Example of Procedure for QMS continual improvement

1.0 PURPOSE

The purpose of this procedure is to identify any possible failures or breakdowns, as well as opportunities for improvement.

2.0 SCOPE

This procedure applies to continual improvement in the QMS for all identified processes

3.0 Process

3.1 Responsibilities

Management Representative
Document Controller
Process Owner
Departmental Head

3.2 Identification and Basis of areas of Improvement

The Management Representative and the respective departmental heads identify the areas for improvement based on the policy and objective of the company. The areas of improvement shall also be based on:

• Corrective Action Requests
• Management review meeting output
• Audit reports
• Analysis of data

3.3 Documentation, Action Plan & Summary of Implementation

The departmental heads and where required the Management Representative shall sum-up all the areas of improvement and shall document the same in Continual Improvement Plan F 005 and the same shall be distributed to all concerned departmental heads. Respective departmental heads shall brainstorm in the departmental meetings the methodology to be adapted and the same shall be implemented and ensured that continual improvement is achieved. Respective departmental personnel shall make an action plan for the areas of continual improvement and the same shall be followed to complete the assignment on time. Respective departmental heads shall sum-up the methodology and the benefit that has been achieved by adapting the continual improvement assignment and the same shall be presented to the management during Management Review Meetings. The continual improvement shall be identified in all areas of operation and effort shall be taken to ensure that the continual improvement is on continual basis.

3.4 Training & Monitoring of Progress/ Effectiveness

Training shall be imparted to all concerned on the concept of continual improvement and the tools to be used to achieve the improvement. Effectiveness of continual improvement assignments shall be monitored and revised periodically and the same shall be discussed in MRM.

4.0 Related Documents

Continual Improvement Plan

ISO 9001:2015 Example of Setting and Monitoring of Quality Objectives

1.0 Objective :

To define a System for setting of Quality Objectives/Key Performance Indicators (KPIs) and monitoring them for achievement.

2.0 Scope :

Relates to Objectives/KPIs for all the key functions of XXX

3.0 Responsibility:

CEO
Department Heads

4.0 Procedure:

Setting of Objectives /Key Performance Indicators

Management of XXX shall set yearly Business Performance Objectives/KPIs for all the Departments . Department Heads sets own quality objectives based upon the KPIs assigned to them by Management. The quality objectives /KPIs fall into 3 broad categories :

Customer oriented
Business Process oriented
Innovation and Learning oriented

It is ensured that the Objectives are in line with the quality policy.

Quality Objectives for departments

The Department Head of each section/department sets up quality Objectives and are communicated to all the key members of the team. The objectives include conformity to products & services (quality related ) and enhancement of customer satisfaction. Defined objectives cover:

Measurable targets
Time frame to achieve the targets
Plan of action for achievement of the Objectives.

Monitoring of Objectives

Monitoring of Objectives is done by Department Heads and the frequency of review is set by the Department Head , for each objective / KPI and are usually half-yearly. The achievement of Objectives is reviewed on a six monthly basis and are recorded in the Objectives Review Report . The objectives review details are consolidated and discussed in the Management Review Meeting attended by the higher Management.

5.0 Records:

Quality Objectives and their Review Records ( F-08)
Management Review Meeting Minutes. ( F-10)

6.0 References:

Nil

Example of QA QC plan

1.0 Introduction

Brief introduction of your company.

This manual shall cover all the requirement of Quality Control and Quality Assurance for the YYY to be performed by ZZZ subsidiary of ABC . This Manual is prepared to comply the general procedures and guidelines to be followed by the manufacturing personnel in carrying out all aspects of the tasks in production process. This Plan mainly provides procedures for carrying out tasks related to inspection, testing and reporting. However, this Plan does not deal with day-to-day technical requirements, nor does it provide solutions to technical problems, as these technical issues are usually administered by the Specifications, drawing and other Documents.
This document is prepared based on the latest version of Qatar Construction Specification since, all the works in the State of Qatar have to fulfill the requirements of this National Standards. Any special requirements for the projects or refer to the international standards, also be follow determined and amended for the projects specific.
It is to be noted that although the intention of this Plan is to provide efficient, high quality and safety, adherence to the adopted guidelines does not necessarily guarantee that these attributes are achieved. This directs to the need, therefore, for all users to exercise judgment based on good engineering practice in all cases rather than blind adherence to the adopted guidelines. This also directs to the urgent need to periodically review and update relevant guidelines and procedures, and hence the Plan is to be seen as an involving guide.
i. Production and Manufactured items
ii. Handling & Storage level
There are some other tasks which has to be undertaken by other parties, since XXX do not carry out any design and development. It has been determined that all the parties have their own Quality Control and Quality Assurance plan to execute their scope of works.
This Quality Control and Assurance plan is intended for use by XXX- ABC as a Contractor in execution of the works.

2.0 Quality Policy Statement

Enter you Quality Policy here

3.0 Definition

3.1 Quality Assurance: Quality Assurance is defined as all the planned and systematic activities implemented within the Quality System and demonstrated as needed to provide adequate confidence that an entity will fulfill the requirements.

3.2 Quality Control and Assurance Plan: Quality Control and Assurance Plan is a base document outlining policy, procedures, responsibilities, compliance, acceptance criteria and documentation needed for the successful implementation of a project. It should be prepared and accepted by all parties concerned before the start of a project. It generally covers the following:

Identification of all parties involved in QA and their interrelationship;
Internal QA System of each party;
Levels of Cross-checking/verification in case of multiple verification/ controls, including systems of inspection and audit wherever applicable;
Organization of personnel, responsibilities and lines of reporting for QA purposes;
Criteria for acceptance/rejection, including identification of proper authorities for such decision;
Inspection at the end of defect liability period;

3.3 Quality Control: Operational techniques and activities that are used to fulfill requirements for quality, all of those are planned and systematic, actions necessary to provide confidence that a product or service will satisfy given requirements for quality.

3.4 Corrective Action: An action taken to eliminate the cause of a detected nonconformity or other undesirable situation

3.5 Defect: The non-fulfillment of a requirement that is recognized and corrected while in current process. For example, a misplaced cleat detected at the fit checking stage may be directed back to the fitting station for proper relocation; this may be considered a defect and not a nonconformity.

3.6 Document: Information and its supporting medium used to define and/or establish quality requirements

3.7 Nonconformity: The non-fulfillment of a requirement

3.8 Objective Evidence: Data supporting the existence or verity of something

4.0 Management System

4.1 Understanding the organization and its context:

XXX – ABC which is a division of XXX has been in operation since year of 0000. Designing, cutting, bending, welding and rolling of steel including prefabrication works (Steel moulds, tanks, etc.) as well as steel pipes as per the client’s requirements,. The Quality Assurance Plan is the methodology that is selected for ensuring that the project incorporates all elements that are needed for the successful completion of the project. The QAP shall deals with all aspects of selections and testing of materials acceptance criteria, guidance for nonconforming materials and works and documentations. All the testing activities have been subcontracted to an Independent third party laboratory that is responsible for the sampling, testing, and preparing reports of tests. However the test reports shall be reviewed by the QA/QC Engineer and deals with if there is any deviation. ABC as part of XXX has a established Quality Management System Plan (part of the integrated Management System), implemented and committed to continual improvement of Quality Management system as per the ISO 9001 standard requirements. As thrive to give highest quality products and services, XXX always focus on the customer requirements collect their feedback and improve in quality of products and services. The Management of construction projects is basically focused on the same as Quality Management system. XXX reviews and analyses the key aspects of itself and its stakeholders to determine the strategic direction of the organization. Internal and external issues that make impact on the XXX’s core business process and its stakeholder’s interest are taken into consideration, monitored and implemented. Changes in the market, technologies, laws, regulations, economy, government policies competitors, cultural and social responsibilities, are also being taken into consideration while carrying out business operation, by:

Understanding our core products and services, and scope of management system
Maintaining a Register for the internal and external issues determined by QDC which is reviewed annually.

Outsourcing of activities are strictly controlled and ensured that the requirements of the product and QA/QC requirements of the XXX are maintained throughout the product manufacturing lifecycle

4.2 Understanding the needs and expectations of the interested parties

Understanding needs and expectations of the interested parties are of key concern to XXX and have ensured through regular meeting with relevant section managers to clearly understand who they are and how they can affect the organizational ability to consistently perform. For this XXX,

Maintains a register for determining who are the relevant interested parties and are monitored in regular frequency
Regularly updates the needs and expectations of the interested parties so that they are clearly understood and met
Where applicable to be added as legal and other requirements the respective process owners shall inform the management and update it.

4.3 Scope and Application:

XXX – ABC (ZZZ) aims to provide highest quality of product and services to its customers. Towards achieving this overall policy, XXX – R&M Division realize the importance of Quality assurance in the production process. Quality Assurance Systems are needed for manufacturing at various levels.

4.4 Process

Enter your process map here

5.0 Leadership

5.1 Leadership Commitment

Management is responsible for ensuring that:

A documented statement is in place that describes the Fabricator’s Quality Policy with respect to commitment and quality objectives,
All employees are made fully aware of their authority and role in the Quality System
A Quality System that conforms to the requirements of this Quality plan is implemented,
A senior-level management representative Mr Pretesh Biswas is appointed to ensure that the requirements of the Quality System are maintained and reported,
A quality system audit is carried out by a third party at a maximum interval of one year,
The Quality System is reviewed at a senior management level at a maximum interval of one year, or more frequently, to ensure its continuing suitability and effectiveness,
Adequate resources are provided to carry out the Quality System including performance and verification of work.

5.2 Organization Roles, Responsibilities and Authorities

Each employee is responsible for the quality of his or her own work and carries an equally important share in the effectiveness of the quality assurance process. All employees are responsible to ensure that the work performed by them conforms to a standard of workmanship required by the company in accordance with the applicable contract requirements. Management is responsible for ensuring that responsibility and authority is defined for carrying out the following:

ensuring that all product quality verification are carried out on a continuous basis,
dealing with nonconformities and ensuring that the specified dispositions are carried out on a continuing basis,
communicating with the customer’s appointed inspection representative(s),
work is carried out in accordance with the applicable codes and standards;
all welding is in accordance with the applicable codes and standards
nonconformities of a technical nature are dealt with in accordance with the applicable codes and standards,
ensuring that all production personnel understand the contract requirements pertinent to their assignment,
providing sufficient notice and making proper arrangements for required inspection,
ensuring that all contract requirements, including revisions, are conveyed to the relevant departments and incorporated into the detail drawings and other fabrication data,
purchasing all items in accordance with the contract requirements, including revisions and obtaining the required documentation.

The Section Manager shall be responsible for managing all resources. The Section Manager shall designate the Quality Control and operation staffs and deliver the duties and responsibilities of all workforce as per the requirement. Section Manager shall be responsible to plan the daily production, communicate the programme and ensures the availability of all necessary resources.

QA/QC Engineer shall be responsible to establish the quality control procedures, measuring and monitoring procedures as per the defined standards and product requirements. Pre/Post-Inspection of the material to assure compliance with client requirement, prepare sampling and testing plan and supervise testing, receive test reports, check the compliance and submit to the clients as quality assurance documents for approval.

Safety Officer shall be responsible to establish safety Plan, guidance, identification of Safety Hazards, measure/monitor the safety appliances at yard area, also identifies the safety training course as per the requirements and other task as per the HSE plan.

Enter your organization chart

6.0 Planning

6.1 Actions to address risks and opportunities

Management system risk identification, assessment and risk treatment shall be appropriate to XXX’s needs and situations. These processes shall be undertaken in the following sequence:

Identifying risks
Analyzing risk
Evaluating risk
Identifying and evaluating existing risk controls
Further risk treatment and opportunity for improvement

Management system risk assessment shall be a live process and the process of risk identification, assessment and risk treatment shall be reviewed and performed once a year or when one of the following may occur

New management system (new service, association, acquisition etc)
Changes within the organization (Organizational change)
Major client dissatisfaction
Changes in legislation
Changes in the management system
Changes in the needs and expectations of the interested parties
Incidents (Major only – Fatality or permanent disability due to management system processes, other shall be assessed in the hazard risk assessment procedure)
Changes brought about by corrective action

The process owners will decide based on the criticality of the process to review and update the management system risk assessment.

6.1.1 Risk Identification

The process owners shall identify the processes which are identified as Critical for the management system while identification of management system risks. Identification of management system risks shall cover, but not limited to, the following:

Routine and non-routine activities
All management system processes including ones associated with consultants, sub consultants contractors, sub-contractors, management system partners, suppliers, government , public, customer representatives, service providers, employees, etc
Information’s received and processed
Physical Asset and finances – Infrastructure, materials, equipment at work place (both owned by Organization or service providers), financial risks on projects.
Changes or proposed changes in organization or its activities or type of materials used
Modification of management system and its effects on activities
Applicable legal obligations and implementation of necessary controls
Past, ongoing and future activities and services
Needs and expectations of interested parties
Internal and external issues

The process owners in consultation with the top management, and with appropriate participation of XXX employees, shall ensure that management system risks associated with the processes under their responsibility and control are identified. The process owners/ managers in consultation with the MR, Top Management, QC/QA incharge and with appropriate participation of the employees, shall ensure that management system risks associated with the processes under their responsibility and control are identified and documented. All the identified risks shall be documented in the Risk Assessment Register (QF 01) format.

6.1.2 Analyzing Risk
Likelihood & consequence
The identified management system risk shall be assessed taking account of the likelihood (L) of its occurrence and the Consequences (C) of its effect. The consequences and likelihood shall be documented based on the risks identified in Risk Assessment Register (QF 01).
Tabular information
The following table lists the Level & Criteria/ Score for the Likelihood &Consequences of the Risk. The risk analysis is carried out with reference to the tabular information.

*Consequences*			*Likelihood*
Level	Descriptor	Criteria	Level	Descriptor	Criteria
1	Insignificant	Very little Impact – negligible	1	Rare	5% chance of happening
2	Minor	Impact available but will not affect management system	2	Unlikely	30% chance of happening
3	Moderate	Impact available, will affect management system and needs correction to avoid affecting management system	3	Possible	60% chance of happening
4	Major	Impact available, will affect management system, loss of image and needs major correction to avoid affecting management system continuously	4	Likely	80% chance of happening
5	Catastrophic	Impact available, will affect management system, loss of image and needs to shutdown management system	5	Almost certain	95% chance of happening

Risk rating & calculation of risk
The rating of the risk is generated from the combination of its likelihood of occurrence and severity of effect indicated as
Risk = Consequences X Likelihood

6.1.3 Evaluating Risk

Risk rating & risk level
The rating of the risk is generated from the combination of its likelihood of occurrence and consequence of effect. The risk Level for the risk rated is analyzed using the following risk assessment matrix.

Likelihood	Consequences
Likelihood	Insignificant (1)	Minor (2)	Moderate (3)	Major (4)	Catastrophic (5)
Rare (1)	(1)	(2)	(3)	(4)	(5)
Unlikely (2)	(2)	(4)	(6)	(8)	(10)
Possible (3)	(3)	(6)	(9)	(12)	(15)
Likely (4)	(4)	(8)	(12)	(16)	(20)
Almost certain (5)	(5)	(10)	(15)	(20)	(25)

Levels

E	≥16	Extreme Risk – Risk treatment needed immediately (Initiate within two working day)
H	10-15	High Risk – Risk treatment needed (initiate within one Week)
M	5-9	Medium Risk – Risk treatment needed (initiate within one Month)
L	≤ 4	Low Risk – To be decided if risk treatment needed or not

E – Extreme, H – High, M – Moderate, L – Low

After evaluating the risk the levels of the risks shall be document on the Risk Assessment Register (QF 01) as per the table above

Identifying and evaluating existing risk controls

The Process owners (& Team) shall review the existing controls which are applied while evaluating the risk and results of the risk shall be discussed with the team and where required with the Management.

6.1.4 Further risk treatment and opportunities for improvement

Risk Treatment

Additional risk treatment
Based on the results of the risk assessment and evaluation, the process owner shall advocate the additional risk treatment measures required for “controlling” the identified risk and keeping it at “Low” where possible.
“Extreme” and “High” risks necessitate controls and actions shall be taken immediately after consultation with the Top Management.
“Medium” risks necessitate controls and actions shall be taken within one month after consultation with the process owners and management.

“Acceptable and Low” risks, No additional controls are required unless mandatory of felt necessary.
Identified additional Risk treatment measures shall be recorded in the Risk Assessment Register (QF 01).

Risk treatment measures
Based on the ‘risk’ identified by the process owners the following risk treatment measure shall be taken but not limited to:

Eliminate risk by appropriate measure
Substitute the risk
Change or prepare policies and procedures to address the risk
Set objectives and targets to mitigate the risk
Implementation of management programs to reduce the risk

Risk treatment status & reporting
Status of the risk treatment and its achievement in addressing the risk shall be reviewed by the process owners on a regular basis and reported to the Top Management in the Management review meeting.

6.1.5 Opportunities for improvement

Those opportunities which are identified during the risk assessment and found beneficial to the organization in terms of

Management system improvement
Market reputation
Cost improvement
Process efficiency
Process or Service reliability
Opportunities to eliminate or reduce OH&S risks
Beneficial environmental impacts
Compliance obligations
Any other which may benefit the organization in short or long term

Opportunities for Improvement shall be implemented/initiated by the Process owners and reported to the Top Management in the Management review meeting.

6.2 Objectives

Objectives in line with the stated policy, measurable and monitored is established. The General Manager in coordination with the respective section manager(s) reviews and recommends, where needed, to process owners to revise the objectives in the management review meeting to ensure that the objectives are relevant to the conformity of products and services provided to the customers and serves to enhance customer satisfaction. The Quality objective for ABC is as follows

Process:	Objectives:	Measurement Frequency	Target	Measurement Index	Responsibility
		Enter your quality objective

7.0 Support

7.1 Resources

XXX has identified the personnel and the corresponding level of education, training, skills, and experience required in order to ensure that work affecting product quality is carried out in the required manner. Welders, welding operators, tack welders, welding supervisors, and welding engineers are qualified to the latest requirements

7.2 Competency requirement identification

The ZZZ manager identifies the competency requirements of all the individual designations in the section. The competency requirements are identified based on the works assigned for the designation and shall be documented in the respective Job descriptions and skill matrix of the employees. These shall be evaluated in the candidate interview and assessment form (QF 047). The competency requirements shall be reviewed by the section manager once in a year or whenever there is a change in the requirements of designated work. The necessary competence of persons doing work under its control that affects the performance and effectiveness of the Quality Management System shall be identified, reviewed. It shall be ensured that these persons are competent on the basis of appropriate education, training, or experience; where applicable, necessary actions shall be taken to acquire the necessary competence. Actions taken to ensure competence can include;

individual capabilities
roles & responsibilities
Verification with other competent person who is performing the same job.

The MR shall ensure that persons doing work under the organization’s control are aware of:

The company policy;
Relevant objectives;
Their contribution to the effectiveness of the Integrated Management System, including the benefits of improved performance;
The implications of not conforming to the Integrated Management System requirements.

Management Representatives/or respective operational supervisor ensures that all the personnel are aware of their responsibilities and importance of their activity in achieving conformity to product requirement and Integrated Management System.

Section Managers shall:

Define and document the level of competency needed to match the job requirements (descriptions) of their subordinates.
Plan a training program to reconcile any deficiencies with current or future job Requirements.
Evaluate and document the effectiveness of the training program.
Identify training need for their subordinates to achieve their functional objectives.
Forward a copy of the Training Record (QF 012) to MR
Modify the training program as required ).

7.3 Competency requirement evaluations:

The competency requirement evaluation shall be done by respective section manager. Laboratory technician’s competency is evaluated by QC manager or Laboratory Supervisor. Education level, skills and work experiences on the respective testing and handling of equipment are evaluated. The level of competency as per the requirement for the designation by the individual shall be maintained in the training records. For the laboratory, the competency requirements are determined as per the tests and work assigned, the summary of the tests shall be used for evaluation of the competency and shall be recorded in the training records (QF 012).

7.4 Training need identification

Competence criteria of personnel, whose work affect the quality of service / have a significant impact on the environment / may have an OHS risk are defined through Job descriptions. The training need shall be identified for all employees under the following circumstances:

New recruitment
Introduction of any new technology/system / product
Corrective action(s)
Technical and communication skill
Difference from the required competence level
Opportunity for improvement,
Skills and competencies development in relevant standards procedures
Refreshment

The section managers shall identify the training need for the personnel and shall identify external / internal arrangements and decide training subject / topic which are common to all and document the same in Training Record (QF 012). The induction checklist shall be used as a guide (QF 023). Where required, the section managers can recommend training requirements in their area to the General Manager.
Training in general is divided into following:

Induction training
On job training
Other in house training
Training conducted by external agencies

7.5 Calibration,

Equipment required for calibration is listed in the log sheet (QF 006) which defines Name of equipment, unique identification (Assets No.), Location Calibration date, Frequency and current status. For laboratory equipment Calibration record (QF.067) form is used to have record. Respective process owner shall maintain this log sheet and ensure that calibration is done on time. Equipment is calibrated by third party independent calibration author. QA/QC Manager shall evaluate the uncertainty and errors and make decision for its suitability. Calibrations will be conducted by an approved calibration agency.

7.5.1 Re-calibration

Operator of respective /equipment shall ensure the performance of the equipment and within tolerable criteria. The permitted tolerance of the each equipment shall be recorded in the calibration report together with degree of uncertainty which applicable with require traceability to national reference standards (e.g. mass or weight). Prior to its expiry all the equipment are calibrated. In case of any results are out of tolerance or suspected changes or deterioration in the reading, such equipment shall be re calibrated.

7.5.2 Maintenance

The equipment shall be maintained to ensure that it continues to be capable of producing intended results to the required specifications and tolerances. Any movement of calibrated equipment in the laboratory should be authorized by QC Manager. A maintenance Plan QF 045 and Equipment Maintenance Checklist QF 079 is established for laboratory equipment. If any equipment found not performing to deliver the intended results immediately remove from the use and send for maintenance and shall be calibrated to ensure its accuracy.

7.5.3 Calibration Verification Records

Calibration report is reviewed by QC Manager and maintained the record of review in Q F 044. Results of calibration, tolerance, error and uncertainty are reviewed and made the decision by QC Manager.

7.6 Documented Information

7.6.1 Work instruction and Method statement

XXX has already identified and established Work Instructions/ Method Statement formats for the standard scope of work provided by Steel Engineering Works. These formats shall be used as guidance for the preparation product specific method statement/ work instruction as required. The method statement shall have full details of equipment to be deployed (size/number/capacity), the sequence of operation, filed trials if any are involved, design of the product, QA/QC requirements, inspections and records maintained temporary works erection launching, safety precautions, environmental protection measures etc. The method statement shall also have the details of manpower requirements with competency requirements related to the work. Prior to the commencement of work and activities, the project specific Work Instruction/Method statement shall be consulted to the all concerned including quality and safety related to the scope of works, based on the specification, National standards and International Standards for review. The reviewed Work Instruction/Method Statements shall be submitted to the client/Client representative as applicable for their approval. Any comments received from the client/client representative shall be incorporated in order to meet entire satisfaction of the client. All the standard Work Instructions/Method Statement shall be prepared and approved for use prior the work. The QA/QC shall ensure that all the approved Work Instructions/Method Statement are communicated and available at point of use. A copy of the Work Instruction for “Production/Welding process” is attached for as a reference for the type of the documents prepared for works.

7.6.2 Work Programme

Based on the timeline framed out in the contract/project, XXX – ABC shall submit a Work Programme to be approved by the Client/Consultant that provides for completion of the works in accordance with these datelines. Following approval Work Programme, the programme shall be reviewed periodically based on the execution of works and if any amendment or priority to be given based on the client requirements shall be incorporated as instructed.

7.6.3 Working Drawing

The drawing provided to XXX – ABC for the execution of works is integral part of contract documents which has to be followed to perform the works. All documents received from external as a part of the project shall be maintained as “documents of external origin” and their versions controlled. The QA/QC shall ensure that the control of documented information procedure is applied to the incoming drawings and records maintained at point of use.
Consequently, to achieve proper administration of the contract the transmittal of the approved design drawings and subsequently submitted drawing related to “work” and “daily work” orders, shall be handled with circumspection and properly recorded at all stages to avoid unnecessary disputes and claims. The QA/QC shall ensure that only applicable and approved versions of the drawings are available at the shop floor for execution.

7.6.4 Inspection, Daily reports and diaries

7.6.4.1 Inspection
As an evidence of compliance with contracts documents it is essential that all the personnel charged with inspection responsibilities properly prepare themselves in advance through detailed study and understanding of the plans and specifications. The inspections shall be based on the approved Inspection Test Plan (ITP) and records of the approved ITP shall be communicated to all concerned. One site (including shop floor and locations) observations of the supervisor/engineer’s activities and procedures shall be reviewed by the Manager as applicable/ITP to ensure compliance with plans and specification. The format of inspection shall be approved as a part of the documented information related to the project and shall be approved by the client/client representative as applicable. Inspection reports shall be documented as per the requirements of project quality plan/ contractual obligations or the quality management system of XXX. The site(including shop floor and locations) shall be inspected to confirm compliance with the day to day works requirements as per the ITP. If any deviation or defect found same shall be reported and no works shall be preceded without written approval of the QA/QC /consultant to resume the works.

7.6.4.2 Daily Inspection report
A Daily report shall be completed by each Supervisor/Engineer. These reports shall be reviewed and complied by the Section Manager and will be constitute part of the projects Quality Documents to be kept in Projects file. The daily report from each Supervisor/Engineer shall include but not limited to the following items:

Quantities of works performed under their inspection
Site conditions
Usual or unsatisfactory conditions;
Delays encountered;
Equipment, plant, methods used
Numbers of workers deployed;
Test performed to satisfy quality control, and as samples taken,;
Weather conditions and effect on the works and
Day works records

8.0 Operations

8.1 Quality Planning and Control

XXX shall determine the procedures, documentation, records and resources required to ensure that his product meets the customer requirements.
8.1.1 Types of Quality Control
One of the most important tasks is quality control while execution of the works is technical quality control. It has to be ensured that materials delivered to site have met the technical requirements in the contract specification. There are four (4) types of quality control, which are described was below:
8.1.1.1 Process Control Methods
Process Control Method control is usually carried out initially prior to the execution of the work, where the processes required ensuring the quality and compliance are maintained. This is usually done by the section manager and the engineering reviewing the contractual requirements and preparations of Quality documents, this include Project Quality Plan, Work Instructions, method Statements, Inspection test Plans, QA/QC plan , etc as applicable. All the process documents shall be approved for use prior to the work initiation, where applicable approval from the Client/Client representative as well.
8.1.1.2 Materials Control Methods
Material Control Methods are done for all incoming materials used in the project, all incoming materials shall be reviewed and inspected as per the approve ITP prior to use in the work shop. Records of inspection and approval shall be maintained by the Engineers.
8.1.1.3 Production Control Methods
Production Control methods is usually carried out by the Consultant’s filed staffs whose job it is to be on the site and supervise the contractor during executing the works. At the same time the field staff will perform simple measurements, such as the recording of the thickness of fill layers, the temperature of asphalt materials and the slump of cement concrete.
8.1.1.4 Final product Control Methods
End-result control includes field tests e.g. control of the evenness of completed pavement layers and laboratory tests. E.g. Marshall tests, on asphaltic materials. Other tests are a combination of field and laboratory test as per the requirement of Qatar Construction Specification. End results control is carried out by laboratory technicians, and most of the work consists of laboratory tests.

8.2 Customer communication

8.2.1 Customer Satisfaction:
Customer feedback is collected and analyzed regularly using customer satisfaction and survey forms by the respective section managers once in six (6) months or upon completion of the project. MR reviews the external communication performance periodically through surveys (Customer Satisfaction Survey – QF 018) and ensures that appropriate actions are taken to address the concerns expressed.

8.2.2 Customer Complaints:

The Management Representative shall log all customer complaints in the Customer Complaint Register.
Any individual in the organization, who identifies a customer’s complaint whether verbal or written, shall communicate the same to the section heads and the Management Representative for investigation.
The Management Representative shall study the complaints and necessary corrective action shall be taken in consultation with the section managers and staff as appropriate.
Details of actions taken on the complaint shall be registered in the Customer complaint register. Complaints shall be registered only when the complaint is serious or is a repeating type of complaint.
Corrective measures taken to prevent such situations in future will be intimated to customer.

