ISO IEC 9001:2015
0.1 General
The adoption of a quality management system is a
strategic decision for an organization that can help to improve its overall
performance and provide a sound basis for sustainable development initiatives.
The potential benefits to an organization of implementing a quality management
system based on this International Standard are:
a) The ability to consistently provide products and
services that meet customer and applicable statutory and regulatory
requirements;
b) facilitating opportunities to enhance customer
satisfaction;
c) addressing risks and opportunities associated
with its context and objectives;
d) the ability to demonstrate conformity to
specified quality management system requirements.
This
International Standard can be used by internal and external parties.
It is
not the intent of this International Standard to imply the need for:
-
uniformity
in the structure of different quality management systems;
-
alignment
of documentation to the clause structure of this International Standard
-
the use
of the specific terminology of this International Standard within the
organization.
The
quality management system requirements specified in this International Standard
are complementary to requirements for products and services.
This International Standard employs the process
approach, which incorporates the Plan-Do-Check-Act (PDCA) cycle and risk-based
thinking.
The
process approach enables an organization to plan its processes and their
interactions.
The PDCA cycle enables an organization to ensure
that its processes are adequately resourced and managed, and that opportunities
for improvement are determined and acted on.
Risk-based thinking enables an organization to
determine the factors that could cause its processes and its quality management
system to deviate from the planned results, to put in place preventive controls
to minimize negative effects and to make maximum use of opportunities as they
arise (see Clause A.4).
Consistently meeting requirements and addressing
future needs and expectations poses a challenge for organizations in an
increasingly dynamic and complex environment. To achieve this objective, the
organization might find it necessary to adopt various forms of improvement in
addition to correction and continual improvement, such as breakthrough change,
innovation and re-organization.
In this
International Standard, the following verbal forms are used:
— “shall” indicates a requirement;
— “should” indicates a recommendation;
— “may” indicates a permission;
Information marked as “NOTE” is for guidance in
understanding or clarifying the associated requirement.
0.2 Quality management principles
This International Standard is based on the
quality management principles described in ISO 9000. The descriptions include a
statement of each principle, a rationale of why the principle is important for
the organization, some examples of benefits associated with the principle and
examples of typical actions to improve the organization’s performance when
applying the principle.
The
quality management principles are:
— customer focus;
— leadership;
— engagement of people;
— process approach;
— improvement;
— evidence-based decision making;
— relationship management.
0.3 Process
approach
0.3.1 General
This International Standard promotes the
adoption of a process approach when developing, implementing and improving the
effectiveness of a quality management system, to enhance customer satisfaction
by meeting customer requirements. Specific requirements considered essential to
the adoption of a process approach are included in 4.4.
Understanding and managing interrelated
processes as a system contributes to the organization’s effectiveness and
efficiency in achieving its intended results. This approach enables the organization
to control the interrelationships and interdependencies among the processes of
the system, so that the overall performance of the organization can be
enhanced.
The process approach involves the systematic
definition and management of processes, and their interactions, so as to
achieve the intended results in accordance with the quality policy and
strategic direction of the organization. Management of the processes and the
system as a whole can be achieved using the PDCA cycle (see 0.3.2) with an overall
focus on risk-based thinking (see 0.3.3) aimed at taking advantage of
opportunities and preventing undesirable results.
The
application of the process approach in a quality management system enables:
a) Understanding and consistently in meeting
requirements;
b) The consideration of processes in terms of added
value;
c) The achievement of effective process
performance;
d) Improvement of processes based on evaluation of
data and information.
Figure 1 gives a schematic representation of any
process and shows the interaction of its elements. The monitoring and measuring
check points, which are necessary for control, are specific to each process and
will vary depending on the related risks.
Figure 1 – Schematic representation of the
elements of a single process
0.3.2.
Plan-Do-Check-Act cycle
The PDCA
cycle can be applied to all processes and to the quality management system as a
whole. Figure 2 illustrates how Clauses 4 to 10 can be grouped in relation to
the PDCA cycle.
Note: Numbers in brackets refer to the clauses
in this International Standard Figure 2 – Representation of the structure of
this International Standard in the PDCA cycle
The PDCA
cycle can be briefly described as follows:
— Plan:
establish the objectives of the system and its processes, and the resources
needed to deliver results in
accordance with customers’ requirements and the organization’s policies, and
identify and address risks and opportunities;
— Do: implement what was planned;
— Check:
monitor and (where applicable) measure processes and the resulting products and
services against policies, objectives,
requirements and planned activities, and report the results;
— Act: take actions to improve performance, as necessary.
0.3.3. Risk-Based
thinking
Risk-based
thinking (see Clause A.4) is essential for achieving an effective quality
management system. The concept of risk-based thinking has been implicit in
previous editions of this International Standard including, for example,
carrying out preventive action to eliminate potential nonconformities,
analyzing any nonconformities that do occur, and taking action to prevent
recurrence that is appropriate for the effects of the nonconformity.
