ISO 9001: 2008 Quality Management Systems
Auditor/Lead Auditor Training Course
IRCA Registration No. A17044

PRESENTED BY
United Registrar of Systems ME (URS)
PO Box: 7871, SAIF Zone, Sharjah, UAE.
Tel: +971 6 8876368 (Sharjah), +971 4 236 8785 (Dubai)

In Association with
C.M.C. INTERNATIONAL (UK) Ltd
16 Whitehead Drive, Kenilworth, Warwickshire, CV8
Tel: Int Code 44 (0) 1928 258033
Fax: Int Code 44 (0) 1926 258033

Contents

Section 0 Contents (Issue 26)
Section 1 Introduction (Issue 2)
Section 2 Basic Concepts and Definitions (Issue 9)
Section 3 Evolution of Quality System Standards (Issue 5)
Section 4 Certification Bodies (Issue 3)
Section 5 Quality Management Principles (Issue 3)
Section 6 Analysis of ISO 9001 (Issue 6)
Section 7 Review of Quality System Documentation (Issue 6)
Section 8 Audit Preparation and Assessment (Issue 8)
Section 9 Auditor Competence, Responsibilities, Attributes and Communication (Issue 4)
Section 10 Report Writing and Follow Up (Issue 4)
Section 11 Continual Improvement (Issue 2)
Section 12 IRCA Auditor Registration Scheme (Issue 9)

[Amendment record table (columns: Section, Issue, Details): entries not legible in the scan]

Section 1 Introduction
C.M.C. International

Introduction

This course is designed to train potential Auditors/Lead Auditors in the principles and practices of assessment of Quality Management Systems for compliance with recognised national and international standards. The course will aim to instil a positive attitude into the audit skills developed using a variety of audit techniques. The course is equally suitable for personnel wishing to develop audit skills to carry out internal quality audits, or supplier assessments.

The course curriculum includes a mixture of lectures, practical exercises and a case study. The course has been developed to meet the requirements of the IRCA and will be updated as their requirements change, the requirements of ISO 9001 change or current auditing practice changes.

These course notes have been developed in twelve sections, which will cover all the topics covered throughout the week. These course notes should be used as a reference throughout the week and will provide a useful reference tool when you start to carry out audits after the course has been completed.

Prior to attending this course you should have attained the prior knowledge as detailed within the pre-course pack sent to you.

Objectives

At the end of this course, delegates will have gained:

* an understanding of the correct use of terminology and vocabulary as used in ISO 9001, ISO 9004 and ISO 9000.
* an understanding of the purpose of quality management systems and the eight quality management principles upon which the ISO 9000 series is based.
* a detailed understanding of the standard ISO 9001, its relationship to ISO 9004 and ISO 9000 and how to effectively conduct audits against this audit criteria.
* an understanding of the differences between 1st, 2nd and 3rd party audits and the planning of audits in accordance with ISO 19011.
* knowledge of the roles, responsibilities and characteristics of an auditor.
* knowledge on how to prepare, interpret information, carry out and report the finding of an audit through effective interviewing, observation, sampling and note taking.
* knowledge on how to report the finding of an audit, write factual and value adding reports, follow up and evaluate nonconformities that have been raised during an audit and close them out.
* an understanding of the role of certification bodies, UKAS, and the IRCA.

Issue Level 3, February 2013

Methods of Assessment

Daily Assessment

At the end of each day, delegates will take a 15-minute assessment covering topics covered during the day and topics that have been covered earlier in the week. Each assessment will consist of 5 short answer questions that are worth a total of 10 marks.

Tutor Continuous Assessment

At the end of each day the tutor(s) will make an assessment of each delegate based on the following criteria:

* Attendance for the full duration of the course.
* Participation as part of the group.
* Performance when making presentations.
* Timekeeping.
* Contribution to discussions.

Assessment of Learning Objectives

Throughout the course, exercises will be given which will be assessed by the tutor to ensure achievement of the learning objectives as required by the IRCA.
Delegates who score low scores will be offered additional tuition in order to gain a full understanding of the objective.

Delegates must pass the continuous assessment, which is a combination of the tutor assessment, achievement of the learning objectives and the end of day assessments, if they are to be awarded a Certificate of Successful Completion. Certificates that are issued are valid for three years from the date of examination.

Final Examination

On day five delegates will take one of the approved IRCA examination papers. The pass mark for this examination is 70% with a minimum of 40% in each of the four sections. Delegates who fail the paper will be allowed to take one re-sit (on a different paper) provided that they have passed the continuous assessment. The examination is a closed book exam and the only documentation allowed into the examination is an unmarked copy of the standard.

Complaints and Appeals

Any complaint or appeal against the final mark should be made in writing to the Course Manager at CMC International, where it will be reviewed and responded to in writing.

Section 2 Basic Concepts and Definitions

Introduction

The session briefly discusses some of the concepts and definitions associated with quality, quality assurance and auditing. Useful documents used to understand terms used in quality assurance are:

* ISO 9000 "Quality Management Systems - Fundamentals and Vocabulary"
* ISO 9001 "Quality Management Systems - Requirements"
* ISO 9004 "Managing for the sustained success of an organisation - A quality management system approach"

Audit

"Systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which audit criteria are fulfilled."

Audit Criteria

"Set of policies, procedures or requirements determined as a reference".
Regardless of whether an audit is a first, second or third party audit, there must be something to compare the actual findings with. An audit cannot be carried out against a process or activity where there are no established criteria.

Audit Evidence

Records, statements of fact or other information, which are relevant to the audit criteria and verifiable.

Audit Findings

Results of the evaluation of the collected audit evidence against audit criteria. Can indicate either conformity or nonconformity with audit criteria, or opportunities for improvement.

Audit Conclusions

Outcome of an audit, provided by the audit team after consideration of audit objectives and all audit findings.

Requirements

Requirements may be determined by the product, the customer or the standard.

Issue Level 10, February 2012

Types of Audit

A quality audit is defined (ISO 9000) as "a systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which agreed criteria are fulfilled."

There are many types of quality audit activity, such as:

A Product Audit is an audit that verifies the conformance of a product against the requirements of the product specification and follows the processes of that particular product from start to finish.

A Process Audit is one that identifies the inputs, outputs and any in-process controls of a process and assesses the effectiveness of these controls to ensure consistency of the finished product or service.

A System Audit is one that evaluates the conformance of an operating quality system against laid down requirements such as ISO 9001.

System Audits are divided into three categories:

All Quality System Audits are carried out to check that the party being audited is working to the system they have documented, i.e.
their documented quality system including their policy, objectives and measurable targets.

A company is likely to be subjected to three different types of quality audit, for different reasons. The types of audit are:

First party audits (internal quality audits)

Internal quality audits are carried out by staff on their own system to ensure this is operating as stated in the documented quality system. In order to comply with ISO 9001, audits must be scheduled on the basis and status of the activity being audited and the results of previous audits.

Second party audits

These audits are carried out by the customer (Organisation) on their suppliers. The audit is carried out against the requirements of the contract or proposed contract. The contract may include the supplier having a quality system, e.g. AQAP 1 or AQAP 3 for the Ministry of Defence - ISO/TS 16949 for the automotive industry. The principle is the same as for third party audits but of course, the auditor now has a vested interest and will apply more of his effort in the areas that most affect the product or service supplied to the auditor's company.

Third party audit

This audit is usually carried out by the Accredited Certification Body. Companies successful in passing this audit are awarded certificated status to the nominated Quality Standard.

After the first assessment, these audits are usually called 'surveillance visits', which are carried out to monitor the company's performance against their system and the standard. At a surveillance visit the auditor may check out all, or different parts, of the system. After a notified period, normally three years, a re-assessment visit is again carried out by the certification body and the certificate may be renewed.
If at any time the auditor finds that the company is not maintaining the standard as defined by the requirements of the quality management system, the company will be required to apply agreed corrective action. If the company does not carry out the agreed corrective action, certification can be withdrawn.

Within all audits several strategies may be followed.

A Horizontal Audit is an audit that plans to audit each clause of the standard in turn right across the organisation.

A Vertical Audit (process audit) follows a product or service through the organisation or department(s), verifying every applicable clause as the product moves through the processes.

Section 3 Evolution of Quality System Standards

Evolution of Quality System Standards and related standards

Introduction

Quality management systems have varying reputations within industry. There are some who believe that it is a bureaucratic system developed to keep consultants, auditors and quality managers in a job. The majority however believe that a good quality management system, when implemented and used as a business tool, will return benefits to the organisation in terms of product quality, customer satisfaction, internal efficiency and finally an improvement in company profit.