8.3 Contract Review

XXX shall have a system in place to ensure that contract requirements are reviewed and incorporated into the work. The Fabricator shall ensure that the necessary expertise, personnel, equipment, and plant resources are available to meet the contract requirements. The Fabricator shall ensure that all additions and revisions to contract requirements are duly communicated to the necessary personnel, and incorporated into the work.

8.4 Design and Development

The design engineer prepares the design and development plan as per products requirements received from the customers. The plan consist of stages required for the design and developments, review verification, and validation appropriately to each stages and responsibility of design and development stages also the raw materials requirements, specification, volume, of raw materials, quality sources etc. Details of products, characteristic, handling, storage and preservation and installation instruction shall be prepared. Review of all stages during design and development is carried out, and status of review is documented on the suitable reports as per the nature of design. The review results are discussed with Production Engineer and communicate with Customers for the verification. As necessary meeting shall be arranged with all the parties and discussion output is recorded in Minutes of Meeting (QF 004) and documented. Such minutes also shall be constituent of contract. Basically, during design stages, new identified techniques and methods which will be integrated for the products designing and production process shall be taken approval from General Manager. Validation of design stages is carried out, and documented, same will be part of quality records. The testing requirements of each process during the production period are also identified (design stages). Prior to finalize the design, same is submitted to production engineer for his review and comments and final approval from General Manager. Following information shall contain in the design:

Designed by (Name, Signature and Date)
Reviewed by (Name, Signature and Date)
Approved by (Name, Signature and Date)
Title of the project
Product Code, name and dimensions, volume
Revision date & status
Final approval

The design is submitted to the customer for their approval prior to proceed for the production, The Design Review and Approval Form (QF 027) shall be the control documents for the transmittal and obtaining approval.

8.5 Control of externally provided products and services

8.5.1 General
All the materials proposed to use for the projects shall be approved first. XXX- ABC shall submit materials submittal along with company prequalification initially and materials have been classified as below:

8.5.2 Identification of external providers (Evaluation and approving)
The new external providers are identified as a result of the requirements from the process owner through an evaluation process involving the Purchasing In-charge. Potential external providers are evaluated on the basis of the following criteria:

Price,
Quality of Service/Product (based on samples and quality assurance records.
Terms and Conditions (Contractual terms including financial)
Location of providers,
Market Reputation of the providers and products/services
Communication,
Technical Capability (In terms of services or product after sales service)
Environmental impacts
OHS hazards
Any others,

The purchase in charge shall evaluate the external providers based on these criteria in the New External provider Evaluation Form (QF 015). If the external provider attains more than 60% score in the evaluation criteria, they shall be approved and listed as Approved External providers. Records of evaluation shall be maintained by the Purchase in charge. In case of sole external providers and having a score less than 60%, then prior approval from the management has to be attained for approving and listing in the Approved External provider List. All existing external providers are maintained as approved external providers and maintained in the Approved External Provider List (QF008). Once they have entered into the list, they shall be evaluated once in a year for re-approval (Re-evaluation).

8.5.3 Re – Evaluation Criteria:

All the external providers shall be evaluated every year in order to measure and monitor their performances. The re-evaluation shall be based on the following criteria

Delivery performance,
After sales services,
Quality of service/Product
Technical performance or after sales services e of Service)
Communication,
Environment impacts
Occupational health and safety
Any other (if any)

The Re-evaluation of the external providers is recorded in the external provider re- evaluation form (QF 18). All external providers’ performances are documented and discussed in the management review. The minimum scoring required by an external provider in re-evaluation is set as 70%. Where the external provider has failed to meet the required score, actions shall be taken in discussion with the process owners and top management in the management review meeting. All the records of evaluations shall be maintained by the purchase in charge.

8.5.4 Approved External provider List

External providers who are selected are enlisted on an Approved External provider List (QF 008), which is controlled by the document controller and are available with the Purchasing In charge. The General Manager – ABC approves additions and deletions to this list.

8.5.5 Outsourced activities:

Where it is essential to outsource activities that are performed by the company, the external providers of such activities are also identified and selected in a similar manner. The list of such companies or agencies to which activities are outsourced, is also maintained in the same manner using the approved external provider list. In all cases, where found that the external provider is not performing or not delivering the desired results, a corrective action request will be issued through a Non Compliance Form (QF 007). The number of NCR’s issued to the external provider shall be also be used as a criterion during their re-evaluation.

8.5.6 Requisitions & Purchase order
Any purchases within QR. 3,000.00 shall be purchased from petty cash upon approval of Petty Cash Request (QF 006) from the General Manager; the documents are documented by requester under his custody for petty cash. All requirements for credit purchasing or above than QR. 3,000.00 cash are documented on a Material Requisition Slip (QF 001) and the result of all discussions and negotiations are documented. The final document Local Purchase Order (QF 003) for credit purchase that is reviewed and signed for adequacy and after ensuring that all relevant details are communicated adequately to the external provider (Janitorial purchases are also made similarly).
The General Manager – ABC or his appointed deputy approves the Local Purchase Order (QF003)
Purchasing of assets shall be upon approval of the Group Commercial Manager with comparative evaluation of three (3) proposals from different external providers as far as possible. If three external providers are not identified for required assets, justification shall be documented for the reason of not having three external providers. The comparative reports shall be prepared on External Provider Canvass Form (QF 006).

8.5.7 Inspections

The purchased material is inspected by the stores in-charge or his deputy (if required). The inspection is documented using Inspection report (QF004). Prior to use in the process, the requisitioned personnel or the department Head/In-Charge acknowledges the conformance of the product on the Inspection Report (QRF004) In case of any problems identified with regard to quality, quantity, damage, etc. the same is communicated to the Management Representative who initiates the corrective actions, insurance processes, claims etc. as required. He also records the problem to take Corrective action in Non-Compliance Report QF007.

8.5.8 Type and extent of control for externally provided processes, products & services

The organization shall ensure the adequacy of requirements to be maintained by the external providers prior to their communication to the external providers. The type and extend of the controls to be applied to the external providers shall be documented in the List of Externally provided Processes, Products & Services . The controls applied shall consider the potential impact of the externally provided providers not able to meet the organizations ability to consistently deliver conforming products (including environmental and OHS requirements) and services to its customers. The purchase in charge along with the process owners shall ensure that the external providers shall

Remain within the control of the Quality management system
Provide outputs that meets the QMS requirements and are within the tolerance limits of the controls applied.

8.6 Performance of Quality Control

8.6.1 Testing Facilities
Based on the contract, XXX – ABC shall establish a site Laboratory as per the client requirements. The required testing facility shall be made available i.e.

All testing equipments shall be available
All testing equipments shall be valid, calibrated and qualified,
Qualified laboratory technician shall be deployed.
Test reports shall be prepared on the Standard reports format

Any special testing facility not available in the site laboratory shall be taken to independent laboratory office. XXX – ABC shall always allow access to the testing activities if client/consultant would like to witness the testing.

8.6.2 Test Specification:
Specification usually describes test methods by referring to standards methods. Qatar Construction Specification has described the testing procedures to be followed ASTM, BS and CML same shall be followed.

8.6.3 Testing Frequency:
The frequency of the testing is usually laid down by the consultant at the beginning of a project and generally related to the project specifications. A testing plan giving the test frequency standards acceptance criteria and third party laboratory for the testing shall be prepared and submitted to the Client/consultant for the approval.

8.6.4 End – Result control
The frequency of end – result control depends on the quality parameters that are to be checked. Parameters which can vary considerably are continuously controlled. i.e. the binder content, stiffness of asphalt materials and the compaction of asphalt course. As regards regulating laboratory tests the specification usually determines the number of test. When the works are started and in cases where difficulties as regards compliance with quality requirements are encountered, laboratory testing shall normally be intensified.

8.6.5 Reporting of Test result
Test results shall be recorded systematically in the specified format, which is signed by be testing authority and approved by head of Quality Control Department. The formats are designed by the Third Party laboratory who is representing as sub contractor or XXX – ABC.

8.6.6 Interpretation of Test Results
The Test results shall be plotted on a graph sheet showing the dates/sample numbers, type of materials, method of sampling, Test method, test date. The minimum and maximum criteria are set on the graphs; also the results are show in the table format. Any reports results falls out of criteria, the process shall be stopped. And a thought investigation made to the entire process, and the cause for faulty performance determined. Suitable remedial action shall be immediately taken and process brought under control.

8.6.7 Monitoring of Quality Control
Third party laboratory has designed also to take care of the quality control requirements but still the quality control engineer has authority and responsibility for monitoring the use of quality control system and ensuring that the procedures has been implemented, and achieved, any changes required in the sampling method, testing procedures and reporting, shall be discussed with clients/consultant and incorporated the requirements.
The Quality Control Engineer shall be responsible for the following:
a. Sampling and supervise the testing
b. Measurements and analyze the reports

8.6.8 Site laboratory
The site testing laboratory, including all furniture, testing equipment and apparatus as required by the Specifications shall be provided and maintained together with all provision of all necessary utilities (Electricity, water and drainage). The design and layout of the laboratory shall be provided to client/consultant engineer for their approval if required. The Site laboratory shall be equipped with basic required testing equipments and qualified lab technician, under supervision of QA/QC Engineer. Testing equipments are approved and calibrated by authorized agent in Qatar. Periodic maintenance is carried out necessary, special precautions are applied to avoid unnecessary adjustment and kept damage free. Testing procedures guidance shall be available to be followed by the technician. Also the all office equipments and stationary shall be available to print the reports. Testing which are not possible to carry-out in the site laboratory shall be forwarded to main office. The subcontracted third party laboratory shall provide site laboratory and all resources; however the control and morning of their activities shall liaise on QA/QC Engineer.

8.6.9 Third party testing laboratory
XXX- ABC shall appoint a third party laboratory approved by Public Works authorities of Qatar and Qatar General Organization for Standards and Metrology as subcontractor to carry out the testing activities at site. However XXX undertakes full responsibility to provide quality assurance and have full control on the subcontractor’s activities to meet the entire satisfaction of the Client/Consultant engineer and meet the specifications and standards. Their prequalification shall be submitted prior to deploy them for this task.

8.6.10 Testing and Preparing Test reports
Most of the test shall be carried out at subcontractor’s laboratory; the rest reports are prepared, documented and submitted to QA/QC Engineer. Consultant/Client shall have always access to visit and witness the tests. Reports are reviewed and submitted after complete all testing procedures. A copy of reports shall be documented and kept in the projects file. All the reports shall be retained for a period even after finished the guarantee period of the project or such similar manner considering the project time.

8.7 Control of Non-conforming products and works

Any materials not conforming to the relevant standards and projects specifications shall be removed from the site with approval and documented records. The work not satisfying the required project standards and specification and rejection of Client/Consultant engineer also shall me subject to remedial action with proper approval of rectification works as same. The identified nonconforming products are removed so that it will not get mixed up with other products. In the case of products where the defects are identified after delivery, it is identified and recalled, where applicable or necessary actions are done based on the level of the deviation. Only the General Manager can recall products delivered to the client.

Identification of nonconforming outputs (products/services) – Incoming Materials/Services:
It is the responsibility of the ZZZ manager to ensure that adequate processes and persons are maintained for inspections of Incoming materials (Raw Materials/equipment) to ensure that Nonconforming outputs (products and services) are not incorporated in the system. In case of identification of any, ZZZ’s manager shall ensure that corrective action is taken as per the procedure for corrective action

Identification of Nonconforming outputs – during service delivery/after service delivery:
It shall be the responsibility of the respective manager to ensure that adequate processes and persons are maintained for inspections of production/service to ensure that Nonconforming services are not produced and maintained. It shall be the responsibility of the respective manager to ensure that adequate processes and persons are maintained for inspections of final products to ensure that Nonconforming services are not sent to clients, this shall be done through various tests done in the laboratory. Customer complaints regarding non-conforming products are recorded in the customer complaint register and proceeded with corrective action, investigate the complaints and take necessary action to satisfy the customers.

Actions taken for Nonconformities:
Whenever the products/services delivered to customers are identified under Nonconforming products/outputs, a Noncompliance Report is initiated by the Process Owner.
In consultation with all the responsible functions, the process owners shall deal with nonconformities in one of the following ways

Correction
Segregation, containment, return or suspension of provision of products or service
Informing the Customer
Obtaining authorization for acceptance under concession

In case of Incoming materials Raw materials/equipment) details of nonconformity are informed to external providers for taking necessary actions and review of the “Controls applied for externally provided services’ shall be done by the process Owners and Management Representative In case of products delivered (finished products) details of nonconformity are shared with the responsible team/processes for taking necessary actions and details of actions are recorded in the Non Compliance Report QF 007.
The Non-compliance Report shall have as a minimum the following requirements

The description of the Nonconformity
The description of the action taken
The description of any concession if given
Identifies the authority deciding the action in respect to the Nonconformity.

9.0 Performance Evaluation

9.1 Analysis of Data

Management Representative reviews the data collected like customer complaints and identifies the statistical techniques for establishing, controlling and verifying process capability, product characteristics. As soon as suitable technique is identified, it is used in the relevant area. The analysis of data provides information relating to;

Customer satisfaction
Customer Complaints
Self – Assessment
Audit Results
Conformity to product requirements.
Nonconformities and product failures identified after delivery or use, provided the product or documented evidence is available to facilitate the determination of the cause
Characteristics and trends of process and products including opportunities for preventive action.
Suppliers Performance
Information on Quality objectives

Corrective actions taken are to ensure their effective. The Data Analysis record is maintained. The data from the above is analyzed periodically (at least once in 3 months) and statistical report is prepared and submitted to the top management (CHAIRMAN) for information and necessary follow-up for the corrective action and continual improvement of the system/area. Summary of the statistical analysis is produced in the Management Review Meeting.

9.2 Internal Audit

9.2.1 Internal audit planning:
The MR shall prepare the plan for Internal Audit once in a year and document in the Audit Plan (QF 009). Planning shall cover all areas of activities covered by the QMS. The MR shall ensure that there are at least two internal audits done in year and that all the processes are covered at least once in a year.
In case of any rescheduling or revising of audit plan, it is circulated to all concerned. After completion of audit, the management representative shall update the Audit Plan (QF 009).
Trained internal auditors who are independent of the process being audited shall conduct the internal audit or any third party external providers shall be subcontracted to carryout Internal Audit.
The management representative shall maintain a list of trained auditors (QF 010).

9.2.2 Qualification and training to internal auditors:
Internal audit is undertaken by qualified auditors. The management shall arrange recognized training course in the respective standards from external and qualified external providers to train the internal auditors.
Note: Minimum three audits should be attended with qualified auditor to be an internal auditor.
The MR shall also maintain qualified external providers as internal auditors (Records of training shall be maintained). The approval processes shall be as per the procedure for control of externally provided services (PR 008).
The MR shall ensure that the auditors shall have independency of the audit and does not audit own process.

9.2.3 Scheduling of audit:
The MR shall determine the scope of the audit based on the requirement of the QMS and need to adequacy and improvement prior to the communication of the audit programme. The scope of the audit shall be documented in the QMS Audit Programme (QF 034)

Previous audit results/ findings
Responsibility and authorities of auditees
Integrated management system Plan and standard operating procedures
Other documentation underQMS
Records of the concerned auditees department
Processes and their inter-relationships
Effectiveness of processes
Improvement requirements and opportunities
Working environment
Corrective action opportunities
Changes affecting the organization
Environmental importance of processes
Risks/ opportunities & effectiveness of action taken (where applicable)
Internal/ external issues

Auditor shall carry out the audit activity within the scope and exercise the objectivity of the audit.

9.2.4 Auditing and reporting

The selected auditors shall perform the internal audit as per the scope of the audit and shall record the objective evidence of audit findings in Audit Observation Sheet QF011).
After completion of the audit, the auditor(s) shall discuss with the auditee section head all findings and categorize the findings based on the objective evidence collected and audit criteria.
All the findings (both positive and negative) shall be reported through the Audit Observation Sheet (QF011) or the subcontractor’s Audit Reports. Negative findings and Observations shall be written down in Non-compliance Report (NCR) (QF007). All NCR’s shall be forwarded to the respective section heads (process owners) to take corrective action and follow up.
The Auditor/ MR shall ensure that the results of the internal audit are reported to the respective Management.
Note: The MR can where applicable request the external providers (internal auditors) to document the audit findings XXX’s format or external providers format as deemed most appropriate.
Audit finding shall be categorized into the following criteria

No.	Category	Descriptions of criteria
1	Major	Major Lapse /breakdown in the system which may affect customer requirements/product requirements Documented procedure/process not followed completely. Legal requirements not complied to with severe legal liabilities
2	Minor	Minor lapse/ breakdown in the system which may affect customer requirements/product requirements Documented procedure/process not followed occasionally Legal requirements not complied but without any legal liabilities
3	Observations	No breakdown in the system yet but possibility of breaking down sooner or later
4	OFI (Opportunity for Improvement)	Best practices which could be used for improvement of the process or product Positive Improvement identified in the process/product Suggestions in the system which may benefit the process/product in terms of time, cost or quality.

The section head (process owner) shall write down the corrective action, proposed completion dates and put their signatures in consultation with management representative.

The management representative shall follow up on the corrective action and verify it prior to close out. NCR shall be closed out giving priority, based on its complexity and time required but not later than next audit.

Follow up and analysis activities

The proposed close out dates of the corrective actions are agreed upon with the auditee by the MR. Follow-up audit is conducted by the auditors designated by the MR at specified target dates/planned audit in the report and write the follow-up comments in the Non-compliance Report (IMSF007).

The effectiveness of corrective action is reviewed by the auditor within the specified period and is documented in the Non-compliance Report (IMSF007). The MR/auditor shall ensure that where it is related to OHS, the relevant process owners have communicated, consulted and have effectively engaged participation of workers for identification of root cause.

The Non-compliance Report (IMSF007) is closed by the person who initiated the report or management representative only when corrective action is implemented and effectiveness results achieved. Non-conformities raised in the areas where the Management Representative is responsible for the activity have to be closed out by the General Manager/external Auditor.

The MR shall discuss the trends of corrective actions and non-conformances found audit and status in the management review meeting for any further improvement.

1.2 Management Review

Management review meetings are conducted at least once in a year and where possible it shall be conducted twice in a year. The MR shall notify the sections regarding the MRM through a memo.

The General Manager (GM) shall chair the MRM. The members of this meeting shall be:

General Manager – Roads & Maintenance Division
Assistant Manager – Roads and Maintenance Division
Management Representative (MR)
Document controller (DC)
All section heads
Any other special invitee

The members submit the input summary data (IMSF003) and LOG Sheet (Objective) IMSF022 to the Management Representative or General Manager- ABCwho ensure that input summary submitted is adequately addressed. In case of the absence of any of members an alternate representative will be deputed and the member shall notify the MR or GM in writing.

Based on the input submitted, management review meeting is conducted and the General Manager review effectiveness of the entire IMS system and record his comment.

The MR prepares minutes of meeting (IMSF004) including any corrective actions identified, person responsible for implementation and target date for its completion are recorded in minutes of meeting.

The MR monitors the implementation of actions initiated in a meeting and provides the details by including as input for the next management review meeting.

The MR maintains the records of MRM.

10. Improvement

The General Manager – XYZ Division, Management Representative and the respective section managers identify the areas for improvement based on the Quality policy and objective of the company. The areas of improvement shall also be based on:

Corrective action reports
Management review meeting output
Audit reports
Analysis of data
Risk assessment study
Legal identification and compliance evaluation

Respective section manager shall make prioritized action plan for the areas of continual Improvement and the same shall be followed to complete the assignment in time. Respective section managers shall sum-up the benefits that has been achieved by adapting the continual improvement assignment and the same shall be presented to the management during Management Review Meetings.The continual improvement shall be identified in all areas of operation and every effort shall be taken to ensure that the continual improvement is on continual basis. The Management Representative shall sum-up all the areas of improvement and shall document the same in Continual Improvement Projects Plan Form (QF 014) received from all the sections prior to the management review meeting

ISO 9001 Example of Risk assessment

Risk assessment of MR department

Process Function	Potential Failure Mode	Potential Effect(s) of Failures	severity	Class	Potential Cause(s)/Mechanism(s) of Failures	Occur	Current Process Controls Prevention	Current Process Controls Detection	Detect	RPN	Recommended Action(s)	Responsibility & Target Completion Date	Action Taken	Severity	Occurrence	Detection	RPN
Quality Management System & Implementation	External origin standards are not updated	Affects the quality and system	3	SC	Lack of checking in the new standards	3	Master list of external origin standards to be updated regularly.	Master list of external origin standards are reviewed by MR frequently	5	45	—	—	—	—	—	—	—
Quality Management System & Implementation	Master lists are not maintained properly	Affects the system	3	SC	Lack of awareness	4	Master lists to be updated regularly.	Master list are reviewed by MR frequently	4	48	—	—	—	—	—	—	—
Quality Management System & Implementation	Unintended use of obsolete documents	Affects the system	4	CC	Obsolete documents are not removed from all points of use	4	Obsolete documents are identified and seperated	By frequent checking	5	80	“Obsolete copy” is stamped in all obsolete documents for easy identification	Management Representative	Action taken to be verified after three months	4	3	4	48
Quality Management System & Implementation	MRM not conducted at regular intervals	Affects the system	3	SC	Improper communication	4	To follow the MRM plan	Verifying the conduction of MRM periodically	3	36	—	—	—	—	—	—	—
Quality Management System & Implementation	Internal Audits not conducted on time	Quality system failure	4	SC	Audit plan not followed	2	to follow the audit plan	Review of audit report	1	8	—	—	—	—	—	—	—
Quality Management System & Implementation	Management of change not done	Affect the system	4	SC	Lack of awareness	3	monitoring in review meetings	by reviewing the minutes of meeting	3	36	—	—	—	—	—	—	—
Quality Management System & Implementation	NCR’s not closed on time	affect the system	4	SC	Root cause analysis not done properly	2	Updated NCR tracking sheet	periodic review of NCR tracking sheet	4	32	—	—	—	—	—	—	—

Risk assessment of HR department

Process Function	Potential Failure Mode	Potential Effect(s) of Failures	sev	Class	Potential Cause(s)/Mechanism(s) of Failures	Occur	Current Process Controls Prevention	Current Process Controls Detection	Detect	RPN	Recommended Action(s)	Responsibility & Target Completion Date	Action Taken	Sev	Occ	Det	RPN
Human Resources – Competency	Training not conducted properly	Affects the quality and system	4	SC	Improper planning for training	3	Training to be planned appropriately and updated in the Annual Training Calendar	Verified by Top management	4	48	—	—	—	—	—	—	—
Human Resources – Competency	Non availability of competent personnel (or) Selecting unskilled personnel	Affects the quality and system	5	CC	Competence requirements are not defined for recruitment	4	Personnel recruited based on defined competence requirements	Verifying the personnel competence by process heads	5	100	Competency standard to be defined before the recruitment process	Human Resource personnel	Action taken to be verified after three months	5	3	4	60
Human Resources – Competency	Decrease in employee efficiency	Affects the delivery	3	SC	Improper communication and Employee not motivated	4	Motivate the employee through meetings to improve their efficiency	By reviewing the operator efficency reports.	4	48	—	—	—	—	—	—	—
Human Resources – Competency	Updation of Legal and other applicable requirement are not done	Affects the system	4	SC	Legal requirements are not checked periodically	3	Monitoring the master list of Statutory and Regulatory requirements regularly	Verified by Top management	5	60	—	—	—	—	—	—	—
Human Resources – Competency	Residency not renewed on time	Affects the operations & planning	4	SC	not reviewing employee file periodically	4	residency to be processed on time	Monitoring of the employee file regularly	2	32	—	—	—	—	—	—	—

Risk assessment of Sales

Process Function	Potential Failure Mode	Potential Effect(s) of Failures	sev	Class	Potential Cause(s)/Mechanism(s) of Failures	Occur	Current Process Controls Prevention	Current Process Controls Detection	Detect	RPN	Recommended Action(s)	Responsibility & Target Completion Date	Action Taken	Sev	Occ	Det	RPN
Sales	Wrong entry of size designation	Affects the quality	3	SC	Type Error	3	Reviewing of Customers’ purchase order by Commercial officer	Daily review of SOS order in plan usage	4	36	—	—	—	—	—	—	—
Sales	Order without contract review	Affects the quality and delivery	4	SC	Delay in releasing contract review	3	Perform contract review as soon as possible once the job is completed	Verified during operations planning	3	36	—	—	—	—	—	—	—
Sales	PSL Level, H2S Level, Material class, Temp not specified in customer PO	Affects the quality	3	SC	Customer requirements not clearly identified in the purchase order	3	Reviewing of customer purchase order against product requirements by Commercial officer	Review of requirements in Contract Review	4	36	—	—	—	—	—	—	—
Sales	Delivery date committed without proper planning	Affects the Delivery	4	SC	Date committed based on Customer requirements	3	Review the Customer Requirements against Purchase Order by Commercial officer	During operations planning	4	48	—	—	—	—	—	—	—
Sales	Wrong delivery address	Affects the Delivery	4	SC	Type error and destination not reviewed	2	Reviewing of delivery information against purchase order before disptach	Review before dispatch	5	40	—	—	—	—	—	—	—
Sales	Delay in invoicing of the job	Affects the cash flow	2	SC	commmunation gap	1	Communication through proper channel	keep record of all completed jobs in job register	5	10	—	—	—	—	—	—	—
Sales	no proper communication of the customer requirement	Delay in quotation submission	4	SC	No proper follow up	3	monitoring & follow up of all enquiries	Daily review of enquiry register	5	60	—	—	—	—	—	—	—
Sales	Customer complaints not handled properly	Loss of customer	4	SC	poor internal communication	1	Communication through proper channel	proper communication to avoid complaints	2	8	—	—	—	—	—	—	—

Risk assessment of Design

Process Function	Potential Failure Mode	Potential Effect(s) of Failures	sev	Class	Potential Cause(s)/Mechanism(s) of Failures	Occur	Current Process Controls Prevention	Current Process Controls Detection	Detect	RPN	Recommended Action(s)	Responsibility & Target Completion Date	Action Taken	Sev	Occ	Det	RPN
Design	Error in design inputs	Affects the product quality	4	SC	Inadequate operating conditions	3	Design inputs are to be reviewed based on the customer or standard requirements before performing the process to prevent errors.	During design input review	4	48	—	—	—	—	—	—	—
Design	Inadequate design outputs	Affects the product quality and delivery	4	SC	Relevant personnel was not aware about the requirements	3	Training to be given to the concerned personnel.	During design output review	3	36	—	—	—	—	—	—	—
Design	Error in drawing	Affects the product quality	5	CC	Necessary details not mentioned properly in the drawing	4	Verification of the drawing to be done before issue.	During design output review	5	100	During design output Machine shop Manager shall ensure that adequate details are available in the drawing and to be verified as per given the requirements.	Machine shop Manager	Actions taken verified	5	3	4	60
Design	Personnel competency	Affects the product quality	4	CC	Failure in design	3	Training to be given to the concerned personnel.	During design output review	4	48	—	—	—	—	—	—	—
Design	Selection of material	Affect the product integrity	4	CC	Product non conformance	4	Specifications / MTCs shall be reviewed during the design input	During design input review	3	48	—	—	—	—	—	—	—
Design	Tolerance level not mentioned properly	Affects the product quality	4	SC	Human error	3	All the design outputs are to be reviewed during design output review based on the inputs and to be verified before approval.	During design output review	4	48	—	—	—	—	—	—	—