To
conform to the requirements of this International Standard, an organization
needs to plan and implement actions to address risks and opportunities.
Addressing both risks and opportunities establishes a basis for increasing the
effectiveness of the quality management system, achieving improved results and
preventing negative effects
Opportunities can arise as a result of a
situation favourable to achieving an intended result, for example, a set of
circumstances that allow the organization to attract customers, develop new
products and services, reduce waste or improve productivity. Actions to address
opportunities can also include consideration of associated risks. Risk is the
effect of uncertainty and any such uncertainty can have positive or negative
effects. A positive deviation arising from a risk can provide an opportunity,
but not all positive effects of risk result in opportunities.
0.4. Relationship with other management system
standards
This International Standard applies the framework developed by ISO to
improve alignment among its International Standards for management systems (see
Clause A.1).
This International Standard enables an
organization to use the process approach, coupled with the PDCA cycle and
risk-based thinking, to align or integrate its quality management system with
the requirements of other management system standards.
This
International Standard relates to ISO 9000 and ISO 9004 as follows:
— ISO 9000
Quality management systems — Fundamentals and vocabulary provides
essential background for the proper
understanding and implementation of this International Standard;
— ISO 9004
Managing for the sustained success of an organization — A quality management approach provides guidance for organizations
that choose to progress beyond the requirements of this International Standard.
Annex B provides details of other International
Standards on quality management and quality management systems that have been
developed by ISO/TC 176.
This International Standard does not include
requirements specific to other management systems, such as those for
environmental management, occupational health and safety management, or
financial management.
Sector-specific quality management system
standards based on the requirements of this International Standard have been
developed for a number of sectors. Some of these standards specify additional
quality management system requirements, while others are limited to providing
guidance to the application of this International Standard within the
particular sector.
A matrix showing the correlation between the
clauses of this edition of this International Standard and the previous edition
(ISO 9001:2008) can be found on the ISO/TC 176/SC 2 open access web site at:
www.iso.org/tc176/sc02/public.
1 Scope
This
International Standard specifies requirements for a quality management system
where an organization:
a) needs to demonstrate its ability to consistently
provide product or service that meets customer and applicable statutory and
regulatory requirements, and
b) aims to enhance customer satisfaction through
the effective application of the system, including processes for improvement of
the system and the assurance of conformity to customer and applicable statutory
and regulatory requirements.
All the requirements of this International
Standard are generic and are intended to be applicable to any organizations,
regardless of its type or size, or the products and services it provides.
NOTE 1 In this International Standard, the terms
"product" or "service" only apply to products and services
intended for, or required by, a customer.
2 Normative references
The
following documents, in whole or in part, are normatively referenced in this
document and are indispensable for its application. For dated references, only
the edition cited applies. For undated references, the latest edition of the
referenced document (including any amendments) applies.
ISO 9000:2015, Quality management systems —
Fundamentals and vocabulary.
3 Terms and definitions
For the
purposes of this document, the terms and definitions given in ISO 9000:2015
apply.
4.
Context of the organization
4.1 Understanding
the organization and its context
The organization shall determine external and
internal issues that are relevant to its purpose and its strategic direction
and that affect its ability to achieve the intended result(s) of its quality
management system.
The
organization shall monitor and review the information about these external and
internal issues.
NOTE 1
Issues can include positive and negative factors or conditions for
consideration.
NOTE 2 Understanding the external context can be
facilitated by considering issues arising from legal, technological,
competitive, market, cultural, social and economic environments, whether
international, national, regional or local.
NOTE 3 Understanding the internal context can be
facilitated by considering issues related to values, culture, knowledge and
performance of the organization.
4.2 Understanding
the needs and expectations of interested parties.
Due to their effect or potential effect on the organisation’s
ability to consistently provide products and services that meet customer and
applicable statutory and regulatory requirements, the organization shall
determine:
a) The interested parties that are relevant to the
quality management system.
b) The requirements of these interested parties
that are relevant to the quality management system.
The organization shall monitor and review
information about these interested parties and their relevant requirements.
4.3 Determining
the scope of the quality management system
The organization shall determine the boundaries
and applicability of the quality management system to establish its scope.
When
determining this scope, the organization shall consider:
a) The external and internal issues referred to in
4.1;
b) The requirements of relevant interested parties
referred to in 4.2;
c) The product and services of the organization.
The organization shall apply all the
requirements of this International Standard if they are applicable within the
determined scope of its quality management system.
The scope of the organization’s quality
management system shall be available and be maintained as documented
information. The scope shall state the types of products and services covered,
and provide justification for any requirement of this International Standard
that the organization determines is not applicable to the scope of its quality
management system.
Conformity to this International Standard may
only be claimed if the requirements determined as not being applicable do not
affect the organization’s ability or responsibility to ensure the conformity of
its products and services and the enhancement of customer satisfaction.