The quality management system should be considered as a Business Operating System. Its purpose is to identify the best practice within an organisation which will lead to fulfilment of customers' requirements and a continual improvement in business efficiency and customer satisfaction.

Quality System standards have been around for a long time. In 1962 NASA produced a document NPC200-2 laying down the quality standards for contractors in the space technology programme. This led to the introduction of the American Standard MIL-Q-9858, which was published in 1963. From this standard the British MOD introduced their DEF-Stan 05-08 in 1970.
Further developments in standards were made by the MOD and in 1984 the AQAP series of standards, AQAP 1, AQAP 4, and AQAP 9, were published.

In 1972 the British Standards Institute published BS 4891 "A Guide to Quality Assurance". At around the same time other quality assurance standards were being developed and introduced, e.g. General Motors Quality Standard (GQS), Ford Q101, Food and Drugs Administration Act. All these different standards caused the government to set up the Warner Committee to investigate the development of a National Quality System Standard.

The Warner Report was published in 1977 and was followed by the introduction of BS 5750 in 1979. The major value of BS 5750 was that for the first time there was a common standard throughout the UK.

This standard was then adapted by the International Organisation for Standards (ISO) and was published on an international scale as the ISO 9000 series in 1987. This standard followed the pattern of BS 5750: 1979, which was also re-issued as BS 5750: 1987. The continual improvement of the standard then continued and in 1994 the standard was reissued as ISO 9001: 1994 (known in the UK as BS EN ISO 9001).

Issue Level 6, February 2013

The improvement programme is still ongoing and we now have the ISO 9000 family of standards. ISO protocols require that all standards be reviewed at least every five years to determine whether they should be confirmed, revised or withdrawn. The revision process is the responsibility of ISO's Technical Committee TC-176.

The 2000 revision was the second part of a two-stage revision. The first stage was the 1994 revision, with the second stage being a more thorough revision. The main reason for the year 2000 revision was to give users the opportunity to add value to their activities and to improve their performance continually by focussing on the major processes within the organisation.
The 2000 issue of standards resulted in a closer alignment of quality management systems with the needs of the organisation and better reflects the way organisations run their business activities. Minor revisions have been carried out again in 2008, with a revised standard published in November 2008.

ISO 9001

Benefits

* Applicability to all product categories, in all sectors and to all sizes of organisations.
* Simple to use, clear in language, readily translatable and easily understandable.
* Non-bureaucratic approach to management system documentation.
* Connection of quality management systems to organisational processes.
* Provision of natural move towards improved organisational processes.
* Greater orientation toward continual improvement and customer satisfaction.
* Compatibility with other management systems such as ISO 14001, OHSAS 18001.

Requirements

* Increased emphasis on the role of top management.
* Consideration of product legal and regulatory requirements.
* Establishment of measurable objectives.
* Monitoring of information on customer satisfaction and/or dissatisfaction as a measure of system performance.
* Increased attention to resource availability.
* Determination of effectiveness of training.
* Measurement extended to system, processes and product.
* Analysis of collected data on the performance of the quality management system.

The ISO 9000 Family of standards and associated standards

The Standards

The ISO 9000 family of standards have been developed to assist organisations, of all types and sizes, to implement and operate effective quality management systems. The standards are based on a process model that uses eight quality management principles which reflect best practice and are designed to facilitate continual improvement of the business, stimulating its overall efficiency in order to increase its competitive advantage and respond better to customers' needs and expectations.

ISO 9001: 2008 specifies requirements for quality management systems for use where an organisation's capability to provide products that meet customer and applicable regulatory requirements needs to be demonstrated. The standard encourages the adoption of a process approach to quality management. Organisations are assessed and registered to ISO 9001.

ISO 9004: 2009 (titled "Managing for the sustained success of an organisation - A quality management approach") provides guidance on quality management systems, including the processes for continual improvement, which contribute to the satisfaction of an organisation's customers and other interested parties. ISO 9004: 2009 gives guidance on a wider range of objectives of a quality management system to improve an organisation's overall performance.
This standard is NOT guidance for implementing ISO 9001 and is not intended for certification or contractual use.

ISO 9000: 2005 describes fundamentals of quality management systems and specifies the terminology for quality management systems.

ISO 19011 provides guidance on managing and conducting environmental and quality system audits.

ISO 17021 provides audit criteria that a certification body must meet in order to be allowed to conduct accredited audits against agreed international standards.

Section 4 Certification Bodies

Introduction

The UK Government has long recognised the importance of accreditation and certification in boosting customer confidence. Indeed the Government has been involved from the start in establishing reliable accreditation processes in the UK, including the British Calibration Service (BCS) in 1966, the National Testing Laboratory Accreditation Scheme in 1981, the National Measurement Accreditation Service (NAMAS) and the National Accreditation Council for Certification Bodies (NACCB) in 1985. The Government has also supported the development of good working relations between UK certification processes and similar activities in other countries.

In 1996 NAMAS (renamed National Accreditation of Measurement and Sampling) and NACB (National Accreditation of Certification Bodies) merged to form the United Kingdom Accreditation Service (UKAS). NAMAS now operate under the name of UKAS. This organisation is now the only organisation for the assessment and accreditation of certification bodies in the fields of sampling, testing, calibration, inspection and certification, including the certification of products, personnel, quality management systems and environmental management and audit systems.

UKAS is a member of the European co-operation for Accreditation (EA).
EA was formed from the merger of EAL and EAC (European cooperation for Accreditation of Laboratories and European Accreditation of Certification). In addition to UKAS, the following bodies have signed the EA memorandum: NACQS (Belgium), ICHS (Denmark), ILAB (Ireland), Icelandic Accreditation Scheme (Iceland), RVC (Netherlands), NA (Norway), IPQ (Portugal), SWEDAC (Sweden), SINCERT (Italy), DAR (Germany), and ELOT (Greece).

The EA also represents European accreditation bodies at the International Accreditation Forum (IAF). The IAF brings together accreditation bodies on a worldwide basis to facilitate the acceptance of accredited certificates across the world. Other memorandums of understanding that UKAS are a party to are ITQS for the information technology sector and E-Q-NET, who are the European Network for quality system assessment and certification.

The UK Government's support for UKAS is set out in a Memorandum of Understanding and also in a Licensing Agreement which allows UKAS to use, and permit others to use, the National Accreditation Marks incorporating the Royal Crown.

Certification Bodies

These are independent, private sector organisations that have been accredited by UKAS, against ISO 17021 criteria, as being competent to carry out objective 'third party' assessments of Quality, Environmental and other Management Systems against the requirements of ISO 9001, ISO 14001 or other standard. Additional requirements are set out in ISO 22003 for certification bodies who wish to carry out assessments to ISO 22000:2008 for food safety.

Accredited Certification Bodies/Registrars carry out an assessment of organisations in order to recommend Certification/Registration to the applicable standard.

There are however a number of non-accredited certification bodies throughout the world. These bodies are not subject to any accreditation process.
Organisations that are assessed by these bodies cannot claim accredited certification.

Accredited certification bodies have to provide evidence of auditor competence in all areas covered by the certification bodies' scope of accreditation. They also have to use competent people to sit on their Independent Certification Board to review all reports raised. Accredited certification bodies are also subject to regular audit by UKAS or their equivalent.

Certification bodies are accredited by UKAS against 39 EA codes. Each code is broken down further, based on the NACE code. This list is based on the statistical nomenclature for economic activities published by the Commission of European Communities. This approach is intended to develop greater assurance that accredited certification bodies have real competence in the areas in which they operate. Certification bodies are required to demonstrate their head office competence to manage certification in each scope sector for which they are accredited.

UKAS have accredited numerous UK certification bodies and non-UK bodies for the assessment of quality, environmental and many other management systems. Up to date information may be obtained from:

United Kingdom Accreditation Service
21-47 High Street
Feltham
Middlesex TW13 4UN
Telephone: 0208 917 8400; Fax: 0208 917 8500
www.UKAS.org

Section 5 Quality Management Principles

Introduction: Quality Management Principles

In order to manage an organisation successfully, it should be managed in a systematic and methodical manner. The requirement for any organisation to remain successful is to continually improve performance by addressing the needs of all interested parties.

The following eight principles should be taken into account when developing a quality management system to meet the requirements of ISO 9001: 2008.
By applying the following eight principles, organisations will produce benefits for customers, owners, people, suppliers, local communities and society at large. Each of the major clauses of ISO 9001: 2008 is based on these eight management principles.