Risk assessment of Procurement

Process Function	Potential Failure Mode	Potential Effect(s) of Failures	sev	Class	Potential Cause(s)/Mechanism(s) of Failures	Occur	Current Process Controls Prevention	Current Process Controls Detection	Detect	RPN	Recommended Action(s)	Responsibility & Target Completion Date	Action Taken	Sev	Occ	Det	RPN
Procurements	Supplier late delivery	Affects the delivery	3	SC	Delay in production process (Unavailability of Raw material)	4	Some amount of raw material to be maintained in stock	Regular checking of stock list	3	36	—	—	—	—	—	—	—
Procurements	Error in documents provided by the supplier	Affects the quality	3	SC	Typo error	3	Inform the supplier to prevent typo error	Verify the documents regularly once received from supplier	4	36	—	—	—	—	—	—	—
Procurements	Indent not raised in specified time interval	Delay in Receiving Raw Material. Affects the delivery	3	SC	Planning not done properly in Planning stage	5	Machine Manager shall provide the requirements to the procurement personnel in advance	During operations planning	2	30	—	—	—	—	—	—	—
Procurements	Quality requirements not specified clearly in the purchase order	Indent not raised in the specified time interval	5	SC	Material received with the wrong specification. Affects the Quality	4	Monitoring the PO before approval.	Based on the review during approval of PO.	5	100	Training given to concerned personnel about the quality requirements	Procurement personnel	Action taken to be verified after three months	5	3	4	60
Procurements	Improper identification of supplier	Affects the quality and delivery	4	SC	The Person who prepares PO was unaware of the quality requirements	4	Updating of such data to be done regularly	Periodic checking of supplier rating	5	80	Prepare supplier delivery performance and rejection quantity data regularly	Procurement personnel	Action taken to be verified after three months	4	3	4	48
Procurements	Specification not specified clearly in the purchase order	The specification should be as per standard requirements.	3	SC	Item Description not Created as Per Requirement	4	Delay in Receiving Bought Out Items. Affects the delivery	Before approval of purchase orders, Quality dept. verifies the requirements	5	60	—	—	—	—	—	—	—
Procurements	Supplier performance rating is not done periodically due to delay in preparing data (such as delivery time and rejection quantities)	Reliability of the goods and services	4	SC	Supplier evaluation not done before purchase of critical goods & services	2	Critical goods and services are identified.	Critical goods and services are purchased from the list of appoved suppliers only	2	16	—	—	—	—	—	—	—
Procurements	Material not available at regular supplier	affects the planning and delivery	4	SC	Dead stock at supplier premises	3	The goods and services are not considered as critical category.	Master list of suppliers	3	36	—	—	—	—	—	—	—

Risk assessment of Operation

Process Function	Potential Failure Mode	Potential Effect(s) of Failures	sev	Class	Potential Cause(s)/Mechanism(s) of Failures	Occur	Current Process Controls Prevention	Current Process Controls Detection	Detect	RPN	Recommended Action(s)	Responsibility & Target Completion Date	Action Taken	Sev	Occ	Det	RPN
Operation	Ineffective production plan	Affects delivery	3	SC	Improper planning	3	Production plan to be prepared effectively in advance.	By verifying Production Plan	5	45	—	—	—	—	—	—	—
Operation	Non Availability of Project Execution Plan	Affects Quality	3	SC	Project Process Sequence in is not in Correct Order	3	Awareness on Job Training to be given	Project Execution Plan	5	45	—	—	—	—	—	—	—
Operation	Non availability of equipments, tools and inserts	Affects production and delivery	4	SC	Periodic checking of tools and inserts used for production are not done.	3	Tools and inserts are to be maintained regularly in stock.	By reviewing required tool and inserts	3	36	—	—	—	—	—	—	—
Operation	Non availability of raw material	Affects production and delivery	3	SC	Material not available in stock	4	Some quantity of Materials are to be maintained in stocks.	By reviewing the stock list.	4	48	—	—	—	—	—	—	—
Operation	Internal non-conformance	Affects quality and delivery	5	CC	Requirements are not addressed properly in the daily production control sheet	4	Ensure that the requirements are to be addressed properly	By reviewing through in-process inspection	4	80	Verification of the Production control sheet by the Quality Engineer for the proper addressing of the requirements before the issue of the documents	Quality Engineer	Action taken to be verified after three months	5	3	3	45
Operation	Improper handling	Affects the quality	4	SC	Unskilled person	3	Training to be given for concerned personnel	By monitoring the personnel	3	36	—	—	—	—	—	—	—
Operation	Emergency requirement for any product / item	Difficulty in purchasing the items	3	SC	Improper planning	2	Minimum 3 supplier for the critical items to be identified	By verifying the Approved supplier list	4	24	—	—	—	—	—	—	—
Operation	Employee performance reduced (or) Not competent enough to perform a new activity.	Affects the quality and timely delivery	3	SC	Adequate training not provided	3	Required training to perform the job to be given for concerned personnels	Training Matrix	4	36	—	—	—	—	—	—	—
Operation	Shortage of work/office space inside our facility	Affects work	2	–	Adequate space not available.	3	Proper layout for the work space to be designed	By verifying layout	3	18	–	–	–	–	–	–	–
Operation	Requirement for changing of shifts	Affects the routine activities	4	SC	Improper planning	3	Required shifts to be arranged	By Production monitoring	3	36	–	–	–	–	–	–	–
Operation	Working hours affected due to Ramadan	Affects the timely delivery	4	SC	Improper planning	3	Proper planning to be done prior start of the job	By verifying production plan	1	12	—	—	—	—	—	—	—
Operation	Not enough knowledge to perform the operations	Quality of the work will be affected.	4	SC	Incompetent personnel on the job	3	Training to be given for concerned personnel	Skill competency matrix	3	36	—	—	—	—	—	—	—
Operation	Difficulty in identifying the parts of the assembly product in dismantled condition	Affects the product quality & delivery	4	SC	Part identification number not visible on the sub assembly parts	3	Identification tagging to be maintained throughout the processes with reference to production plan/Job Number	Identification on each item by either SRV # or Job #	4	48	—	—	—	—	—	—	—
Operation	Products damaged due to improper handling (within the facility / while transporting to the customer)	Affects the product quality	4	SC	Improper Handling of the material	3	Proper protection for critical components to be provided	By verifying at the time of dispatch	3	36	—	—	—	—	—	—	—
Operation	Unexpected Power cuts	Affects the delivery	1	–	Ministry issue	1	Alternate power source to be made available	Requested for alternate power source arrangement	2	2	—	—	—	—	—	—	—
Operation	Errors identified in the Manufacturer provided features.	Affects the customer satisfaction	4	SC	Poor quality of products delivered by manufacturers	3	Supplier evaluation needs to be conducted periodically	By supplier evaluation	3	36	—	—	—	—	—	—	—
Operation	Productivity effects due to Climate change	Affect the quality & delivery	4	SC	Additional responsibility & authority to be provided to on-site personnel	4	Identify contingency plan to mitigate climate change by identifying alternated production site	Additional responsibility & authority to be provided to on-site personnel	1	16	—	—	—	—	—	—	—

Risk assessment of Maintenance

Process Function	Potential Failure Mode	Potential Effect(s) of Failures	sev	Class	Potential Cause(s)/Mechanism(s) of Failures	Occur	Current Process Controls Prevention	Current Process Controls Detection	Detect	RPN	Recommended Action(s)	Responsibility & Target Completion Date	Action Taken	Sev	Occ	Det	RPN
Maintenance	Periodic maintenance not done	Affects cost and delivery	3	SC	Carelessness of the operator	3	Proper preventive maintenance shall be done as per the plan	Frequent checking to be done	3	27	—	—	—	—	—	—	—
Maintenance	Delay in completion of break down	Affects cost and delivery	4	SC	Non availability of spares	4	Maintaining minimum stock (spare parts) in store	Checking with break down register	5	80	Critical spares shall be identified and maintained in stock	Machine shop Manager	Action taken to be verified after three months	4	3	4	48
Maintenance	Delay in preventive maintenance	Affects cost and delivery	4	SC	Preventive maintenance schedule not followed	4	Preventive maintenance to be done as per the schedule	Frequent checking to be done	3	48	—	—	—	—	—	—	—
Maintenance	Improper preventive maintenance	Affects cost and delivery	3	SC	Checklists prepared are inappropriate to the machine to be maintained	3	Checklists are to be prepared as per the manufacturer’s specification	Checking with Manufacturer’s specification	5	45	—	—	—	—	—	—	—
Maintenance	Incompetent personnel	Affects quality & cost	4	SC	Selection criteria not defined	3	Skill competency matrix prepared	Review of training effectiveness	3	36	—	—	—	—	—	—	—
Maintenance	Delay in availability of machines spares	Affects cost and delivery	4	SC	non availability of spares locally	3	Plan to have spares in stock	Review of the suppliers list	4	48	—	—	—	—	—	—	—
Maintenance	Non availability of support from the manufacturer of the machine	affects cost and delivery	4	SC	Authorised services of manufacturer is not available locally	4	Outsourcing the service	Communication with service providers	2	32	—	—	—	—	—	—	—

Risk assessment of Quality Control

Process Function	Potential Failure Mode	Potential Effect(s) of Failures	sev	Class	Potential Cause(s)/Mechanism(s) of Failures	Occur	Current Process Controls Prevention	Current Process Controls Detection	Detect	RPN	Recommended Action(s)	Responsibility & Target Completion Date	Action Taken	Sev	Occ	Det	RPN
Quality Control/ Quality Assurance	Indication found in Mill TC	Affects the quality	4	SC	Typo error	3	Inform the supplier to prevent typo error while preparing Mill TC	By checking MTC during incoming inspection	4	48	—	—	—	—	—	—	—
Quality Control/ Quality Assurance	Instrument error	Affects the quality	5	SC	Improper handling of the instuments	4	Training to be given to conerned personnel about instrument handling	Monitor the personnel while handling the instruments	4	80	Instrument to be sent for calibration. Out of calibration requirements to be ensured.	QA/QC Engineer	Action taken to be verified after three months	5	3	3	45
Quality Control/ Quality Assurance	Some instruments are not calibrated beyond due date	Affects the quality	3	SC	Calibration plan not updated	3	Calibration due date to be checked by concerned personnel regularly	Using calibration plan	4	36	—	—	—	—	—	—	—
Quality Control/Quality Control/ Quality Assurance	Difficulty in identifying the material	Affects the system and quality	4	SC	Identification tag not tied on the product	3	Identification tag is tied after the completion of process.	By verifying visually	3	36	—	—	—	—	—	—	—
Quality Control/ Quality Assurance	Improper identification and traceability	Affects the system	4	SC	Identification number not replaced when damaged	3	Identification number properly replaced when it is found damaged	Monitored regularly by Concerned personnel	4	48	—	—	—	—	—	—	—
Quality Control/Quality Control/ Quality Assurance	Delivery of Non-conforming products	Customer dissatisfaction	5	CC	Final inspection not performed prior dispatch	3	Final inspection is performed by the QC Engineer prior to dispatch	Using Production and quality plan	2	30	Products to be called back and assessed as per control of NC products.	QA/QC Engineer	Action taken to be verified after three months	5	1	2	10
Quality Control/ Quality Assurance	Wrong material taken for the production	Product nonconformity	5	CC	identification of the material not done properly	3	Color code is assigned for the materials.	By verifying color code & traceability of the material prior to use.	2	30	Precautions shall be taken to prevent such errors by verification of the traceability before use.	QA/QC Engineer	Action taken to be verified after three months	5	1	2	10
Quality Control/ Quality Assurance	Incompetent personnel	Affect quality of the product	4	SC	No proper training provided to the personnel	3	Training matrix is prepared	By verifying the effectiveness of the training	2	24	—	—	—	—	—	—	—

Risk assessment of Store

Process Function	Potential Failure Mode	Potential Effect(s) of Failures	sev	Class	Potential Cause(s)/Mechanism(s) of Failures	Occur	Current Process Controls Prevention	Current Process Controls Detection	Detect	RPN	Recommended Action(s)	Responsibility & Target Completion Date	Action Taken	Sev	Occ	Det	RPN
Store	Material received without Supplier Invoice	Affects the system	3	SC	Supplier unawareness	3	Inform the supplier to provide invoice	When receiving material	4	36	—	—	—	—	—	—	—
Store	Wrong entry of Part No. / heat code	Affects the system and quality	3	SC	Human error / Typo error	3	Create awareness about the importance of this activity	Check the store issue and receiving records	5	45	—	—	—	—	—	—	—
Store	Rust formation on machined part	Affects the quality	4	SC	Rust preventive oil not applied / exposed to moisture	4	Rust preventive oil applied and stored after machining	Visual Inspection during cycle count	5	80	Instruction given to the concerned personnel about the rust prevention methods	QA/QC Engineer / Stores Incharge	Action taken to be verified after three months	4	3	4	48
Store	Exposed Sealing surfaces damages	Affects the quality	3	SC	Improper preservation	2	Stored in a separate area to prevent damages	Regularly	6	36	—	—	—	—	—	—	—
Store	Delivery note issued to customer with wrong information	Customer dissatisfaction	4	SC	no proper information	2	store receipt voucher is prepared to identify the received items	store receipt voucher is prepared to identify the received items & verified by QA/QC	4	32	—	—	—	—	—	—	—
Store	Unexpected Power cuts	Affects the quallity	2	–	Ministry issue	1	Alternate power source to be made available	Requested for alternate power source arrangement	3	6	—	—	—	—	—	—	—
Store	Wrong shipment done to the customer	Customer dissatisfaction	4	SC	Communication Gap	1	Proper communication to be done through proper channel	store keeper to ensure the correct information is taken for the shipment	3	12	—	—	—	—	—	—	—

Example of Procedure for Welding Inspectors Qualification & Training

1.0 SCOPE

The scope of this procedure is to demonstrate the requirement of a welding inspector to perform welding inspection for production welding, procedure qualification welding, or performance qualification welding in XXX

2.0 RESPONSIBILITY

It is the responsibility of QA/QC In-charge to ensure qualified/trained inspector is available to perform welding inspection
It is the responsibility of the Production Manager to ensure the welding is inspected by a qualified/trained welding inspector prior to the next operation
It is the responsibility of the QC Engineer to make sure that the welding is inspected by a qualified/trained inspector prior to release.

3.0 LEVELS OF CERTIFICATION

There are three levels of certification in XXX viz:
- Welding Inspector(WI) – The person who certified in accordance with this procedure by an appointed Certified Welding Inspector or Certified Sr. Welding Inspector
- Welding Inspector Supervisor (WIS) – A certified welding inspector with AWS or CWISP as CWI or CSWIP
- Welding Inspector Trainer (WIT) – A certified or Sr Certified welding inspector with at least 10 years of experience in welding inspection

4.0 PERSONNEL QUALIFICATION

In order to go for welding inspector training the personnel should have the following minimum qualification:

A person qualified in NDE in accordance with ISO 9712, EN473, ASNT SNT-TC-1A or Equivalent standard for a minimum of Level 2 in any two or more of the disciplines such as MPI, PT, RT, UT, and VT.
A qualified engineer in Mechanical or Metallurgy with at least three years of experience in welding-related works.
A Supervisor in welding and fabrication with at least 10 years of experience in welding-related supervision with a level 2 in any of the 2 NDE processes.

5.0 MINIMUM QUALIFICATION TRAINING

A welding inspector shall be trained to do the welding inspection by training and examination in weld visual and understanding various types of defects, method of inspection, in-process inspection, and testing. A Welding Inspector shall be capable of determining weld defects through NDE inspection he is qualified

6.0 CONSULTATION AND PARTICIPATION

A welding inspector shall not approve any welding without proper inspection. If any doubt in making a decision about the welding for its acceptance he shall contact the company-appointed welding inspector. In the event, the company appointed a welding inspector or a certified welding inspector the MR shall make arrangements to contact a CSWIP or an ASME Authorised Inspector for consultation.

AUTHORITY AND RESPONSIBILITY OF WELDING INSPECTOR

TASKS	WI	WIS	WIT
Production Welding
Selection of WPS – Material & Process	X	X	X
Selection of welding process	X	X	X
Selection of welder/welding operator	X	X	X
Weld visual – Root, Intermediate and Final	X	X	X
Weld NDE – Appropriate stages in accordance with the QP	X		X
Acceptance criteria		X	X
PQR Welding
Verify welding equipment appropriateness	X		X
Verify edge preparation compliance	X		X
Verify joint geometry compliance	X		X
Witness procedure qualification			X
Verify welding procedure qualification compliance			X
Develop welding procedures			X
Preparation of WPS		X	X
Monitoring & recording data	X	X	X
Visual Inspection Root – Intermediate and Final		X	X
Weld NDE Review		X	X
Witnessing Mechanical/Chemical Testing	X	X	X
Acceptance criteria		X	X
Performance Qualification
Witness welder performance qualification	X	X	X
Verify welder qualification compliance			X
Verify welder qualification records compliance			X
Request welder performance requalification			X
Inspection
Perform visual examinations	X		X
Verify examination procedure compliance			X
Review examination results compliance			X
Develop visual inspection procedures (before, during, and after welding)			X
Provide NDE inspection planning and scheduling (before, during and after a project)			X
Review welding inspection reports			X
Verify implementation of nondestructive and destructive evaluation methods			X
Prepare visual inspection requirements			X
Prepare NDE requirements			X
Report investigation results of quality inspection disputes			X
Prepare destructive testing requirements			X
Safety
Verify safety requirements compliance			X
Develop safety procedures & policies			X
Quality Assurance
Perform audits & surveillance			X
Develop quality assurance pans			X
Prepare base material control requirements			X
Prepare weld consumables control requirements			X
Prepare audit and surveillance plans			X
Prepare documentation control requirements			X

Training
Develop and provide a training program			X
Develop visual inspection training			X
Verify implementation of visual inspection training			X
Develop & provide a training program for the AWI			X
Provide technical leadership for welding inspectors			X
Develop quality assurance training program			X
Verify implementation of quality assurance training			X
Evaluation
Evaluate AWIs performance			X
Evaluate WIs performance			X
Perform inspection results trend analysis			X

RECORD

Welding Inspector Qualification Training Records.
CWI – Certification.
CSWIP – Certification

ISO 9001:2015 Internal Audit checklist

The following checklist can be used for both internal audits as well as Gap Analysis tools.

	ISO 9001:2015 Checklist
Clause 4:	Context of the organization
4.1	Understanding the organization and its context
1	Has the organization determined the external and internal issues relevant to the Purpose & strategic direction of its QMS and that can affect its ability to achieve the intended results?
2	Does the organization monitor and review information about these external and internal issues?
3	Has the organization determined whether climate change is a relevant issue?
4.2	Understanding the needs and expectations of interested parties
1	Has the organization determined the interested parties that are relevant to the QMS?
2	Has the organization determined the requirements of these interested parties relevant to the QMS?
3	Does the organization monitor and review the information about these interested parties and their relevant requirement?
4.3	Determining the scope of the quality management system
1	Has the organization established the scope of its QMS?
2	Has the organization determined the boundaries and applicability of the QMS?
3	While determining the scope, has the organization determined the external and internal issues, requirements of relevant interested parties, products and services of the organization?
4	How does the organization applies all the requirements of ISO 9001:2015 if they are applicable within the determined scope of its quality management system?
5	Does the scope of the organization’s quality management system is available and be maintained as documented information?
6	Does the scope state the types of products and services covered?
7	Is any of the requirement of ISO 9001:2015 which the organization has determined not applicable to the scope of its quality management system? If yes has the organization provided justification for not being applicable?
8	While determining Applicability, does the organization determine if it affects its ability or responsibility to ensure the conformity of its products and services and the enhancement of customer satisfaction?
4.4	Quality management system and its processes
4.4.1
1	Has the organization established, implemented, maintained and continually improved its QMS , including the processes needed and their interactions, in accordance with the requirements of this ISO 9001:2015 Standard?
2	Has the organization determined the application of these processes and their application throughout the organization?
3	Has the organization determined determine the inputs required and the outputs expected from these processes;
4	Has the organization determined the sequence and the interaction of these processes?
5	Has the organization determined the resources needed for the organization?
6	Has the organization ensured the availability of the resources needed for these processes?
7	Has the organization determined and applied the criteria and methods (including monitoring, measurements and related performance indicators) needed to ensure the effective operation and control of these processes?
8	Has the organization assigned the responsibilities and authorities for these processes?
9	How does the organization address the risks and opportunities as determined in accordance with the requirements of 6.1?
10	Has the organization evaluated these processes and implemented any changes needed to ensure that these processes achieve their intended results?
11	Has the organization improved in its processes and its QMS?
4.2.2
1	Has the organization maintained documented information to support the operation of its processes?
2	Do the organization retain documented information as evidence that the processes have been carried out as planned?
Clause 5	Leadership
5.1	Leadership and commitment
5.1.1	General
1	Does the top management demonstrate leadership and commitment by taking accountability for the effectiveness of its QMS?
2	Has the top management ensured that the quality policy and quality objective are established?
3	Is the quality policy and quality objective compatible with the context and strategic direction of the organization?
4	Has the organization integrated the requirements of QMS with the business processes?
	How is the top management promoting the use of the process approach and risk-based thinking?
	Is the top management ensuring that the resources needed for the QMS are available?
	Is the importance of the effectiveness of QMS and meeting QMS requirements communicated?
	Does the top management ensure that the QMS is achieving its intended results?
5	Does Top Management engage, directs and supports the persons required to contribute to the effectiveness of the QMS requirements?
6	Is Top Management promoting improvements?
7	Is Top Management supporting other relevant management roles to demonstrate their leadership as it applies to their area of responsibilities?
5.1.2	Has the organization determined and provided the persons required for the effective maintenance of QMS and for operation and control of its processes?
1	Does the Top Management demonstrate leadership and commitment by ensuring that customer and applicable statutory and regulatory requirements are determined, understood and are consistently meeting the requirements?
2	how does the top management ensures that the risks and opportunities that can affect conformity of products and services and the ability to enhance customer satisfaction are determined and addressed?
3	Is the focus on enhancing customer satisfaction maintained?
5.2	Policy
5.2.1	Establishing the Quality policy
1	Has the Top Management established, implemented and maintained a quality policy?
2	Is quality policy appropriate to the purpose and context of the organization and does it support its strategic directions?
3	Does the Quality policy provide the framework for setting quality objectives?
4	Does the Quality policy includes a commitment to satisfy applicable requirements?
5	Does the Quality policy includes a commitment to continual improvement of the quality management system.?
5.2.2	Communicating the quality policy
1	Is Quality policy maintained as documented information?
2	Is Quality policy communicated, understood and applied within the organization?
3	Is Quality policy appropriate and made available to the relevant interested parties?
5.3	Organizational roles, responsibilities and authorities
1	Has the Top management ensured that the responsibilities and authorities for relevant roles are assigned, communicated and understood within the organization?
2	While assigning the responsibilities and authorities, do the top management ensure that the quality management system conforms to the requirements of ISO 9001:2015?
3	While assigning the responsibilities and authorities, do the top management ensure that the processes are delivering their intended output?
4	While assigning the responsibilities and authorities, does the top management ensure that the performance of its QMS and opportunities for improvement are reported to them?
5	While assigning the responsibilities and authorities, does the top management ensure that there is the promotion of customer focus throughout the organization?
6	While assigning the responsibilities and authorities, do the top management ensure that the integrity of QMS is maintained when changes to the QMS are planned and maintained?
Clause 6	Planning
6.1	Actions to address risks and opportunities
6.1.1
1	While planning for QMS, does the organization consider the issues referred to in clause 4.1 and the requirements referred to in clause 4.2?
2	Has the organization determined the risks and opportunities that have to be addressed so that QMS can achieve its intended results, enhance desirable effects, prevent, or reduce undesired effects and achieve improvement?
6.1.2
1	Has the organization planned actions to address these risks and opportunities?
2	How does the organization integrate and implement the actions into its quality management system processes?
3	How does the organization evaluated the effectiveness of these actions?
4	Is the action taken to address risks and opportunities proportionate to the potential impact on the conformity of products and services?
6.2	Quality objectives and planning to achieve them
6.2.1
1	Has the organization established quality objectives at relevant functions, levels and processes needed for the QMS?
2	Are the quality objectives consistent with the quality policy?
3	Are the quality objectives measurable and do they take account of applicable requirements?
4	Does the organization have quality objectives which are relevant to the conformity of products and services and enhancement of customer satisfaction?
5	Are the quality objectives monitored, communicated and updated as required?
6	Does the organization maintain documented information on the quality objectives?
6.2.2
1	For achieving quality objectives the organization determines what will be done, what resources are required, who will be responsible, when will it be completed and how are the result to be evaluated?
6.3	Planning for change
1	While determining changes for the QMS, are changes carried out in a planned manner?
2	While planning for change, does the organization consider the purpose of the change and their potential consequence; the integrity of the QMS; the availability of resources; and the allocation and reallocation of responsibilities and authorities?
7.1	Resources
7.1.1	General
1	Has the organization determined and provided the resources needed for the establishment, implementing, maintaining and continually improvement of the QMS?
2	Has the organization considered the capabilities and constraints of existing internal resources?
3	Has the organization considered what needs to be obtained from external providers?
7.1.2	People
1	Has the organization determined and provided the persons required for the effective maintenance of QMS and for the operation and control of its processes?
7.1.3	Infrastructure
1	Has the organization determined and maintained the infrastructure needed for the operation of its processes and to achieve conformity of product and services?
7.1.4	Environment for the operation of processes
1	Has the organization determined, provided and maintain the environment necessary for the operation of its processes and to achieve conformity of products and services?
7.1.5	Monitoring and measuring resources
7.1.5.1	General
1	Has the organization determined and provided the necessary resources needed when monitoring and measuring are used to verify conformity to product and service to requirements?
2	Are resources suitable for the type of monitoring and measurement activities undertaken?
3	Are resources maintained to ensure their continuing fitness for their purpose?
4	Does the organization retain appropriate documented information as evidence of fitness for the purpose of the monitoring and measurement resources?
7.1.5.2	Measurement traceability
1	Is there a requirement for measurement traceability?
2	Where measurement traceability is a requirement, is measurement equipment calibrated or verified at a specified interval or prior to use?
3	Is the calibration done against measurement standards traceable to national or international standards?
4	Where no such standard exists, are documented information retained for the basis used for calibration or verification?
5	How is the measuring equipment identified in order to determine their status?
6	How is the measuring equipment safeguarded from adjustments, damage or deterioration that would invalidate the calibration status and subsequent measurement results?
7	Does the organization determine and take appropriate action if the validity of previous measurement results has been adversely affected when measuring equipment is found to be unfit for its intended purpose?
7.1.6	Organizational knowledge
	Does the organization determine the knowledge necessary for the operation of its processes and to achieve conformity of products and services?
2	Does the organization maintain this knowledge and make it available to the extent necessary?
3	While addressing changing needs and trends, does the organization consider its current knowledge and determine how to acquire or access any necessary additional knowledge and required updates?
7.2	Competence
1	Does the organization determine the necessary competence of its employees whose work affects the performance and effectiveness of the QMS?
2	Does the organization ensure that its employees are competent on basis of appropriate education, training or experience?
3	Does the organization take applicable actions to acquire the necessary competence and evaluate the effectiveness of action taken?
4	Does the organization retain the appropriate documented information as evidence of competence?
7.3	Awareness
1	Does the organization ensure that the persons doing work under the organization’s control are aware of its quality policy, relevant quality objectives, their contribution to the effectiveness of QMS including the benefits of improved performance and the implications of not meeting QMS requirements?
7.4	Communication
1	Does the organization determine the internal and external communication relevant to the QMS including on what it will communicate, when to communicate, with whom to communicate, how to communicate, and who communicates?
7.5	Documented Information
7.5.1	General
1	Does the organization’s QMS include documents required by ISO 9001:2015 and documents determined by the organization necessary for the effectiveness of the QMS?
7.5.2	Creating and updating
1	While creating and updating documented information, does the organization ensure it is appropriate in terms of identification descriptions?
2	While creating and updating documented information does the organization ensure that it is in proper format and in the correct media?
3	While creating and updating documented information, does the organization ensure that there are appropriate review and approval for suitability and adequacy?
7.5.3	Control of documented information
7.5.3.1
1	Does the organization control its documented information to ensure that it is available and suitable for use, whenever it is needed?
2	Is the documented information adequately protected?
7.5.3.2
1	Is the distribution, access, retrieval and use of documented information adequately controlled?
2	Is the documented properly stored and adequately preserved and it is legible?
3	Is there control of changes (e.g. version control)?
4	Are their adequate control in place for retention and disposition?
5	Is external origin documented information necessary for planning and operation of QMS appropriately identified and controlled?
6	Are records protected for unintended alterations?
Clause 8	Operations
8.1	Operation planning and control
1	Does the organization plan, implement and control the processes needed to meet the requirement for the provision of product and services and to implement the action determined in clause 6?
2	Does the organization determine the requirements for the products and services?
3	Has the organization established criteria for the processes and acceptance of products and services?
4	Does the organization determine the resources needed to achieve conformity to the product and service requirements?
5	Does the organization implement controls of the processes in according with the criteria?
6	Does the organization determine, maintain and retain necessary documented information to have confidence that the processes have been carried out as planned and to demonstrate the conformity of products and services?
7	Is the output of this planning suitable for the organization’s operations?
8	Does the organization control its planned changes and review the consequences of unintended changes?
9	Does the organization take action to mitigate any adverse effects of its unintended changes?
10	How does the organization ensure that outsourced processes are controlled?
8.2	Requirements for products and services
8.2.1	Customer communication
1	Does the organization communicate with customers to provide information relating to products and services, handling enquiries, contracts or orders including any changes?
2	Does the organization obtain customer feedback relating to products and services including customer complaint?
3	Does the organization communicate with the customers relating to handling or controlling customer property?
4	Has the organization established requirements for contingency action, where required?
8.2.2	Determining the requirements for products and services
1	How does the organization determine the requirements for products and services to be offered to customers?
2	How are the requirements defined and does it include applicable statutory regulatory requirements and those considered necessary by the organization?
3	How does the organization ensure that it meets the claims for its products and services?
8.2.3	Review of the requirements for products and services
1	How does the organization ensure it can meet product and service requirements?
2	How does the organization conduct a review before committing to supply products and services?
3	How does the organization review the requirements specified by the customer, including the requirements for delivery and post-delivery activities?
4	How does the organization review the requirements not stated by the customers but necessary for the specified or intended use when known?
5	How does the organization review the statutory & regulatory requirements applicable to the product and services and requirements specified by the organization?
6	How does the organization review and resolve contract or order requirements differing from those previously defined?
7	When the customer does not provide a documented statement of their requirement, how does the organization conform to the customer’s requirements before acceptance?
8	Does the organization retain documented information on the results of the review and on any new requirements for the products and services?
8.2.4	Changes to requirements for products and services
1	How does the organization ensure that the relevant documented information is amended and the relevant persons are made aware of the changed requirements when the requirements for the products and services are changed?
8.3	Design and development of products and services
8.3.1	General
1	Has the organization established, implemented and maintained a D&D process that is appropriate to the subsequent provision of products and services?
8.3.2	Design and development planning
1	In determining the stages and controls for D&D, has the organization taken into consideration the nature, duration and complexity of D&D activities?
2	In determining the stages and controls for D&D, has the organization taken into consideration the required process stages including D&D reviews?
3	In determining the stages and controls for D&D, has the organization taken into consideration the D& D verification and validation activities?
4	In determining the stages and controls for D&D, has the organization taken into consideration the responsibilities and authorities involved in the D&D process?
5	In determining the stages and controls for D&D, has the organization taken into consideration the external and internal resources needed?
6	In determining the stages and controls for D&D, has the organization taken into consideration the need to control interfaces between persons involved in D&D?
7	In determining the stages and controls for D&D, has the organization taken into consideration the need for the involvement of customers and users?
8	In determining the stages and controls for D&D, has the organization taken into consideration the requirements of the subsequent provision of products and services?
9	In determining the stages and controls for D&D, has the organization taken into consideration the level of the control expected for the D&D by customers and other relevant interested parties?
10	In determining the stages and controls for D&D, has the organization taken into consideration the documented information needed to demonstrate that design and development requirement has been met?
8.3.3	Design and Development inputs
1	Has the organization determined the essential requirements for the specific types of products and services to be designed and developed?
2	Does the organization consider the following functional and performance requirements; statutory and regulatory requirements; standards or code of practices that the organization has committed to implement; information derived from previous design and development activities; potential consequences of failure due to the nature of the product and services?
3	Does the organization ensure that the inputs are adequate for D&D purpose, complete and unambiguous?
4	Does the organization resolve the conflicting D&D inputs?
5	Are documented information for D&D inputs retained?
8.3.4	Design and development controls
1	Has the organization applied the necessary controls to D & D processes to ensure that the result to be achieved are defined?
2	Has the organization conducted a review to evaluate the ability of the results of D& D to meet the requirements?
3	Has the organization conducted the verification to ensure that D&D meet input requirements?
4	Has the organization conducted the validation to ensure that the resulting product and service meet the requirements of the specified application or intended use?
5	Has the organization taken necessary action on the problems determined during reviews, verification or validation activities?
6	Has the organization retained documented information on the above-mentioned activities?
8.3.5	Design and Development outputs