4.4 Quality
management system and its processes
4.4.1. The organization shall establish, implement,
maintain and continually improve a quality management system, including the processes needed and their
interactions, in accordance with the requirements of this international
standard.
The organization shall determine the processes
needed for the quality management system and their application throughout the
organization and shall:
a) Determine the inputs required and the outputs
expected from these processes;
b) Determine the sequence and interaction of these
processes;
c) Determine and apply the criteria and methods
(including monitoring, measurements and related performance indicators) needed
to ensure the effective operation, and control of these processes;
d) Determine the resources needed and ensure their
availability;
e) Assign the responsibilities and authorities for
these processes;
f) Address the risks and opportunities as
determined in accordance with the requirements of 6.1;
g) Evaluate these processes and implement any
changes needed to ensure that these processes achieve their intended results;
h) Improve the processes and the quality management
system.
4.4.2. To
the extent necessary, the organization shall:
a) Maintain documented information to support the
operation of its processes;
b) Retain documented information to have confidence
that the processes are being carried out as planned.
5 LEADERSHIP
5.1 Leadership
and commitment
5.1.1 General
Top
management shall demonstrate leadership and commitment with respect to the
quality management system by:
a) Taking accountability of the effectiveness of
the quality management system;
b) Ensuring that the quality policy and quality
objectives are established for the quality management system and are compatible
with the context and strategic direction of the organization;
c) Ensuring the integration of the quality
management system requirements into the organization’s business processes;
d) Promoting the use of the process approach and
risk-based thinking;
e) Ensuring that the resources needed for the
quality management system are available;
f) Communicating the importance of effective quality
management and of conforming to the quality management system requirement;
g) Ensuring that the quality management system
achieves its intended result;
h) Engaging, directing and supporting persons to
contribute to the effectiveness of the quality management system;
i) Promoting improvement;
j) Supporting other relevant management roles to
demonstrate their leadership as it applies to their areas of responsibility.
NOTE Reference to “business” in this
international standard can be interpreted broadly to mean those activities that
are core to the purposes of the organization’s existence; whether the
organization is public, private, for profit or not for profit.
5.1.2 Customer
focus
Top management shall demonstrate leadership and
commitment with respect to customer focus by ensuring that:
a) customer and applicable statutory and regulatory
requirements are determined, understood and consistently met;
b) The risks and opportunities that can affect
conformity of products and services and the ability to enhance customer
satisfaction are determined and addressed;
c) The focus on enhancing customer satisfaction is
maintained.
5.2 Policy
5.2.1 Establishing
the quality policy
Top
management shall establish, implement and maintain a quality policy that:
a) Is appropriate to the purpose and context of the
organization and supports its strategic direction;
b) Provides a framework for setting quality
objectives;
c) Includes a commitment to satisfy applicable
requirements;
d) Includes a commitment to continual improvement
of the quality management system.
5.2.2 Communicating
the quality policy
The quality policy shall:
a) Be available and be maintained as documented
information;
b) Be communicated, understood and applied within
the organization;
c) Be available to relevant interested parties, as
appropriate.
5.3 Organizational
roles, responsibilities and authorities
Top
management shall ensure that the responsibilities and authorities for relevant
roles are assigned, communicated and understood within the organization.
Top
management shall assign the responsibility and authority for:
a) Ensuring that the quality management system
conforms to the requirements of this international standard;
b) Ensuring that the processes are delivering their
intended outputs;
c) Reporting on the performance of the quality
management system and on opportunities for improvement (see 10.1), in
particular to top management;
d) Ensuring the promotion of customer focus
throughout the organization;
e) Ensuring that the integrity of the quality
management system is maintained when changes to the quality management system
are planned and implemented.
6.
Planning
6.1 Action
to address risks and opportunities
6.1.1 When planning for the quality management system,
the organization shall consider the issues referred to in 4.1 and the
requirements referred to in 4.2 and determine the risks and Opportunities that
need to be addressed to:
a) Give assurance that the quality management
system can achieve its intended result(s);
b) Enhance desirable effects.
c) Prevent, or reduce, undesired effects;
d) Achieve improvement.
6.1.2 The organization shall plan:
a) Actions to address these risks and
opportunities;
b) How to:
1) Integrate and implement the actions into its
quality management system processes (see 4.4);
2) Evaluate the effectiveness of these actions.
Actions taken to address risks and opportunities
shall be proportionate to the potential impact on the conformity of products
and services.
NOTE 1 Options to address risks can include
avoiding risk, taking risk in order to pursue an opportunity, eliminating the
risk source, changing the likelihood or consequences, sharing the risk, or
retaining risk by informed decision.
NOTE 2 Opportunities can lead to the adoption of
new practices, launching new products, opening new markets, addressing new
customers, building partnerships, using new technology and other desirable and
viable possibilities to address the organization’s or its customers’ needs..