* Customer Focus
* Leadership
* Involvement of People
* Process Approach
* System Approach to Management
* Continual Improvement
* Factual Approach to Decision Making
* Mutually Beneficial Supplier Relationships

A quality management principle is a comprehensive and fundamental rule or belief, for leading and operating an organisation, aimed at continually improving performance over the long term by focusing on customers while addressing the needs of all other stakeholders.

Customer Focus:

Organisations depend on their customers and therefore should understand current and future customer needs, should meet customer requirements and strive to exceed customer expectations.

Customers play a major role in the future profitability of an organisation.
In order to retain customers, the organisation must understand the current requirements and potential future requirements of their customers.

Applying the principle of a customer-focused organisation leads to the following actions:

* Understanding the whole range of customer needs and expectations for products, delivery, price, dependability etc.
* Ensuring a balanced approach among customers and other stakeholders (owners, people, suppliers, local communities and society at large) needs and expectations.
* Communicating these needs and expectations throughout the organisation.
* Measuring customer satisfaction and acting on the results.
* Managing customer relationships.

Beneficial applications of this principle include:

* For policy and strategy formulation, making customer needs and the needs of other stakeholders understood throughout the organisation.
* For goal and target setting, ensuring that the relevant goals and targets are directly linked to customer needs and expectations.
* For operational management, improving the performance of the organisation to meet customer needs.
* For human resources management, ensuring the people have the knowledge and the skills required to satisfy the organisation's customers.

Leadership:

Leaders establish unity of purpose, direction and the internal environment of the organisation. They should create and maintain the internal environment in which people can become fully involved in achieving the organisation's objectives.

The management of an organisation must provide direction and leadership, and provide a suitable environment for the organisation to function. By doing this the management provide the opportunity for people to become fully involved in achieving the organisation's objectives.
Applying the principle of leadership leads to the following actions:

* Being proactive and leading by example.
* Understanding and responding to changes in the external environment.
* Considering the needs of all stakeholders including customers, owners, people, suppliers, local communities and society at large.
* Establishing a clear vision of the organisation's future.
* Inspiring, encouraging and recognising people's contributions.
* Setting challenging goals and targets.
* Implementing strategy to achieve these goals and targets.

Beneficial applications of this principle include:

* For policy and strategy formulation, establishing and communicating a clear vision of the organisation's future.
* For goal and target setting, translating the vision of the organisation into measurable goals and targets.
* For operational management, empowered and involved people achieve the organisation's objectives.
* For human resource management, having an empowered, motivated, well informed and stable workforce.

Involvement of People:

People at all levels are the essence of an organisation and their full involvement enables their abilities to be used for an organisation's benefit.

People at all levels of an organisation have the ability to influence an organisation in its ability to achieve its objectives.
By involving people, using their skills and knowledge, the organisation provides an environment where people can assist and be involved in achieving the organisation's objectives.

Applying the principle of involvement of people leads to the following actions by the people:

* Accepting ownership and responsibility to solve problems.
* Actively seeking opportunities to make improvements.
* Being innovative and creative in furthering the organisation's objectives.
* Deriving satisfaction from their work, enthusiastic and proud to be part of the organisation.

Beneficial applications of this principle include:

* For policy and strategy formulation, people effectively contributing to improvement of the policy and strategies of the organisation.
* For goal and target setting, people sharing ownership of the organisation's goals.
* For operational management, people being involved in appropriate decisions and process improvements.
* For human resource management, people being more satisfied with their jobs and being actively involved in their personal growth and development, for the organisation's benefit.

Process Approach:

A desired result is achieved more efficiently when related resources and activities are managed as a process.

Any activity that receives inputs and converts them into outputs can be considered a process. For an organisation to be effective they must manage all processes in the most effective manner. The systematic identification and management of the processes employed within an organisation and the interactions between such processes may be referred to as the process approach.

Applying the principle of process approach leads to the following activities:

* Defining the process to achieve the desired results.
* Identifying and measuring the inputs and outputs of the process.
* Evaluating possible risks, consequences and impacts of processes on customers, suppliers and other stakeholders of the process.
* Establishing clear responsibility, authority and accountability for managing the process.

Beneficial applications of this principle include:

* For policy and strategy formulation, utilising defined processes throughout the organisation will lead to more predictable results, better use of resources, shorter cycle times and lower costs.
* For goal and target setting, understanding the capability of processes enables the creation of challenging goals and targets.
* For operational management, adopting the process approach for all operations results in lower costs, prevention of errors, control of variation, shorter cycle times and more predictable outputs.
* For human resource management, establishing cost efficient processes for human resource management, such as hiring, education, and training, enables the alignment of these processes with the needs of the organisation and produces a more capable workforce.

[Figure: "Think Process". Plan, Do, Check, Act cycle with inputs (materials, resources, information, services, methods, measurements) and output. Improve processes continually.]

Issue Level 2, November 2008

System Approach to Management:

Identifying, understanding and managing a system of interrelated processes for a given objective contributes to the effectiveness and efficiency of the organisation.

Managing the interrelationship between all the identified processes will assist in achieving the end objective. The output from one process may become the input to another process. This area of the organisation's activity must be managed.

Applying the principle of system approach to management leads to the following actions:

* Defining the system by identifying or developing the processes that affect a given objective.
* Structuring the system to achieve the objective in the most efficient way.
* Understanding the interdependencies among the processes of the system.
* Continually improving the system through measurement and evaluation.
* Establishing resource constraints prior to action.

Beneficial applications of this principle include:
* For policy and strategy formulation, the creation of comprehensive and challenging plans that link functional and process inputs.
* For goal and target setting, the goals and targets of individual processes are aligned with the organisation's key objectives.
* For operational management, a broader overview of the effectiveness of processes, which leads to understanding the causes of problems and timely improvement actions.
* For human resource management, provides a better understanding of roles and responsibilities for achieving common objectives, thereby reducing cross functional barriers and improving teamwork.

Continual Improvement

Continual improvement in the organisation's overall performance should be a permanent objective of the organisation.

(Improvement refers to the actions taken to enhance the features and characteristics of products and/or to increase the effectiveness and efficiency of processes used to produce and deliver them.)
Applying the principle of continual improvement leads to the following actions:
* Making continual improvement of products, processes and systems an objective for every individual in the organisation
* Applying basic improvement concepts of incremental and breakthrough improvement
* Using periodic assessments against established criteria of excellence to identify areas for potential improvement
* Continually improving the efficiency and effectiveness of all processes
* Promoting prevention based activities
* Providing all employees with the appropriate education and training on methods and tools of continual improvement, such as:
  a) The Plan-Do-Check-Act cycle
  b) Problem solving methods
* Establishing measures and goals to guide and track improvements

Beneficial applications of this principle include:
* For policy and strategy formulation, creating and achieving more competitive business plans through the integration of continual improvement with strategic and business planning.
* For goal and target setting, setting realistic and challenging improvement goals and providing the resource to achieve them.
* For operational management, involving people in the organisation in the continual improvement of processes.
* For human resource management, providing all people in the organisation with the tools, opportunities, and encouragement to improve products, processes and systems.
Factual Approach to Decision Making

Effective decisions are based on the analysis of data and information.

Managers at all levels within an organisation are required to make decisions that will influence the direction of an organisation with regard to its achievement of its objectives.

Applying the principle of factual approach to decision making leads to the following actions:
* Taking measurements and collecting data and information relative to the objective
* Ensuring the data and information are sufficiently accurate, reliable and accessible
* Analysing the data and information using valid methods
* Understanding the value of appropriate statistical techniques
* Making decisions and taking action based on the results of logical analysis, balanced with experience and intuition

Beneficial applications of this principle include:
* For policy and strategy formulation, strategies based on relevant data and information are more realistic and more likely to be achieved
* For goal and target setting, using relevant comparative data and information to set realistic and challenging goals and targets
* For operational management, data and information are the basis for understanding both processes and system performance to guide improvements and prevent future problems
* For human resource management, analysing data and information from sources such as people surveys, suggestions and focus groups to guide the formulation of human resource policies.

Mutually Beneficial Supplier Relationships

An organisation and its suppliers are interdependent and a mutually beneficial relationship enhances the ability of both to create value.

The products received from suppliers are an important element of the final product delivered to the customer.
Improving the relationship between the organisation and its suppliers can only benefit the customer in the areas of quality, reliability and consistency.