1	Does the organization ensure that D&D outputs meet the input requirements?
2	Does the organization ensure that D&D outputs include (or have reference) monitoring and measuring requirements and acceptance criteria?
3	Has the organization identified, reviewed and controlled changes made during, or subsequent to the D & D of the product and services to ensure that there is no averse to the impact on conformity to requirements?
4	Does the organization ensure that D&D outputs specify the characteristics of the products and services that are essential for their intended use?
5	Does the organization retain documented information for D&D output?
8.3.6	Design and Development changes
1	Has the organization identified, reviewed and controlled changes made during, or subsequent to the D & D of the product and services to ensure that there is no averse to the impact on conformity to requirement?
2	Has the organization retained the documented information on D&D changes, the result of reviews, authorization of the changes and the action taken to prevent adverse impact?
8.4	Control of externally provided processes, products and services
8.4.1	General
1	Does the organization ensure that the externally provided processes, products and services conform to the requirements?
2	Does the organization determine the controls needed when the product and services from the external providers are incorporated into their own product and services?
3	Does the organization determine the controls needed when the product and services from the external providers are provided directly to the customer by external providers?
4	Does the organization determine the controls needed when the process or part of the process is provided by the external providers?
5	Has the organization determined and applied the criteria for selection, evaluation, monitoring of performance and re-evaluation of external providers?
6	Has the organization retained the documented information of these activities and any action arising out or evaluation/re-evaluation?
8.4.2	Type and extent of control
1	Does the organization ensure that the externally provided processes, product and services do not adversely affect its ability to consistently deliver conforming products and services to the customers?
2	Does the organization ensure that the externally provided process remains within the control of its QMS?
3	Has the organization defined the controls to be applied to an external provider and its resulting outputs?
4	Has the organization taken into consideration the potential impact of the organization’s ability to consistently meet customer and applicable statutory and regulatory requirement?
5	Has the organization taken into consideration the effectiveness of the controls applied by the external providers?
6	Has the organization determined the verification or other activities, necessary to ensure that the externally provided processes, products and services meet requirements?
8.4.3	Information for external providers
1	Does the organization ensure the adequacy of requirements prior to their communication to the external provider?
2	Does the organization communicate to the external providers its requirements for the processes, products and services required?
3	Does the organization communicate to the external providers its requirements for the approval of the product and services; methods, processes and equipment; the release of product and services?
4	Does the organization communicate to the external providers its requirements for competence including any qualification of persons?
5	Does the organization communicate to the external providers its requirements for external provider’s interactions with the organizations?
6	Does the organization communicate to the external providers its requirements for control and monitoring of the external providers’ performance to be applied by the organization?
7	Does the organization communicate to the external providers its requirements for verification or validation activities that the organization or its customer intends to perform at the external providers’ premises?
8.5	Production and Service provision
8.5.1	Control of production and service provision
1	Has the organization implemented production and service provision under controlled conditions?
2	Are there any documented information available that defines the characteristics of the product, services or activities to be performed and the results to be achieved?
3	Are any suitable monitoring and measuring resources available? Are they being used?
4	Are monitoring and measuring activities being performed at appropriate stages?
5	Are competent persons (including qualification) being appointed?
6	Is the infrastructure and environment being used suitable for operation of processes?
7	Has the organization implemented any actions to prevent human error?
8	Has the organization implemented any release, delivery and post-delivery activities?
9	Where resulting output cannot be verified by subsequent monitoring or measurement, has the organization conducted validation and periodic revalidation of the process for production and service provision?
8.5.2	Identification and traceability
1	Has the organization used any suitable means to identify output when it is necessary to ensure the conformity of products and services?
2	Has the status of outputs with respect to monitoring and measuring requirements throughout the production and service provision being identified by the organization?
3	Has the organization controlled the unique identification of the outputs when traceability is a requirement?
4	Has the organization retain the documented information necessary to enable traceability, when traceability is a requirement?
8.5.3	Property belonging to customers or external providers
1	When property belonging to customers or external providers is under the organization’s control or being used by the organization, does the organization exercise adequate care?
2	Does the organization identify, verify, protect and safeguard customers’ or external providers’ property?
3	When the property or the customer or external provider is lost, damaged or otherwise, fount to be unsuitable for use, does the organization report this to the customer or external provider? Does the organization retain documented information on what has occurred?
8.5.4	Preservation
1	Does the organization preserve the outputs during production and service provision, to the extent necessary to ensure conformity to requirements?
8.5.5	Post-delivery activities
1	Does the organization meet requirements for post-delivery activities associated with the product and services?
2	In determining the extent of post-delivery activities does the organization considers the statutory & regulatory requirements; the potential undesired consequences associated with its product and services; customer requirement & feedback; nature, use and intended lifetime of its product and services?
8.5.6	Control of change
1	Do the organization conduct review and control changes for production or service provision to ensure continuing conformity with requirements?
2	Does the organization retain documented information describing the results of the review of changes, the person(s) authorizing the change and any necessary actions arising from the review?
8.6	Does the organization retain the documented information on the release of products and services and it include information relating to the evidence of conformity with the acceptance criteria; traceability of the person authorizing the release?
1	Has the organization implemented planned arrangements, at appropriate stages, to verify that the product and service requirements have been met?
2	Does the organization ensure that the release of product and service proceed only after the planned arrangement is satisfactorily completed or approved by the relevant authority and as applicable by the customer?
3	Does the organization retain the documented information on the release of products and services and does it include information relating to the evidence of conformity with the acceptance criteria; and traceability of the person authorizing the release?
8.7	Control of nonconforming outputs
8.7.1
1	Does the organization ensure that the outputs which do not conform to their requirements are identified and controlled to prevent their unintended use or delivery?
2	Is the action appropriate to the nature of the nonconformity and its effect on the conformity of products and services?
3	Do the organization also consider nonconforming product and services detected after delivery of products, during and after the provision of services?
4	When non-conforming products and services are detected does the organization take correction action and/or segregation, containment, return, or suspension of the provision of product & services and/or informing the customer and/or obtaining authorization for acceptance under concession?
5	Does the organization retain documented information that describes the nonconformity; describes the actions taken; describes any concession obtained; identifies the authority deciding the action in respect of the nonconformity?
Clause 9	Performance evaluation
9.1	Monitoring, measurement, analysis, and evaluation
9.1.1	General
1	Did the organization plan how to monitor, measure, analyze, and evaluate its QMS?
2	Did the organization plan how to monitor QMS performance and effectiveness?
3	Did the organization figure out what needs to be monitored and select methods?
4	Did the organization determine its QMS monitoring requirements?
5	Does the organization select monitoring methods that can produce valid results?
6	Did the organization establish when monitoring should be done and who should do it?
7	Did the organization plan how to measure QMS performance and effectiveness?
8	Did the organization figure out what needs to be measured and did the organization select methods?
9	Did the organization determine its QMS measurement requirements?
10	Does the organization select measurement methods that can produce valid results?
11	Did the organization establish when measuring should be done and who should do it?
12	Did the organization plan how to analyze QMS performance and effectiveness?
13	Did the organization select analytical methods that are capable of producing valid results?
14	Did the organization decide when monitoring and measurement results are analyzed?
15	Did the organization plan how to evaluate QMS performance and effectiveness?
16	Did the organization select evaluation methods that are capable of producing valid results?
17	Did the organization decide when monitoring and measurement results are evaluated?
18	Do the organization monitor, measure, analyze, and evaluate the organization’s QMS?
19	Does the organization monitor the performance and effectiveness of the organization’s QMS?
20	Do the organization record monitoring results and does the organization retain and control these records?
21	Does the organization measure the performance and effectiveness of the organization’s QMS?
22	Do the organization record measurement results and does the organization retain and control these records?
23	Does the organization analyze the performance and effectiveness of its QMS?
24	Do the organization record analytical results and does the organization retain and control these records?
25	Does the organization evaluate the performance and effectiveness of its QMS?
26	Do the organization record evaluation results and does the organization retain and control these records?
9.1.2	Customer satisfaction
1	Does the organization establish methods that the organization can use to monitor customer perceptions?
2	Does the organization figure out how the organization is going to obtain information about how customers feel about how well it is meeting their needs and expectations?
3	Does the organization figure out how the organization is going to review information about how customers feel about how well it is meeting their needs and expectations?
4	Do the organization monitor how well customer needs and expectations are being fulfilled?
5	Do the organization monitor how the organization’s customers feel about how well the organization is meeting their needs and expectations (do the organization monitor the organization’s customers’ perceptions)?
9.1.3	Analysis and evaluation
1	Does the organization analyze its monitoring and measurement results?
2	Does the organization analyze and evaluate appropriate data and information?
3	Does the organization use its analytical results to evaluate performance?
4	Does the organization evaluate the performance of its QMS?
5	Does the organization determine if it needs to improve its performance?
6	Does the organization evaluate the performance of its external providers?
7	Does the organization use its analytical results to evaluate effectiveness?
8	Does the organization evaluate the effectiveness of its QMS?
9	Does the organization determine if it needs to improve its effectiveness?
10	Does the organization evaluate the effectiveness of its planning?
11	Does the organization determine if its plans were effectively implemented?
12	Does the organization evaluate the effectiveness of its actions?
13	Does the organization evaluate the effectiveness of actions taken to address risks?
14	Does the organization evaluate the effectiveness of actions taken to address opportunities?
15	Does the organization use its analytical results to evaluate conformity?
16	Does the organization evaluate the conformity of products and services?
17	Does the organization use its analytical results to evaluate satisfaction?
18	Does the organization evaluate the degree of customer satisfaction?
9.2	Internal Audit
9.2.1
1	Does the organization conduct internal audits at planned intervals?
2	Did the organization plan a program that can find out if QMS meets the Organization’s own requirement and ISO 9001:2015 requirements?
3	Did the organization plan a program that can find out if QMS is effectively implemented and maintained?
9.2.2
1	Did the organization plan, establish, implement, and maintain an audit program?
2	Did the audit program include the frequency, methods, responsibilities, planning requirements, and reporting?
3	Does the audit program take into consideration the importance of the process concerned, changes affecting the organization, and the results of previous audits?
4	Did the organization define the audit criteria and scope of each audit?
5	Does the organization ensure that the audit is conducted by the auditors to ensure objectivity and impartiality of the audit process?
6	Does the organization ensure that the results of the audits are reported to relevant management?
7	Does the organization take appropriate correction and corrective action without undue delays?
8	Does the retain documented information as evidence of the implementation of the audit program and the audit results?
9.3	Management review
9.3.1	General
1	Does the Top Management review the organization QMS at planned intervals?
2	Does the review ensure QMS’s continuing suitability, adequacy, effectiveness, and alignment with the strategic direction of the organization?
9.3.2	Management review inputs
1	Does the review take into consideration the status of actions from previous management reviews?
2	Are the changes in external and internal issues relevant to QMS considered?
3	Does the review take into consideration information on the performance and effectiveness of the QMS?
4	Does the review take into consideration customer satisfaction and feedback from relevant interested parties?
5	Does the review take into consideration the extent to which the quality objectives have been met?
6	Does the review take into consideration the process performance and conformity of products and services?
7	Does the review take into consideration nonconformities and corrective actions?
8	Does the review take into consideration monitoring and measuring results?
9	Does the review take into consideration audit results?
10	Does the review take into consideration the performance of external providers?
11	Does the review take into consideration the adequacy of resources?
12	Does the review take into consideration the effectiveness of actions taken to address risks and opportunities?
13	Does the review take into consideration the opportunities for improvement?
9.3.3	Management review outputs
1	Do the outputs of the Management review include decisions and actions related to the opportunities for improvement; any need for changes to the QMS; and resources needed?
2	Does the organization retain documented information as evidence of the result of the management review?
Clause 10	Improvement
10.1	General
1	Has the organization determine and select opportunities for improvement?
2	Has the organization implemented any necessary action to meet customer requirements and enhance satisfaction?
3	Has the organization taken action for improving products & services to meet requirements as well as to address future needs and expectations?
4	Has the organization taken action for correcting, preventing, or reducing undesired effects?
5	Has the organization taken action for improving the performance and effectiveness of the QMS?
10.2	Nonconformity and corrective action
1	When any nonconformity (including complaints) occurs, does the organization take action to control and correct it and deal with the consequences?
2	When any nonconformity (including complaints) occurs, does the organization evaluate the need for action to eliminate the causes of the nonconformity?
3	Does the organization reviews and analyzes the nonconformity?
4	Does the organization determine the causes of the nonconformity?
5	Does the organization determine similar nonconformity exist or could potentially occur?
6	Has the organization implemented any action needed?
7	Has the organization reviewed the effectiveness of the corrective action taken?
8	Has the organization updated risk and opportunities determined during planning if necessary?
9	Has the organization made changes to the QMS if necessary?
10	Are the corrective actions appropriate to the effects of the nonconformities encountered?
10.2.2
1	Does the organization retain documented information on the nature of the nonconformities and any subsequent actions taken; and the result of any corrective action?
10.3	Continual improvement
1	Does the organization continually improve the suitability, adequacy, and effectiveness of the QMS?
2	Does the organization consider the results of analysis and evaluation, and output from management review to determine if there are needs or opportunities to be addressed as part of continual improvement?

Back to the Home Page

If you need assistance or have any doubts and need to ask any questions contact me at preteshbiswas@gmail.com. You can also contribute to this discussion and I shall be happy to publish them. Your comment and suggestion are also welcome.

Procedure to contain spread of COVID-19 in workplace settings

1. SUMMARY

Coronavirus Disease 2019 (COVID-19) is a respiratory disease caused by the SARS-CoV-2 virus.
Infection with SARS-CoV-2, the virus that causes COVID-19, can cause illness ranging from mild to severe and, in some cases, can be fatal. Symptoms typically include fever, cough, and shortness of breath. Some people infected with the virus have reported experiencing other non-respiratory symptoms. Other people, referred to as asymptomatic cases, have experienced no symptoms at all.
According to the CDC, symptoms of COVID-19 may appear in as few as 2 days or as long as 14 days after exposure.

2. REVISION AND APPROVAL

Rev.	Date	Nature of Changes	Approved By
00	04/06/2020	Original issue.	CEO

3. INTRODUCTION

Offices and other workplaces are relatively close setting, with shared spaces like (corridors, elevators & stairs, parking places, cafeteria, meeting rooms and conference halls etc.) and thus COVID-19 infection can spread relatively fast among employees, staffs and visitors. Thus there is a need to prevent importation of infection in workplace settings and to respond in a timely and effective manner in case suspect case of COVID-19 is detected in these settings, so as to limit the spread of infection.

4. SCOPE

This Procedure outlines the preventive and response measures to be observed to contain the spread of COVID-19 in workplace settings. The HR and Admin Manager along with Department Head are responsible for implementation of the Procedure.

5. BASIC PREVENTIVE MEASURES

The basic preventive measures include simple public health measures that are to be followed to reduce the risk of infection with COVID-19. These measures need to be observed by all (employees and visitors) at all times. These include:

Physical distancing of at least one meter to be followed at all times.
Use of face covers/masks to be mandatory.
Practice frequent hand washing (for at least 40-60 seconds) even when hands are not visibly dirty and use of alcohol based hand sanitizers (for at least 20 seconds).
Respiratory etiquettes to be strictly followed. This involves strict practice of covering one’s mouth and nose while coughing/sneezing with a tissue/handkerchief/flexed elbow and disposing off used tissues properly.
Self-monitoring of health by all and reporting any illness at the earliest

6. PREVENTIVE MEASURES FOR OFFICES/SITES:

The HOD and HR & Admin Manager will ensure that Guidelines with respect to preventive measures specific to offices that has been/will be issued by Minister of Heath Kuwait is being followed. Any staff reportedly suffering from flu-like illness should not attend office and seek Medical advice from local health authorities. Such persons, if diagnosed as a suspect/confirmed case of COVID-19 should immediately inform the office authorities. Any staff requesting home quarantine based on the containment zone activities in their residential areas should be permitted to work from home. MOH guidelines with respect to organizing meetings, coordinating visitors shall be scrupulously followed.

All the Departments are advised to take all necessary measures such as :-

Install thermal scanners at the entry of buildings and Sites as feasible. Mandatory placing of hand sanitizers at the entry of buildings/Sites. Those found having flu-like symptoms may be advised to take proper treatment/quarantine etc.
Discourage, to the maximum extent, entry of visitors in the office/ Sites. Routine issue of visitors/temporary passes should be suspended with immediate effect. Only those visitors whom have proper permission of the Deputy Director or above who they want to meet should be allowed after being properly screened.
Meetings, as far as feasible, should be done through video conferencing. To minimize or reschedule meetings involving large number of people unless necessary.
Avoid non-essential official travel.
Undertake essential correspondence on official email and avoid sending files and documents to other offices, to the extent possible.
Facilitate delivery and receipt of Courier at the entry point itself of the office building, as far as practicable.
Ensure proper cleaning and frequent sanitization of the workplace, particularly of the frequently touched surfaces.
Ensure regular supply of hand sanitizers, soap and running water in the washrooms.
All employees may be advised to take care of their own health and look out for respiratory symptoms/fever and, if feeling unwell, should leave the workplace immediately after informing their reporting Managers.
The leave sanctioning authorities are advised to sanction leave whenever any request is made for self-quarantine as a precautionary measure.
Advise all employees who are at higher risk i.e. older employees, pregnant employees and employees who have underlying medical conditions, to take extra precautions. The Departments may take care not to expose such employees to any front-line work requiring direct contact with the public.

7. DO’s AND DON’Ts FOR ALL EMPLOYEES

1) Do’s

To maintain personal hygiene and physical distancing.
To practice frequent hand washing. Wash hands with soap and water or use alcohol-based hand rub. Wash hands even if they are visibly clean.
To cover your nose and mouth with handkerchief/tissue while sneezing and coughing.
To throw used tissues into closed bins immediately after use.
To maintain a safe distance from persons during interaction, especially with those having flu-like symptoms.
To sneeze in the inner side of your elbow and not to cough into the palms of your hands.
To take their temperature regularly and check for respiratory symptoms.
To see a doctor if you feel unwell (fever, difficulty in breathing and coughing). While visiting doctor, wear a mask/cloth to cover your mouth and nose.

2) Don’ts

Shake hands.
Have a close contact with anyone, if you’re experiencing cough and fever.
Touch your eyes, nose and mouth.
Sneeze or cough into palms of your hands.
Spit in Public.
Travel unnecessarily, particularly to any affected region.
Participate in large gatherings, including sitting in groups at cafeteria.
Visit gyms, clubs and crowded places etc.
Spread rumors or panic.

8. MEASURES TO BE TAKEN ON OCCURRENCE OF CASE OF COVID-19:

Despite taking the above measures, the occurrence of cases among the employees working in the office cannot be ruled out. The following measures will be taken in such circumstances:

1. When one or few person(s) who share a room/close office space is/are found to be suffering from symptoms suggestive of COVID-19:
  1. Place the ill person in a room or area where they are isolated from others at the workplace. Provide a mask/face cover till such time he/she is examined by a doctor.
  2. Report to concerned health authorities will be immediately informed.
  3. A risk assessment will be undertaken by the departmental Head along with Safety manager and accordingly further advice shall be made regarding management of case, his/her contacts and need for disinfection.
  4. The suspect case if reporting very mild / mild symptoms on assessment by the health authorities would be placed under home isolation, subject to fulfillment of criteria laid down in MOH guidelines
  5. Suspect case, if assessed by health authorities as moderate to severe, he/she will follow the MOH guidelines.
  6. The rapid response team consisting of Admin and Hr. Manager, safety manager and the Dept. Head of the concerned department shall be requisitioned and will undertake the listing of contacts.
  7. The necessary actions for contact tracing and disinfection of work place will start once the report of the patient is received as positive. The report will be expedited for this purpose.
2. If there are large numbers of contacts from a pre-symptomatic/asymptomatic case, there could be a possibility of a cluster emerging in workplace setting. Due to the close environment in workplace settings this could even be a large cluster (>3 cases). The essential principles of risk assessment, isolation, and quarantine of contacts, case referral and management will remain the same. However, the scale of arrangements will be higher.
3. Management of contacts:
  The contacts will be categorized into high and low risk contacts by the Safety Manager. The high risk exposure contacts shall be quarantined for 14 days. They will follow the guidelines on home quarantine as given by MOH, Kuwait. These persons shall undergo testing as per MOH, Kuwait protocol. The low risk exposure contacts shall continue to work and closely monitor their health for next 14 days.
4. Risk profiling of contacts
  Contacts are persons who have been exposed to a confirmed case anytime between 2 days prior to onset of symptoms (in the positive case) and the date of isolation (or maximum 14 days after the symptom onset in the case).
  1. High-risk contact
    - Touched body fluids of the patient (respiratory tract secretions, blood, vomit etc; e.g. being coughed on, touching used paper tissues with a bare hand)
    - Had direct physical contact with the body of the patient including physical examination without PPE
    - Touched or cleaned the linens, clothes, or dishes of the patient.
    - Lives in the same household as the patient.
    - Anyone in close proximity (within 1 meter) of the confirmed case without precautions.
    - Passengers in close proximity (within 1 meter) in a conveyance with a symptomatic person who later tested positive for COVID-19 for more than 6 hours.
  2. Low-risk contact
    - Shared the same space (worked in same room/similar) but not having a high-risk exposure to confirmed case of COVID-19.
    - Travelled in same environment (bus/train/flight/any mode of transit) but not having a high-risk exposure.

9. CLOSURE OF WORKPLACE

If there are one or two cases reported, the disinfection procedure will be limited to places/areas visited by the patient in past 48 hrs. There is no need to close the entire office building/halt work in other areas of the office and work can be resumed after disinfection as per laid down protocol (see para 10).
However, if there is a larger outbreak, the entire building will have to be closed for 48 hours after thorough disinfection. All the staff will work from home, till the building is adequately disinfected and is declared fit for re-occupation.

10. DISINFECTION PROCEDURES IN OFFICES

1. Indoor areas including office spaces

Office spaces, including conference rooms should be cleaned every evening after office hours or early in the morning before the rooms are occupied. If contact surface is visibly dirty, it should be cleaned with soap and water prior to disinfection. Prior to cleaning, the worker should wear disposable rubber boots, gloves (heavy duty), and a triple layer mask.
Start cleaning from cleaner areas and proceed towards dirtier areas.
All indoor areas such as entrance lobbies, corridors and staircases, escalators, elevators, security guard booths, office rooms, meeting rooms, cafeteria should be mopped with a disinfectant with 1% sodium hypochlorite or phenolic disinfectants. High contact surfaces such elevator buttons, handrails / handles and call buttons, escalator handrails, public counters, intercom systems, equipment like telephone, printers/scanners, and other office machines should be cleaned twice daily by mopping with a linen/absorbable cloth soaked in 1% sodium hypochlorite. Frequently touched areas like table tops, chair handles, pens, diary files, keyboards, mouse, mouse pad, tea/coffee dispensing machines etc. should specially be cleaned.
For metallic surfaces like door handles, security locks, keys etc. 70% alcohol can be used to wipe down surfaces where the use of bleach is not suitable.
Hand sanitizing stations should be installed in office premises (especially at the entry) and near high contact surfaces.
In a meeting/conference/office room, if someone is coughing, without following respiratory etiquettes or mask, the areas around his/her seat should be vacated and cleaned with 1% sodium hypochlorite.
Carefully clean the equipment used in cleaning at the end of the cleaning process.
Remove PPE, discard in a disposable PPE in yellow disposable bag and wash hands with soap and water.
In addition, all employees should consider cleaning the work area in front of them with a disinfecting wipe prior to use and sit one seat further away from others, if possible

2. Outdoor areas

Outdoor areas have less risk then indoor areas due to air currents and exposure to sunlight. These include bus stops, railway platforms, parks, roads, etc. Cleaning and disinfection efforts should be targeted to frequently touched/contaminated surfaces as already detailed above.
3. Public toilets

Sanitary workers must use separate set of cleaning equipment for toilets (mops, nylon scrubber) and separate set for sink and commode). They should always wear disposable protective gloves while cleaning a toilet.

70% Alcohol can be used to wipe down surfaces where the use of bleach is not suitable, e.g. metal. (Chloroxylenol (4.5-5.5%) / Benzalkonium Chloride or any other disinfectants found to be effective against coronavirus may be used as per manufacturer’s instructions)
Always use freshly prepared 1% sodium hypochlorite.
Do not use disinfectants spray on potentially highly contaminated areas (such as toilet bowl or surrounding surfaces) as it may create splashes which can further spread the virus.
To prevent cross contamination, discard cleaning material made of cloth (mop and wiping cloth) in appropriate bags after cleaning and disinfecting. Wear new pair of gloves and fasten the bag.
Disinfect all cleaning equipment after use and before using in other area
Disinfect buckets by soaking in bleach solution or rinse in hot water

4. Personal Protective Equipment (PPE):

Wear appropriate PPE which would include the following while carrying out cleaning and disinfection work.