6.2 Quality
objectives and planning to achieve them
6.2.1 The organization shall establish quality
objectives at relevant functions, levels and processes needed for the quality management system
The
quality objectives shall:
a) Be consistent with the quality policy;
b) Be measurable;
c) Take into account applicable requirements;
d) Be relevant to conformity of products and
services and the enhancement of customer satisfaction;
e) Be monitored;
f) Be communicated;
g) Be updated as appropriate.
The
organization shall maintain documented information on the quality objectives.
6.2.2 When
planning how to achieve its quality objectives, the organization shall
determine:
a) What will be done;
b) What resources will be required;
c) Who will be responsible;
d) When it will be completed;
e) How the results will be evaluated.
6.3 Planning
of changes
When the
organization determines the need for changes to the quality management system,
the changes shall be carried out in a planned manner (see 4.4).
The
organization shall consider:
a) The purpose of the change and their potential
consequences;
b) The integrity of the quality management system;
c) The availability of resources;
d) The allocation or reallocation of
responsibilities and authorities.
7 Support
7.1 Resources
7.1.1 General
The
organization shall determine and provide the resources needed for the
establishment, implementation, maintenance and continual improvement of the
quality management system.
The
organization shall consider:
a) The capabilities of, and constraints on,
existing internal resources;
b) What needs to be obtained from external
providers.
7.1.2 People
The organization shall determine and provide the
persons necessary for the effective implementation of its quality management
system and for the operation and control of its processes.
7.1.3 Infrastructure
The organization shall determine, provide and
maintain the infrastructure for the operation of its processes to achieve
conformity of products and services.
NOTE Infrastructure can include:
a) Buildings and associated utilities;
b) Equipment including hardware and software;
c) Transportation;
d) Information and communication technology.
7.1.4 Environment
for the operation of processes
The
organization shall determine, provide and maintain the environment necessary for
the operation of its processes and to achieve conformity of products and
services.
NOTE
Environment for the operation of processes can include physical, social,
psychological, environmental and other factors (such as temperature, humidity,
ergonomics and cleanliness).
NOTE A suitable environment can be a combination of
human and physical factors, such as:
a) social (e.g. non-discriminatory, calm,
non-confrontational);
b) psychological (e.g. stress-reducing, burnout
prevention, emotionally protective);
c) physical (e.g. temperature, heat, humidity,
light, airflow, hygiene, noise).
These
factors can differ substantially depending on the products and services
provided.
7.1.5 Monitoring
and measuring resources
7.1.5.1 General
The organization shall determine and provide the
resources needed to ensure valid and reliable results when monitoring or
measuring is used to verify the conformity of products and services to
requirements.
The
organization shall ensure that the resources provided:
a) Are suitable for the specific type of monitoring
and measurement activities being undertaken;
b) Are maintained to ensure their continued fitness
for their purpose.
The organization shall retain appropriate
documented information as evidence of fitness for purpose of the monitoring and
measurement resources.
7.1.5.2
Measurement Traceability
When measurement traceability is a requirement,
or is considered by the organization to be an essential part of providing
confidence in the validity of measurement results, measuring equipment shall
be:
a) calibrated or verified, or both, at specified
intervals, or prior to use, against measurement standards traceable to
international or national measurement standards; when no such standards exist,
the basis used for calibration or verification shall be retained as documented
information;
b) identified in order to determine their status;
c) safeguarded from adjustments, damage or
deterioration that would invalidate the calibration status and subsequent
measurement results.
The organization shall determine if the validity
of previous measurement results has been adversely affected when measuring equipment
is found to be unfit for its intended purpose, and shall take appropriate
action as necessary.
7.1.6 Organizational
knowledge
The organization shall determine the knowledge
necessary for the operation of its processes and achieve conformity of products
and services.
This
knowledge shall be maintained, and be made available to the extent necessary.
When addressing changing needs and trends, the
organization shall consider its current knowledge and determine how to acquire
or access any necessary additional knowledge and required updates.
NOTE 1 Organizational knowledge is knowledge
specific to the organization; it is generally gained by experience. It is
information that is used and shared to achieve the organization’s objectives.
NOTE 2
Organizational knowledge can be based on:
a) Internal sources (e.g. intellectual property;
knowledge gained from experience; lessons learned from failures and successful
projects; capturing and sharing undocumented knowledge and experience; the
results of improvements in processes, products and services);
b) External sources (e.g. standards, academia,
conferences, gathering knowledge from customer or external providers).
7.2 Competence
The
organization shall:
a) Determine the necessary competence of person(s)
doing work under its control that affects the performance and effectiveness of
the quality management system;
b) Ensure that these persons are competent on the
basis of appropriate education, training, or experience;
c) Where applicable, take actions to acquire the
necessary competence, and evaluate the effectiveness of the actions taken;
d) Retain appropriate documented information as
evidence of competence.