Applying the principle of mutually beneficial supplier relationships leads to the following actions:
* Identifying and selecting key suppliers
* Establishing supplier relationships that balance short-term gains with long term considerations for the organisation and society at large
* Creating clear and open communications
* Initiating joint development and improvement of products and processes
* Jointly establishing a clear understanding of customers' needs
* Sharing information and future plans
* Recognising supplier improvements and achievements

Beneficial applications of this principle include:
* For policy and strategy formulation, creating competitive advantage through the development of strategic alliances or partnerships with suppliers
* For goal and target setting, establishing more challenging goals and targets through early involvement and participation of suppliers
* For operational management, creating and managing supplier relationships to ensure reliable, on-time, defect free delivery of supplies
* For human resource management, developing and enhancing supplier capabilities through supplier training and joint improvement efforts

Section 6
Audit Criteria
C.M.C. International

ISO 9001: 2008 - The Audit Criteria

Introduction

In order to carry out a comprehensive audit against the requirements of ISO 9001: 2008, we need to understand the audit process and the audit criteria.

Audit Process

In accordance with ISO 17021, the audit must be carried out in two distinct stages, generally referred to as stage one and stage two.

Stage one is primarily a readiness review to ensure that the client's management system is sufficiently developed / implemented and ready for stage two. Stage two assesses the implementation of the system.
The first part of stage one is the review of the client's documentation against the requirements of the standard. In addition to the requirements given in clause 4.2, other key points that must be reviewed are:

Are the processes identified and appropriately described?
Has the organisation identified its processes and appropriately described them within its documented management system? The identification and description of the process could be in the form of a flowchart showing the overall product process flow. This will depend on the size and complexity of the organisation.

Are the mandatory procedures documented?
There are six mandatory procedures that must be fully documented. (Not necessarily six individual procedures.)

Are the exclusions acceptable?
The exclusions as recorded in the Quality Manual need to be reviewed and compared to the scope, the industry sector and the auditor's competence in the industry sector.

Is the stated scope clear and not ambiguous or misleading?
The scope of the organisation's management system must be clear and reflect the activities that are covered by the management system. "The manufacture of electrical devices" is not specific enough, whereas "the manufacture of electronic switches" is acceptable.

Audit Criteria

The correct use of a quality management system should ensure that defects in the quality of the product or service are prevented rather than being detected after the product has been manufactured or the service supplied.

The correct implementation of a quality management system should also lead to the continual improvement of the system and therefore the continual improvement of the product or service supplied, which results in customer satisfaction.

The standard consists of the following sections:

Introduction

0.1 General
This section gives a general introduction to the standard, explaining its relationship to product specifications, its use and its reference to the quality management principles.
0.2 Process Approach
An explanation of the process approach and the reason behind the process approach, its advantages and the process model.

[Figure: process model. Labels: Continual improvement of the quality management system; Management responsibility; Product realisation; Product; Customers (Requirements); Customers (Satisfaction); Input.]

Plan: Establish the objectives and processes necessary to deliver results in accordance with customer requirements and the organisation's policies.
Do: Implement the processes.
Check: Monitor and measure processes and product against policies, objectives and requirements for the product and report the results.
Act: Take actions to continually improve the processes.

ISO 9001:2008 is a process based quality management standard. The model on which it is based recognizes that customers and other interested parties play a significant role in defining inputs. Monitoring the satisfaction of customers and other interested parties is necessary to evaluate and validate whether the requirements of customers and other interested parties have been met.

0.3 Relationship with ISO 9004
Written to complement each other, but can be used independently.

0.4 Compatibility with other management systems
Assessment and registration to ISO 9001 is not an indication that the organisation is legally compliant. Conformance with statutory and regulatory requirements relating to the product is reviewed as part of the audit, but ISO 9001 is not a standard that indicates legal compliance of the organisation to standards such as the Health & Safety at Work Act.
Scope

The scope of ISO 9001: 2008 highlights the fact that the requirements specified within the standard are aimed primarily at achieving customer satisfaction and meeting applicable statutory and regulatory requirements by the effective application of a quality management system, which includes processes for continual improvement and the prevention of nonconformity.

Because of the varying types of industry around, the 2000 standard introduced the principle of "Permissible Exclusions". This allows an organisation to exclude certain requirements of section seven from its management system. Any exclusion must however be justified, and processes cannot be excluded if they affect the organisation's ability, nor absolve it from its responsibility, to provide product that meets customer and applicable regulatory requirements.

2.0 Normative References
ISO 9000: 2005

3.0 Terms and definitions
Supplier, Organisation, Customer
Product also means service

The main sections of ISO 9001:2008 are:
4.0 Quality System Requirements
5.0 Management Responsibility
6.0 Resource Management
7.0 Product Realisation
8.0 Measurement, Analysis and Improvement

Each one of these sections (4 to 8) is broken down into further requirements. It is recognised that there are further detailed processes below these that may need addressing in the organisation's system.

4.0 Quality Management System

4.1 General Requirements

Legible and readily identifiable
Retrievable
Identifiable
Storage
Protection
Retention time
Disposition

Various clauses throughout the standard include the statement "See 4.2.4". This identifies a mandatory requirement to keep records in accordance with this clause.
Section 5 Management Responsibility

5.1 Management Commitment
5.2 Customer Focus
5.3 Quality Policy
5.4 Planning
5.4.1 Quality Objectives
5.4.2 Quality Management System Planning
5.5 Responsibility, Authority & Communication
5.5.1 Responsibility & Authority
5.5.2 Management Representative
5.5.3 Internal Communication
5.6 Management Review
5.6.1 General
5.6.2 Review Input
5.6.3 Review Output

5.1 Management commitment

Leadership, commitment and the active involvement of the top management are essential for developing and maintaining an effective and efficient quality management system to achieve benefits for interested parties. To achieve these benefits, it is necessary to establish, sustain and increase customer satisfaction. Top management should consider actions such as:
* Establishing a vision, policies and strategic objectives
* Leading by example

Top management should also define methods for measurement of the organisation's performance in order to determine whether planned objectives have been achieved.

Methods include:
* Financial measurement,
* Measurement of process performance throughout the organisation,
* External measurement, such as benchmarking and third-party evaluation,
* Assessment of the satisfaction of customers, people in the organisation and other interested parties,
* Assessment of the perceptions of customers and other interested parties of performance of products provided, and
* Measurement of other success factors identified by management.
When developing, implementing and managing the organisation's quality management system, management should consider the quality management principles outlined in section

On the basis of these principles, top management should demonstrate leadership in, and commitment to, the following activities:
* Understanding current and future customer needs and expectations, in addition to requirements;
* Promoting policies and objectives to increase awareness, motivation and involvement of people in the organisation;
* Establishing continual improvement as an objective for processes of the organisation;
* Planning for the future of the organisation and managing change;
* Setting and communicating a framework for achieving the satisfaction of interested parties.

Evidence of commitment to the development and implementation of the management system, and to continually improving its effectiveness, is provided by:
* Communicating the importance of meeting customer, regulatory & legal requirements
* Establishing policies and objectives
* Conducting management reviews
* Ensuring availability of resources

The emphasis here is on top management to show commitment to the system by positive commitment, direction and provision of resources. Auditors will need to establish if this commitment does exist. This can be very difficult in an audit situation, but objective evidence should be sought in the form of policies, records of reviews, establishment of business objectives and evidence of continual improvement. Many of these examples of objective evidence will be identified again later in the standard.

5.2 Customer focus

Every organisation has interested parties, each having needs and expectations.
Interested parties of organisations include:
* Customers and end-users,
* People in the organisation,
* Owners/investors (such as shareholders, individuals or groups, including the public sector, that have a specific interest in the organisation),
* Suppliers and partners, and
* Society in terms of the community and the public affected by the organisation or its products.

The success of an organisation depends on understanding and satisfying the current and future needs and expectations of present and potential customers and end users, as well as understanding and considering those of other interested parties.

Top management shall ensure that customer requirements are determined and are met with the aim of enhancing customer satisfaction.

Customer needs are generally identified when an enquiry or order is received. In order to achieve customer satisfaction, the organisation must ensure that all needs and expectations are identified, including those that are not specifically specified by the customer, i.e. legal and regulatory requirements.

Again the emphasis is on top management to ensure that this process is operational. Objective evidence to support this will be found when reviewing the sales order processes. In general the whole organisation should be customer focused, and the top management have the responsibility to ensure that this structure is in place.

When referring to legal and regulatory requirements we are referring to product requirements, and not other legal requirements such as Health & Safety at Work or environmental legislation.

5.3 Quality Policy

Top management should use the quality policy as a means of leading the organisation toward improvements of its performance.