Wear disposable rubber boots, gloves (heavy duty), and a triple layer mask
Gloves should be removed and discarded damaged, and a new pair worn.
All disposable PPE should be removed and discarded after cleaning activities are completed.
Hands should be washed with soap and water immediately after each piece of PPE is removed, following completion of cleaning.
Masks are effective if worn according to instructions and properly fitted. Masks should be discarded and changed if they become physically damaged or soaked.

5. Guidelines for use of mask

The correct procedure of wearing triple layer surgical mask

Perform hand hygiene
Unfold the pleats; make sure that they are facing down.
Place over nose, mouth and chin.
Fit flexible nose piece over nose bridge.
Secure with tie strings (upper string to be tied on top of head above the ears –lower string at the back of the neck.)
Ensure there are no gaps on either side of the mask, adjust to fit.
Do not let the mask hanging from the neck.
Change the mask after six hours or as soon as they become wet.
Disposable masks are never to be reused and should be disposed off.
While removing the mask great care must be taken not to touch the potentially infected outer surface of the mask
To remove mask first untie the string below and then the string above and handle the mask using the upper strings.
Disposal of used masks: Used mask should be considered as potentially infected medical waste. Discard the mask in a closed bin immediately after use.

10. HAND WASHING TECHNIQUE WITH SOAP AND WATER

11. Management of the cases and Contact

12. Disinfection of workplace

ISO 9001:2015 Clause 7.5 Documented Information

Definition:

ISO 9001:2015 defines documented information as meaningful data that is required to be controlled and maintained by the organization and the medium on which it is contained. Notes to this definition indicate that documented information can refer to the Quality Management System (QMS) and its processes, documentation, and records.

Documented information replaces the requirement for procedures, records and other items of documentation in ISO 9001:2015. Documented information can be of two types:

Documented information that needs to be maintained. This will cover procedures, policies, etc. that would have been referred to as “documented procedures” or just “documents” in ISO 9001:2008
Documented information that needs to be retained. This will cover what ISO 9001:2008 called “records”.

Introduction:

A particular support requirement is now documented information. Gone are the terms documents, documented procedures, and records; everything is now known as documented information whether that’s records, procedures, processes, etc. and in whatever form e.g. paper, electronic, etc. Documented information can be used to communicate a message, provide evidence of what was planned has actually been done, or knowledge sharing. Documentation Information is the information required to be controlled and maintained by an organization and the medium on which it is contained. It can be in any format and media and from any source such as paper, magnetic, electronic, or optical computer disc, photograph, master sample, etc. It can refer to:

quality management system, including related processes;
information created in order for the organization to operate (documentation);
evidence of results achieved (records).

One of the important objectives in the revision of the ISO 9001 series of the standard had been that the amount and detail of documentation required by the organization have to be more relevant to the desired results of the organization’s process activities. ISO 9001:2015 allows an organization flexibility in the way it chooses to document its quality management system (QMS). This enables each individual organization to determine the correct amount of documented information needed in order to demonstrate the effective planning, operation, and control of its processes and the implementation and continual improvement of the effectiveness of its QMS. It is stressed that ISO 9001 requires (and always has required) a “Documented quality management system”, and not a “system of documents”.

The QMS needs to include documented information required by the ISO 9001 standard as well as documented information determined by the organization necessary for the effectiveness of the QMS. The organization must determine what documented information is necessary for the effectiveness of the management system. The extent of documented information for a management system can differ from one organization to another due to the size of the organization and its type of activities, processes, products, and services, the complexity of processes and their interactions, and the competence of persons. Auditors will need to understand the term ‘documented information’, however organizations are still free to use whatever terms suit their own requirements.

The following are some of the main objectives of an organization’s documented information:

Communication of Information: As a tool for information transmission and communication. The type and extent of the documented information will depend on the nature of the organization’s products and processes, the degree of formality of communication systems and the level of communication skills within the organization, and the organizational culture.
Evidence of conformity: Provision of evidence that what was planned has actually been done.
Knowledge sharing
To disseminate and preserve the organization’s experiences. A typical example would be a technical specification, which can be used as a base for the design and development of a new product or service.

Documented Information has the following sub-clauses:

7.5.1 General
7.5.2 Creating and Updating
7.5.3 Control of Documented Information

7.5.1 General

The Organization’s QMS must include all documented information required by ISO 9001 and the documented information determined by the organization as being necessary for the effectiveness of the QMS. The extent of documented information can differ from one organization to another due to the size of the organization and its type of activities, processes, products, and services; complexity of processes and their interactions; competence of persons.

The requirement of this clause is linked to clause 4.4 (Quality management systems and its processes) which requires an organization to “maintain documented information to the extent necessary to support the operation of processes and retain documented information to the extent necessary to have confidence that the processes are being carried out as planned.”Clause 7.5.1 specifies all the different types of documentation needed for your QMS. The need to have additional documentation beyond those specified in this standard may depend upon – customer; regulatory and your own organizational requirements. Other factors to consider may include the complexity of products/Services and processes, type of activities, the effect on quality, the risk of customer dissatisfaction, economic risk, effectiveness and efficiency, the competence of personnel. Clause 7.5.1b requires you to have documents needed to ensure the effectiveness of the QMS. Each organization must determine what documentation is needed to achieve this based upon the complexity of products/services and processes, type of activities, effect on quality, the risk of customer dissatisfaction, economic risk, effectiveness and efficiency, the competence of personnel. There is no need for a Quality manual and six mandatory procedures in ISO 9001:2015. A document is an information that is written or recorded on some medium such as paper or computer. A document may specify requirements for e.g. a drawing or technical specification, may provide direction for e.g. quality plan, or show results or evidence of activities performed for e.g. records. The term “Documented Information” is used for all document requirements in ISO 9001:2015. For specific terminology used in ISO 9001:2008 such as “document” or “documented procedures”, “quality manual” or “quality plan”, ISO 9001:2015 defines requirements to “maintain documented information”. In ISO 9001:2008 the term “records” was used to denote documents needed to provide evidence of conformity with requirements. In 9001:2015 this is now expressed as a requirement to “retain documented information”. The organization is responsible for determining what documented information needs to be retained, the period of time for which it is to be retained and the media to be used for its retention. The requirement to “maintain” documented information may also include the possibility that the organization can “retain” that same documented information for a particular purpose, for e.g. to retain previous versions of it. When the term “information” rather than “documented information” is used, the organization may choose not to document the” information”. (e.g. in clause 4.1 states: “The organization shall monitor and review the information about these external and internal issues”). The organization can decide whether or not it is necessary or appropriate to maintain documented information.

Documented information needed to be maintained by the organization for the purposes of establishing a QMS (high-level transversal documents) includes:

The scope of the quality management system (clause 4.3).
Documented information necessary to support the operation of processes (clause 4.4).
The quality policy (clause 5.).
Quality objectives (clause 6.2).
This documented information is subject to the requirements of clause 7.5.

Documented information maintained by the organization for the purpose of communicating the information necessary for the organization to operate may include and not limited to(clause 4.4)

Organization charts
Process maps, process flow charts and/or process descriptions
Procedures
Work and/or test instructions
Specifications
Documents containing internal communications
Production schedules
Approved supplier lists
Test and inspection plans
Quality plans
Quality manuals
Strategic plans
Forms

These are low-level specific documents and ISO 9001:2015 does not specifically require any of them. But in case such documents are part of QMS, they are subjected to all the controls given in clause 7.5.2 (creating and Updating) and clause 7.5.3(Control of documented information).

Documented information needed to be retained by the organization for the purpose of providing evidence of result achieved (records) includes:

Documented information to the extent necessary to have confidence that the processes are being carried out as planned (clause 4.4).
Evidence of fitness for the purpose of monitoring and measuring resources (clause 7.1.5.1).
Evidence of the basis used for calibration of the monitoring and measurement resources (when no international or national standards exist) (clause 7.1.5.2).
Evidence of competence of the person(s) doing work under the control of the organization that affects the performance and effectiveness of the QMS (clause 7.2).
Results of the review and new requirements for the products and services (clause 8.2.3).
Records needed to demonstrate that design and development requirements have been met (clause 8.3.2)
Records on design and development inputs (clause 8.3.3).
Records of the activities of design and development controls (clause 8.3.4).
Records of design and development outputs (clause 8.3.5).
Design and development changes, including the results of the review and the authorization of the changes and necessary actions (clause 8.3.6).
Records of the evaluation, selection, monitoring of performance and re‐evaluation of external providers and any and actions arising from these activities (clause 8.4.1)
Evidence of the unique identification of the outputs when traceability is a requirement (clause 8.5.2).
Records of the property of the customer or external provider that is lost, damaged or otherwise found to be unsuitable for use and of its communication to the owner (clause 8.5.3).
Results of the review of changes for production or service provision, the persons authorizing the change, and necessary actions taken (clause 8.5.6).
Records of the authorized release of products and services for delivery to the customer including acceptance criteria and traceability to the authorizing person(s) (clause 8.6).
Records of nonconformities, the actions are taken, concessions obtained and the identification of the authority deciding the action in respect of the nonconformity (clause 8.7).
Results of the evaluation of the performance and the effectiveness of the QMS (clause 9.1.1)
Evidence of the implementation of the audit programme and the audit results (clause 9.2.2).
Evidence of the results of management reviews (clause 9.3.3).
Evidence of the nature of the nonconformities and any subsequent actions taken(clause 10.2.2).
Results of any corrective action (clause 10.2.2).

In addition, Organizations may develop other records that are be needed to demonstrate the conformity of their processes, products and services, and quality management system, and in case such document is part of QMS, they are subjected to all the controls given in clause 7.5.2 (creating and Updating) and clause 7.5.3(Control of documented information).

7.5.2 Creating and Updating

When creating and updating documented information the organization must ensure appropriate identification and description (e.g., a title, date, author, or reference number); format (e.g., language, software version, graphics), and media (e.g., paper, electronic); review and approval for suitability and adequacy.

While ISO 9001:2015 does not require a documented procedure for creating, updating, and control of documented information, still we need a procedure for creating, updating, and ultimately control of documented information. Your system for managing documented information doesn’t itself have to be documented, which is a big change from ISO 9001:2008, which required documented procedures for both document control and control of records, documenting them will act as evidence that adequate organization knowledge is available with the organization regarding creation, updating, and control of documented information. ISO 9001:2015 doesn’t require you to write a procedure for how you control documented information. Should you do it anyway? Yes! It’s a potentially complicated topic that should be communicated in a consistent manner. Describe your system within maintained documented information (i.e., a documented procedure) and you’ll have much less confusion.

You have to ensure the following practices are in place when you create and update documented information:

Identification: Documents and records must-have titles, document numbers, or something that indicates their identity. As long as you can differentiate between different documented information, knowing which ones address which topics, then you’ve met this requirement.
Format: The documents must be usable for their purpose. The format must be appropriate to the purpose and users, and the media must be accessible and understandable. For example, if the medium is electronic, then users would need to have access to a computer or other interface that can display the electronic media. Another example might relate to a company that has a high percentage of employees who speak Marathi their documentation would need to be graphically formatted (to make language irrelevant) or translated into Marathi, the language predominantly spoken by the employees.
Review and approval for suitability and adequacy: Somebody must review and approve the documented information before it’s used. Who performs this function is completely up to you. There are many ways to signify review and approval: signatures, initials, email approval, electronic signatures, meeting minutes, or click-box approval within a document control program. Review and approval do have to be traceable, meaning it must be clear who performed it. It should also be secure, which means the organization has prevented imposters from making reviews/approvals under somebody else’s name.

7.5.3 Control of Documented Information

7.5.3.1

Documented information required by Your QMS and by ISO 9001 must be controlled to ensure it is available and suitable for use, where and when it is needed; It must is adequately protected from loss of confidentiality, improper use, or loss of integrity.

7.5.3.2

For the control of documented information, the organization must address, as applicable: distribution, access, retrieval, and use; storage and preservation, including preservation of legibility; control of changes (e.g., version control); retention and disposition. Documented information of external origin determined by the organization to be necessary for the planning and operation of the system must be identified as appropriate, and controlled. Access can imply a decision regarding the permission to view the documented information only, or the permission and authority to view and change the documented information.

Once the documented information exists, the next logical step is controlled. Here are the control requirements from ISO 9001:2015:

Availability: The documented information exists where it’s supposed to exist. The organization has dedicated the resources to create the documented information and the information is suitable for the need it was intended to fill.
Protection: The documented information is protected from tampering, unauthorized changes, and damage. People who shouldn’t see the documented information are prevented from seeing it. Appropriate safeguards put in place by the organization to ensure information isn’t misused in any way. System passwords and employee training are two ways to accomplish this.
Distribution: You can assess the documented information. Employees don’t struggle to find it, and they understand how to interpret its meaning. If a computer or program is necessary to access the documented information intended for employees, then employees can operate it. In the case of retained information (e.g., records), they can be retrieved within a reasonable amount of time.
Storage: The organization specifies where the documented information is located. This applies to retained documented information (records) and maintained documented information (documents). The location is accurate and verifiable, and there are controls to preserve the information.
Preservation could include periodic backups of computer files and periodic monitoring to ensure continued legibility. The controls for “preservation” are very similar to the controls for “protection,” described above.
Change control: The organization is able to ensure that the correct versions of documented information are available. When documented information is revised, the revisions are incorporated into the information in use (after review and approval). There are safeguards in place to prevent employees from incorrectly accessing and using obsolete information.
Retention: We say how long we retain documented information. Remember, the term “retain” refers to records, so this is the requirement for establishing a retention time. Every record in your system could conceivably have a different retention time, and ISO 9001:2015 provides no guidance on the appropriate retention times of records. This is completely up to the organization and its needs.
Disposition refers to what happens to the record after the retention times have elapsed. Typical dispositions include archive, shred, or recycle.

Finally, ISO 9001:2015 addresses external documents and preventing unintended alterations of retained information. An external document is published outside the organization and used within the scope of the management system. Examples of external documents possibly requiring control include:

Troubleshooting and/or calibration manuals published by equipment manufacturers
Test procedures, specifications, and/or engineering drawings published by customers or other bodies
Instructions, specifications, and/or procedures published by suppliers
Standards published by industrial organizations applicable to the organization
International standards such as ISO 9001

Once external documents have been determined, they must be identified, and they must be controlled. Like internal documents, there must be a title, document number, or another unique identifier. Such identification typically comes from the source that publishes the document, and the organization simply adopts it. Make sure that all the other aspects of “control” are applied to external documents.

The last requirement provided by ISO 9001:2015 concerns retained documented information that provides evidence of conformity. In other words, records that prove you met requirements. The organization must ensure that people can’t make unauthorized changes to records. This is a restatement of the protection and preservation requirements already discussed.

What to control?

“Do I need to control this?” is one of the most frequently asked questions in organizations working toward, or maintaining, a formal management system. Given the universe of documented information possibly requiring control, the question is understandable. Besides, most people would rather not control something if they don’t have to. Here are some questions to ask when determining whether a document should be controlled:

Does the documented information guide the production of products (i.e., goods or services) provided by the organization?
Does the documented information guide the verification, inspection, or testing of products provided by the organization?
Does the documented information define customer and/or product requirements?
Is the documented information used for controlling processes?
Is the documented information used for decision-making by production personnel?
Is the documented information used for collecting data that could be used later for decision-making within the scope of the management system (e.g., a form)?
Is the information so critical that failure to keep it updated would pose a risk to the organization or its customers?
Does the documented information address or relate to a requirement from ISO 9001?

If the answer to one or more of these questions is yes, then the documented information should probably be controlled. For illustration purposes, consider the following scenarios:

An interoffice memo is posted on a wall in the fabrication department. The memo gives a number of functional and packaging requirements for a product that’s fabricated there. Because of where the document has been posted and the information it contains, the memo should be controlled. Ignore the fact that memos are rarely controlled; in this case, it provides customer requirements, guides decision making, and relates directly to ISO 9001 requirements. Even if the memo duplicates information contained elsewhere in controlled specifications, the uncontrolled memo would still be a problem. Eventually, there will be a discrepancy between the information on the memo and the information contained in the controlled specifications. The organization should either control the posted memo or get rid of it.
A training department develops videos to train employees on the proper setup and operation of production lines. The videos are included in the training program for new hires and existing employees. In this case, document control is required because the videos define process control, guide the production of products, and relate to the training requirements of IS0 9001.
Product defect samples are displayed in a lighted glass cabinet in the visual inspection area, The samples illustrate the limits of various defects that can be considered acceptable to customers, and they’re used when inspectors aren’t certain of the criteria. Currently, the display cabinet is labelled “for reference only.” Despite this declaration. the samples should be controlled because they define customer requirements.
An organization develops a checklist that’s used to record the results of product inspection. The blank checklist defines exactly what’s to be inspected as indicated by the spaces that inspectors must complete. These blank forms need to be controlled as documents and then as records once they’re completed.

These scenarios highlight the fact that documented information needn’t be limited to traditional procedures, work instructions, and the like. The term “documented information” can encompass a wide range of things, all of which might require control, depending on the information they contain. Some examples include Databases, Photos, Drawings, diagrams, sketches, audio, video, Product samples, and defect samples, Paint swatches for color matching, Checklists, Flow diagrams, Blank forms, etc

Organizations preparing to implement a QMS

For organizations that are in the process of implementing a QMS, and wish to meet the requirements of ISO 9001:2015, the following comments may be useful.

For organizations that are in the process of implementing or have yet to implement a QMS, ISO 9001:2015 emphasizes a process approach. This includes:

determining the processes necessary for the effective implementation of the quality management system determining the interactions between these processes.
documenting the processes to the extent necessary to assure their effective operation and control. (It may be appropriate to document the processes using process mapping tools. It is emphasized, however, that documented process mapping tools are not a requirement of ISO 9001:2015).

2. Analysis of the processes should be the driving force for defining the amount of documented information needed for the quality management system, taking into account the requirements of ISO 9001:2015. It should not be the documented information that drives the processes.

Organizations wishing to adopt an existing QMS

For organizations that currently have a QMS the following comments are intended to assist in understanding the changes to documented information that may be required or facilitated by the transition to ISO 9001:2015:

An organization with an existing QMS should not need to rewrite all of its documented information in order to meet the requirements of ISO 9001:2015. This is particularly true if an organization has structured its QMS based on the way it effectively operates, using a process approach.
An organization may be able to carry out some simplification and/or consolidation of existing documented information in order to simplify its QMS.

Demonstrating conformity with ISO 9001:2015

For organizations wishing to demonstrate conformity with the requirements of ISO 9001:2015, for the purposes of certification/registration, contractual, or other reasons, it is important to remember the need to provide evidence of the effective implementation of the QMS.

Organizations may be able to demonstrate conformity without the need for extensive documented information
To claim conformity with ISO 9001:2015, the organization has to be able to provide objective evidence of the effectiveness of its processes and its quality management system. Clause 3.8.3 of ISO 9000:2015 defines “objective evidence” as “data supporting
the existence or verity of something” and notes that “objective evidence may be obtained through observation, measurement, test, or other means.”
Objective evidence does not necessarily depend on the existence of documented information, except where specifically mentioned in ISO 9001:2015. In some cases, (for example, in clause 8.1 (e) Operational planning and control, it is up to the organization to determine what documented information is necessary in order to provide this objective evidence.
Where the organization has no specific documented information for a particular activity, and this is not required by the standard, it is acceptable for this activity to be conducted using as a basis the relevant clause of ISO 9001:2015. In these situations, both internal and external audits may use the text of ISO 9001:2015 for conformity assessment purposes.

Documentation requirements in tabular form

From the text, it is normally evident when “documented information” relates to “records” as evidence of performed activity/process and when “documents information” relates to how to perform an activity/ process. Normally the standard refers to “shall maintain documented information” when the meaning is how to perform an activity/process and “shall retain documented information” when the meaning is to keep evidence of performed activity/process.
These are the minimum documentation requirements. Organizations themselves can decide that they need additional documented information.

Clause	Documentation Requirement
Clause 4.3 Determining the scope of the quality management system	The scope of the organization’s quality management system shall be available and be maintained as documented information. The scope shall state the types of products and services covered, and provide justification for any requirement of this International Standard that the organization determines is not applicable to the scope of its quality management system. Click here for an example of how a scope could be derived
4.4.2 (Quality management system and its processes)	To the extent necessary, the organization shall: a) maintain documented information to support the operation of its processes; b) retain documented information to have confidence that the processes are being carried out as planned. Example of Quality Manual
5.2.2 (Communicating the quality policy)	The quality policy shall: a) be available as documented information; b) be communicated, understood and applied within the organization; c) be available to interested parties, as appropriate; Examples of the Documented statement of Quality Policy
6.2 (Quality objectives and planning to achieve them)	The organization shall maintain documented information on quality objectives. Example of functional objectives
7.1.5.1 General(Monitoring and measuring resources)	The organization shall retain appropriate documented information as evidence of fitness for the purpose of monitoring and measuring devices. Example of formats for Details of Instruments
7.1.5.2 (Measurement traceability)	When measurement traceability is a requirement or is considered by the organization to be an essential part of providing confidence in the validity of measurement results, measuring equipment shall be: a) calibrated or verified, or both, at specified intervals, or prior to use, against measurement standards traceable to international or national measurement standards; when no such standards exist, the basis used for calibration or verification shall be retained as documented information; Example of Instrument calibration history card
7.2 (Competence)	The organization shall: d) retain appropriate documented information as evidence of competence. Example of format for List of Employees Example of format for Employee Training Plan &Record Example of format for Staff Induction Program Example of format for Competency Matrix Example of format for Skill Matrix Example of format for Training Need Identification
7.5.1 General (Documented information)	The organization’s quality management system shall include: a) documented information required by this International Standard; b) documented information determined by the organization as being necessary for the effectiveness of the quality management system. NOTE The extent of documented information for a quality management system can differ from one organization to another due to: – the size of the organization and its type of activities, processes, products, and services; – the complexity of processes and their interactions; – the competence of persons.
8.1.e (Operational planning and control)	determining and keeping documented information to the extent necessary 1) to have confidence that the processes have been carried out as planned; 2) to demonstrate the conformity of products and services to their requirements. NOTE “Keeping” implies both the maintaining and the retaining of documented information. Example of format for Process plan Example of template for Project Quality plan Example of format for the Quality plan
8.2.3.2 (Review of requirements related to products and services)	The organization shall retain documented information, as applicable: a) on the results of the review; b) on any new requirements for the products and services. Example of format for contract review Example of format for verbal order register
8.3.2 (Design and development planning)	In determining the stages and controls for design and development, the organization shall consider: j) the documented information needed to demonstrate that design and development requirements have been met. Example of Procedure for design and development Example of format for Design planning Example of format for Development Inquiry Register
8.3.3 (Design and development inputs)	The organization shall retain documented information on design and development inputs. Example of format for the Design input record
8.3.4 (Design and development control)	The organization shall apply controls to the design and development process to ensure that: f) documented information of these activities is retained Example of format for design and development review Example of format for Design verification report Example of format for Design validation
8.3.5 (Design and development output)	The organization shall retain documented information on the design and development outputs. Example of format for the Design output Example of a list of design output
8.3.6 (Design and development changes)	The organization shall retain documented information on: a) design and development changes; b) the results of reviews; c) the authorization of the changes; d) the actions are taken to prevent adverse impacts. Example of format for the Design change record
8.4.1 General (Control of externally provided products and services)	The organization shall retain documented information of the results of these activities and any necessary actions arising from the evaluations. Example of format for List of approved suppliers Example of format for Evaluation Rating of Suppliers Example of Procedure for Purchasing Example of Supplier audit checklist Example of format for Supplier Registration form
8.5.1 (Control of production and service provision)	Controlled conditions shall include, as applicable: a) the availability of documented information that defines: 1) the characteristics of the products to be produced, the services to be provided, or the activities to be performed; 2) the results to be achieved; Examples of Inspection and test plan Example of Procedure of Production Examples of the Production schedule Example of format for Machine preventive Maintenance Chart Example of format for Machine Breakdown Maintenance Report
8.5.2 (Identification and traceability)	The organization shall control the unique identification of the outputs when traceability is a requirement and shall retain the documented information necessary to enable traceability. Example of Tags Example of the format of Equipment register
8.5.3 (Property belonging to customers or external providers)	When the property of a customer or external provider is lost, damaged or otherwise found to be unsuitable for use, the organization shall report this to the customer or external provider and retain documented information on what has occurred. Example of format for a list of customer-supplier items Example of format for list of customer drawing
8.5.6 (Control of changes)	The organization shall retain documented information describing the results of the review of changes, the person(s) authorizing the change, and any necessary actions arising from the review. Example of procedure for Change Management Examples of change management log Example of the change request form
8.6 (Release of goods and services)	The organization shall retain documented information on the release of products and services. The documented information shall include: a) evidence of conformity with the acceptance criteria; b) traceability to the person(s) authorizing the release. Example of format for Pre Delivery Inspection Report
8.7.2 (Control of nonconforming outputs)	The organization shall retain documented information that: a) describes the nonconformity; b) describes the actions taken; c) describes any concessions obtained; d) identifies the authority deciding the action in respect of the nonconformity. Example of format for Product N.C Register Example of format for Cause-Effect Analysis Example of Procedure for control of non-conforming Output
9.1.1 General (Monitoring, measurement, analysis, and evaluation)	The organization shall retain appropriate documented information as evidence of the results Example of format for Internal audit summary Example of format for Analysis of Quality objectives Example of format for NCR closer report Example of format for Incoming Inspection report Example of the Inspection plan Example of format for First piece /last off Inspection report Example of format for In-process Inspection report Example of format for visual Inspection for packaging
9.2.2 (Internal Audit)	The organization shall: f) retain documented information as evidence of the implementation of the audit programme and the audit results. Example of Procedure for Internal QMS Audit Example of the form of Internal Audit Observation Sheet Example of the form of Internal Audit Summary Sheet Example of Format of List of Internal Auditors Example of formats for Audit Schedule and Audit Plan Example of Format of Internal Audit corrective action report
9.3.3 (Management review)	The organization shall retain documented information as evidence of the results of management reviews. Example of a record of Management review conducted Example of Procedure for Management Review Template of Management Review Agenda and Minutes
10.2.2 (Nonconformity and corrective action)	The organization shall retain documented information as evidence of: a) the nature of the nonconformities and any subsequent actions are taken; b) the results of any corrective action. Example of Procedure for Correction and Corrective action Example of the form of Corrective action Example of format for Continual Improvement Plan Example of procedure for non-conforming output

Furthermore, in ISO 9001:2015 in several places uses the wording “shall determine”. The word “determine” implies a discovery process that results in knowledge. There is no explicit “documentation” requirement, but where “determine” is used the organization should at least be able to demonstrate and give confidence of completeness and control of such activities/processes.