NOTE Applicable actions can include, for
example, the provision of training to, the mentoring of, or the re-assignment
of currently employed persons; or the hiring or contracting of competent
persons.
7.3 Awareness
The organization shall ensure that persons doing
work under the organization’s control are aware of:
a) The quality policy;
b) Relevant quality objectives;
c) Their contribution to the effectiveness of the
quality management system, including the benefits of improved quality
performance;
d) The implications of not conforming with the
quality management system requirements.
7.4 Communication
The
organization shall determine the internal and external communications relevant
to the quality management system including:
a) On what It will communicate;
b) When to communicate;
c) With whom to communicate;
d) How to communicate;
e) Who communicates
7.5 Documented
information
7.5.1 General
The
organization's quality management system shall include:
a) Documented information required by this
International Standard;
b) Documented information determined by the
organization as being necessary for the effectiveness of the quality management
system.
NOTE The extent of documented information for a
quality management system can differ from one organization to another due to:
The size of organization and its type of
activities, processes, products and services;
The complexity of processes and their
interactions;
The competence of persons.
7.5.2 Creating and updating
When
creating and updating documented information the organization shall ensure
appropriate:
a) Identification and description (e.g. a title,
date, author, or reference number);
b) Format (e.g. language, software version,
graphics) and media (e.g. paper, electronic);
c) Review and approval for suitability and
adequacy.
7.5.3 Control
of documented information
7.5.3.1 Documented
information required by the quality management system and by this International Standard shall be controlled
to ensure:
a) It is available and suitable for use, where and
when it is needed;
b) It is adequately protected (e.g. from loss of
confidentiality, improper use, or loss of integrity).
7.5.3.2
For the
control of documented information, the organization shall address the following
activities, as applicable:
a) Distribution, access, retrieval and use;
b) Storage and preservation, including preservation
of legibility;
c) Control of changes (e.g. version control);
d) Retention and disposition.
Documented information of external origin
determined by the organization to be necessary for the planning and operation
of the quality management system shall be identified as appropriate, and be
controlled.
Documented information retained as evidence of
conformity shall be protected from unintended alterations.
NOTE Access can imply a decision regarding the
permission to view the documented information only, or the permission and
authority to view and change the documented information.
8 Operation
8.1 Operational
planning and control
The organization shall plan, implement and
control the processes (see 4.4) needed to meet the requirements for the
provision of products and services, and to implement the actions determined in
Clause 6, by:
a) Determining the requirements for the product and
services;
b) Establishing criteria for :
1) the processes
2) the acceptance of products and services;
c) Determining the resources needed to achieve
conformity to products and services requirements;
d) Implementing control of the processes in
accordance with the criteria;
e) Determining, maintaining and retaining
documented information to the extent necessary
1) to have confidence that the processes have been
carried out as planned;
2) to demonstrate the conformity of products and
services to their requirements.
The
output of this planning shall be suitable for the organization’s operations.
The organization shall control planned changes
and review the consequences of unintended changes, taking action to mitigate
any adverse effects, as necessary.
The
organization shall ensure that outsourced processes are controlled (see 8.4).
8:2 Requirements
for products and services
8.2.1 Customer
communication
Communication
with customers shall include:
a)
providing
information relating to products and services;
b) handling enquiries, contracts or orders,
including changes;
c) obtaining customer feedback relating to products
and services, including customer complaints;
d) handling or controlling customer property;
e) establishing specific requirements for
contingency actions, when relevant.
8.2.2 Determining
the requirements for products and services
The
organization shall establish, implement and maintain a process to determine the
requirements for the products and services to be offered to potential
customers.
When determining the requirements for the
products and services to be offered to customers, the organization shall ensure
that:
a) the requirements for the products and services
are defined, including:
1) any applicable statutory and regulatory
requirements;
2) those considered necessary by the organization.
b) the organization can meet the claims for the
products and services it offers.
8.2.3 Review
of the requirements for products and services
8.2.3.1 The organization shall ensure that it
has the ability to meet the requirements for products and services to be
offered to customers. The organization shall conduct a review before committing
to supply products and services to a customer, to include:
a)
Requirements
specified by the customer, including the requirements for delivery and
post-delivery activities;
b) Requirements not stated by the customer, but
necessary for the specified or intended use, when known;
c) requirements specified by the organization;
d) Statutory and regulatory requirements applicable
to the products and services;
e) Contract or order requirements differing from
those previously expressed.
The organization shall ensure that contract or
order requirements differing from those previously defined are resolved.
The customer’s requirements shall be confirmed
by the organization before acceptance, when the customer does not provide a
documented statement of their requirements.
NOTE In some situations, such as internet sales,
a formal review is impractical for each order. Instead, the review can cover
relevant product information, such as catalogues.