An organisation's quality policy should be an equal and consistent part of the organisation's overall policies and strategy.
In establishing the quality policy, top management should consider:
* The level and type of future improvement needed for the organisation to be successful,
* The expected or desired degree of customer satisfaction,
* The development of people in the organisation,
* The needs and expectations of other interested parties,
* The resources needed to go beyond ISO 9001 requirements, and
* The potential contributions of suppliers and partners.

The organisation must establish a Quality Policy, and ensure that it:
* Is appropriate to the purpose of the company
* Includes a commitment to meet requirements and continual improvement
* Provides a framework for establishing and reviewing quality objectives
* Is communicated and understood
* Is reviewed for continuing suitability

Again the emphasis is on top management to establish the Quality Policy. The content of the policy shall include all items specified in 5.3 (i.e. commitment to meet requirements, continual improvement, and a framework for objectives, and be periodically reviewed) and then be communicated to appropriate levels within the organisation.

5.4 Planning

5.4.1 Quality Objectives

The organisation's strategic planning and the quality policy provide a framework for the setting of quality objectives. Top management should establish these objectives, leading to improvement of the organisation's performance. The objectives should be capable of being measured in order to facilitate an effective and efficient review by management. When establishing the objectives, management should also consider:
* Current and future needs of the organisation and the markets served,
* Relevant findings from management reviews,
* Current product and process performance,
* Levels of satisfaction of interested parties,
* Self-assessment results, benchmarking, competitor analysis, opportunities for improvement, and
* Resources needed to meet the objectives.
This clause places further emphasis on top management to set objectives that are measurable. The objectives should relate to the quality policy and, although some objectives can be to maintain a certain level, there should be evidence of continual improvement. The objectives set should include a commitment to meet product requirements.

When setting objectives, the acronym SMART should be remembered: Specific, Measurable, Achievable, Realistic and Timely.

The auditor will need to see objective evidence of objectives that have been set by top management and evidence of measurement of progress toward the set objective. The objectives should be consistent with the company quality policy. This could be as simple as entries in the management review minutes or as detailed as a business plan showing progress toward the objectives.

Auditors will need to understand the methods that a company has employed to measure progress towards its objectives.

Examples of quality objectives could be found in the following areas:
* Reduction in the number of nonconformities
* Maintenance or improvement in delivery times
* Improvement in warranty
* Reduction in number of customer complaints
* Improvements in customer satisfaction
* Reduction in the number of suppliers/subcontractors

5.4.2 Quality Management System Planning

This clause again requires top management to identify the resources needed to achieve the quality objectives and provide evidence of planning. The quality planning must include the processes of the quality management system, the resources needed and the continual improvement of the quality management system.

Quality planning can be in the form of specific contract or project plans, depending on the industry in question. Other organisations will simply document their methods of achieving the quality objectives as procedures, flow charts, process sheets, care plans, HACCP plans etc.
Changes to the system must be made in a controlled manner so that quality objectives can be maintained and continual improvement of the management system is achieved.

5.5 Responsibility, Authority and Communication

5.5.1 Responsibility and Authority

Top management should define and then communicate the responsibility and authority in order to implement and maintain an effective and efficient quality management system.

People throughout the organisation should be given responsibilities and authority to enable them to contribute to the achievement of the quality objectives and to establish their involvement, motivation and commitment.

The responsibilities & authorities must be defined and communicated to show how they interrelate. These could be found within procedures, separate job descriptions or specific quality plans. The interrelationship of different job functions could be shown as an organisation chart or described as part of various job descriptions.

5.5.2 Management Representative

A management representative from the organisation's own management should be appointed and given the authority by top management to manage, monitor, evaluate and coordinate the quality management system. This appointment is to enhance effective and efficient operation and improvement of the quality management system. The representative should report to top management and communicate with customers and other interested parties on matters pertaining to the quality management system.

The Management Representative will:
* Ensure processes are established, implemented & maintained
* Report on performance and improvement
* Promote awareness of customer requirements throughout the organisation

The Management Representative has the responsibility to ensure that the system is established and maintained. The Management Representative must be a member of the organisation's own management.
The operational duties within the system (audits, document control) can be delegated, but responsibility remains with the Management Representative. Communication of customer requirements can be shown by notice boards, intranet site updates etc. This can be verified by talking to employees!

5.5.3 Internal communication

The management of the organisation should define and implement an effective and efficient process for communicating the quality policy, requirements, objectives and accomplishments. Providing such information can aid in the organisation's performance improvement and directly involves its people in the achievement of quality objectives. Management should actively encourage feedback and communication from people in the organisation as a means of involving them.

Activities for communicating include, for example:
* Management-led communication in work areas,
* Team briefings and other meetings, such as for recognition of achievement,
* Notice-boards, in-house journals/magazines,
* Audio-visual and electronic media, such as e-mail and websites, and
* Employee surveys and suggestion schemes,
* Notice boards

Communication between all functions and personnel of the company must be effective and demonstrated. Again auditors will need to talk to employees to assess their awareness of the quality management system and how they affect the effectiveness of the system.

5.6 Management Review

5.6.1 General

Top management should develop the management review activity beyond verification of the effectiveness and efficiency of the quality management system into a process that extends to the whole organisation, and which also evaluates the efficiency of the system.

Management reviews should be platforms for the exchange of new ideas, with open discussion and evaluation of the inputs being stimulated by the leadership of top management.
To add value to the organisation from management review, top management should control the performance of realisation and support processes by systematic review based on the quality management principles. The frequency of review should be determined by the needs of the organisation. Inputs to the review process should result in outputs that extend beyond the effectiveness and efficiency of the management system. Outputs from reviews should provide data for use in planning for performance improvement of the organisation.

Top management should establish a process to review the whole system at planned intervals. The review should include a review of system effectiveness and efficiency, quality policies and objectives, and current activities, and make changes as required to ensure suitability and effectiveness of the quality system.

5.6.2 Review inputs

The inputs to the management review must include information/data derived from:
* Results of audits
* Customer feedback
* Process performance & product conformance
* Preventive & corrective actions status
* Follow up on actions from previous reviews
* Changes that could affect the quality system
* Recommendations for improvement

Other inputs could be financial, social and relevant statutory or regulatory changes.

5.6.3 Review output

The output from the review will include:
* Improvements to the management system, product & processes
* Any resources needed

6.0 Resource Management

6.1 Provision of resources
6.2 Human resources
6.2.1 General
6.2.2 Competence, awareness and training
6.3 Infrastructure
6.4 Environment

6.1 Provision of Resources

Top management should ensure that the resources essential to the implementation of strategy and the achievement of the organisation's objectives are identified and made available.
This should include resources for operation and improvement of the quality management system, and the satisfaction of customers and other interested parties. Resources may be people, infrastructure, work environment, information, suppliers and partners, natural resources and financial resources.

Management must provide enough resources to implement and maintain the management system, continually improve its effectiveness, and enhance customer satisfaction by meeting customer requirements.

Sufficient resources are essential if an organisation is to achieve its business strategies and objectives. Resources to be considered would include training resources, facilities and management. Other resources that may be considered are those that impact on the environment.

6.2 Human resources

6.2.1 General

Management should improve both the effectiveness and efficiency of the organisation, including the quality management system, through the involvement and support of people. As an aid to achieving its performance improvement objectives, the organisation should encourage the involvement and development of its people:
* By providing ongoing training and career planning,
* By defining their responsibilities and authorities,
* By establishing individual and team objectives, managing process performances and evaluating results,
* By facilitating involvement in objective setting and decision making,
* By recognising and rewarding,
* By facilitating the open, two-way communication of information,
* By continually reviewing the needs of its people,
* By creating conditions to encourage innovation,
* By ensuring effective teamwork,
* By communicating suggestions and opinions,
* By using measurements of its people's satisfaction, and
* By investigating the reasons why people join and leave the organisation.

This clause requires an organisation to ensure that personnel performing work affecting conformity to product quality requirements shall be competent on the basis of appropriate education, training, skills and experience.

6.2.2 Competence, Training and Awareness

When considering the need of competence for employees, sources such as future demands, succession needs, new processes and equipment should also be considered.

The organisation shall determine necessary competence needs, provide training or other appropriate action, evaluate the action taken, communicate relevant information relating to their position and responsibility, and maintain records of education, training, skills and experience.

6.3 Infrastructure

Management should define the infrastructure necessary for the realisation of products while considering the needs and expectations of interested parties. The infrastructure includes resources such as plant, workspace, tools and equipment (hardware and software), support services, information and communication technology, and transport facilities.

Other issues that may be considered could include layout planning to reduce material handling, key equipment spares identification, and contingency plans.