CLAUSE	DOCUMENTATION REQUIREMENT
4.1 (Understanding the organization and its context)	The organization shall determine external and internal issues that are relevant to its purpose and its strategic direction and that affect its ability to achieve the intended result(s) of its quality management system.
4.2 (Understanding the needs and expectations of interested parties)	Due to their impact or potential impact on the organization’s ability to consistently provide products and services that meet customer and applicable statutory and regulatory requirements, the organization shall determine: a) the interested parties that are relevant to the quality management system; b) the requirements of these interested parties that are relevant to the quality management system.
4.3 (Scope)	The organization shall determine the boundaries and applicability of the quality management system to establish its scope.
4.4 (QMS and its processes)	The organization shall determine the processes needed for the quality management system and their application throughout the organization and shall: a) determine the inputs required and the outputs expected from these processes; b) determine the sequence and interaction of these processes; c) determine and apply the criteria and methods (including monitoring, measurements, and related performance indicators) needed to ensure the effective operation and control of these processes; d) determine the resources needed and ensure their availability; e) assign the responsibilities and authorities for these processes; f) address the risks and opportunities as determined in accordance with the requirements of 6.1; g) evaluate these processes and any needed to ensure that these processes achieve their intended results; h) improve the processes and the quality management system.
6.1.1 (Actions to address risks and opportunities)	When planning for the quality management system, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to: a) give assurance that the quality management system can achieve its intended result(s); b) enhance desirable effects; c) prevent, or reduce, undesired effects; d) achieve improvement.
6.2.2 (Quality objectives and planning to achieve them)	When planning how to achieve its quality objectives, the organization shall determine: a) what will be done, b) what resources will be required, c) who will be responsible, d) when it will be completed, and e) how the results will be evaluated.
7.1.1 General(Resources)	The organization shall determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the quality management system.
7.1.2 (People)	The organization shall determine and provide the persons necessary for the effective implementation of its quality management system and for the operation and control of its processes.
7.1.3 (Infrastructure)	The organization shall determine, provide and maintain the infrastructure necessary for the operation of its processes to achieve conformity of products and services.
7.1.4 (Environment for the operation of processes)	The organization shall determine, provide and maintain the environment necessary for the operation of its processes and achieve conformity of products and services.
7.1.5 (Monitoring and measuring resources)	The organization shall determine and provide the resources needed to ensure valid and reliable results when monitoring or measuring is used to verify the conformity of products and services to requirements. The organization shall determine if the validity of previous measurement results have been adversely affected when measuring equipment is found to be unfit for its intended purpose and shall take appropriate action as necessary.
7.1.6 (Organisational knowledge)	The organization shall determine the knowledge necessary for the operation of its processes and to chief conformity of products and services. When addressing changing needs and trends, the organization shall consider its current knowledge and determine how to acquire or access any necessary additional knowledge and required updates.
7.2 (Competence)	The organization shall: a) determine the necessary competence of person(s) doing work under its control that affects the performance and effectiveness of the quality management system;
7.4 (Communication)	The organization shall determine the internal and external communications relevant to the quality management system including: a) on what it will communicate, b) when to communicate, c) with whom to communicate, d) how to communicate e) who communicates.
8.3.3 (Design and development inputs)	The organization shall determine requirements essential for the specific type of products and services being designed and developed. The organization shall consider: a) functional and performance requirements; b) information derived from previous similar design and development activities; c) statutory and regulatory requirements; d) standards or codes of practice that the organization has committed to implement; e) potential consequences of failure due to the nature of the products and services.
8.4.1 General( Control of externally provided processes, products and services)	The organization shall determine the controls to be applied to externally provided processes, products and services when: a) products and services from external providers are intended for incorporation into the organization’s own products and services; b) products and services are provided directly to the customer(s) by external providers on behalf of the organization; c) a process, or part of a process is provided by an external provider as a result of a decision by the organization. The organization shall determine and apply criteria for the evaluation, selection, monitoring of performance, and re-evaluation of external providers, based on their ability to provide processes or products and services in accordance with requirements.
8.4.2 (Type and extent of control)	The organization shall: a) determine the verification, or other activities, necessary to ensure that the externally provided processes, products, and services meet requirements.
9.1.1 General (Monitoring, measurement, analysis, and evaluation)	The organization shall determine: a) what needs to be monitored and measured; b) the methods for monitoring, measurement, analysis, and evaluation needed to ensure valid results; c) when the monitoring and measuring shall be performed; d) when the results from monitoring and measurement shall be analyzed and evaluated.
9.1.2 (Customer satisfaction)	The organization shall monitor customers’ perceptions of the degree to which their needs and expectations have been fulfilled. The organization shall determine the methods for obtaining, monitoring and reviewing this information.
10.1 General (Improvement)	The organization shall determine and select opportunities for improvement and implement necessary actions to meet customer requirements and enhance customer satisfaction.

ISO 9001:2015 CLAUSE 7 SUPPORT

After addressing the context, commitment, and planning, organizations will have to look at the support needed to meet their goals and objectives. This includes resources, targeted internal and external communications, as well as documented information that replaces previously used terms such as documents, documentation, and records. The organization needs to supply competent resources to deliver its goods and services. Again, nothing new here, awareness has been strengthened so now everyone needs to know the implications of not conforming to the management system requirements. The organization needs to consider the need for both internal and external communications relevant to the management system – what, when, and with whom it will communicate. The final support requirement is going to generate a lot of heat but not much light – documented information. Gone are the terms documents, documentation, and records. However, the requirements for the management of documented information are not new, exceptional, or excessive. One skeleton which is finally laid to rest is the idea that everyone needs work instructions no matter how experienced or senior they are in the organization. Auditing awareness and communication should be easier; the requirements are crisper. The organization needs to:

Determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the management system.
Determine the necessary competence of person(s) doing work under its control that affects its discipline speciﬁc performance.
Ensure that these persons are competent on the basis of appropriate education, training, or experience.
Where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken
Retain appropriate documented information as evidence of competence

Clause 7, Support, has five sub-clauses.

7.1 Resource

In addition to clause 7.1, there are other references to resources throughout the standard, for example:

4.4.d – determine the resources needed for QMS processes and to ensure their availability
5.1.1.e– top management ensure resources needed for QMS are available
6.2.2.b –The organization should determine what resources are needed to achieve quality objectives
6.3.c –The organization should consider the availability of resources for planning any changes in QMS
8.1.c –the organization should determine any resources needed to achieve conformity to product and service requirements.
8.3.2.e – the organization should consider the internal and external resource needs for the design and development of products and services.
8.5.1.b – the availability and use of suitable monitoring and measuring resources
9.3.2.d – management review of the adequacy of resources
9.3.3. – management review of resource needs

7.1.1 General

The organization should determine and provide resources needed to establish, implement, maintain, and continually improve the QMS. And should consider the capabilities of, and constraints on, existing internal resources; and what needs to be obtained from external providers.

This clause updates the ISO 9001:2008 clause 6.1 on Resources. It removes any mention of resources for customer satisfaction. Customer satisfaction is mentioned at multiple clauses, including 9.1.2. It adds consideration of internal resources and external providers. Additional resource considerations are the capabilities of, and constraint on existing internal resources and what needs to be obtained from external providers. The top management has the responsibility to ensure the availability of resources to develop and maintain your QMS. Clause 7.1 requires you to determine the nature and availability of such resources. This is typically done through business and quality planning. Having adequate resources is vital to ensure product conformity or satisfy customer requirements – e.g. having adequate personnel, materials, and equipment to ensure timely production and delivery of the product. Use business planning (clause 5.1.1), quality management planning (clause 6.2.2), planning for QMS processes (clause 4.4), and also during planning for any change in QMS(clause 6.3) to identify and determine the nature of resource needs of QMS each process and plan for its availability. The actual amount of resources needed may vary from day to day and over time. This is one reason why top management must review QMS performance regularly(clause 9.3.3). While planning for your resources needed the organization must consider what existing internal resources it has considering its capabilities and constraints and what needs to be obtained by external providers. Consider developing performance indicators for each major category of resources used, (e.g. machinery and equipment; human resources; facility and environment; transport; communication systems; etc.) to determine the effective use of such resources. This applies even in case the resources are being made available by the external provider. Where the resource planning process is performed off-site (e.g. at head-office), your QMS must include the off-site processes within your QMS and ensure that such processes comply with ISO 9001 requirements. Evidence of the off-site facility’s compliance may include – a copy of their ISO 9001 certification; results of their internal audits to ISO 9001; auditing the outsourced facility; etc. The expectation is to flow down to the off-site facility, the relevant ISO 9001 requirements that you would have to implement, had you carried out the process at your own facility.

7.1.3 Infrastructure

The organization should determine, provide, and maintain the infrastructure for the operation of the processes to achieve conformity of products and services. Infrastructure may include buildings and associated utilities; equipment including hardware and software; transportation resources; information and communication technology.

The only relevant requirement is that we must “determine, provide and maintain” that which is necessary to make conforming products and services requirement. Compliance with this requirement would require evidence that the organization has, “determined”, and then continue to “provide and maintain” the required infrastructure. This need not be a document and consensus among those interviewed will suffice. This also assumes there is a consensus that the infrastructure is reliable based on its maintenance.

Planning for the types of infrastructure resources needed for your business may include facility, production equipment, IT equipment and software, laboratory, packaging, dies, molds, tooling, jigs, fixtures, storage, transportation, communication, office, materials, labor, utilities, and supplies, etc. The key strategic business factors to be considered for infrastructure planning include future needs, current availability, and capacity, cushion for growth, contingency planning, linkage to current and future product programs. This planning may be done through business planning (clause 5.1.1), quality management planning (clause 6.2.2), planning for QMS processes (clause 4.4), and also during planning for any change in QMS(clause 6.3). The actual deployment of such resources may be determined by each process owner. You are required to maintain your infrastructure. Your planned preventive maintenance program should include controls for schedule and timing, availability and training of personnel, types, and scope of maintenance, maintenance, and competency/training records, tracking to maintenance objectives, use, storage and control of spare parts, control of any maintenance outsourcing, etc. The notes identify the types of infrastructure that might be considered:

Buildings and associated utilities – Is the building and equipment suitable? For example, if you are manufacturing metal stampings or storing metal products, a leaky roof, non-enclosed travel paths between buildings, etc may not be suitable to ensure you can consistently provide conforming products (if “rust-free” is a requirement). Water treatment services, beyond public water/sewer, may be required to ensure regulatory compliance where processes produce wastewater unsuitable for discharge into the sewer, etc. This should be the focus of consideration for buildings and associated utilities. Some auditors may inquire as to contingency plans to ensure your infrastructure is maintained. Most organizations have at least a basic contingency plan either for compliance or customer assurance.
Equipment including hardware and software – This is pretty obvious that the organization must have the proper equipment, however, the addition of the “hardware and software” wording has given pause to quite a few both in the 2008 version and in this one. The intent is that the organization understand their equipment, but also maintain and upgrade as appropriate, the related software. This may be specific to a piece of manufacturing equipment within the building, a measuring system or device in the lab, or it may also be the organization’s ability to meet the customers’ needs with regard to communication (such as being able to send/receive design files, programs for programmable machinery, etc). And the expectation is that someone knows the status of these items and has a plan to maintain them.
Transportation – Again, this is pretty obvious. If the product must be maintained at a certain temperature, for example, the proper fleet (either internal or by an external provider) must be maintained. If a certain number of trips is required to provide just-in-time delivery, a scheduling process must be maintained, etc. And there should be a contingency plan in the event of service interruption.
Information and communication technology – Customer requirements often specify their preferred method of communication and order processing, and the organization must be able to meet their criteria (ie – electronic purchase orders & acknowledgments, advance ship notices, electronic billing, etc)

7.1.4 Environment for the Operation of Processes

The organization should determine, provide, and maintain the environment necessary for the operation of processes and to achieve conformity of products and services. A Suitable environment for the operation of processes can be a combination of human and physical factors such as social (for e.g. non-discriminatory, calm, non-confrontational, etc), psychological (for e.g. stress-reducing, burnout prevention, emotional protective), physical (for example, temperature, heat, humidity, light, airflow, hygiene, noise). These factors can differ depending on the type of product and service provided by the organization

The organization shall determine, provide and maintain the environment necessary for the operation of its processes and achieve conformity of its goods and services. The “NOTE” adds, “physical, social, psychological, environmental and other factors (such as temperature, humidity, ergonomics, and cleanliness)”.The clause NOTE adds social and psychological environments, adds factors of ergonomics and cleanliness, and drops the examples of noise, lighting, and weather from the ISO 9001:2008 standard. The environment for the operation of the process is Work Environment which includes controls for ergonomics, personnel safety, and facility conditions that are conducive to achieving product quality. Some of the factors to consider in determining and managing the work environment include ergonomics (worker movement; fatigue; manual effort and loads, etc), workplace location, heat, light, humidity, airflow, noise, vibration, hygiene, cleanliness, pollution, adequate facilities (lockers, lunchroom, cafeteria, washrooms, etc); health and safety regulations; cleanliness of premises; etc. the extent to which the above environmental factors may apply to any organization will vary based on size, risk, and other considerations. The ISO 9001:2015 also wants the organization to look into social issues such as a nondiscriminatory environment, and also a calm and non-confrontational environment. psychological Issues such as stress-reducing, burnout prevention, and emotional protection, etc. should also be not ignored by the organization. The focus should be on employee safety, welfare, and product conformity. Performance indicators to measure the effectiveness of processes that determine and control the effective use of infrastructure may include equipment maintenance – uptime/downtime; productivity – equipment and workforce; accident and safety incidents; non-value-added use of floor space; excessive handling and storage; the number of instances specific resources were not available or delayed; Though there is no need for a documented information requirement, social and psychological surveys can be shown as objective evidence in these areas.

7.1.5 Monitoring and Measuring Resources

7.1.5.1 General

The organization should determine and provide the resources needed for valid and reliable monitoring and measuring results, where monitoring or measuring is used for evidence of conformity of products and services to specified requirements. The organization should ensure that the resources provided are suitable for the type of monitoring and measurement activities being undertaken and are maintained to ensure continued fitness for their purpose. The Organization should retain appropriate documented information as evidence of fitness for the purpose of monitoring and measurement resources.

7.1.5.2 Measurement Traceability

Where measurement traceability is a requirement(statutory or regulatory or customer or relevant interested party expectation) or considered by the organization to be an essential part of providing confidence in the validity of measurement results, measuring instruments must be verified or calibrated at specified intervals or prior to use against measurement standards traceable to international or national measurement standards. The organization must retain the basis used for calibration or verification as documented information if no such standard exists as documented information. Measuring instruments must be identified in order to determine their calibration status; It must be safeguarded from adjustments, damage, or deterioration that would invalidate calibration status and subsequent measurement results. The organization should determine if the validity of previous measurement results has been adversely affected when an instrument is found to be defective during its planned verification or calibration, or during its use, and take appropriate corrective action as necessary.

This clause is specifically about monitoring products and services for conformity. This clause replaces old clause 7.6 on Control of Monitoring and Measuring Equipment and is one of the structural changes in the 2015 revision. the use of the term “equipment” has been changed to “resources”. It needs evidence of the fitness for purpose of the resources. Humans may carry out the activity without equipment. Calibrated equipment now termed “instruments”. Monitoring and measuring the quality system has a whole clause (9 Performance Evaluation) dedicated to it. This clause is sticking only with monitoring and measuring devices and equipment used to monitor the product (or service). So, the organization must ensure they have identified and put in place the appropriate resources including (7.1.2 People, 7.1.3 Infrastructure, 7.1.4 Environment) and now 7.1.5 Monitoring and measuring resources.

Requirements for what needs to be measured and the acceptance criteria may come from the customer, regulatory, industry, and your own organization. Product realization planning must determine the following what specific product and process characteristics need to be monitored and measured, the criteria for product acceptance, the type of Monitoring and Measurement Device needed, frequency i.e. at what stages of realization to do it, sample size, etc. You must then determine what Monitoring and Measurement Device is appropriate for each measuring or monitoring requirement. Consideration must be given to the measurement capability (precision) of the Monitoring and Measurement Device which may have to be several times greater than the tolerance criteria for product measurement. This would depend on the industry you are in and the criticality of end-use for the product for e.g. the precision requirements for ball bearings may be much greater than say for cutting cloth to make a shirt. Personnel using Monitoring and Measurement Devices must have competence and training in the use of Monitoring and Measurement Devices in terms of their function, range, and precision of measurement, reliability, use, and maintenance. Monitoring and Measurement Devices may include measurement and testing tools, equipment, hardware, and software. They may be owned by your organization, your employees, or the customer. Monitoring and Measurement Devices may be used to verify product as well as to measure process conformity for e.g. a temperature controller on an oven. Besides Monitoring and Measurement Device’s used for product conformity, you may need to calibrate and control certain Monitoring and Measurement Device’s used in related and peripheral processes such as production equipment, tooling, maintenance, etc. To ensure valid measurement and monitoring results, the Monitoring and Measurement Device must be controlled. A process is required, to control the identification of monitoring measurement, selection, purchase, status, identification, calibration, verification, adjustment or readjustment, use, handling, maintenance and storage, training, handling of nonconforming Monitoring and Measurement Device’s, etc. You must keep appropriate records to demonstrate effective operation and control of your Monitoring and Measurement Device processes. These records must include calibration and verification records traceable to national, international, or other benchmarks used for calibration.

All Monitoring and Measurement Devices used for product verification must be capable of being calibrated, verified, or both. Calibration is setting or correcting a Monitoring and Measurement Device, usually by adjusting it to match or conform to a dependably known and traceable standard for e.g. adjusting a micrometer or caliper to conform to master blocks traceable to national standards. Verification is confirming that the Monitoring and Measurement Device is meeting or performing to acceptable national measurement standards and does not involve any correction or adjustment for e.g. verifying a ruler or tape measure against a calibrated ruler that has been calibrated to a national standard. A ruler or tape measure is generally not capable of being calibrated and when it gets out of calibration its use must be discontinued. There are Monitoring and Measurement Device’s that are capable of being both calibrated and verified for e.g. a CMM- coordinate measuring machine and may require both to be done in specific situations based on the frequency of use and criticality of measurement. This requirement also applies to the use of computer software whose capability and calibration status must be established prior to initial use and reconfirmed (verified) at defined intervals.

You must define the frequency and method of calibration for each type and level i.e. whether used in the shop floor, laboratory, or standard of Monitoring and Measurement Device. Your calibration records must identify what standard you used for calibration and show traceability of the standards you use at your facility to national or international standards. In rare circumstances, national or international standards may not exist for calibrating a specific Monitoring and Measurement Device. In such situations consider using industry, manufacturer, or even your own organizational standard to validate the accuracy and reliability of your Monitoring and Measurement Device. Consult with your customer if the contractual circumstances require it. Your quality plan must define the measurement and monitoring required and the type of Monitoring and Measurement Device needed for it, including the frequency of measurement and acceptance criteria. Depending on the risk and precision and reliability of measurements needed, you might consider doing statistical studies on Monitoring and Measurement Device’s referenced in your quality plans. Ensure that personnel performing such statistical studies are trained and competent to do so. A multitude of software tools is available to manage and control Monitoring and Measurement Devices. There are many acceptable methods to identify Monitoring and Measurement Device and their calibration status. The methods you select must consider the manufacturers’ recommendations, frequency of use, environment the Monitoring and Measurement Device is used in, risk in misuse or incorrect tool being used, etc. Where a Monitoring and Measurement Device is found to be out of calibration, you must take appropriate corrective action to contain and re-verify the product affected, to the extent practical. This is in addition to containing, repair and recalibrating the defective Monitoring and Measurement Device. Customer or internal engineering changes may result in a change in product measurement, requirements, and/or the Monitoring and Measurement Device to be used. These changes would normally be reflected in your quality plan. If you use external calibration services, you are still expected to impose the specific control requirements of this clause to the external organization.
Performance indicators such as the monthly trends in the number of out of calibration Monitoring and Measurement Device’s, or the number of Monitoring and Measurement Device’s past their calibration due date, number of Monitoring and Measurement Device’s being used and not controlled, reduction in untrained personnel found using Monitoring and Measurement Device’s, etc. Use these indicators to tighten and improve the effectiveness of your Monitoring and Measurement Device process. You could use a product quality plan, documented procedure, or other combination of specific practices, procedures, documents, and methods. Look at the risks related to your product, processes, and resources in determining the extent of documented controls you need to have.

The organization should ensure that the resources provided are suitable for the specific type of monitoring and measurement activities being undertaken. The organization should have the right instruments and equipment on hand and they must be capable of determining “good” from “bad”. The word “suitable” provides the expectation that the instruments be accurate, reliable, and precise enough to make appropriate judgments about the product (and services). This includes the very common disciplines of calibration, reproducibility & reliability studies, etc to ensure the instruments used to measure product (and service) are suitable. They should be maintained to ensure their continued fitness for their purpose. Once the organization has selected and confirmed the appropriate monitoring and measuring devices, they must have a surveillance program to ensure their continued suitability. The organization should retain appropriate documented information as evidence of fitness for the purpose of monitoring and measurement resources. There should be documented records of these activities. Where measurement traceability is a statutory or regulatory requirement a customer or relevant interested party expectation or considered by the organization to be an essential part of providing confidence in the validity of measurement results, measuring instruments must be verified or calibrated at specified intervals or prior to use against measurement standards traceable to international or national measurement standards. Where no such standards exist, the basis used for calibration or verification shall be retained as documented information. There must be a generally accepted calibration program that should always include traceable standards and a schedule for verification/calibration. The use of traceable standards is required because simply having something to measure your devices by does not necessarily ensure an adequate calibration program. For example, using old worn gauge blocks, pins, hardness standards, etc is not a best practice. Your standards (in addition to your instruments) should be maintained and traceable to an international standard to ensure the validity of your monitoring and measuring program. The devices must be identified in order to determine their calibration status; This is the simplest thing to do – a simple calibration sticker will suffice. Keep in mind that it is NOT required that stickers be on every device, but why not do it? If each instrument has its own unique serial number and is properly identified and can be cross-referenced to its calibration status, that meets compliance requirements. However, auditors just feel a better warm and fuzzy feeling if there is a sticker including “last calibrated” or “next calibrated”. And even if you do have a database or master list of instruments that tell you the status of each instrument, a quick glance at the instrument itself doesn’t hurt to ensure your instruments are maintained 100% of the time. The devices must be safeguarded from adjustments, damage or deterioration that would invalidate the calibration status and subsequent measurement results. Safeguarding from damage and deterioration is the simplest of these three. Obviously protective cases, protective films, filters, etc keep an instrument in its tip-top condition. Regular maintenance helps too – removable of dust, atomized grease, etc. Safeguarding from adjustments is a little more difficult, but can be easily achieved by removing adjustment tools from general use, using seals on access panels, etc. Most auditors are reasonable with regard to this, however, if someone wanted to make an adjustment to an instrument, there are many ways to work around the safeguards. It is unlikely to happen, and between calibration, checks can add an additional assurance that instruments are safeguarded against adjustments.The organization should determine if the validity of previous measurement results has been adversely affected when an instrument is found to be defective during its planned verification or calibration, or during its use, and take appropriate corrective action as necessary. The addition of intermittent checks (between calibration checks) helps to mitigate the impact should an instrument be found to be out of calibration. For example, if a micrometer is calibrated monthly and on today’s monthly check it is found to be out of calibration, every measurement it has taken for the past 30 days must be validated. This can require isolation of product, product recall, etc in the absence of any other evidence of compliance. Between calibration, checks help to detect adjustments, errors, etc. ISO9001:2008 used to include a reference to the “ability of computer software to satisfy the intended application shall be confirmed.” This was an attempt to ensure that dependence on software is confirmed (rather than simply taking a computer’s word for it). The idea was to prove out software and use common sense before turning it over. For example, implementing the use of a coordinate measuring machine requires a great deal of validation. A poorly programmed measuring routine can result in software rejecting “good” parts due to measurement or calculation errors. This section was intended to prevent that. However, the language was not clear and was often met with blank stares by those who were asked to demonstrate compliance in this area. So the specific reference to software was removed. The use of the word “suitable” at the beginning of this section applies to all monitoring and measuring equipment (including software), so the removal of it has little or no real effect.

7.1.2 People

The organization should determine and provide the persons necessary for the effective implementation of its QMS and also for the operation and control of its processes.

7.2 Competence

The organization must determine the necessary competence of person(s) doing work under its control that affects the performance and effectiveness of its QMS; It must ensure that these persons are competent on the basis of appropriate education, training, or experience and where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken; It must retain documented information as evidence of competence. Applicable actions can include, for example, training, mentoring, or reassignment of currently employed persons; or hiring or contracting of competent persons. “Competence” is defined in the section on terms as the ability to apply knowledge and skills to achieve intended results. Demonstrated competence is sometimes referred to as “qualification”.

7.3 Awareness

Persons doing work under the organization’s control must be aware of the quality policy; relevant quality objectives; their contribution to the effectiveness of the QMS, including benefits of improved quality performance; and the implications of not conforming with system requirements.

This clause requires determining what is needed/necessary. Ensure persons are competent to meet those needs. Where there are gaps, fill the gaps. And maintain records. Top management is responsible for ensuring the availability of resources which includes HR. Clause 5.3 requires top management to define the organization’s roles and their responsibilities and authorities. Clause 7.1.2 required that adequate Human Resources be determined and provided. And here in clause 7.2, the specific requirements for controlling HR are defined. In clause 7.3 awareness needed by the personnel working under its control is defined. Planning for HR process controls must include determining competency criteria, skills evaluation, identification of training needs, types of training, provision of training, how training effectiveness is evaluated, methods to communicate an awareness of the importance of quality requirements and meeting quality objectives, to all employees. Although training may end up being the best solution, don’t overlook other actions, such as changing processes, improving procedures, rotating jobs, outsourcing, or recruiting fully trained and competent people. Criteria for competency must be developed based on appropriate education, skills, training, and experience for activities, tasks, functions, and processes. The level and detail of such qualifications, skills, training, and experience will depend upon the complexity of the product, process, technology, and customer and regulatory requirements. It is up to your organization to determine the necessary criteria for the various functions and activities affecting products and QMS based on these factors. A “Skills Matrix” is a useful tool used by organizations to determine and manage the competency levels required by different activities and functions. An organization may create a comprehensive training program that is fully integrated with the quality management system. It should begin with the identification of processes. Then the processes are described and that becomes the basis of the training program – ensuring the persons performing the work understand the processes and are competent to perform them. And as persons are chosen and assigned to processes, they are evaluated based on their previous education and experience versus the requirements of the process, and where gaps are identified, they are provided with additional training.

Organizations undergo significant changes through growth or decline, acquisitions, new technology, and new products and processes, Also, many organizations are now outsourcing their production labour to save on payroll costs and benefits. Labour-related nonconformities can easily arise in such cases. Planning for your HR process must ensure that contract and agency personnel performing work affecting product quality have adequate competency and training. Appropriate records must be kept of such training.

Quality awareness must be focused on meeting customer and regulatory requirements and Quality objectives. The organization must also promote awareness of its quality policy. The process to promote quality awareness may include the use of methods such as – cross-functional teams, involvement in quality planning, quality circles, improvement suggestions, product workshops, zero defect programs, product review checklist, etc. QMS personnel must be motivated to achieve the organization’s quality objectives. The process to motivate employees may include the use of methods such as – employee recognition awards, ongoing training programs, performance reviews, employee surveys, poster campaigns, etc,. You must determine and keep appropriate records of education, training, skills, and experience. These records must demonstrate the effective operation of the HR process controls. Performance indicators to measure the effectiveness of the HR process in determining competency and training needs of the workforce could include – employee turnover, employee complaints, number of instances unqualified personnel was found performing QMS activity, number of instances competency criteria were not met, and number of instances no training or competency records maintained; etc.

7.4 Communication

The organization should determine the internal and external communications relevant to the QMS, including: on what it will communicate; when to communicate; with whom to communicate; how to communicate.

Communication is a complex and difficult activity. Poor communication leads to chaos, poor performance, poor morale, and other bad things. Good communication can foster a sense of community, teamwork, and a clear sense of purpose and direction. The organization must decide what, when, with whom, and how we will communicate both internally and externally. Problems may arise due to incomplete, ambiguous, or inaccurate information being transmitted; transmission to the wrong person, too late or at the wrong time; use of inappropriate or unreliable media, etc. Communication problems are probably the most common cause of QMS nonconformities. Tracking some of the more serious communication issues could serve as useful performance indicators to determine and improve communication process effectiveness. Clause 4.4 control of processes requires you to determine the sequence and interaction of QMS processes. Each process requires inputs to flow from one process and outputs to flow to another process. There is a continuous (communication) flow regarding tangible (materials and product) and intangible (information) inputs and outputs taking place within your organization.
Top management must plan for internal and external communication methods and resources at a high level using the business planning process and deploy these methods through the information technology, logistics, and HR processes. Each process owner must identify the methods of communication such as a computer, documents, telephone, meetings, directives, visual, etc, used and determine whether these methods are appropriate and are they effective for the purpose intended? – (do they prevent non-conformities from arising due to the reasons mentioned above?). Process owners should provide feedback on communications effectiveness to the processes providing and controlling such resources. Communication by the MR on the effectiveness of the QMS must not only take place at the top management level but also at appropriate levels within the organization. If everyone is responsible for the quality, then all process owners, as well as their personnel, are entitled to receive periodic feedback on their areas of responsibility.

Included in this determination of relevant QMS communication, according to the requirements, are the following five items that need to be included in your communication plan:

What will be communicated – What communications will you have for your QMS? You will most likely need to communicate on product and service nonconformances, but do you have to communicate all of them (such as spare parts that you determine to be scrap)? Do you have legal requirements to report on certain elements of your QMS, such as problems that occur in a nuclear power plant? Will you report to the media, shareholders, or other stakeholders on some topics but not others?
When you will communicate – If you are reporting on the nonconforming product, how long will you wait until you report? When will you communicate on a change in your company’s location? Do you have contractual or legal requirements that dictate these items? When do you need to let shareholders and stakeholders know of important developments in your Quality Management System?
With whom you will communicate – You will likely have customers in your list of people to communicate with, but what other stakeholders will be included in some, if not all, of your communications? Will your list of people to communicate with include employees, shareholders, suppliers, customers, business partners, or members of the public? Will you report to the media or shareholders depending on the communication topic? Do you have legal requirements to let a government agency know of certain QMS-related information?
How you will communicate – There are many ways to communicate, and some will work better than others for different information and for different stakeholders. You could use email, phone, text, press release, or even in-person discussions depending on what you need to communicate and to whom. All of these factors need to inform your decisions on communication.
Who will do the communication – This may change depending on the information to be relayed or the severity of the information. Critical failures may need to be communicated by the CEO, while smaller nonconformances may be communicated by a project team. You may even have dedicated individuals who can speak to the media about your company, and this should be part of your communication plan.

