Do the outputs include decisions related to continual improvement opportunities?
Do the outputs include decisions related to resources needed and any need for changes to the OH&S management system?
Do the outputs include actions needed?
Do the outputs include opportunities to improve integration of the OH&S management system with other business processes?
How are the relevant outputs from management review communicated to workers and, where they exist, workers’ representatives?
Does the organization retain documented information as evidence of the result of the management review?
10 Improvement
10.1 General
How do you determine and select opportunities for improvement and implement any necessary actions to achieve intended outcomes of your OH&S management system?
10.2 Incident, Nonconformity and corrective action
Has the organization established, implemented and maintained processes for reporting, investigating and taking action to determine and manage incidents and nonconformities?
When any nonconformity occurs, does the organization react in a timely manner to take action to control and correct it and deal with its consequences?
When any nonconformity occurs, does the organization evaluate, with the participation of workers and the involvement of other relevant interested parties, the need for corrective action to eliminate the root cause of the incident or nonconformity, in order that it does not recur or occur elsewhere?
How does the organization investigate the incident or review the nonconformity?
How does the organization determine the causes of the incident or nonconformity?
How does the organization determine if similar incidents have occurred, if nonconformities exist, or if they could potentially occur?
How does the organization review existing assessments of OH&S risks and other risks, as appropriate?
How does the organization determine and implement any action needed, including corrective action, in accordance with the hierarchy of controls and the management of change?
How does the organization assess OH&S risks that relate to new or changed hazards, prior to taking action?
How does the organization review the effectiveness of any action taken, including corrective action?
How does the organization make changes to the OH&S management system, if necessary?
Does your organization take corrective actions appropriate to the effects or potential effects of the incidents or nonconformities encountered?
In what form does your organization retain documented information as evidence of the nature of the incidents or nonconformities and any subsequent actions taken?
In what form does your organization retain documented information as evidence of the results of any action and corrective action, including their effectiveness?
How is this information communicated to relevant workers and, where applicable, workers’ representatives, and other interested parties?
10.3 Continual improvement
How does your organization continually improve the suitability, adequacy and effectiveness of the OH&S management system?
How does your organization enhance OH&S performance?
How does your organization promote a culture that supports the OH&S management system?
How does your organization promote the participation of workers in implementing actions for continual improvement of the OH&S management system?
How does your organization communicate the results of continual improvement to workers and, if appropriate, workers’ representatives?
How does your organization maintain and retain documented information as evidence of continual improvement?

ISO 27001:2022 Example of Setting and Monitoring of Information security Objectives

1.0 Objective :

To define a System for setting of Information Security Objectives/Key Performance Indicators (KPIs) and monitoring them for achievement.

2.0 Scope:

Relates to Objectives/KPIs related to Information Security for all the key functions of XXX.

3.0 Responsibility:

  • CISO
  • Department Heads

4.0 Procedure:

Setting of Objectives/Key Performance Indicators

Management of XXX shall set yearly Information Security Objectives/KPIs for all the Departments. Department Heads set their own objectives based upon the risk assessment. The Information security objectives/KPIs fall into 5 broad categories:

  1. IT and business alignment
  2. Information security risk management process
  3. Compliance processes
  4. Awareness process
  5. Audit processes

It is ensured that the Objectives are in line with the Corporate policy for Information Security Management.

Information Security Objectives for departments

The Department Head of each section/department sets up Information Security Objectives, which are communicated to all the key members of the team. Defined objectives cover:

  • Measurable targets
  • Time frame to achieve the targets
  • Plan of action for achievement of the Objectives.

Monitoring of Objectives

Monitoring of Objectives is done by Department Heads, and the frequency of review is set by the Department Head for each objective/KPI; reviews are usually half-yearly. The achievement of Objectives is reviewed on a six-monthly basis and recorded in the Objectives Review Report. The objectives review details are consolidated and discussed in the Management Review Meeting attended by higher management.

5.0 Records:

  1. Objectives and their Review Records (F-08)
  2. Management Review Meeting Minutes (F-10)

6.0 References:

Nil

Example of Objective

1. IT and business alignment

Fields recorded for each objective: Objective; Method/sources; Targets; Justification (target); Findings; Justification (findings); Action plans.

Objective: % of business strategic goals and requirements supported by information security strategic goals and decisions.
Method/sources: Review business strategic decisions and ensure that they have been risk-assessed in relation to IT and information security issues. Likewise all major information security strategic decisions should be reviewed and approved by upper management to ensure alignment with business services and strategies.
Targets: 100%
Justification (target): All business decisions need to be supported by IT decisions and specifically information security issues. If not relevant, this needs to be documented and approved as part of the project phase.
Findings: 50%
Justification (findings): Our latest outsourcing and IT procurement decisions have not been aligned with our IT strategy and specifically not with information security requirements.
Action plans: Ensure that IT requirements are mandatory on the agenda and all relevant information security requirements and potential issues are identified and addressed.

Objective: Level of business (stakeholders) satisfaction with offered information security services and internal support. Does information security bring value to the stakeholders?
Method/sources: Data collected through interviews or survey forms sent to relevant stakeholders of each business unit, business process or similar.
Targets: High
Justification (target): Our baseline is above average, e.g. a high level of satisfaction with offered information security services (scale going from low over medium and high to excellent).
Findings: High
Justification (findings): Compared to last year we have increased the level of satisfaction from medium to high.
Action plans: No action plans

Objective: Percentage of executive management roles with clearly defined accountability for information security decisions.
Method/sources: Review job roles and descriptions to ensure that responsibility and accountability have been defined and communicated.
Targets: 80%
Justification (target): It’s important that management and, in particular, business unit owners and IT-systems owners have clearly defined roles and accountability. We are planning to increase the number from 50% to 80% this year and next year ensure 100% coverage.
Findings: 85%
Justification (findings): We are on target this year with 85%.
Action plans: No action plans

Objective: % of changes to the information security strategy that are approved by management.
Method/sources: Review the current information security strategy or major information security strategic decisions and ensure that management has formally approved them.
Targets: 100%
Justification (target): All information security strategic decisions need to be approved by management.
Findings: 75%
Justification (findings): Some IT-strategic decisions to outsource critical IT-systems during 2022 were not risk assessed or approved by management.
Action plans: Ensure that all major IT-strategic decisions are management approved. Establish some baseline requirements for management approval. For example:
  1) Critical IT-services
  2) Sensitive data?
  3) Specific information security issues
  4) Budgetary scope
  5) Conflicts with business strategies

2. Information security risk management process

Fields recorded for each objective: Objective; Method/sources; Targets; Justification (target); Findings; Justification (findings); Action plans.

Objective: % of business processes and their services covered by the risk management process.
Method/sources: Interviews and correlation with management.
Targets: 50%
Justification (target): Depending on the current maturity level of an organisation it could be all or only some of the business processes/IT-services. Extending coverage could be part of a maturity process.
Findings: 40%
Justification (findings): Four critical business processes have not been subjected to a BIA.
Action plans: We need to find out if it’s a resource problem or poor risk planning.

Objective: % of approved risk treatment plans actually being implemented compared to the last risk assessment.
Method/sources: Correlate with previous risk assessment reports.
Targets: 100%
Justification (target): We need to ensure that proposed and approved risk treatment plans are carried through and not forgotten or “saved for later”.
Findings: 60%
Justification (findings): Only 60% of the approved action plans have been implemented this year. This is a drop of 20% compared to last year.
Action plans: Training on risk treatment for the team. Identify the root cause, e.g. is it a financial issue, lack of ownership or other factors.

Objective: Are significant organisational or technological changes being reflected in the latest risk assessment?
Method/sources: Interview and review of risk assessment reports.
Targets: 100%
Justification (target): All major technological shifts (IT-procurement, investments, outsourcing, etc.) need to be reflected in the IT-risk assessment.
Findings: 100%
Justification (findings): Our use of cloud outsourcing services and the approval of BYOD have been included in the IT-risk assessment.
Action plans: No action plans

Objective: % of IT budgets used to manage IT risk management processes. This requires information security spending to be documented.
Method/sources: Correlate total man-hours spent on the risk assessment process with the total IT-budget.
Targets: No value
Justification (target): The target could be just to track spending on IT-risk management processes. The metric doesn’t necessarily need to define a maximum % of IT budget or information security budget.
Findings: 15%
Justification (findings): Budgets and time spent on the IT-risk assessment process have increased 15% since the last assessment.
Action plans: Further analysis needs to be done. Causes can range from:
  1) Changes in the methodology
  2) Resource issues
  3) Increase in number of identified risks (correlate with other metrics)

Objective: Number of new threats and risks identified compared to the previous risk assessment.
Method/sources: Compare total numbers of risks/vulnerabilities, and/or criticality level, with previous IT-risk assessments.
Targets: 0
Justification (target): We need to reduce our risk posture and ensure that prior risks and vulnerabilities don’t reoccur.
Findings: 7
Justification (findings): The total number of critical risks/vulnerabilities is slightly increasing, but the number of recurrent risks/vulnerabilities has decreased, which indicates that we have effectively addressed the risks identified in the prior IT-risk assessment.
Action plans: Further analysis needs to be done. Causes can range from:
  1) Changes in the methodology
  2) Resource issues
  3) Increase in number of identified risks (correlate with other metrics)

Objective: Tracking changes to risk appetite. Does it increase or decrease? Can we correlate it to strategic, organisational or financial decisions?
Method/sources: Look at changes to the risk threshold. Arguments for rejections and approvals of action plans would also be a source. Correlate that with strategy changes, technology changes, security incidents, organisational changes, etc.
Targets: No change
Justification (target): Changes to risk appetite should be recorded as part of management reporting along with an explanation of possible reasons.
Findings: Decrease
Justification (findings): Our risk appetite has decreased this year compared to last year.
Action plans: Analyse why risk appetite has changed.

Objective: Level of satisfaction with the risk outcome from a business perspective. This could be the risk outcome from the BIA, vulnerability assessment or action plans. The business needs to review the quality and output of the BIA to ensure data is correct. Measurement scale: not satisfied, acceptable or very satisfied.
Method/sources: Interviews or self-assessment questionnaire.
Targets: Very satisfied
Justification (target): We need a high level of satisfaction (very satisfied) with the risk results from the BIAs and vulnerability assessments.
Findings: Acceptable
Justification (findings): Input from business owners, system owners and IT operations suggests that the results were not aligned with their expectations. There were too many errors in the assessments and especially in relation to the maturity assessment of IT-controls.
Action plans: We need to ensure that the people performing the risk assessment are adequately competent, and an internal review of results must be done before final reporting.

3. Compliance processes

Fields recorded for each objective: Objective; Method/sources; Targets; Justification (target); Findings; Justification (findings); Action plans.

Objective: Number of non-compliance issues and derived costs per year (e.g. external requirements, policies and procedures).
Method/sources: Reviewing end-of-year reported incidents, including major external audit findings.
Targets: 0
Justification (target): No major non-compliance issue with either financial or image impact.
Findings: 1
Justification (findings): We had a data breach by our outsourcing vendor.
Action plans: Review relevant IT-security processes and the vendor contract.

Objective: Time between identification of non-compliance and implementation of fixes. Helps identify problems with the efficiency of the compliance process.
Method/sources: Correlate the time of reported non-compliance issues or security incidents with the actual implementation time.
Targets: 0 cases
Justification (target): Depending on the complexity, the issue needs to be addressed within two working days.
Findings: 2 cases
Justification (findings): We had two incidents that still haven’t been resolved.
Action plans: We need to evaluate the effectiveness of the internal compliance department. Do we need to restructure the process? Are there any resource constraints or internal opposition?

Objective: Costs for fixing non-compliance issues, such as administrative work in relation to fixing the problems (process optimization, procedures, policies or IT controls).
Method/sources: Review total costs associated with fixing non-compliance against the annual IT-budget.
Targets: 20% (max)
Justification (target): Under normal circumstances, a maximum of 20% of IT-budgets is allowed for addressing security related issues.
Findings: more than 20%
Justification (findings): Costs relating to the non-compliance issue exceed the 20% limit. This includes performing a new pen-test and reworking of policies with the assistance of external consultants.
Action plans: Has a business case and cost-benefit analysis been performed? Who has reviewed and approved the spending?

Objective: Total costs (due to reputation loss, financial fines, loss of clients, etc.) per compliance incident.
Method/sources: Review total impact costs associated with the compliance issue.
Targets: 0%
Justification (target): Recording the total cost and comparing this with last year. The target is not to have an increase in costs, but a decrease.
Findings: Reduction by 15%
Justification (findings): Total cost associated with this year’s compliance incidents has decreased by 15% and there was 1 less incident.
Action plans: No action plans

4. Awareness process

Fields recorded for each objective: Objective; Method/sources; Targets; Justification (target); Findings; Justification (findings); Action plans.

Objective: % deviation when comparing established success factors for awareness campaigns with the results of implemented campaigns.
Method/sources: Comparing results from the awareness/training program with results of physical audits or employee quizzes/tests.
Targets: 80%
Justification (target): The goal was to ensure that a minimum of 80% completed the test/quiz following the campaign. Physical inspection of work areas shows a significant decrease in physical sensitive work paper, unlocked workstations, USB devices, etc.
Findings: 60%
Justification (findings): Less than 60% answered correctly on the mobile device policies and use of cloud-services. During our internal audit, we discovered unlocked workstations and customer-sensitive documents lying in the printer room.
Action plans: We need to re-evaluate the way we present the message. Perhaps we can make it more story-driven and be better at using the intranet.

Objective: Are awareness plans/strategies/sessions/courses, etc. aligned with information security risks currently of concern to the organisation?
Method/sources: Correlate awareness/training programs and strategy with the current risk posture (results from risk assessment, external requirements, security incidents, technological changes, audits, etc.).
Targets: Yes
Justification (target): There needs to be a direct link between focus-areas of awareness/training and the current risk posture.
Findings: No
Justification (findings): The awareness strategy has been arbitrarily chosen, based more on security trends and media talk than on actual risks relevant to the organisation.
Action plans: We need to ensure that it’s derived from relevant risks to our organisation.

Objective: % of IT users who have visited the security awareness intranet site so far this month.
Method/sources: Document the monthly visit rate on the information security section of the intranet.
Targets: 70%
Justification (target): Our average visit rate must not fall below 70%.
Findings: 90%
Justification (findings): The last update with the malware alert was seen by 90% of IT-employees.
Action plans: No action plans

Objective: Cost-effectiveness of the awareness and training program. E.g. can we detect a reduction in security incidents with financial impact, or impact to intangibles (image/reputation)?
Method/sources: Compare security incidents before/after awareness/training efforts. This could also include physical observations of related employee behaviour, number of support calls or input from network security (IDS, IPS, content filtering or policy violations). Other sources: results from audits.
Targets: Decrease
Justification (target): We must be able to detect a reduction in security incidents following our awareness/training programs.
Findings: Decrease
Justification (findings): All approved follow-up plans have been implemented.
Action plans: No action plans

Objective: Retention of key awareness messages: % of employees that remember awareness messages. Can be measured by doing tests/quizzes on prior awareness campaign themes.
Method/sources: Compare results of tests performed a short time after completion to tests run after a longer period of time, e.g. 2-6 months.
Targets: 60%
Justification (target): Success rate of 60% of employees remembering prior awareness/training themes.
Findings: less than 50%
Justification (findings): The knowledge of the topics drops dramatically after 6 months, compared to tests run after completion of awareness training.
Action plans: We need to maintain awareness and knowledge on important security themes by increasing the frequency of awareness initiatives.
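The tables above record each objective's target and finding as free text, which makes a half-yearly review hard to do consistently: "85%" against "80%" is a pass, "7" against "0" is a miss, and "more than 20%" against "20% (max)" or "Acceptable" against "Very satisfied" need a rule to decide. The following Python script is an added example, not part of the original procedure or of ISO 27001, showing one way to derive a status for the Objectives Review Report. The comparison rules ("min", "max", "exact", "ordinal", "track"), the `Status` values and the shortened objective names are assumptions introduced here; the targets and findings are copied from the example rows.

```python
"""Evaluate information security objectives/KPIs against their targets.

Added example for the objectives procedure; not part of the original
document or of ISO 27001. Each objective carries an explicit comparison
rule (an assumption introduced here, since the review form only records a
target and a finding as free text):
  "min"     finding must be at or above the numeric target (e.g. 80%)
  "max"     finding must be at or below the numeric target (counts, costs)
  "exact"   categorical target that must match exactly (Yes/No, Decrease)
  "ordinal" qualitative target on a named scale (low < medium < high ...)
  "track"   metric is recorded but has no pass/fail target ("No value")
"""
from dataclasses import dataclass
from enum import Enum
import re


class Status(Enum):
    MET = "met"
    NOT_MET = "not met"
    TRACK_ONLY = "track only"
    UNKNOWN = "unknown"   # finding could not be compared; needs a human look


# Ordinal scales used by the qualitative objectives in the example tables.
SCALES = {
    "satisfaction": ["low", "medium", "high", "excellent"],
    "risk_outcome": ["not satisfied", "acceptable", "very satisfied"],
}


@dataclass
class Objective:
    name: str
    target: str      # as written on the review form, e.g. "80%", "20% (max)", "High"
    finding: str     # as written, e.g. "85%", "more than 20%", "Acceptable"
    rule: str        # one of "min", "max", "exact", "ordinal", "track"
    scale: str = ""  # SCALES key, only used when rule == "ordinal"


def as_value(cell: str):
    """Turn a free-text cell into a comparable number, or None if it has none.

    Qualifiers seen on the review forms are mapped to a small offset so that
    "more than 20%" breaches a 20% ceiling and "less than 50%" misses a 50%
    floor; "Reduction by 15%" becomes -15 so it compares against "0%".
    """
    text = cell.strip().lower()
    m = re.search(r"-?\d+(?:\.\d+)?", text)
    if not m:
        return None
    n = float(m.group())
    eps = 1e-6
    if "reduction" in text or "decrease" in text:
        return -n
    if "more than" in text or "above" in text or "over " in text:
        return n + eps
    if "less than" in text or "below" in text or "under " in text:
        return n - eps
    return n


def evaluate(obj: Objective) -> Status:
    """Derive the review status of one objective from its target and finding."""
    target, finding = obj.target.strip().lower(), obj.finding.strip().lower()
    if obj.rule == "track":
        return Status.TRACK_ONLY
    if obj.rule == "exact":
        return Status.MET if finding == target else Status.NOT_MET
    if obj.rule == "ordinal":
        order = SCALES.get(obj.scale, [])
        if finding not in order or target not in order:
            return Status.UNKNOWN
        return Status.MET if order.index(finding) >= order.index(target) else Status.NOT_MET
    t, f = as_value(target), as_value(finding)
    if t is None or f is None:
        return Status.UNKNOWN
    if obj.rule == "max":
        return Status.MET if f <= t else Status.NOT_MET
    if obj.rule == "min":
        return Status.MET if f >= t else Status.NOT_MET
    raise ValueError(f"unknown rule {obj.rule!r} for objective {obj.name!r}")


def review_report(objectives):
    """Return (status per objective, names of objectives that need an action plan)."""
    statuses = {o.name: evaluate(o) for o in objectives}
    needs_action = [n for n, s in statuses.items() if s in (Status.NOT_MET, Status.UNKNOWN)]
    return statuses, needs_action


# Targets and findings copied from the example tables; names are shortened.
EXAMPLE_OBJECTIVES = [
    Objective("Executive roles with defined accountability", "80%", "85%", "min"),
    Objective("Strategy changes approved by management", "100%", "75%", "min"),
    Objective("Stakeholder satisfaction", "High", "High", "ordinal", "satisfaction"),
    Objective("IT budget spent on risk management", "No value", "15%", "track"),
    Objective("New threats and risks identified", "0", "7", "max"),
    Objective("Costs for fixing non-compliance", "20% (max)", "more than 20%", "max"),
    Objective("Total costs per compliance incident", "0%", "Reduction by 15%", "max"),
    Objective("Awareness aligned with current risks", "Yes", "No", "exact"),
    Objective("Retention of awareness messages", "60%", "less than 50%", "min"),
    Objective("Satisfaction with risk outcome", "Very satisfied", "Acceptable",
              "ordinal", "risk_outcome"),
]

if __name__ == "__main__":
    statuses, needs_action = review_report(EXAMPLE_OBJECTIVES)
    for name, status in statuses.items():
        print(f"{status.value:>10}  {name}")
    print("Action plans required for:", ", ".join(needs_action))
```

The point of the explicit rule is that "lower is better" metrics (new risks, incidents, costs) and "higher is better" metrics (coverage, approval rates) cannot be told apart from the numbers alone, and a finding that cannot be mapped onto the rule is reported as unknown rather than silently counted as met.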

ISO 27001:2022 Example of Procedure for continual improvement

1.0 Purpose

The purpose of this procedure is to continually improve the suitability, adequacy and effectiveness of the established ISMS. Continual improvement requires measuring the effectiveness and efficiency of technology, people and processes and adapting to inevitable changes in the environment – technical, organisational or otherwise.

2.0 Scope

This procedure applies to continual improvement in the ISMS for all identified processes.

3.0 Responsibility:

3.1 Department/section heads: To identify the “areas of improvement” and to implement the improvement in the section after getting the approval from the Top Management.

3.2 Management representative: To remind the department/section heads/process owners about continual improvement and to request that they present the status to the Top Management.

3.3 CISO: To approve the continual improvement plans which may improve the Information Security management system. To ensure that there are adequate resources for the plan and to monitor the status reports from the department/section heads/process owners.

4 Procedure:

The respective department/section heads shall identify the areas for improvement based on the policy, objectives and strategic plans of the organization. The areas of improvement shall be based on:

  • improvements in strategy (i.e. why things are done): Improving strategy improves or maintains the suitability of an ISMS and requires improving knowledge and understanding of the environment and threat landscape.
  • improvements in practice (i.e. what is done): Improving practice can increase the effectiveness of the ISMS and resulting security controls.
  • improvements in process (i.e. how things are done): Improving processes can increase the efficiency of controls and surrounding processes.

Improvements can be made in the short or long term. However, most improvements will follow the process below:

  • Identify opportunity for improvement.
  • Identify root cause (as applicable).
  • Allocate responsibility for implementing change.
  • Identify, analyse and evaluate (based on cost vs benefit) possible solutions.
  • Plan implementation of changes.
  • Implement changes.
  • Measure effectiveness of actions.

4.1 Steps in an improvement process

Process, with example activities for each step:

  1. Define what you should measure
     • Identify technical, operational and strategic goals
     • Define what you will measure
  2. Define what you can measure
     • Scoping
     • Risk assessment and risk treatment plans
     • Identify the strategy for improvement
  3. Gather the data
  4. Process the data
     • Implement improvement plans
     • Implement controls, services monitoring etc.
  5. Analyse the data
     • Analyse gathered data (e.g. from monitoring)
     • Carry out gap analysis
     • Internal and external audits
  6. Present and use the information
  7. Implement corrective action
     • Implement corrective actions and fixes
     • Record lessons learned
     • Feed back and report

The departmental/section heads shall identify and document the areas of improvement in the Continual Improvement Plan (F 012) form and send it to the management representative (MR) for review. The management representative (MR) shall review and send the plan to the CISO for final approval. Respective departmental personnel shall make a prioritized action plan for the areas of continual improvement, and the same shall be followed to complete the assignment in time. The respective departmental/section head shall review the status of the continual improvement plan, and the status of the plan shall be presented to management during Management Review Meetings (MRM). The effectiveness of continual improvement plans shall be monitored and reviewed periodically and the same shall be discussed in the MRM.

4.2 Sources of information and opportunities for improvement

Opportunity for improvement and sources of information:

  • Organisational changes: meetings with top management; departmental/organisational announcements, news bulletins etc.
  • Changes in business requirements/circumstances: third party requirements; public media and news; security/business conferences; team meetings; management reviews; service reviews.
  • Change in security requirements: policy reviews; information security incidents; service requests; change requests; bulletins and announcements.
  • Changes in regulatory environment: notifications from suppliers; notifications from third parties; notification from statutory bodies, e.g. the Information Commissioner’s Office; internal security forums; security mailing lists.
  • Contact with Special Interest Groups: security conferences and community meetings; security mailing lists.
  • Changes in skill sets: recruitment of new staff; knowledge gained from training.
  • User/customer engagement: service requests; user satisfaction surveys; knowledge bases.
  • Service requests: service desk management tools; knowledge bases.
  • Risk assessments: risk assessment outputs; gap analysis reports.
  • Vulnerabilities: vendor vulnerability announcements; security community mailing lists; results from penetration testing and vulnerability scanning; log files; service requests and notifications from users/customers.
  • Information security incidents: intrusion detection/prevention system alerts; log files and network flows; knowledge gained from analysing and resolving incidents.
  • Internal audit and review: review meetings; policy reviews; audit reports; vulnerability scanning and penetration testing reports; security reviews.
  • External audits: review meetings; audit reports; vulnerability scanning and penetration testing reports; security reviews.

5 Reference:

Continual Improvement Plan

Example of Procedure for QMS continual improvement

1.0 PURPOSE

The purpose of this procedure is to identify any possible failures or breakdowns, as well as opportunities for improvement.

2.0 SCOPE

This procedure applies to continual improvement in the QMS for all identified processes.

3.0 Process

3.1 Responsibilities

  • Management Representative
  • Document Controller
  • Process Owner
  • Departmental Head

3.2 Identification and Basis of areas of Improvement

The Management Representative and the respective departmental heads identify the areas for improvement based on the policy and objective of the company. The areas of improvement shall also be based on:

• Corrective Action Requests
• Management review meeting output
• Audit reports
• Analysis of data

3.3 Documentation, Action Plan & Summary of Implementation

The departmental heads and, where required, the Management Representative shall sum up all the areas of improvement and document them in the Continual Improvement Plan (F 005), which shall be distributed to all concerned departmental heads. Respective departmental heads shall brainstorm in departmental meetings the methodology to be adopted; this methodology shall be implemented and it shall be ensured that continual improvement is achieved. Respective departmental personnel shall make an action plan for the areas of continual improvement, and this plan shall be followed to complete the assignment on time. Respective departmental heads shall sum up the methodology and the benefit achieved by adopting the continual improvement assignment, and present this to management during Management Review Meetings. Continual improvement shall be identified in all areas of operation, and effort shall be taken to ensure that improvement is pursued on a continual basis.

3.4 Training & Monitoring of Progress/ Effectiveness

Training shall be imparted to all concerned on the concept of continual improvement and the tools to be used to achieve the improvement. Effectiveness of continual improvement assignments shall be monitored and revised periodically and the same shall be discussed in MRM.

4.0 Related Documents

Continual Improvement Plan

Example of Procedure for ISO 27001:2022 Management Review

1. SCOPE

This procedure applies to all the activities within the scope of the XXX Information Security Management System (ISO 27001:2022).

2. PURPOSE

2.1 To ensure that top management systematically reviews the ISMS and its performance in accordance with the established operating procedures.

2.2 To review the adequacy, suitability, and effectiveness of previous corrective and preventive actions, including those related to outsourced service and supplier performance.

2.3 To identify strengths and opportunities for improvement and make recommendations for continual improvement.

3. REFERENCE DOCUMENTS

3.1 XXX Information Security Management System Manual.
3.2 Procedure for Internal ISMS Audit.
3.3 Procedure for Nonconformity & Corrective Action.

4. TERMS & DEFINITIONS

4.1 Management Review: a cross-functional review by an organization’s top management, carried out at regular intervals, aimed at assessing the organization’s success in achieving its established objectives, thus ensuring the continued suitability, adequacy and effectiveness of the system, and at taking corrective action when necessary.

4.2 ISMS Objective: a statement that describes what should be achieved within the time frame and available resources. It shall be consistent with evidence-based practice and with the vision the institution sets for itself.

4.3 Audit: a systematic, independent, and documented process for obtaining audit evidence (records, statements of fact, or other information which are relevant and verifiable) and evaluating it objectively to determine the extent to which the audit criteria (a set of policies, procedures, or requirements) are fulfilled.

5. RESPONSIBILITY AND AUTHORITY

The following will be responsible for the process of preparing for the Management Review Meeting:
5.1 CEO:
5.1.1 Assure the implementation of the MR policy.
5.1.2 Chair the MR meeting.
5.1.3 Invite members of the top management to the meeting.
5.1.4 Invite other categories of staff as necessary (e.g. quality focal points, internal auditors).
5.2 CISO and staff of the department:
5.2.1 Set, in coordination with the Director, the date and time of the meeting.
5.2.2 Prepare and present the agenda of the meeting according to the agenda stated in section 6.2.
5.2.3 Take the list of attendance.
5.2.4 Make minutes of the meeting that include the discussion points raised, the suggestions made, and the decisions taken during the output session.
5.2.5 Follow up on the decisions taken during the output discussion.
5.2.6 Follow up on the implementation of the MR.

6. DETAILS OF PROCEDURE

6.1 Attendants:

6.1.1 The top management review meeting shall be held once a year. The meeting is allocated a maximum of 2 hours 30 minutes, distributed as follows:

1 hour: presenting the review input.
30 minutes: questions and answers.
1 hour: review output (it is recommended that this section is attended by the CEO, CISO, directors, and heads of departments).

6.1.2 The management review meeting is chaired by the CEO, or by the CISO if the CEO is not available. In that case, the CISO must brief the CEO on the findings and the output of the meeting.

6.2 Agenda of MR:

6.2.1 Review Input: this part of the review shall include information on:

  1. Follow-up actions from previous management reviews. This refers to all issues raised or resolved since the last review, to make sure problems are being resolved properly and to look for trends in the data. The actions taken as a result of the previous MRM must be reviewed. It must be verified that all the actions have been taken, and the effectiveness of the actions taken must be verified. In case an action was not completed or was found not to be effective, the root cause must be identified and corrective action should be taken.
  2. Changes in external and internal issues that are relevant to the information security management system.
  3. Changes in needs and expectations of interested parties that are relevant to the information security management system.
  4. Status of nonconformities and corrective actions. This refers to reporting the steps that have been taken to manage failures detected, as well as steps to avoid the occurrence of any potential problems that are likely to arise.
  5. Process and results of performance monitoring and measurement. This refers to reporting whether XXX is reaching and/or maintaining performance targets.
  6. Results of audits. This refers to reporting the results of audits (internal and external) carried out during the previous period. It should include the presentation of data analysis showing strengths and opportunities for improvement in the system.
  7. Information security objectives. This refers to the information security objectives established during the previous MRM. The review must verify whether the objectives were met and, if they were not, what the root cause was and what corrective action was taken. The information security objectives for the next year must also be established, based on the audit findings and the results of performance monitoring and measurement.
  8. Feedback from interested parties. This is done through analysis of the reported results of feedback from interested parties collected through various channels such as satisfaction surveys and the compliments and complaints system. The reporting should look closely at both negative and positive feedback.
  9. The results of the event and incident reporting system and their analysis.
  10. The effectiveness of actions taken to address risks as a result of risk assessment, and the status of the risk treatment plan.
  11. Opportunities for continual improvement. This refers to proposing corrective and preventive actions based on the outcome of the review of the system carried out since the last MR, in order to improve the quality of the ISMS.

6.2.2 Review Output: this part of the review shall be allocated to discussing and deciding on the actions to be taken to improve the management system, services/processes, and the resources needed. The output shall include any decisions and actions related to:

  1. Improvement of the effectiveness of the information security management system and its processes. This refers to deciding, based on the information discussed, whether there are areas where worthwhile improvements can be made.
  2. Any need for change in the Information Security Management System.

6.3 Forms and records of the review:

The record of the review will be maintained by the IT department and a summary report of the meeting will be sent to the Management Representative.

7. RETAINED DOCUMENTED INFORMATION

7.1 Management Review record (ISMS F027)
7.2 Data analysis reports (ISMS F028)
7.3 Management review agenda and minutes (ISMS F029)

ISO 9001:2015 Example of Setting and Monitoring of Quality Objectives

1.0 Objective:

To define a system for setting Quality Objectives/Key Performance Indicators (KPIs) and monitoring them for achievement.

2.0 Scope:

Relates to Objectives/KPIs for all the key functions of XXX.

3.0 Responsibility:

  • CEO
  • Department Heads

4.0 Procedure:

Setting of Objectives /Key Performance Indicators

Management of XXX shall set yearly Business Performance Objectives/KPIs for all the departments. Department Heads set their own quality objectives based upon the KPIs assigned to them by Management. The quality objectives/KPIs fall into 3 broad categories:

  1. Customer oriented
  2. Business Process oriented
  3. Innovation and Learning oriented

It is ensured that the Objectives are in line with the quality policy.

Quality Objectives for departments

The Department Head of each section/department sets quality objectives, which are communicated to all the key members of the team. The objectives include conformity of products & services (quality related) and enhancement of customer satisfaction. Defined objectives cover:

  • Measurable targets
  • Time frame to achieve the targets
  • Plan of action for achievement of the Objectives.

Monitoring of Objectives

Monitoring of Objectives is done by Department Heads. The frequency of review is set by the Department Head for each objective/KPI and is usually half-yearly. The achievement of Objectives is reviewed on a six-monthly basis and recorded in the Objectives Review Report. The objectives review details are consolidated and discussed in the Management Review Meeting attended by higher Management.

5.0 Records:

  1. Quality Objectives and their Review Records (F-08)
  2. Management Review Meeting Minutes (F-10)

6.0 References:

Nil

Example of ISO 27001:2022 ISMS Awareness and Training Procedure

1. Purpose

The purpose of this procedure is to:
● Ensure protection of sensitive information in accordance with ISO 27001.
● Provide a system and instructions.
● Assign responsibilities for identifying training needs.
● Provide the required training for establishing awareness programs.
● Maintain training records.

2. Application

This procedure applies to all training and awareness programs.

3. Scope

All employees (classified, hourly, contractors, business partners)

4. Procedure

4.1 General

  • The objective of the training program is to ensure that employees possess the required knowledge and skills for performing their jobs, and that they are familiar with the relevant requirements of the information security system pertaining to their job functions.
  • Awareness programs focus on understanding the importance of customer requirements, and the relevance of individual contributions towards meeting these requirements and achieving the security policy and objectives.
  • Employees are made aware of the types of device defects which may occur from the improper performance of their specific jobs.

4.2 Competence requirements, security and privacy awareness and training needs

  • Company-wide training and awareness programs are provided to all employees, irrespective of their function and position in the company. These programs include general orientation, rules and regulations, safety, and other such company-wide systems and issues. The Compliance department, together with the SecOps unit and the CISO, is responsible for determining requirements and identifying training and awareness needs for company-wide programs.
  • Training and awareness programs will be performed when environmental or operational changes affect the security of electronic PHI (ePHI), credit card information or other sensitive data (for example new or updated policies or procedures, new or upgraded software or hardware, new security technology, or new threats or vulnerabilities to ePHI and/or credit card information), and at least once a year. The training and awareness programs performed at least once a year will include:
    • Protection from Malicious Software – any employee who has access to ePHI, credit card information or other sensitive data must be trained to identify the symptoms of malicious software, and the procedures for reporting and controlling such problems.
    • Log-In Monitoring – employees should be trained to recognize discrepancies in log-in procedures, and technical safeguards must be in place to detect suspicious log-in activity. Routine monitoring of account activity, such as detecting repeated incorrect password entries, should be performed, and employees should know how to recognize when their accounts may have been accessed without their knowledge.
    • Password Management – employees should be trained in creating, changing and safeguarding secure passwords. This guidance in particular must be periodically reviewed to ensure it remains effective as password requirements change over time.
  • Competence requirements and training needs for specific positions and jobs are defined in the Job Descriptions maintained by the relevant departments, using the Job Description form.
  • Training needs for individual employees are determined on the basis of their education, experience and job performance, including periodic evaluations conducted by Human Resources.

5. Company-wide training and awareness programs

5.1 General orientation training:

Human Resources provides employee orientation training to all new and existing employees. This training familiarizes employees with administrative rules, employee programs and benefits, etc.; and explains the product, product requirements, and the information security system:

  • Overview of the company’s information security system;
  • Discussion of security and privacy policy; and
  • Explanation of how individual employees can contribute to maintaining and improving the information security system.

Participation in the employee orientation training is recorded. These records are maintained by Human Resources.

5.2 General orientation and information security system training:

  • The CISO is responsible for promoting constant awareness for information security among the users of information systems.
  • The Compliance Officer is responsible for issuing an information security awareness program at least once a year, which includes continuous awareness training and updates. The HR department is responsible for updating the Compliance department on incoming new employees (including their role, start date and employment emails). The Compliance department is responsible for liaising with SecOps and the CISO to determine the most appropriate training courses as per certification/legal requirements and the expert opinion of the CISO. Awareness of information security derives from constant exposure to security issues. The CISO is responsible for the allocation of training/marketing resources for security issues such as ePHI and/or credit card information, including the following:
    • Use of company-wide systems: Wide groups of employees are trained in the use of interdepartmental systems, such as part and material coding/numbering system, bar-code system, retrieval and creation of electronic (computer) documents and records, and so forth. Training is provided by the department that is responsible for the system. Training records are maintained by the department that provides training and monitored by the Compliance Officer to ensure enforcement.
    • Media Control: Training on media control covering removal and receipt of hardware/software including access control, accountability, data backup, data storage, mobile storage devices, and disposal of electronic data.
    • External training: Seminars, conferences, and other forms of external training. Requests for external training are evaluated and processed by Human Resources.
    • Self-study: The Company encourages personnel on all levels to read professional reports, magazines, and books. Requests for magazines and books are evaluated and processed by individual departments. Self-study is considered in formal recognition of skills as an alternative form of training. Where appropriate, self-study is recorded.
    • Report: Implementing an Incident response plan that helps employees identify potential incidents, and understand what steps to follow in the event of potential data breaches.
    • Document: Documentation of training is automated within the training monitoring tools, which are supervised by the Compliance team.

6.0 Training and Awareness Monitoring Tools

  • Learning Management System: The Company uses a Learning Management System (“LMS”) through which employees complete the required training courses online, customized to the specific department and role they fulfill.
  • The courses are interactive and contain questions throughout that must be passed in order to receive the certificate for the specific course.
  • Emails are automatically sent to employees on their first day of employment from the LMS platform to set up their individual accounts and with a link to the required courses. Employees are required to complete critical security related courses within 1 week of the start of their employment.
  • Further retraining is required on a periodic basis (yearly and quarterly depending on the role within the company).
  • The LMS sends reminder emails 3 days before the completion deadline to employees who have not completed the required training.
  • An email is sent to the Compliance department if the deadline has passed without completion of the required training. Further action will be taken if required.

7.0 Departmental training

  • As part of their training, personnel are made aware of device defects which may occur from the improper performance of their specific jobs. Also, personnel who perform verification and validation activities are made aware of defects and errors that they may encounter.
  • On-the-job training, i.e. working under the supervision of a more experienced employee, is provided to all personnel in any new or modified job affecting product quality. On-the-job training is recorded, including its scope, duration, and the name of the person who supervised the training.
  • Employees who have been performing their jobs or functions for at least six months prior to the initial implementation of this procedure may have their qualifications formally confirmed by their supervisors or departmental managers, without having to go through the initial training. This confirmation is documented in a written statement, including specific designation of the particular jobs and functions for which the employee is being confirmed. The confirmation record is equivalent to a training record, and is filed and maintained as such by Human Resources.
  • Employees who do not perform satisfactorily are provided with additional or repeated training.

8.0 Training effectiveness evaluation

The method used for evaluation of effectiveness for each training activity will be proportionate to the risk involved in the work for which the training is provided. The following methods and approaches are used for evaluating the effectiveness of training provided:

  • Follow-up evaluation of individual employees: Following competency or skill training, employees are evaluated by their supervisors or departmental managers. This evaluation assesses whether a particular training has achieved its objectives and if the employee is sufficiently competent and/or skilled to perform the new job function for which he or she was trained. Results of this evaluation are recorded and are kept together with the original training record.
  • Review of overall performance in areas related to particular training: When wider groups of employees are trained in safety, emergency procedures, or interdepartmental systems, this type of training is evaluated by comparing statistical performance data from before and after the training was provided. For example, the effectiveness of safety training is measured by tracking rates of work-related accidents.
  • Correlation of training with nonconformities and system failures: Training and competency are always considered when investigating the causes of product and process nonconformities and failures of the information security system. When inadequate training is the cause, the investigation goes further to determine specifically which particular training is at fault. This training is then reviewed and improved, by changing its scope, format, or frequency, as appropriate.
  • Global evaluation of training by management review: Training and awareness programs and their effectiveness are evaluated by management reviews. This includes presentation and discussion of data correlating information security performance in particular areas with specific training and awareness programs. Operational Procedure, Management Review, defines this process.
  • LMS metrics: Employees must complete testing during the process of completing required courses within the LMS. Metrics are predefined to evaluate employee understanding of materials and to ensure an adequate level of comprehension based on the risk associated with each topic.

Example of ISO 27001:2022 Corrective Action Procedure

1 Introduction

This procedure describes the steps to be taken when a nonconformity is found within the Information Security Management System (ISMS). A nonconformity is defined by ISO as the “non-fulfilment of a requirement”.
This is a wide definition which basically means that the ISMS is not succeeding in its purpose, which is to fulfil the information security requirements of the organization. A nonconformity may arise for many reasons, in many forms and from many different sources. The purpose of this procedure is to ensure that nonconformities are recorded when they are identified, and that the appropriate steps are taken to address both the immediate and the wider actual and potential impacts of the nonconformity.
In addition to internal and external audits, nonconformities may be identified from the day-to-day performance of procedures, management meetings, and communication with suppliers, customers and other interested parties.

2 Nonconformity Management Procedure

2.1 Procedure Diagram

The procedure for identifying and managing nonconformities is summarized in the diagram below. The detail of the steps is described in the following sections.

2.2 Identifying Nonconformities

Nonconformities may be identified from any source and the [Information Security Manager] will encourage staff, users, customers and suppliers to propose ways in which they can be addressed. Such nonconformities may be identified from:

  • Security reviews
  • Team meetings
  • Supplier meetings
  • Risk assessments
  • User surveys
  • Internal and external audits

However, the above is not an exhaustive list.

2.3 Add to Nonconformity and Corrective Action Log

Once identified, the nonconformity will be documented within the Nonconformity and Corrective Action Log with a status of “Open”. At this stage, the action to correct the nonconformity has not necessarily been determined. As much detail as possible should be specified as to the exact nature of the nonconformity.

2.4 React to the Nonconformity

If action needs to be taken to address the nonconformity immediately then this should be done without delay. This may be to fix it, stop it from getting worse or to reduce its effects until further action may be taken. Appropriate resources should be allocated to addressing the nonconformity depending on the current assessment of its seriousness. Actions taken should be recorded in the action log, with dates.

2.5 Cause determination

Once logged and initial reactive actions put in place, the nonconformity will be evaluated to assess its underlying cause, i.e. why it has arisen. Other parties may be consulted during this stage to understand the mechanism and events leading to the nonconformity. The identified cause should be recorded in the action log with as much description as appropriate.

2.6 Assess potential impact

Once the cause is understood, a review should be undertaken to assess whether similar nonconformities already exist elsewhere within the ISMS and whether they could potentially arise in the future. The findings of this review should be recorded in the action log.

2.7 Implement corrective action

Once the cause and real or potential impact has been established, appropriate corrective action should be identified to address both the current situation and potential future impact of the nonconformity. The expected benefits of correcting the nonconformity should be sufficient to justify the resources required to achieve the corrective action. The details of the corrective action to be taken should be recorded in the action log, along with the timescale and person responsible. Dated progress updates should also be added when appropriate. Once corrective action has been completed the status of the nonconformity record within the Nonconformity and Corrective Action Log should be updated to “Review Pending” and the date of closure recorded.

2.8 Review effectiveness of corrective action

After a reasonable period of time (which will depend on the nature of the nonconformity and the corrective action) the effectiveness of the corrective action should be reviewed to assess whether it has fixed the issue, including its actual and potential impacts. If the benefits expected are not achieved, the reasons for this will be investigated as part of the regular management review meeting. If successful, the date and results of the review will be recorded, and the status of the nonconformity will be updated to “Closed”.

2.9 Amend ISMS if necessary

If the nonconformity is judged to have occurred due to a fault in the ISMS, it may be necessary to amend the ISMS itself, including any relevant policies, procedures and forms. This should be done with the agreement of top management.