6.4 Work Environment

Management should ensure that the work environment has a positive influence on motivation, satisfaction and performance of people in order to enhance the performance of the organisation.
Creation of a suitable work environment, as a combination of human and physical factors, should include consideration of:
* Safety rules and guidance, and use of PPE
* Ergonomics
* Facilities for people
* Hygiene, cleanliness, noise, vibration and pollution
* Heat
* Humidity

Information

Management should treat data as a fundamental resource for conversion to information and the continual development of an organisation's knowledge, which is essential for making factual decisions and can stimulate innovation. In order to manage information, the organisation should identify its information needs, use data, information and knowledge to set and meet its strategies and objectives, and ensure appropriate security and confidentiality of information.

Natural resources

Consideration should be given to the availability of natural resources that can influence the performance of the organisation. While such resources are often out of the direct control of the organisation, they can have significant positive or negative effects on its results. The organisation should have plans, or contingency plans, to ensure availability or replacement of these resources in order to prevent or minimise negative effects on the performance of the organisation.

Financial resources

Resource management should include activities for determining the needs for, and sources of, financial resources. The control of financial resources should include activities for comparing actual usage against plans, and taking necessary action.

Management should plan, make available and control the financial resources necessary to implement and maintain an effective and efficient quality management system and to achieve the organisation's objectives. Management should also consider the development of innovative financial methods to support and encourage improvement of the organisation's performance.
Improving the effectiveness and efficiency of the quality management system can influence positively the financial results of the organisation, for example:
a) internally, by reducing process and product failures, or waste in material and time, or
b) externally, by reducing product failures, costs of compensation under guarantees and warranties, and costs of lost customers and markets.

Reporting of such matters can also provide a means of determining ineffective or inefficient activities, and initiating suitable improvement actions.

The financial reporting of activities related to the performance of the quality management system and product conformity should be used in management reviews.

The organisation shall determine and manage the work environment needed to achieve product conformity:

Section 7 Product Realisation

7.1 Planning of Product Realisation
7.2 Customer related processes
7.2.1 Determination of requirements related to the product
7.2.2 Review of requirements related to the product
7.2.3 Customer communication
7.3 Design and development
7.3.1 Design and development planning
7.3.2 Design and development inputs
7.3.3 Design and development outputs
7.3.4 Design and development review
7.3.5 Design and development verification
7.3.6 Design and development validation
7.3.7 Control of design and development changes
7.4 Purchasing
7.4.1 Purchasing Process
7.4.2 Purchasing Information
7.4.3 Verification of purchased product
7.5 Production and service provision
7.5.1 Control of production and service provision
7.5.2 Validation of processes for production and service provision
7.5.3 Identification and traceability
7.5.4 Customer property
7.5.5 Preservation of product
7.6 Control of monitoring and measuring equipment

7.0 Product Realisation

An organisation may wish to exclude some of the requirements of section
seven. This can only be done if it does not affect their ability nor absolve them of their responsibility to provide product that meets the customer requirements and applicable regulatory requirements. This may be due to:
* The nature of the organisation's product (the organisation does not carry out design)
* The customer requirements (a labour-only supplier, so there is no purchase requirement)

Auditors must be aware that when carrying out an audit they must confirm that only acceptable requirements of section seven have been excluded. They need to review all processes that affect the product or service being delivered. The organisation must justify any exclusion within their quality manual. Where an auditor identifies activities that fall within section seven, then registration to ISO 9001: 2008 shall not be recommended.

7.1 Planning of realisation processes

Top management should ensure the effective and efficient operation of realisation and support processes and the associated process network so that the organisation has the capability of satisfying its interested parties. While realisation processes result in products that add value to the organisation, support processes are also necessary to the organisation and add value indirectly.

Any process is a sequence of related activities or an activity that has both input and output. Management should define the required outputs of processes, and should identify the necessary inputs and activities required for their effective and efficient achievement.

The interrelation of processes can be complex, resulting in process networks. To ensure the effective and efficient operation of the organisation, management should recognise that the output of one process may become the input to one or more other processes.

Understanding that a process can be represented as a sequence of activities aids management in defining the process inputs.
Once the inputs have been defined, the necessary activities, actions and resources required for the process can be determined, in order to achieve the desired outputs.

Processes should be documented to the extent necessary to support effective and efficient operation. Documentation related to processes should support
* identifying and communicating the significant features of the processes,
* training in the operation of processes,
* sharing knowledge and experience in teams and work groups,
* measurement and audit of processes, and
* analysis, review and improvement of processes.

The role of people within the processes should be evaluated in order
* to ensure the health and safety of people,
* to ensure that the necessary skills exist,
* to support coordination of processes,
* to provide for input from people in process analysis, and
* to promote innovation from people.

The planning and documenting of the processes in a suitable format to include:
* Quality objectives for products, projects or contracts
* The process steps
* The required verification, validation, monitoring, measurement, inspection and test activities specific to the product and the criteria for product acceptance
* Keep records to support process conformance

7.2 Customer-related processes

Management should ensure the organisation has defined mutually acceptable processes for communicating effectively and efficiently with its customers and other interested parties. The organisation should implement and maintain such processes to ensure adequate understanding of the needs and expectations of its interested parties, and for translation into requirements for the organisation. These processes should include identification and review of relevant information and should actively involve customers and other interested parties.
Examples of relevant process information include:
* Requirements of the customer or other interested parties
* Market research, including sector and end user data
* Contract requirements
* Competitor analysis
* Benchmarking

7.2.1 Determination of requirements related to the product

* Determine customer requirements, including delivery and post delivery activities.
* Requirements not specified by the customer but necessary for the product's intended use.
* Statutory & regulatory requirements applicable to the product.
* Any additional requirements considered necessary by the organisation.

7.2.2 Review of requirements related to the product

The Company must review the requirements mentioned in 7.2.1 to determine that:
* The product requirements are defined
* Contract or order requirements differing from those previously expressed are resolved
* The organisation has the ability to meet the defined requirements
* Maintain records of the review
* Verbal orders must be confirmed

Where product requirements are changed, the organisation shall ensure that relevant documents are amended and the relevant personnel are made aware of the changes.

7.2.3 Customer communication

The Company must set up a system to:
* Communicate product info
* Handle enquiries, contracts & orders
* Deal with customer feedback & complaints

7.3 Design and Development

Top management should ensure that the organisation has defined, implemented and maintained the necessary design and development processes to respond effectively and efficiently to the needs and expectations of its customers and other interested parties.

When designing and developing products or processes, management should ensure that the organisation is not only capable of considering their basic performance and function, but all factors that contribute to meeting the product and process performance expected by customers and other interested parties.
For example, the organisation should consider life cycle, safety and health, testability, usability, user-friendliness, dependability, durability, ergonomics, the environment, product disposal and identified risks.

Management also has the responsibility to ensure that steps are taken to identify and mitigate potential risk to the users of the products and processes of the organisation. Risk assessment should be undertaken to assess the potential for, and the effect of, possible failures or faults in the products or processes. The results of the assessment should be used to define and implement preventive actions to mitigate the identified risks. Examples of tools for risk assessment of design and development include
* design fault modes and effects analysis,
* fault tree analysis,
* reliability prediction,
* relationship diagrams,
* ranking techniques, and
* simulation techniques.

7.3.1 Design & Development Planning

The Company shall control the planning to include:
* Stages of design and development
* Review, verification & validation
* Who is responsible for each stage
* Interfaces between different groups
* Plan must be kept up to date

7.3.2 Design and Development Inputs

Define & document the inputs to include:
* Function & performance requirements
* Legal & regulatory requirements
* If previous design, then include information
* Other essential requirements

Review the inputs and resolve problems.

7.3.3 Design and development outputs

Outputs to include:
* Output should meet the input requirements
* Provide appropriate information to purchasing, production and service
* Product acceptance criteria
* Specify characteristics of the product that are essential for safe and proper use

All output documents must be reviewed and approved prior to release.
7.3.4 Design and Development Review

The Company must carry out documented reviews at suitable intervals to:
* Ensure requirements can be met
* Identify problems & take corrective action

Reviews will include appropriate persons involved in the design, and a record of the review and any follow up action shall be maintained.

7.3.5 Design and development verification

Verify that the output meets the input requirements and keep a record of the results.

7.3.6 Design and development Validation

Performed to ensure that the resulting product meets the user requirements. Keep records of validation and changes.

7.3.7 Control of Design and development changes

* Changes shall be identified and records maintained.
* The changes shall be reviewed, verified and validated, as appropriate, and approved before implementation.
* The review shall include evaluation of the effect of the change on constituent parts and parts already delivered.