8.2.3.2 The organization shall retain documented
information, as applicable:
a.
on the results of the review;
b.
on any new requirements for the products and
services.
8.2.4 Changes to requirements for products and
services
The organization shall ensure that relevant
documented information is amended, and that relevant persons are made aware of
the changed requirements, when the requirements for products and services are
changed.
8.3 Design
and development of products and services
8.3.1 General
The organization shall establish, implement and
maintain a design and development process that is appropriate to ensure the
subsequent provision of products and services.
8.3.2
Design and development planning
In
determining the stages and controls for design and development, the
organization shall consider:
a) the nature, duration and complexity of the
design and development activities;
b)
the
required process stages, including applicable design and development reviews;
c) The required design and development verification
and validation activities;
d) The responsibilities and authorities involved in
the design and development process;
Tanggung jawab dan wewenang yang terlibat dalam proses desain dan
pengembangan;
e) The internal and external resource needs for the
design and development of products and services;
f) the need to control interfaces between persons
involved in the design and development process;
g) the need for involvement of customers and users
in the design and development process;
h) the requirements for subsequent provision of
products and services;
i) the level of control expected for the design and
development process by customers and other relevant interested parties;
j) the documented information needed to demonstrate
that design and development requirements have been met.
8.3.3 Design
and development Inputs
The organization shall determine the
requirements essential for the specific types of products and services to be
designed and developed. The organization shall consider:
a) functional and performance requirements;
b) information derived from previous similar design
and development activities;
c) statutory and regulatory requirements;
d) standards or codes of practice that the
organization has committed to implement;
e) potential consequences of failure due to the
nature of the products and services.
Inputs
shall be adequate for design and development purposes, complete, and
unambiguous.
Conflicting
design and development inputs shall be resolved.
The
organization shall retain documented information on design and development
inputs.
8.3.4 Design
and development controls
The
organization shall apply controls to the design and development process to
ensure that:
a) the results to be achieved are defined
b) reviews are conducted to evaluate the ability of
the results of design and development to meet requirements;
c) verification activities are conducted to ensure
that the design and development outputs meet the input requirements;
d) validation activities are conducted to ensure
that the resulting products and services meet the requirements for the
specified application or intended use;
e) any necessary actions are taken on problems
determined during the reviews, or verification and validation activities;
f) documented information of these activities is
retained.
NOTE Design and development reviews,
verification and validation have distinct purposes. They can be conducted
separately or in any combination, as is suitable for the products and services
of the organization
8.3.5 Design
and development outputs
The organization
shall ensure that design and development outputs:
a) Meet the input requirements;
b) Are adequate for the subsequent processes for
the provision of products and services;
c) Include or reference monitoring and measuring
requirements, as appropriate, and acceptance criteria;
d) Specify the characteristics of the products and
services that are essential for their intended purpose and their safe and
proper provision
The
organization shall retain documented information on design and development
outputs.
8.3.6 Design
and development changes
The organization shall identify, review and
control changes made during, or subsequent to, the design and development of
products and services, to the extent necessary to ensure that there is no
adverse impact on conformity to requirements.
The
organization shall retain documented information on:
a)
design
and development changes;
b)
the
results of reviews;
c) the authorization of the changes;
d)
the
actions taken to prevent adverse impacts.
8.4 Control
of externally provided products and services
8.4.1 General
The organization shall ensure that externally
provided processes, products, and services conform to requirements.
The organization shall determine the controls to
be applied to externally provided processes, products and services when:
a) products and services from external providers
are intended for incorporation into the organization’s own products and
services;
b) Products and services are provided directly to
the customer(s) by external providers on behalf of the organization;
c) A process, or part of a process, is provided by
an external provider as a result of a decision by the organization.
The organization shall determine and apply
criteria for the evaluation, selection, monitoring of performance, and
re-evaluation of external providers, based on their ability to provide
processes or products and services in accordance with requirements. The
organization shall retain documented information of these activities and any
necessary actions arising from the evaluations.
8.4.2 Type
and extent of control
The organization shall ensure that externally
provided processes, products and services do not adversely affect the
organization’s ability to consistently deliver conforming products and services
to its customers.
The
organization shall:
a) ensure that externally provided processes remain
within the control of its quality management system;
b)
define
both the controls that it intends to apply to an external provider and those it
intends to apply to the resulting output;
c)
take
into consideration:
1)
the
potential impact of the externally provided processes, products and services on
the organization’s ability to consistently meet customer and applicable
statutory and regulatory requirements;
2)
the
effectiveness of the controls applied by the external provider;
d) determine the verification, or other activities,
necessary to ensure that the externally provided processes, products and
services meet requirements.
8.4.3 Information for external providers
The organization shall ensure the adequacy of
requirements prior to their communication to the external provider.