While there is no requirement in ISO 9001:2015 that your communication plan needs to be documented information it might be a good idea to do so if it is complicated. If you are a small organization that will have the CEO do all communication, and you will only communicate what is defined in your contracts and legal requirements, you may not need to document your plan, but if it becomes more complex with different people communicating to different parties, in different ways, on different topics, a documented plan might be a good idea.

Example: Communications

Entity	What	When	How/ How OFTEN	Who
Customer	Product/ service agreement Quality policy Delivery Audits Improvements Risks	Contract initiation renewal or amendment After changes to policies or processes	Contract Service reviews Internet	Marketing Manager/customer executive
Suppliers	Contract agreement Quality Policy Contract amendments	Contract initiation and renewal After changes to policies or processes	Contract Service Review	Purchasing Manager/ Purchasing executive
Staff	Quality policy Applicable legislation and regulatory requirements Customer requirements Customer satisfaction All applicable policies and processes	At induction and refresher training After changes to policies or processes	Awareness training Newsletters Company/team meetings Intranet Notice boards	HR Manager/ Team leader
Regulators	Applicable legislation and regulatory requirements Changes in legislation and regulation	At contract start and refresher training After changes to policies or processes After taking on new work	Awareness training Company/team meetings Intranet Notice boards	legal advisor /HR Manager
Shareholders	corporate governance Results	Contract initiation and renewal After changes to policies or processes	Newsletters Intranet Annual report	/GM

Example: Communications

If you need assistance or have any doubt and need to ask any question, contact me at preteshbiswas@gmail.com or call at +919923345531. You can also contribute to this discussion, and I shall be happy to publish them. Your comment and suggestion is also welcome.

ISO 9001:2015 CLAUSE 8 OPERATION

The bulk of the management system requirements lies within this single clause. Clause 8 addresses both in-house and outsourced processes, while the overall process management includes adequate criteria to control these processes, as well as ways to manage planned and unintended change. Whatever the organization is in business to achieve, clause 8 is it. The overall process management includes having process criteria, controlling the processes within the criteria, controlling planned change and addressing unintended change as necessary. The organization shall plan, implement and control the processes needed to meet its discipline-speciﬁc requirements. This also relates to implementing the actions determined in 6.1 (actions to address risks and opportunities) and 6.2 (objectives and plans to achieve them). The organization is required to:

Establish criteria for the processes (possibly in work instructions)
Implement control of the processes, in accordance with the criteria (possibly through training and awareness)
Keep documented information to the extent necessary to have conﬁdence that the processes have been carried out as planned (possibly within its QMS, or integrated MS)
Control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects (possibly through the management of change process)
Ensuring outsourced processes are controlled. This would include control and/or inﬂuence (depending on its ability to do so — the size of the order, importance to an external organization, etc.).

Typical audit evidence would relate to: the type and extent of control/inﬂuence to be applied are deﬁned within its QMS, processes for assessing the importance/risk of the outsourced activity and deriving suitable controls, and monitoring the effectiveness of the controls, etc. This could involve purchasing, risk/compliance, and operations/production functions within the organization. The context of the organization and the relevant needs and expectations of interested parties will clearly have a bearing on the extent of control/Inﬂuence expected of its outsourced processes.

Clause 8, Operation, has seven sub-clauses:

8.1 Operational Planning and Control
8.2 Determination of Requirements for Products and Services
8.3 Design and Development of Products and Services
8.4 Control of Externally Provided Products and Services
8.5 Production and Service Provision
8.6 Release of Products and Services
8.7 Control of Nonconforming Process Outputs, Products, and Services

8.1 Operational Planning and Control

The Organization should plan, implement, and control the processes, as outlined in 4.4, needed to meet requirements for the provision of products and services and to implement the actions determined in 6.1 by determining product and services requirements; establishing criteria for the processes and for the acceptance of products and services; determining the resources needed to achieve conformity to product and service requirements; implement control of the processes in accordance with the criteria; determining, maintaining and retain documented information to the extent necessary to have confidence that the processes have been carried out as planned and to demonstrate the conformity of products and services to requirements. The output of this planning should be suitable for the organization’s operations. The organization should control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary. The organization should ensure outsourced processes are controlled in accordance with 8.4.

Clause 8.1 requires that operations be conducted through processes that are planned and controlled regardless of whether the organization or an outside party performs the process. Requirements for products and services are required to be determined and criteria established for acceptance. Identification of resources needed to achieve conformity is required. Planned changes are required to be controlled and action is taken to mitigate the effects of unintended consequences of changes. Documented information is required to be kept (retained) to demonstrate the conformity of product and service to requirements and that processes have been carried out as planned. The individual planning step in the 2008 version focuses on determining how to verify conformity, the 2015 version is oriented around the notion of managing and adequately resourcing a set of processes so that a state of control is achieved even when intended or unintended changes occur. It also indicates a requirement to review consequences and mitigate adverse effects as necessary. The clause also requires that the organization keep documented information to have confidence that these processes have been carried out as required. Note that the requirement for processes to accomplish all the operational activities is not repeated in each clause. A lack of repetitious requirements in each clause does not mean processes and documented information are not required. The first sentence of clause 8.1 makes the point that the organization “shall plan, implement and control the processes needed to meet the requirements for the provision of products and services.” It also reinforces the relationship between clauses 4.4 and 6. Therefore, even though ISO 9001:2015 may appear to some to have reduced the requirements for processes and controls, we believe clause 8.1, coupled with clauses 4 and 6, requires an organization to define, document, control, and keep records at least at the same level as previously required, and perhaps to an even greater level of comprehension.

Many organizations long ago adopted the process approach to managing operations, and thus may already be close to conforming. They may review the language in the new standard and tweaking processes and documented information, as appropriate. The organization needs to incorporate any additions, deletions, or modifications that are perceived as necessary or desirable to conform with these more process-oriented requirements and possibly to improve process effectiveness. Subtle “new” requirements related to control of changes and mitigating adverse effects should also be considered. On the other hand, some organizations may not have embraced the process approach to operational controls. Less documentation may be required, but ISO 9001:2015 requires that the organization understand the processes needed to deliver conforming products to customers. These processes must be understood not only with respect to the products themselves but also in the broader context of the objectives of the organization and any other requirements of the QMS (including interested parties and risks and opportunities). It may be advisable to:

Create a quality plan for a product or service to describe how the QMS will be modified and applied to all operations. Such a plan could include or reference procedures and records to be maintained and analyzed.
Consider using the product design and development process approach for designing processes. This is a requirement in the automotive industry. It has become a best practice demonstrated in many organizations even though ISO 9001 does not explicitly require adherence to the design and development requirements for internal process designs. This enhances both the effectiveness and efficiency of processes.
Identify key performance measures for both products and processes and align them with your quality and business objectives.

The only requirement in clause 8.1 for documented information is to retain or maintain documented information as necessary to provide confidence that the processes have been carried out as required. Organizations should also consider maintaining documented information describing the operational processes and how they are to be carried out. The requirement to plan, implement, and control the processes needed to meet the requirements for the provision of products and services would be very difficult to achieve if documented information is not created and maintained for all processes of the QMS

The focus of clause 8.1 is on controls governing the making of product to meet customer requirements and all the QMS processes that, directly or indirectly, make this happen. Operation processes may include customer-related processes (sales and marketing), design and development, production, shipping, receiving, packaging, measurement, and monitoring of product and processes, etc., whether performed onsite or off-site. Some of the support processes that come to bear on Operations include document control, record control, human resources, infrastructure provision and maintenance, IT, purchasing and materials management, laboratory services and control of monitoring and measuring devices, business planning, etc. The output of Operation planning may be implemented in many different ways. It does not necessarily have to be all in one document, but may sometimes include several documents such drawings, machine set-up, inspection criteria, process sheets, etc. These must be readily available to those performing these processes.
You may also consider using a specific product, contract or project quality plans to accomplish this. Your quality plans should include the processes needed, process sequence and control parameters, specific resources needed to make, verify and deliver the product, product acceptance criteria and quality objectives, product, and process monitoring and measurement control plans to control and correct any product or process nonconformities, reference to support processes, documents needed such as work instructions or engineering specifications, etc. and details of records to be kept. Focus on defect prevention in planning the controls for product realization. Quality objectives may include defect rates, scrap rates, etc. Requirements or criteria for the product may include physical properties, dimensional, functional, etc, and their related measurements, tolerances, and acceptance levels. In many instances, depending on the nature of the product, the customer may specify objectives and requirements, and criteria for the product realization processes as well. You must identify and document all processes addressing this clause as part of your QMS. For these processes, you must also identify what specific documents are needed for effective planning, operation, and control of production processes. These documents may include contracts, specifications, orders, product quality plans, work instructions, a documented procedure, etc., combined with unwritten practices, procedures, and methods. Look at the risks related to your product, processes, and resources in determining the nature and extent of documented controls you need to have. Where any of the product realization processes are done off-site (e.g. at head-office), your QMS must include the off-site processes within your QMS and ensure that such processes comply with ISO 9001 requirements. The expectation is to flow down to the off-site facility, the relevant ISO 9001 requirements that you would have to implement, had you carried out the process at your own facility. Performance indicators to measure the effectiveness of product realization in meeting requirements and achieving quality objectives will be specific to each realization process and focus on reducing variation and waste in realization processes and related use of resources. Objectives may be used to monitor and improve process productivity, reduction of cycle time, errors, omissions, and failures, etc. You must also consider indicators to measure product performance such as – reduction in defect rates, PPM’s (defective parts per million), scrap rates, waste and rework, improvement in on-time delivery, product returns from customers, etc.

8.2 Determination of Requirements for Products and Services

8.2.1 Customer Communication

The organization must establish the processes for communicating with customers to provide information relating to products and services; inquiries, contracts, or order handling, including changes; obtaining customer feedback relating to product and services including customer complaints; handling or controlling customer property, and establishing specific requirements for contingency actions, when relevant.

8.2.2 Determination of Requirements related to Products and Services

The organization must ensure while determining the requirements for the products and services to be offered to customers that the product and service requirements (including those considered necessary by the organization), and applicable legal requirements, are defined. The organization must also ensure that it has the ability to meet the defined requirements and substantiate the claims for the products and services it offers.

8.2.3 Review of Requirements for Product and services

8.2.3.1 The organization must ensure that it has the ability to meet the requirements for products and services to be offered to customers. The organization shall conduct a review before committing to supply products and services to a customer; The review should include the requirements specified by the customer, including the requirements for delivery and post-delivery activities; requirements not stated by the customer, but necessary for the specified or intended use, when known; requirements specified by the organization; statutory and regulatory requirements applicable to the products and services; contract or order requirements differing from those previously expressed. The organization must ensure that contract or order requirements differing from those previously defined are resolved. When the customer does not provide a documented statement of their requirements, the organization must confirm them before accepting them. In some situations, such as internet sales, when a formal review is impractical for each order, the review can cover relevant product information, such as catalogs.

8.2.3.2 The organization should retain documented information on the results of the review and on any new requirements for the products and services.

8.2.4 Changes to requirements for products and services

The organization should ensure that relevant documented information is amended, and relevant persons are made aware of the changed requirements. when the requirements for products and services are changed.

Clause 8.2.1 requires the organization to conduct communications with customers. The detailed requirements for communications with customers include:

Providing product- and service-related information
Handling customer orders of all types and changes thereto
Getting customer feedback including complaints
Exercising appropriate controls for any customer-owned property
Establishing requirements for contingency actions

Clause 8.2.1 requires processes to accomplish specific types of information exchange. It requires five specific types of communication with customers to be included in the organization’s processes:

Product and service information, including customer requirements
Documented agreements with the customer, such as contracts, orders, changes, and other information needed to meet customer requirements
Customer feedback including complaints
The handling and treatment of customer-owned items were covered in great detail in clause 7.5.4 in ISO 9001:2008. The specific requirements of the 2008 version have been significantly simplified.
Any contingency actions that are relevant.

Clause 8.2.1 is similar to clause 7.2.3 of ISO 9001:2008. The point of grouping these items under customer communications is to emphasize that these communications need to be systematically planned like all other processes. In doing so, consider the information in clause 7.4 on communication and the requirements related to process management in clause 4.4. If the customer is the organization’s most important contact, shouldn’t we concentrate some key planning effort on the processes used to communicate with them? It is generally necessary that a careful record is maintained of the requirements. Often the process involves multiple discussions, reviews (clause 8.2.2), and even early design and development work (clause 8.3). Carefully thought-out methods are needed to efficiently retain this input information for later use in the design process and as input to the resolution of disputes that may arise.

Clause 8.2.2 requires the organization to determine the requirements related to its products and services. This includes:

Establishing a process for determining the requirements for the products offered to potential customers
Determining the requirements of the customer
Determining requirements for the organization
Determining requirements from applicable statutes and regulations
Determining that the organization has the ability to meet the requirements and substantiate claims related to its products and services

One of the key things that communication with customers needs to ensure is that customer requirements and other requirements for the product or service are clearly understood. But communication and understanding of customer requirements is only one piece of the requirements puzzle. Many products are regulated and customers may have no knowledge of the regulatory or statutory details. Often the organization has learned key things that must be done a certain way for the product or service to meet customer requirements. Customers cannot be expected to know about many of these things. It is the organization’s responsibility to understand all these requirements and their specific application. It is also the organization’s responsibility to determine whether it can successfully deliver a conforming product or service to the customer. Conformity is not difficult for organizations providing off-the-shelf catalog products manufactured to published specifications or standardized services with normal delivery requirements. However, if customers are purchasing complex systems with custom engineering and software according to a complex set of commercial terms, it is essential to obtain a clear understanding of customer requirements by whatever means possible, including activities such as holding face-to-face meetings and attending pre-bid meetings. Full determination of customer requirements can be an iterative process. Often there are known issues that may evolve into real requirements at a later stage. In such cases, documentation of the open issues and providing for the attendant business risk may prove to be an acceptable approach to meeting the requirements of this clause. The determination of customer requirements is a critical activity and generally involves several functions and levels in an organization. It is recommended that you maintain documented information to describe the process for the determination of all aspects of product and service requirements. The documented information should include both product requirements specified by the customer and product requirements not specified by the customer but necessary for intended or specified use. Also, unique regulatory and statutory requirements should be considered as well as commercial terms and conditions.

Clause 8.2.2b requires that the organization have the ability to meet requirements. Often with advanced products, there is a need to advance the state of the art as product development progresses. Such situations should be clearly identified and the business risks understood. In such cases, the deﬁned requirements could be the development of the needed technological advance. To avoid customer complaints or dissatisfaction, even for “requirements” that are not clearly stated (e.g., regulatory requirements or marketplace norms), the organization should consider a comprehensive understanding of customer requirements, perhaps even performing a failure modes and effects analysis (FMEA) on the processes as a form of risk assessment. Since the review process required in clause 8.2.2 is often iterative, retention of documented information of review results (eg, who reviewed what, when, and using what method) can be a practical necessity. While clause 8.22 does not require retention of any documented information on these determinations, it is recommended to have such records.

Clause 8.2.3 states the obligation of the organization to review the requirements of products and services, which includes:

Customer-specified requirements for the product or service, including any requirements for delivery or post-delivery actions
Requirements are known to be needed by the organization even though not specified by the customer
Applicable statutory and regulatory requirements applying to the product or service
Requirements of the final contract or order differing from those previously provided by or discussed with the customer

The review is required to:

Be performed prior to the organization’s commitment to producing the product or service
Ensure resolution of all order requirements that may differ from those previously defined
Include confirmation of the requirements in cases where the customer does not provide documented requirements o Retain documented information on the results of the review

The acceptance of an order or the submission of a quote or tender by an organization obliges the organization to meet the conditions stated in the order or to provide the goods and services included in the scope of the quotation or tender. The obligation assumed by the organization includes not only the products defined but also ancillary items such as conformance to stated delivery dates, adherence to referenced external standards, and compliance with the commercial terms and conditions applicable to the order, contract, quote, or tender as well as applicable statutory and regulatory requirements. The complexity of the order/quote review process depends on the products and services of the organization. A process for reviewing oral orders for off-the-shelf products with 24 hour delivery (e.g., software packages) will differ considerably from a process for reviewing a large order for a one-of-a-kind product with a two-year delivery (e.g., an order for a control system for an electric power-generating station). The review process must also accommodate, as applicable, electronic orders, blanket orders with periodic releases, unsolicited orders, orders through distributors or representatives, faxed orders, and an almost infinite combination of these and other possibilities. If the organization is involved in internet sales, creative thinking will be required to efficiently review customer requirements. With such a spectrum of possibilities, what is an organization expected to do to conform to the requirements? The first step should be to develop a clear understanding of the nature of the various kinds of customer requirements and fully understand each communication channel involved. If, for example, an organization publishes a catalog and accepts only written orders for catalogue—listed items to standard delivery times, then the order or contract- review procedure can be simple. The process could be a designated individual (e.g., a manager, a clerk) reviewing, initiating, and dating the written order. This simple process can be used as valid evidence that requirements can be met. If an organization must address possibilities that occur only rarely, the organization could simply note in documented information (i.e., a procedure) that any circumstances different from standard terms and conditions will be addressed by a specific quality plan. Such a plan can be generated as a unique occasion arises. Thus, a simple order-entry process can have a very simple, brief, and effective contract-review process. For the large, complex contracts or quotations, the review process may involve many organizational entities such as engineering, manufacturing, legal, finance, and quality assurance. Accordingly, the procedures governing such reviews can be complex and lengthy. A good guideline to keep in mind when developing a process to address the specific requirements of clause 8.2.3 is to balance the risks to the organization with the effort expended in a review of customer requirements, keeping in mind that the purpose of the review is to add value and not to create a bureaucratic morass. A formal process should be deployed that indicates who will do what and how often.

Clause 8.2.4 states that changes are required to be controlled and documented information updated to ensure that changes are properly included in documented information. When changes to product requirements, orders, contracts, or quotations occur, the organization is required to ensure that relevant documented information is amended and communicated, as appropriate, within the organization. These simple and fundamental requirements are often much harder to meet. Changes tend to come from all sorts of sources. Customer ﬂoor-level workers in today’s environment often talk directly to factory workers in customers’ plants. Cell phones are used to relate the latest changes to schedules and requirements. The situation can turn into chaos. Thus, control rules are needed so that decisions related to changes are made by the appropriate people with relevant and up-to-date information. These considerations should be a key part of considering process interactions. Often the rapid response is critical for the customer, so design the system in such a way that you can deliver just that. Considerations for Documented Information to Be Maintained and/or Retained, Keeping good records of changes is both a challenge and a practical necessity.

Customer-related processes must include controls for determining customer and regulatory requirements, a review of such requirements, and communication with the customer. Customer requirements extend beyond product specifications and may include on-time delivery, packaging, labelling, mode of delivery, documentation, communications, QMS requirements, after-sales servicing, etc. Many of these requirements may also come from regulatory, industry or from within your own organization. Depending on the product or service, you must determine if any industry or regulatory requirement is applicable to product characteristics or process parameters that affect the product’s safety or compliance with regulatory requirements. You must consider all laws and regulatory requirements that may affect your product, materials, labour, production processes, your facility and work environment, etc. Where some or all of the processes – for determining customer requirements; for contract review and customer communication; etc., are done offsite, then you must show the linkages and interaction of these offsite activities with your on-site QMS processes. The nature of the requirements review may be different for different types of product or services. Your review records must show the basis of the review. Make sure you do your due diligence and risk analysis before you commit to contractual arrangements. I have seen many companies get into serious financial trouble, for taking on products transferred from another supplier because they did not assess all the risks. Manufacturing risk analysis is an assessment of your organization’s capacity and capability to effectively and efficiently provide the customer-specified deliverables. Risk analysis should include timing, resources, development costs and investments, the potential for, and effects of, possible failures in processes, including suppliers. You should also consider financial and profitability risks. Sometimes it may take a few months to receive an order or contract from the customer after you have sent them your quotation. Your review process must ensure that you compare the customer’s order or contract with your latest quotation, and resolve any differences (accept or re-negotiate) before you accept the order or contract. Your customer relations management process must include a sub-process for change control and must include – a review of the change either from the customer or internal from the organization and its impact on fit, form, functionality, other processes, financial, delivery, etc. Have a process for change control. For significant issues or changes, obtain customer approval in writing for any waivers or changes of contractual or QMS requirements. Customer communications may take many forms such as software and interfaces for design and development, logistics, customer satisfaction feedback, etc. You must ensure that personnel at all levels have the competency and training to use these communications media and tools. You must identify and document all processes addressing this clause as part of your QMS. For these processes, you must also identify what specific documents are needed for effective planning, operation, and control of production activities. These documents may include – contracts, specifications, orders, product quality plans, work instruction, a documented procedure, etc., combined with unwritten practices, procedures, and methods. Look at the risks related to your product, processes, and resources in determining the nature and extent of documented controls you need to have. Performance indicators to measure the effectiveness of customer-related processes in meeting requirements and achieving quality objectives should focus on reducing variation in and improving these processes and related use of resources. Indicators may include a reduction in quote cycle time, pre and post-award review cycle time, order-entry errors and omissions, etc., and improvement in conversion ratio (i.e. ratio of contracts/orders awarded to quotes).

8.3 Design and Development of Products and Services

Clause 8.3, on design and development controls, has six subclauses:

8.3.1 General

The organization should establish, implement, and maintain a design and development process. such that they are adequate for subsequent production or service provision.

8.3.2 Design and Development Planning

While planning for design and development, the organization must consider the following in determining the stages and controls for design and development:

nature, duration, and complexity of the design and development activities;
the required process stages, including applicable design and development reviews;
the required design and development verification and validation activities;
the responsibilities and authorities involved in the design and development process;
the internal and external resource needs for the design and development of products and services;
the need to control interfaces between persons involved in the design and development process;
the need for involvement of customers and users in the design and development process;
the requirements for the subsequent provision of products and services;
the level of control expected for the design and development process by customers and other relevant interested parties;
the documented information needed to demonstrate that design and development requirements have been met

8.3.3 Design and Development Inputs

The organization must determine the requirements essential for the specific type of products and services being designed and developed, including, as applicable, functional and performance requirements; applicable legal requirements; information derived from previous similar design and development activities; standards or codes of practice the organization has committed to implement; potential consequences of failure due to the nature of products and services; Ensure inputs are adequate for design and development purpose, complete, and unambiguous. Resolve conflicts among Design and Development inputs.

8.3.4 Design and Development Controls

The organization should apply controls to the design and development process to ensure that results to be achieved by the design and development activities are clearly defined; Design and development reviews are conducted as planned; Verification activities are conducted to ensure that the design and development outputs have met the design and development input requirements; Validation activities are conducted to ensure that the resulting products and services are capable of meeting the requirements for the specified application or intended use (when known). The organization must take any necessary actions on the problems determined during the reviews, or verification and validation activities. The organization must maintain any documented information about these activities. Design and development reviews, verification, and validation have distinct purposes. They can be conducted separately or in any combination. as is suitable for the products and services of the organization.

8.3.5 Design and Development Outputs

The organization must ensure that design and development outputs meet the input requirements for design and development. They should be adequate for the subsequent processes for the provision of products and services. They must include or have a reference of monitoring and measuring requirements, and acceptance criteria, as applicable. They must ensure products to be produced, or services to be provided, are fit for the intended purpose and their safe and proper use. The organization must retain the documented information resulting from the design and development process.

8.3.6 Design and Development Changes

The organization should identify, review and control changes made (during the design and development of products and services, or subsequently) to design inputs and design outputs to the extent that there is no adverse impact on conformity to requirements. The organization must retain documented information on design and development changes, the result of the review, the authorization of changes, and action is taken to prevent adverse impact.

Design and development activities needed for products and services are required to be planned and controlled through an established, implemented, and maintained process. This process may be used for both products and services and for associated processes. It is required to include the following:

Planning to determine design stages considering activities such as verification and validation, control of design interfaces, design review, resources needed for design and development, customer involvement, and the documented information needed to confirm that input requirements are met.
Determination of the design and development inputs required, including such things as functional requirements, regulatory and statutory requirements, applicable standards or codes, information from earlier projects, and potential consequences of failure. Conflicting requirements are required to be resolved.
Design and development controls, including clear delineation of the results to be achieved, planning and conducting design and development reviews and verification activities to ensure design outputs meet input requirements, and validation to ensure the products and services meet the requirement for the application intended.
Design and development outputs are required to meet input requirements, to be adequate for subsequent processes in the provision of the product or service, and to ensure the products and services are fit for their intended purpose.
Design and development changes are required to be identified, reviewed, and controlled. This includes changes to design inputs or outputs. Controls are required to ensure that changes do not have an impact on the products and service conformity.
The organization is required to retain documented information resulting from the design and development process, including design and development changes.

The intent is to ensure that the organization plans and controls design and development projects. The key reason for this emphasis on planning is to maximize the probability that the project will meet the defined requirements. If the design and development processes are well planned and controlled, an additional benefit should be that projects are completed on time and within budget, Planning is required at the level of detail needed to achieve the design and development objectives—not to generate an excessive amount of paperwork. Stages of the project need to be determined, and responsibilities, authority, and interfaces need to be defined. Requirements need to be established for the incorporation of review, verification, and validation into the design and development project. The organization needs to determine how communications will be structured (e.g., weekly meetings, periodic reports, or other methods). In many cases, a number of organizations are involved in this process, and the success of the design and development project often rests heavily on proper identification, understanding, and control of design interfaces.

You must include product design and development in your QMS scope if you contract or convey the perception that you design a product, regardless of whether you buy, outsource, or actually do design and development. The scope of your design and development activity must consider all aspects of the product and product realization processes to ensure its conformity to requirements. This includes product identification, handling, packaging, storage, and protection during internal processing and delivery to the customer. Product design and development sometimes result in new manufacturing processes or changes to existing manufacturing processes. This clause is equally applicable for designing and developing manufacturing processes. Product design and development planning must focus on error prevention rather than detection in product quality as well as product realization processes. You must have an overall plan for your design project. Your plan must specify the design and development stages, activities and tasks, responsibilities, timeline and resources, specific tests, validations, and reviews, and outcomes. There are many tools available for planning ranging from a simple checklist to complex software. The degree and details of planning may vary according to size and length of contract or project, complexity, risk, product life, customer and regulatory requirements, past experience with a similar product, etc. You have flexibility in determining the scope of the stages, review, verification, and validation required for your product design and development projects. Your plan must be dynamic and updated as requirements and circumstances change. You must track progress against your plan at regular intervals or project milestones and update the plan as the activity progresses. Your design and development plan must include methods to communicate information, responsibilities, results, discussions, reviews, and resources. You must take a multi-disciplinary approach that includes as needed, other functions (besides design) such as quality, engineering, purchasing, sales, tooling, production, etc. Your plan must clearly identify these other functions and their specific role and responsibilities regarding the project. Consider including customer and supplier personnel at appropriate stages to do work and review results or progress. A multi-disciplinary approach applies collective and relevant knowledge and skills of these different functions to carry out or review design and development activities. The design and development project plan serves as both a document and a record as it is updated for completion for various activities. Where some or all of clause 8.3 design and development activities are done off-site, then you must show the linkages and interaction of these offsite activities with your on-site QMS processes. You must identify and document all processes addressing this clause as part of yours. For these processes, you must also identify what specific documents are needed for effective planning, operation, and control of production activities These documents may include contracts, technical drawings, and specifications, a documented plan for design and development, work instructions, a documented procedure, etc., combined with unwritten practices, procedures and methods. Look at the risks related to your product, processes, and resources in determining the nature and extent of documented controls you need to have. Many organizations use various software tools to document their product or process design and development plans. If the nature of your business does not require you to design and develop the product (e.g. you manufacture strictly from customer-provided engineering drawings and specifications), then you must clearly state this exclusion to your QMS scope, in your quality manual. Performance indicators (to measure the effectiveness of design and development processes in meeting requirements and achieving quality objectives) should focus on reducing variation in and improving these processes and related use of resources. Indicators may include a reduction in design cycle time, development cycle time, specification errors, omissions, changes, design and development costs, etc., as well as measurable improvements in products developed.