7.4 Purchasing

Top management of the organisation should ensure that effective and efficient purchasing processes are defined and implemented for the evaluation and control of purchased products, in order that purchased products satisfy the organisation's needs and requirements, as well as those of interested parties.
To ensure the effective and efficient performance of the organisation, management should ensure that purchasing processes consider the following activities:
* timely, effective and accurate identification of needs and purchased product specifications;
* evaluation of the cost of purchased product, taking account of product performance, price and delivery;
* the organisation's need and criteria for verifying purchased products;
* unique supplier process;
* consideration of contract administration, for both supplier and partner arrangements;
* warranty replacement for nonconforming purchased products;
* logistic requirements;
* product identification and traceability;
* preservation of product;
* documentation, including records;
* control of purchased product which deviates from requirements;
* access to suppliers' premises;
* product delivery, installation or application history;
* supplier development;
* identification and mitigation of risks associated with the purchased product.

7.4.1 Purchasing Process

* The Company shall ensure that purchased product conforms to specified requirements.
* Type and extent of control is dependent on the impact of the purchased product.
* The Company shall evaluate and select suppliers.
* Criteria for selection, evaluation and re-evaluation shall be established.
* Keep records of evaluations and follow up.

7.4.2 Purchasing information

The Company shall ensure that purchase information describes the product to be ordered including, where appropriate:
* Approvals of product, procedures, processes and equipment
* Requirements for qualification of personnel
* Quality management system requirements

7.4.3 Verification of purchased product

The Company shall:
* Verify purchased product
* If verification is carried out at the supplier's location, then the method of product release must be defined.
7.5 Production & Service Operations

Top management should go beyond control of the realisation processes in order to achieve both compliance with requirements and provide benefits to interested parties. This may be achieved through improving the effectiveness and efficiency of the realisation processes and associated support processes, such as
* reducing waste,
* training of people,
* communicating and recording information,
* developing supplier capability,
* improving infrastructure,
* preventing problems,
* processing methods and process yield, and
* methods of monitoring

7.5.1 Control of production and service provision

The Company shall control production & service through:
* Making info available on the spec of the product
* Work instructions (as applicable)
* Use of suitable equipment
* Correct use & availability of measuring/monitoring equipment
* Implementation of monitoring activities
* Systems set up for product release, delivery and post delivery

7.5.2 Validation of processes for production and service operations

If a product cannot be verified then the organisation shall define & validate the process to include:
* Qualification of processes
* Qualification of equipment & personnel
* Use defined methods & procedures
* What records are needed?
* Re-validation

7.5.3 Identification & Traceability

The organisation can establish a process for identification and traceability that goes beyond the requirements in order to collect data, which can be used for improvement.

The need for identification and traceability may arise from
* status of products, including component parts,
* status and capability of processes,
* benchmarking performance data, such as marketing,
* contract requirements, such as product recall capability,
* relevant statutory and regulatory requirements,
* intended use or application,
* hazardous materials, and
* mitigation of identified risks.

The Company shall:
* Identify product through product realisation processes
* Identify the test status of product: pass, fail, on-hold etc.
* If traceability is a requirement then a unique identification shall be used for the product and a record kept.

7.5.4 Customer property

The organisation should identify responsibilities in relation to property and other assets owned by customers and other interested parties and under the control of the organisation, in order to protect the value of the property.

Examples of such property are
* ingredients or components supplied for inclusion in a product,
* product supplied for repair, maintenance or upgrading,
* packaging materials supplied directly by the customer,
* customer materials handled by service operations such as storage,
* services supplied on behalf of the customer, such as transport of customer property to a third party, and
* customer intellectual property, including specifications, drawings and proprietary information.

The Company shall exercise care with customer property while under its control or being used by the organisation:
* Identify, verify, protect and maintain it
* If property is lost, damaged or found unsuitable for use, keep a record and inform the customer

7.5.5 Preservation of product

Management should define and implement processes for handling, packaging, storage, preservation and delivery of product that prevent damage, deterioration or misuse during internal processing and final delivery of the product. Management should involve suppliers and partners in defining and implementing effective and efficient processes to protect purchased material.

Management should consider the need for any special requirements arising from the nature of the product.
Special requirements can be associated with software, electronic media, hazardous materials, products requiring special people for service, installation or application, and products or materials that are unique or irreplaceable.

The Company shall preserve conformity of the product during processing & delivery. This shall include identification, handling, packaging, storage and protection.

7.6 Control of monitoring and measuring equipment

Management should define and implement effective and efficient measuring and monitoring processes, including methods and equipment for verification and validation of products and processes to ensure the satisfaction of customers and other interested parties. These processes include surveys, simulations, and other measurement and monitoring activities.

The organisation should consider means to eliminate potential errors from processes, such as mistake proofing, to minimise the need for control and measuring devices.

The Company shall:
* Identify measurements and the equipment used
* Calibrate & adjust equipment
* Prevent unauthorised adjustments
* Prevent damage, deterioration of equipment
* Keep records of calibration
* Validate previous results and take action if equipment is found out of calibration

Section 8.0 Measurement, Analysis and Improvement

8.1 General
8.2 Monitoring and Measurement
8.2.1 Customer Satisfaction
8.2.2 Internal Audit
8.2.3 Monitoring and Measurement of Processes
8.2.4 Monitoring and Measurement of Product
8.3 Control of Nonconforming Product
8.4 Analysis of Data
8.5 Improvement
8.5.1 Continual Improvement
8.5.2 Corrective Action
8.5.3 Preventive Action

8.1 General

Measurement data are important for making fact-based decisions.
Top management should ensure effective and efficient measurement, collection and validation of data to ensure the organisation's performance and the satisfaction of interested parties. This should include review of the validity and purpose of measurements and the intended use of data to ensure added value to the organisation.

Examples of measurement of performance of the organisation's processes include
* measurement and evaluation of its products,
* capability of processes,
* achievement of project objectives, and
* satisfaction of customer and other interested parties.

The organisation should continually monitor its performance improvement actions and record their implementation, as this can provide data for future improvements.

The results of the analysis of data from improvement activities should be one of the inputs to management review in order to provide information for improving the performance of the organisation.

The Company shall plan and implement the monitoring, measurement, analysis and improvement processes needed to:
* Demonstrate conformity to product requirements
* Conformity of the quality management system
* Continually improve the effectiveness of the quality management system

8.2 Measurement & monitoring

Top management should ensure that effective and efficient methods are used to identify areas for improvement of the quality management system performance. Examples of methods include
* satisfaction surveys for customers and other interested parties,
* internal audits,
* financial measurements, and
* self-assessment.

Measurement and monitoring of customer satisfaction is based on review of customer-related information. The collection of such information may be active or passive. Management should recognise that there are many sources of customer-related information, and should establish effective and efficient processes to collect, analyse and use this information for improving the performance of the organisation.
The organisation should identify sources of customer and end-user information, available in written and verbal forms, from internal and external sources.

Examples of customer-related information include
* customer and user surveys,
* feedback on aspects of product,
* customer requirements and contract information,
* market needs,
* service delivery data,
* information relating to competition.

Management should use measurement of customer satisfaction as a vital tool. The organisation's process for requesting, measuring and monitoring feedback of customer satisfaction should provide information on a continual basis. This process should consider conformity to requirements, meeting needs and expectations of customers, as well as the price and delivery of product.

The organisation should establish and use sources of customer satisfaction information and should cooperate with its customers in order to anticipate future needs. The organisation should plan and establish processes to listen effectively and efficiently to the "voice of the customer". Planning for these processes should define and implement data-collection methods, including information sources, frequency of collection, and data-analysis review.

Examples of sources of information on customer satisfaction include
* customer complaints,
* communicating directly with customers,
* questionnaires and surveys,
* subcontracted collection and analysis of data,
* focus groups,
* reports from consumer organisations (JD Power),
* reports in various media, and
* sector and industry studies,
* repeat business recommendations

8.2.1 Customer Satisfaction

The Company shall:
* Set up a system for collecting information on customer perception
* Use this information as a measure of the performance of the quality system.
The methodology for obtaining and using this information shall be determined.

8.2.2 Internal audits

Top management should ensure the establishment of an effective and efficient internal audit process to assess the strengths and weaknesses of the quality management system. The internal audit process acts as a management tool for independent assessment of any designated process or activity. The internal audit process provides an independent tool for use in obtaining objective evidence that the existing requirements have been met, since the internal audit evaluates the effectiveness and efficiency of the organisation.