The
organization shall communicate to external providers its requirements for:
a) The processes, products and services to be
provided;
b) The approval of:
1)
products and services,
2)
methods, processes or equipment;
3)
the release of products and services;
c) Competence, including any required qualification
of persons;
d) The external providers’ interactions with the
organization;
e) Control and monitoring of the external
providers’ performance to be applied by the organization;
f) Verification or validation activities that the
organization, or its customer, intends to perform at the external providers’
premises.
8.5 Production
and service provision
8.5.1 Control
of production and service provision
The
organization shall implement production and service provision under controlled
conditions.
Controlled
conditions shall include, as applicable:
a) The availability of documented information that
defines:
1)
the
characteristics of the produts and services;
2)
the
results to be achieved.
b) The availability and use of suitable monitoring
and measuring resources;
c) The implementation of monitoring and measurement
activities at appropriate stages to verify that criteria for control of
processes or outputs, and acceptance criteria for products and services, have
been met;
d) the use of suitable infrastructure and
environment for the operation of processes;
e) the appointment of competent persons, including
any required qualification;
f) the validation, and periodic revalidation, of
the ability to achieve planned results of the processes for production and
service provision, where the resulting output cannot be verified by subsequent
monitoring or measurement;
g) the implementation of actions to prevent human
error;
h) the implementation of release, delivery and
post-delivery activities.
8.5.2 Identification
and traceability
The organization shall use suitable means to
identify outputs when it is necessary to ensure the conformity of products and
services.
The organization shall identify the status of
outputs with respect to monitoring and measurement requirements throughout
production and service provision.
The organization shall control the unique
identification of the outputs when traceability is a requirement, and shall
retain the documented information necessary to enable traceability.
8.5.3 Property
belonging to customers or external providers
The organization shall exercise care with
property belonging to the customer or external providers while it is under the
organization’s control or being used by the organization.
The organization shall identify, verify, protect
and safeguard the customer’s or external provider’s property provided for user
or incorporation into the products and services.
When the property of a customer or external
provider is lost, damaged or otherwise found to be unsuitable for use, the
organization shall report this to the customer or external provider and retain
documented information on what has occurred.
NOTE A customer’s or external provider’s
property can include materials, components, tools and equipment, premises,
intellectual property and personal data.
8.5.4 Preservation
The organization shall preserve the outputs
during production and service provision, to the extent necessary to ensure
conformity to requirements.
NOTE Preservation can include identification,
handling, contamination control, packaging, storage, transmission or
transportation, and protection.
8.5.5 Post-delivery activities
The organization shall meet requirements for
post-delivery activities associated with the products and services.
In determining the extent of post-delivery
activities that are required, the organization shall consider:
a) Statutory and regulatory requirements;
b) The potential undesired consequences associated
with its products and services;
c) The nature, use and intended lifetime of its
products and services;
d) customer requirements;
e) Customer feedback.
NOTE Post-delivery activities can include
actions under warranty provisions, contractual obligations such as maintenance
services, and supplementary services such as recycling or final disposal.
8.5.6 Control
of changes
The organization shall review and control
changes for production or service provision, to the extent necessary to ensure
continuing conformity with requirements.
The organization shall retain documented
information describing the results of the review of changes, the person(s) authorizing
the change, and any necessary actions arising from the review.
8.6 Release of products and services
The organization shall implement planned
arrangements, at appropriate stages, to verify that the product and service
requirements have been met.
The release of products and services to the
customer shall not proceed until the planned arrangements have been
satisfactorily completed, unless otherwise approved by a relevant authority
and, as applicable, by the customer.
The organization shall retain documented
information on the release of products and services. The documented information
shall include:
a) evidence
of conformity with the acceptance criteria;
b) traceability to the person(s) authorizing the
release.
8.7 Control of nonconforming outputs
8.7.1 The organization shall ensure that outputs
that do not conform to their requirements are identified and controlled to
prevent their unintended use or delivery.
The organization shall take appropriate action
based on the nature of the nonconformity and its effect on the conformity of
products and services. This shall also apply to nonconforming products and
services detected after delivery of products, during or after the provision of
services.
The
organization shall deal with nonconforming outputs in one or more of the
following ways:
a) correction;
b) segregation, containment, return or suspension
of provision of products and services;
c) informing the customer;
d) obtaining authorization for acceptance under
concession.
Conformity
to the requirements shall be verified when nonconforming outputs are corrected.
8.7.2
The organization shall retain documented information that:
a) describes the nonconformity;
b) describes the actions taken;
c) describes any concessions obtained;
d) identifies the authority deciding the action in
respect of the nonconformity.
9. Performance evaluation
9.1 Monitoring, measurement, analysis and
evaluation
9.1.1 General
The
organization shall determine:
a) What needs to be monitored and measured;
b) The methods for monitoring, measurement,
analysis and evaluation needed to ensure valid results;
c) When the monitoring and measuring shall be
performed;
d)
When the
results from monitoring and measurement shall be analysed and evaluated.