You must identify, document, and review design inputs requirements for function, performance, safety, regulatory, quality, reliability, durability, life, timing, maintainability, cost, identification, traceability, packaging, special or safety characteristics from the customer or regulatory body, and other requirements essential to the product. You must have a process that should be part of your design and development plan to identify, document, review, deploy and use design input information such as documents coming from various sources such as customer contracts, drawings, and specifications, your own organization’s database of previous design and development projects, competitor analysis, industry standards, feedback from suppliers, field data. Design and Development usually require the input and involvement of many other functions and processes such as contract review, product realization, purchasing, top management, etc. within the organization and your process must manage this interaction by defining responsibilities and means of communications. The inclusion of these controls in your design and development plan is one of many effective ways to achieve this. Such a multi-disciplinary approach has the benefit of applying the collective and relevant knowledge and skills of these different functions to carry out or review design and development activities.
You must identify and include any special and safety characteristics in your process control documents such as quality plans, product drawings, operator instructions, and other documents used to make or verify the product. Note that special requirements can also include process parameters such as temperature, timing, concentrations, etc. You must review all input requirements, review design and development progress, verify product design and validate developed products at various stages of your design and development process. The nature, frequency, and scope of these controls must be defined in your design and development plan or other documents. You must carry out these controls according to your plan and keep appropriate records.

Do design reviews at one or more milestones of the design and development project, depending on customer requirements, the size, complexity, and risks involved. The purpose of these reviews is to evaluate results to requirements, check project progress and costs to plan and take actions on any problems encountered. You must take a multi-disciplinary approach for doing these reviews and keep appropriate records of issues discussed, actions to be taken, responsibilities and timeline for completion. All design and development reviews must be included in your design and development plan. Product design Verification includes design reviews, comparing the new design to a similar proven design if available, performing alternate calculations, performing tests and simulations, reviewing the design documents before release, etc. Verification is checking product or process to input requirements, whereas validation is checking product or process is suitable for its intended use does it perform/function in the way intended by your customer or your organization. Manufacturing process design verification includes design review, process capability studies, testing various process parameters, performing tests and trials, reviewing the manufacturing process design documents before release, etc. If you outsource any part of your design and development activity, then you must exercise the same controls required by clause 8.3 on the outsourced work and the organization doing the work, had it been done internally. Product and manufacturing process validation includes – design reviews, comparison between customer requirements and internal development plans, design and development validation against customer requirements and design and development input requirements, corrective action, and lessons learned from documented process failures and product nonconformities. If you outsource any part of your design and development activity, then you must exercise the same controls required by clause 8.3 on the outsourced work and the organization doing the work, had it been done internally. Any problem you have encountered during the verification and validation or identified during review must be resolved.

Design and development output may be product or documentation or both. Product may be a prototype or finished product and documentation could be a computerized or hard copy drawing or specification. Check design and development output against the input requirements specified in 8.3.3, before you use it any further. Provide appropriate design and development output information to:

Purchasing material or service specifications
Production output such as product specifications, special characteristics, drawings, diagnostics, etc.
Service output such as product specifications; performance reliability and maintenance criteria.

Initially, this information may be used for trials and validation, before being firmed up. Many documents are created from the design and development output stage such as drawings, quality plans, work instructions, etc. These documents must be controlled as per clause 7.5.3 such as approval, revision control, distribution, etc. Where any sophisticated design and development tools such as AutoCAD are used requiring specific competency or training, ensure you provide and keep appropriate records of competency and training of personnel performing design and development activities and use of these tools.

Make sure your process for design and development changes follows the appropriate steps of clause 8.3 ie define the plan, have inputs and outputs, verify and validate to the extent necessary to meet customer requirements, and control product, quality, and business risks. Changes may come from the internal, customer, or regulatory sources. Get all requests for product or manufacturing process design changes in writing from your customer. The impact of the change must be evaluated on materials used, design process, manufacturing process, characteristics and use of the developed product, regulatory compliance, cost, etc. While planning for change the organization must follow all the requirements as given in clause 6.3 planning for change and must also determine all risk and opportunities as given in clause 6.1. Documented information on design and development changes, the result of the review, the authorization of changes, and action is taken to prevent adverse impact must be maintained.

8.4 Control of Externally Provided Products and Services

8.4.1 General

The organization must ensure that externally provided processes, products, and services conform to specified requirements. The organization must apply the specified requirements for control of externally provided products and services when products and services are provided by external providers for incorporation into the organization’s own products and services; products and services are provided directly to the customer by external providers on behalf of the organization; a process or part of a process is provided by an external provider as a result of a decision by the organization to outsource a process or function. The organization must determine and apply criteria for evaluation, selection, monitoring of performance, and re-evaluation of external providers based on their ability to provide processes or products and services in accordance with specified requirements. The organization must retain appropriate documented information of the above-mentioned activities and any necessary action arising out of the evaluation.

8.4.2 Type and Extent of Control

The organization should ensure that externally provided processes, products, and services do not adversely affect the organization’s ability to consistently deliver conforming products and services to its customers. The organization should ensure that externally provided processes remain within the control of its quality management system. It should define both the controls that it intends to apply to an external provider and those it intends to apply to the resulting output. In determining type and extent of controls to be applied to the external provision of processes, products, and services, the organization must consider the potential impact of the externally provided processes, products, and services on the organization’s ability to consistently meet customer and applicable legal requirements and effectiveness of the controls applied by the external provider. The organization must establish and implement verification or other activities necessary to ensure the externally provided processes, products, and services meet the requirements.

8.4.3 Information on External Providers

The organization must ensure the adequacy of specified requirements prior to their communication to external providers. The organization should communicate to external providers applicable requirements for the following:

products and services to be provided or the processes to be performed on behalf of the organization;
approval or release of products and services, methods, processes or equipment;
competence of personnel, including necessary qualification;
their interactions with the organization’s quality management system;
control and monitoring of the external provider’s performance to be applied by the organization;
verification activities that the organization, or its customer, intends to perform at the external provider’s premises.

Externally provided processes, products and services include

purchasing from a supplier
an arrangement with an associate company
outsourcing processes to an external provider.

The controls required for external provision can vary widely depending on the nature of the processes, products, and services. The organization can apply risk-based thinking to determine the type and extent of controls appropriate to particular external providers and externally provided processes, products, and services;

Clause 8.4 covers the requirements to control purchased product including your outsourced process, control suppliers you buy from, and requirements to control your buying process. The purchased product includes raw materials, components, subassemblies, supplies, tooling, machinery and equipment, sequencing, sorting, rework, testing, calibration, maintenance, etc. Note that clause 8.4 requirements apply to items that go into the product, manufacture the product, check the product or deliver the product; whether paid for or customer provided. These may include materials, production equipment, tooling, measuring and test equipment, facilities, transport vehicles, returnable packaging, intellectual property (drawings, specifications or proprietary information), product returned for servicing under warranty, product sent for outsourced work, etc. You must have specifications/criteria for the purchased product. These specifications may come from your organization, customer, regulatory bodies, supplier or industry. As documents, these specifications must be controlled as per clause 7.5.3. Many times the customer may require the use of pre-approved purchased products and suppliers. The onus is still on you to ensure that purchased product from customer-designated sources meets all requirements. You must control both, the product you buy, as well as the supplier you buy from. Your controls must primarily be based on prevention of nonconformities in both product and supplier performance. Determine how important the purchased product is to design, manufacture, assemble and maintain your end product. Factors such as targets for product quality, life, reliability, durability, maintainability, and cost must be applied to the purchased product going into your end product. Categorize your purchased products and services accordingly. Then determine what controls you need to ensure consistent purchased product quality and consistent supplier performance. You can then apply different controls for different purchased products. There are several ways to evaluate your suppliers. Besides product quality, your criteria for supplier selection and evaluation may include the potential supplier’s financial capability, technical and manufacturing capability, and capacity, reliability, reputation, flexibility to handle changes, support, service, cost, etc. The importance of these criteria will vary according to the items materials or services you purchase, and so you can apply different criteria to different suppliers. You can categorize your suppliers accordingly based on these criteria. It might be useful to maintain a list of all qualified suppliers. In addition to the initial evaluation and approval of suppliers, you are required to carry out ongoing monitoring and measurement of their performance. Use supplier monitoring indicators to evaluate the consistency, capability, and reliability of their performance for quality, delivery, support, etc. On-time delivery is very important and disruptions (due to waiting for materials) at your customers or even your own facility must be avoided. Depending on the risks related to materials supplied and supplier performance, you might consider requiring some of your key suppliers to comply with some or all of ISO 9001 requirements and perhaps even certification. You must identify your purchasing processes whether on-site or off-site. For each process, you must document the controls for purchased products and suppliers. You must also show the linkage and interaction of purchasing processes with other processes such as design, manufacturing, tooling maintenance, calibration. Where any of your controlled suppliers have gone through a significant organizational change you must verify the continuity and effectiveness of their QMS. You must keep records of all supplier evaluations (whether initial or periodic), including any corrective actions placed on them for any nonconformities. You must identify and document all processes addressing this clause as part of your QMS. For these processes, you must also identify what specific documents, controls, and resources are needed.You could use a documented procedure or other combination of specific practices, procedures, documents, and methods. Look at the risks related to your product, processes, and resources in determining the extent of documented controls you need to have. Performance indicators to measure the effectiveness of purchasing processes in meeting requirements and achieving quality objectives should focus on measuring supplier performance and reducing variation in and improving purchasing processes and related use of resources. Indicators for supplier performance may include reduction of defects in supplied product, scrap, waste, and rework, improvement in on-time delivery, service, cost, etc. Indicators for the purchasing process may include a reduction in supplier- quote review cycle time, contract award cycle time, purchase order-entry errors and omissions, receiving errors & omissions, etc.

As indicated earlier, you can apply different controls for different suppliers and products depending on your initial supplier evaluation and their ongoing product quality and delivery performance. In any case, these controls must be included or referenced in your quality or inspection plans. To the extent that you decide to do verification of purchased product, you also have flexibility in when you do the verification. You can do it on receipt or at any time prior to use in production. Make sure you appropriately control un-inspected product. This may include identification and storage to prevent unintended use. Consider using supplier quality plans, inspection plans, etc., to verify that the purchased product meets specified purchase (product and QMS) requirements. Verification of purchased products can range from doing no verification to 100% verification. You have flexibility in determining the scope of purchased product verification. Your inspection process must define and document the acceptance criteria and sampling plan for product conformity and what measurement tools needed and records needed to show effective control of purchased product quality and supplier performance.

Your purchase documents such as purchase order, contract, blanket order, your organization’s supplier quality manual, etc. must specify your requirements for the purchased product; the supplier’s QMS and any other initial or on-going controls you deem necessary for ensuring consistent supplier performance. You must define how you ensure the adequacy of these documents before you communicate them to your supplier. A review of the adequacy of purchasing documents may include their completeness, accuracy, correctness, quantity, timing, cost, approval, etc., by one or more functions; computerized controls, etc. In larger organizations, this may be a separate process on-site or off-site. In either case, it must be identified and controlled. While clause 8.4.3 does not specify keeping of records, you must show evidence of carrying out (issue purchase documents) and review of these documents

An outsourced process is any value-adding or conversion activity related to your product or service, that is performed by an external organization such as a subcontractor, sister facility, etc. Note that the external organization may perform the outsourced activity at their facility or yours. A manufacturing company may outsource welding, heat treatment, or painting of product. A software company may outsource software development. A bank may outsource check clearing services. You must be able to demonstrate sufficient controls over outsourced processes to ensure that such processes are performed according to the relevant requirements of ISO 9001:2008. The nature and scope of such control will depend on the nature of the outsourced or subcontracted process and the risk involved. Outsourced processes may be controlled in any number of ways, e.g., providing the vendor with product specifications; your supplier quality manual that they must meet; asking for inspection and test results or certificates of compliance; validation of outsourced process; conducting product and QMS audits of your vendor; etc. The expectation here is that you flow down to your vendor, the relevant ISO 9001 requirements that you would have to implement, had you performed the process at your own facility.

CLAUSE 8.5 Production and Service Provision

8.5.1 Control of Production and Service

The organization should implement production and service provision under controlled conditions. Include these controlled conditions, as applicable:

availability of documented information that defines characteristics of products and services.
availability of documented information that defines activities to be performed and results to be achieved.
availability and use of suitable monitoring and measuring resources
implementation of monitoring and measurement activities at appropriate stages to verify that criteria for control of processes and process outputs, and acceptance criteria for products and services, have been met.
use and control of suitable infrastructure and process environment for the operation of the process.
appointment of a competent person and, where applicable, required qualification of persons;
validation, and periodic revalidation, of ability to achieve planned results of any process for production and service provision where the resulting output cannot be verified by subsequent monitoring or measurement.
implementation of products and services release, delivery, and post-delivery activities.

This clause provides a list of control requirements that you may use, if applicable to your business. Identify and control all operational processes. Show the interaction of these processes with other processes. Use your product, project, or contract quality plan to control your operational activities. Schedule your operations taking into consideration customer delivery requirements, production capacity and capability, material availability and usage, personnel availability and usage; storage; etc. Carefully define and document the interaction of your operation scheduling process with your logistics processes such as inventory management, customer communication, traffic and shipping control, packaging and labeling, sales, and billing. Use quality plans to control your operation processes. Quality plans address what has to be made, how much has to be made, when it has to be made, by whom, in what sequence, how it has to be made, what equipment to use, what measurement and monitoring tools to use, what to inspect, when to inspect, how much to inspect, what to do if problems arise, etc. Your quality plan must cover all operation process steps from receipt of materials, production, packaging, storage, delivery, and even post-delivery activities such as installation or training. Your quality plans are dynamic and must be updated for the changes in product specifications or process parameters; resources used; monitoring or measurement requirements, etc. Your quality plans should reference any work instructions specified for the process steps. Work instructions may be viewed as a subset of your quality plan and may relate to a specific task or activity of your overall product realization process for e.g. setting up a machine, performing an inspection, packaging a product, If you determine that work instructions are needed at specific points in your process, then they must be readily available and relevant i.e. current or right version. Note that work instructions may exist in many forms such as narrative, graphical, audio, video, physical display, etc. To improve your QMS, it will be very useful to draw a flow chart to link the flow and interaction of the activities and sub-processes covered by these clauses, e.g. many organizations overlook reviewing and updating their quality plans for corrective action taken to address a manufacturing process problem. Operational personnel must have timely access to all information relevant to their activities including specific work instructions if necessary. There may be a serious risk to production flow if such information is unavailable or untimely. You must identify and document all processes addressing this clause as part of your QMS For these processes, you must also identify what specific documents are needed for effective planning, operation, and control of production activities. These documents may include – a product quality plan; work instructions; documented procedure; etc., combined with unwritten practices, procedures, and methods. Look at the risks related to your product, processes, and resources in determining the nature and extent of documented controls you need to have. Performance indicators to measure the effectiveness of operational processes in meeting requirements and achieving quality objectives should focus on reducing variation in and improving production processes and related use of resources.

Validation is usually required where the product cannot be verified without damaging or destroying the product, e.g. some types of welding, heat treatment, painting, electroplating, rust-proofing, etc. In such instances, the quality of these activities may only be discovered after use. This would generally not be accepted due to safety (e.g. weld) or aesthetic (evidence of rust or dullness of chrome) reasons. In the case of a service such as pizza delivery within 30 minutes of order placement, if the timeliness of delivery is not verifiable, then validation would be required. However, most service-oriented businesses (e.g. delivery; call center) have some form of monitoring during service execution to ensure service quality. Validation involves conducting capability studies using a combination of resources technology, equipment, materials, environment, competent personnel, and production and testing methods that consistently result in a quality product or service. Validation may also require customer or regulatory approval of the process. You must keep appropriate records of process validation showing both the achievement of planned results as well as the ongoing maintenance of such capability. If you change any part of the proven process capability for e.g. materials, equipment or personnel, etc., you must revalidate i.e re-prove the changed process. It is up to each organization to determine what combination of resources and methods will provide the required consistent process capability and quality of product or service. Include as appropriate, these validation controls in your quality plans.

Product-related indicators may include a reduction in defect rates, PPM’s (defective parts per million), scrap rates, waste and rework; improvement in on-time delivery. Production process-related indicators may include a reduction in set-up time, run rates, process cycle time, production scheduling and operator errors and omissions, etc.

8.5.2 Identification and Traceability

The organization should use suitable means to identify “process outputs” where necessary to ensure conformity of products and services. The organization should identify the status of “process outputs” with respect to monitoring and measurement requirements throughout production and service provision. The organization should control the unique identification of “process outputs” where traceability is a requirement. It should retain any documented information necessary to maintain traceability. “Process outputs” are results of any activities which are ready for delivery to the customer or to an internal customer (e.g., the receiver of inputs to the next process). “Process outputs” can include products, services, intermediate parts, components, etc.

There are three distinct control requirements specified here.

Product identification: It means knowing the identity of your or customer-supplied product from incoming receipt of materials, raw material storage, use in production, work in progress, finished product storage, and delivery of the product to the customer. Product identification can be controlled using physical and electronic methods.
Product status: It means knowing the quality status (good or bad) of materials and products through each of the above stages. Product status can be controlled using physical and electronic methods.
Unique Product Identification: It is not a mandatory requirement under ISO 9001 unless contractually required by customers or regulatory bodies. In certain industry sectors such as the automotive or aerospace or pharmaceutical industry, unique product identification is mandatory for safety, regulatory, and risk management reasons. This usually involves keeping detailed records of product manufacturer such as material, equipment, personnel, processes, production, inspection and test details, etc., for individual products or production batches. These records help to trouble-shoot product and process problems, resolve customer complaints, and enable continual improvement of product and process. In many instances, it also reduces cost, risk, and use of resources by narrowing the problem down to a specific cause or instance. Depending on the product, the OEM may specify the degree of unique identification and traceability required.

While this clause does not call for specific documented information, these controls may be included in your Operation processes through your product quality plans, work instructions, and other specific documentation. Examples of product identification and test status include physical tags, bar code labels linked to computer records; MRP systems tracking specific production runs/lots, automated production transfer processes, etc. Performance indicators to measure the effectiveness of processes that control identification and traceability may include a reduction in identification errors and omissions; product quality status errors and omissions; and traceability errors and omissions.

8.5.3 Property Belonging to Customers or External Providers

The organization should exercise care with property belonging to customers or external providers while under the organization’s control or being used by the organization. The organization should identify, verify, protect, and safeguard the customer’s or external provider’s property provided for use or incorporation into products and services. It should report to the customer or external provider when their property is incorrectly used, lost, damaged, or otherwise found to be unsuitable for use. Customer property can include material, components, tools and equipment, customer premises, intellectual property, and personal data.

Customer or External provider property may include material, production equipment, tooling, measuring and test equipment, facilities, transport vehicles, returnable packaging, intellectual property such as drawings, specifications or proprietary information, product returned for servicing under warranty, product sent for outsourced work, etc.
All customer property is exposed to the risk of being damaged, lost, misused, misplaced, stolen, become unsuitable or obsolete for use. You must establish controls for each of these risks. Notify the customer/ External provider in writing if their property is lost, damaged, or otherwise found to be unsuitable such as perishable past its shelf life for use. Control to minimize the risks to customer/External provider property include inventory management, preservation, and storage, identification, status and traceability indicators, maintenance, notification, traffic flow, authorized use, restricted access, etc. Marking customer/External provider property with a unique identification number that can be traced to a record that provides details of ownership is one of many acceptable controls. While this clause does not call for specific documented information, these controls may be included in your product realization processes through your product quality plans, work instructions, and other specific documentation. Many of the controls needed for clause 8.5.2 Identification and traceability and clause 8.5.4 Preservation apply to customer property. The processes, controls, and documentation for these other clauses could be expanded to include customer property. Performance indicators to measure the effectiveness of processes that control customer property may include a reduction in identification errors and omissions, loss due to damage or unsuitability, scrap, rejects, etc., as well as increased customer property turnover rates.

8.5.4 Preservation

The organization should ensure the preservation of “process outputs” during production and service provision, to the extent necessary to maintain conformity to requirements. Preservation can include identification, handling, packaging, storage, transmission or transportation, and protection.

All raw materials, work in progress, finished product, supplies, customer provided materials or product, product sent for outsourced work, etc., are subject to the risk of being damaged, lost, misused, misplaced, stolen, become unsuitable, perishable, or obsolete i.e. past shelf life for use. This could occur during receipt, handling, storage, use in production, and transportation to the customer, etc. These could be controlled using identification, status and traceability indicators, inventory cycle counts and condition evaluation, stock rotation methods such as FIFO, just in time, tracking shelf life, special, controls for restricted access, handling and storage of hazardous materials, climate and environment, maintenance procedures, bar codes, training, use of special equipment for handling, condition reports, etc. These controls may be included in your product realization processes through your product quality plans, work instructions, and other specific documentation. Many of the controls needed for clause 7.5.3 Identification and traceability apply to the preservation of the product.
Performance indicators to measure the effectiveness of processes that control preservation of product may include a reduction in obsolete and spoils materials an product (e.g., fresh produce, fruits, or frozen foods), identification errors and omissions, rejects, waste, scrap, etc., and increase in inventory turnover and material/product availability, and product safety.

8.5.5 Post-Delivery Activities

The organization should meet requirements, as applicable, for post-delivery activities associated with products and services. In determining the extent of post-delivery activities that are required the organization should consider risks associated with products and services; Customer feedback; legal requirements; nature, use, and intended lifetime of products and services; Post-delivery activities can include actions under warranty provisions, contractual obligations (such as maintenance services) and supplementary services (such as recycling or final disposal)

Post Delivery activities mean based on customer agreement or other agreement, the organization may be responsible for providing support for their product or services after delivery. This could include technical support, routine maintenance or total recall, recycling, reusable packaging, returnable containers, etc. The extent of post-delivery activity will depend on:

Statutory and regulatory requirements: If statutory or regulatory requirements dictate post-delivery activities or warranties, they must be addressed
the potential undesired consequences associated with its products and services: The organization must consider potential consequences, and how they intend to respond, the scope of their reaction plan, etc
nature, use and an intended lifetime of its products and services: This is very commonly stated in the organization’s return policy or statement of liability. Some organizations clearly state that there are no warranties (or post-delivery activities) offered, expressed, or implied. If this is the case (and in the absence of any other requirements in this list), this section can be addressed simply by acknowledging that there are no post-delivery activities.
customer requirements: If the customer requires post-delivery, support, warranty, protection through delivery and receipt, etc, the post-delivery activities should be clearly described.
Customer feedback: Customer feedback should be considered when determining the scope of post-delivery activities. This also implies that the scope of those post-delivery activities may change over time in response to customer feedback.

8.5.6 Control of Changes

The organization should review and control changes for production or service provision to the extent necessary to ensure continuing conformity with requirements. The organization should retain documented information describing the results of the review of changes, personnel authorizing the change, and any necessary actions arising from the review.

The organization is required to review and control changes for all of the previously discussed “production and service provision” topics including 8.5.1 Control of production and service provision (all of the controls established in the first place), 8.5.2 Identification and traceability, 8.5.3 Property belonging to customers or external providers, 8.5.4 Preservation and 8.5.5 Post-delivery activities. So, just as the QMS must have defined each of these items, any changes to them must be controlled. Changes that are not clearly communicated create confusion. Changes that have not been adequately reviewed and vetted may be implemented and result in an undesired outcome. Changes, in general, create instability, and a robust change management process is critical to ensure changes are fully reviewed, approved, communicated, understood, and validated when they are implemented. Records describing the results of the review of changes, personnel authorizing the change, and any necessary actions arising from the review have to be maintained.

8.6 Release of Products and Services

The organization should implement planned arrangements at appropriate stages to verify product and service requirements have been met. Retain evidence of conformity with acceptance criteria. The release of products and services to the customer should not proceed until the planned arrangements for verification of conformity have been satisfactorily completed unless otherwise approved by a relevant authority and, as applicable, by the customer. The organization should retain documented information for traceability to the person(s) authorizing the release of products and services for delivery to the customer. The organization should also retain documented information for evidence of conformity with the acceptance criteria.

You must identify, monitor, and measure product/service characteristics to verify conformity to requirements. Product characteristics may be dimensional, functional, performance, reliability, durability, maintainability, life, cost, etc. Requirements may come from your customer, your own organization, regulatory and industry sources. You must plan what characteristic(s) to measure, type of measurements, what measurement device to use, how often to measure, sample size, acceptance criteria, and records needed for each product or product type. Use your quality plan to document these controls. Your product, project, or contract quality plan must define the stages at which various monitoring and measurement will be carried out at incoming receipt of materials from suppliers or outsourced work, storage, internal production processes, finished product, packaging, at time of shipping and post-installation. Monitoring and measurement may be done by your personnel, subcontracted or outsourced labor, or by the customer. You must ensure that all personnel performing monitoring and measurement are trained and competent.
If you plan on releasing during any stage of production or shipping finished product, where all planned inspections and measurements to that stage have not been completed, ensure that you obtain prior written approval/waiver from a relevant internal authority or the customer. Where practical, consider completing all missed planned inspections and measurements before product delivery. You must identify and document all product realization processes that may address this clause, as part of your QMS, e.g. receiving, production, shipping, etc. For such processes, you must also identify what specific documents are needed for effective planning, operation, and control.
You could use a product quality plan, any documented information, or other combination of specific practices, procedures, and methods. Look at the risks related to your product, processes, and resources in determining the extent of documented controls you need to have. Performance indicators to measure product conformity may include a reduction in defect rates, PPM’s (defective parts per million), scrap rates, waste, rework, improvement in on-time delivery, product returns from the customer, etc. Performance indicators to measure the effectiveness of product realization processes in achieving product conformity include productivity, reduction of cycle time, errors, omissions, and failures, etc.

8.7 Control of Nonconforming Process Outputs, Products, and Service

8.7.1

The organization should ensure process outputs, products, and services that do not conform to requirements are identified and controlled to prevent unintended use or delivery. The organization should take appropriate action based on the nature of nonconformity and its impact on the conformity of products and services. This is applicable also to nonconforming products and services detected after delivery of products during or after the provision of service. The organization should deal with nonconforming outputs in one or more of these ways:

correction;
segregation, containment, return, or suspension of the provision of products and services;
informing the customer;
obtaining authorization for acceptance under concession.

The organization should verify conformity to requirements when nonconforming process outputs, products, and services are corrected.

8.7.2

The organization should retain documented information that describes the nonconformity, action taken, concessions obtained, identifies the person or authority that made the decision regarding dealing with nonconformity.

ISO 9001:2015-Clause 8.7 applies to processes, products, and services that do not conform to customer requirements, applicable regulatory requirements, or your own organization requirements. Nonconformities may relate to suppliers and outsourced work, your own organizational activities, or product shipped to customers. Your organization must have controls and responsibilities to identify, contain i.e. prevent further processing or use, keep records of the nature and other details of the nonconformity, notify appropriate personnel and customer, where appropriate, evaluate what disposition action needs to be taken, carry out timely disposition, determine policies for release for further processing or shipment to the customer, obtain customer concessions, rework and re-verification, establish performance indicators to measure the effectiveness of the control of nonconformance process, etc.
Product or material found with no identification or its quality status is not known, should be treated as a nonconforming product and controlled as mentioned above. If you find that a nonconforming product has been shipped, without a customer concession, you must take appropriate action to reduce the immediate and consequential effect of the nonconformity. Depending upon the seriousness and scope of the nonconformity, you might consider taking action to eliminate the nonconformity as well as a corrective action to eliminate the root causes of the nonconformity. It might be appropriate in specific circumstances to notify the customer and resolve the situation to your customer’s satisfaction. A similar rationale may be applied where the product has been shipped that does not meet regulatory requirements. Depending upon the seriousness and scope of the nonconformity, you might consider taking action to eliminate the nonconformity as well as a corrective action to eliminate the root causes of the nonconformity. You need to be aware of any reporting requirements imposed by regulatory bodies and comply with them.
A concession authorization allows you to ship nonconforming products, under controlled conditions. A deviation authorization allows you to manufacture a product different from the original specification, under controlled conditions. In both these situations, make sure that you obtain these authorizations in writing prior to shipping or manufacturing the nonconforming product. All product realization processes must show the interaction with your process for a nonconforming product. Performance indicators to measure the effectiveness of control of nonconforming products may include a reduction in cycle time to evaluate and dispose of nonconforming products, reduced errors in preventing unintended use or delivery, improved alternate use of the nonconforming product, and cost recovery, etc.