The organization shall evaluate the performance
and the effectiveness of the quality management system.
The organization
shall retain appropriate documented information as evidence of the results.
9.1.2 Customer
satisfaction
The organization shall monitor customers’
perceptions of the degree to which their needs and expectations have been
fulfilled. The organization shall determine the methods for obtaining,
monitoring and reviewing this information.
NOTE Examples of monitoring customer perceptions
can include customer surveys, customer feedback on delivered products and
services, meetings with customers, market-share analysis, compliments, warranty
claims and dealer reports.
9.1.3 Analysis
and evaluation
The organization shall analyse and evaluate
appropriate data and information arising from monitoring, measurement.
The
results of analysis shall be used to evaluate:
a)
conformity
of products and services;
b)
the
degree of customer satisfaction;
c)
the
performance and effectiveness of the quality management system;
d)
if
planning has been implemented effectively;
e)
the
effectiveness of actions taken to address risks and opportunities;
f)
the
performance of external providers;
g) the need for improvements to the quality
management system.
NOTE
Methods to analyse data can include statistical techniques.
9.2 Internal
audit
9.2.1 The
organization shall conduct internal audits at planned intervals to provide
information on whether the quality
management system;
a)
conform
to:
1) The organization’s own requirements for its
quality management system;
2) The requirements of this international standard;
b) Is effectively implemented and maintained.
9.2.2
The
organization shall:
a)
plan,
establish, implement and maintain an audit programme(s) including the
frequency, methods, responsibilities, planning requirements and reporting,
which shall take into consideration the importance of the processes concerned,
changes affecting the organization, and the results of previous audits;
b)
Define
the audit criteria and scope for each audit;
c)
Select
auditors and conduct audits to ensure objectivity and the impartiality of the
audit process;
d)
Ensure
that the results of the audits are reported to relevant management;
e)
Take
necessary correction and corrective actions without undue delay;
f)
Retain
documented information as evidence of the implementation of the audit programme
and the audit results.
NOTE See ISO 19011 for guidance.
9.3 Management
review
9.3.1 General
Top management shall review the organization’s
quality management system, at planned intervals, to ensure its continuing
suitability, adequacy, effectiveness, and alignment with the strategic
direction of the organization.
9.3.2 Management
review inputs
The
management review shall be planned and carried out taking into consideration:
a) the status of actions from previous management
reviews;
b) changes in external and internal issues that are
relevant to the quality management system;
c) information on the performance and effectiveness
of the quality management system, including trends in:
1) customer satisfaction and feedback from relevant
interested parties;
2) the extent to which quality objectives have been
met;
3)
process
performance and conformity of products and services;
4) nonconformities and corrective actions;
5) monitoring and measurement results;
6) audit results;
7) the performance of external providers.
d) the adequacy of resources
e) the effectiveness of actions taken to address
risks and opportunities (see 6.1);
f) opportunities for improvement.
9.3.3 Management review outputs
The
outputs of the management review shall include decisions and actions related
to:
a) opportunities for improvement;
b) Any need for changes to the quality management
system;
c) resource needs.
The organization shall retain documented
information as evidence of the results of management reviews.
10. Improvement
10.1 General
The organization shall determine and select
opportunities for improvement and implement any necessary actions to meet
customer requirements and enhance customer satisfaction.
This
shall include:
a) improving products and services to meet
requirements as well as to address future needs and expectations;
b) correcting, preventing or reducing undesired
effects;
c) improving the performance and effectiveness of
the quality management system.
NOTE Examples of improvement can include
correction, corrective action, continual improvement, breakthrough change,
innovation and re-organization.
10.2 Nonconformity
and corrective action
10.2.1 When
a nonconformity occurs, including any arising from complaints, the organization
shall:
a) React to the nonconformity and, as applicable:
1) Take action to control and correct it;
2) Deal with the consequences;
b) valuate the need for action to eliminated the
cause(s) of the nonconformity, in order that it does not recur or occur
elsewhere, by:
1) reviewing and analysing the nonconformity;
2) Determining the causes of the nonconformity;
3) Determining if similar nonconformities exist, or
could potentially occur;
c) Implement any action needed;
d) Review the effectiveness of any corrective
action taken;
e) Update risks and opportunities determined during
planning, if necessary;
f) Make changes to the quality management system,
if necessary.
Corrective
actions shall be appropriate to the effects of the nonconformities encountered.
10.2.2 The
organization shall retain documented information as evidence of:
a) The nature of the nonconformities and any
subsequent actions taken;
b) The results of any corrective action.
10.3 Continual
improvement
The
organization shall continually improve the suitability, adequacy, and
effectiveness of the quality management system.
The organization shall consider the results of
analysis and evaluation, and the outputs from management review, to determine
if there are needs or opportunities that shall be addressed as part of
continual improvement.