Examples of subjects for consideration by internal auditing include
* effective and efficient implementation of processes,
* opportunities for continual improvement,
* capability of processes,
* effective and efficient use of statistical techniques,
* use of information technology,
* analysis of quality cost data,
* effective and efficient use of resources,
* process and product performance results and expectations,
* adequacy and accuracy of performance measurement,
* improvement activities, and
* relationships with interested parties.

Management should consider the conversion of data from processes to financial information in order to provide comparable measures across processes and to facilitate improvement of the effectiveness and efficiency of the organisation. Examples of financial measures include
* prevention and appraisal costs analysis,
* nonconformity costs analysis,
* internal and external failure cost analysis, and
* life-cycle cost analysis.

The organisation shall conduct regular audits to ensure conformance to this standard & effectiveness of the system. Criteria, scope, frequency and methodology shall be defined. A documented procedure shall be established to define the responsibilities and requirements for planning and conducting audits, establishing records and reporting results.
The management responsible for the area being audited shall ensure that any necessary corrections and corrective actions are taken without undue delay to eliminate detected nonconformities and their causes.

8.2.3 Measurement & monitoring of processes

The organisation should identify measurement methods and perform measurements to evaluate process performance. The organisation should incorporate these measurements into processes and use the measurements in process management.

Measurements should be used for managing daily operations, for evaluation of the processes that may be suitable for small-step or ongoing continual improvements, as well as for breakthrough projects, according to the vision and strategic objectives of the organisation.

The Company shall apply suitable methods for monitoring and, where applicable, measurement of the quality management system processes.

Examples of process performance are:
* Accuracy
* Timeliness
* Dependability
* Cycle time or throughput
* Effectiveness and efficiency of people
* Reduction in process FMEA score

When planned results are not achieved, correction and corrective action shall be taken, as appropriate.

8.2.4 Measurement & monitoring product

The Company shall:
* Carry out measuring & monitoring of product to verify that product requirements are met.
* Document evidence & acceptance criteria & who has the authority to release.
* Customer approval or finish inspection before product release.

Measurement and monitoring the satisfaction of interested parties

The organisation should identify the measurement information required to meet the needs of interested parties (other than customers), in relation to the processes of the organisation in order to balance the allocation of resources. Such information should include measurements relating to the people in the organisation, owners and investors, suppliers and partners, as well as society.
Measurement examples are as follows.

a) For people in the organisation, the organisation should
* Survey the opinions of its people regarding how well the organisation satisfies their needs and expectations, and
* Assess individual and collective performances and their contribution to organisational efforts.

b) For owners and investors, the organisation should
* Assess its capacity to attain defined objectives,
* Assess its financial performance,
* Evaluate the impact of external factors on its results, and
* Identify the value contributed by the actions taken.

c) For suppliers and partners, the organisation should
* Survey the opinions of suppliers and partners on their satisfaction with the purchasing processes of the organisation,
* Monitor and supply feedback on the performance of suppliers and partners and their compliance with the organisation's purchasing policy,
* Assess the quality of product purchased, contributions from suppliers and partners, and mutual benefits derived from the relationship.

d) For society, the organisation should
* Define and track suitable data relative to its objectives, in order to achieve satisfactory interaction with society, and
* Periodically assess the effectiveness and efficiency of its actions and the perceptions of its performance by relevant parts of society.

8.3 Control of nonconformity

Top management should empower people in the organisation with the authority and responsibility to report nonconformities at any stage of a process in order to ensure timely detection and disposition of nonconformities. Authority for response to nonconformities should be defined to maintain achievement of process and product requirements.
The organisation should effectively and efficiently control nonconforming product identification, segregation and disposition in order to prevent misuse.

Document procedure to include:
* Controls and responsibilities
* Identification of N/C product
* Correction and corrective action
* Re-verification after corrective action

8.4 Analysis of data

Decisions should be based on analysis of data obtained from measurements and information collected as described in this International Standard. In this context, the organisation should analyse data from its various sources to assess performance against plans, objectives and other defined goals, and to identify areas for improvement including possible benefits for interested parties.

Decisions based on facts require effective and efficient actions such as
* Valid analysis methods,
* Appropriate statistical techniques, and
* Making decisions and taking actions based on results of logical analysis, as balanced with experience and intuition.

Analysis of data can help to determine the root cause of existing or potential problems, and therefore guide decisions about the corrective and preventive actions needed for improvement.

The Company shall collect, analyse & identify improvements to determine effectiveness of the system. This data shall be used to determine:
* Customer satisfaction/dissatisfaction
* Conformance to customer requirements
* Characteristics of processes, product and their trends
* Suppliers

Evidence must show that the above data is being used for continual improvement. Examples: scrap rates, customer satisfaction, returns etc.

8.5 Improvement

Management should continually seek to improve the effectiveness and efficiency of the processes of the organisation, rather than wait for a problem to reveal opportunities for improvement. Improvements can range from small-step ongoing continual improvement to strategic breakthrough improvement projects.
The organisation should have a process in place to identify and manage improvement activities. These improvements may result in change to the product or process and even to the quality management system or to the organisation.

8.5.1 Continual improvement

The organisation's objective here is to plan & manage the processes for continual improvement of the quality management system. This shall be accomplished through the use of the Quality policies, objectives, audit results, analysis of data, corrective/preventive actions and the Management reviews.

8.5.2 Corrective Action

Top management should ensure that corrective action is used as a tool for improvement. Corrective action planning should include evaluation of the significance of problems, and should be in terms of the potential impact on such aspects as operating costs, costs of nonconformity, product performance, dependability and the safety and satisfaction of customers and other interested parties. People from appropriate disciplines should participate in the corrective action process. Also, the effectiveness and efficiency of processes should be emphasised when actions are taken, and the actions should be monitored to ensure that desired goals are met. Corrective actions should be considered for inclusion in management review.

In pursuing corrective action, the organisation should identify sources of information, and collect information to define the necessary corrective actions. The defined corrective action should be focused on eliminating causes of nonconformities in order to avoid recurrence.
Examples of sources of information for corrective action consideration include
* Customer complaints,
* Nonconformity reports,
* Internal audit reports,
* Outputs from management review,
* Outputs from data analysis,
* Outputs from satisfaction measurements,
* Relevant quality management system records,
* Process measurements, and
* Results of self-assessment.

The organisation shall take action to eliminate the cause of nonconformities in order to prevent re-occurrence. Corrective action shall be appropriate to the effects of the nonconformity encountered.

The procedure shall include:
* Reviewing nonconformities
* Determine the cause
* Evaluate action to be taken to prevent re-occurrence
* Determining and implementing action
* Recording results
* Review effectiveness of corrective action

8.5.3 Preventive Action

The organisation shall determine action to eliminate the cause of potential nonconformities in order to prevent their occurrence. The preventive actions shall be appropriate to the effects of the potential problems.

The procedure shall include:
* Determining potential nonconformities and their causes
* Evaluating the need for action to prevent occurrence
* Determining and implementing action
* Records of the results
* Reviewing the effectiveness of preventive action taken

These clauses clarify the difference between occurrence and re-occurrence when related to corrective and preventive action.

Continual improvement of the organisation

To aid in ensuring the future of the organisation and the satisfaction of interested parties, management should create a culture which involves people actively seeking opportunities for improvement of performance in processes, activities and products.

To involve people, top management should create an environment where authority is delegated so that people are empowered and accept responsibility to identify opportunities where the organisation can improve its performance.
This can be achieved by activities such as
* Setting of objectives for people, projects and the organisation
* Benchmarking competitor and best practice
* Recognition and reward for achievement of improvement
* Suggestion schemes

Section 7
Review of Quality System Documentation
C.M.C. International

Introduction

It follows from our basic definitions that a documented quality management system is the formal recording of policies, procedures, responsibilities, etc., in some form or another. The mandatory documents for any system are as follows:
* A quality policy
* Quality objectives
* Quality manual
* Mandatory procedures as required by the standard
* Records required by the standard

Identifying the processes and documenting the system

Here the overall objectives of any organisation are to set out who does what, how they accomplish it and the sequence of events. The effort of identifying the various processes and recording them is in itself a very useful process since it concentrates the minds of managers and can simply identify where effort is being duplicated, wasteful practices, etc.

Reviewing and confirming that the system reflects best current practice to meet objectives

Now that the procedures and processes by which a company conducts its business have been identified and, where required, documented, they should be justified in terms of the following:
a) The company policy
b) Common sense
c) Environment
d) Product Safety
e) Legislation and/or applicable Standard Codes.

Implementation

After refining the procedures and processes the company must ensure that all personnel are trained, ready, willing and able to operate them. It is essential that the company should ensure that "those people who do the business" should have at least some ownership over those processes from the earliest possible moment.
If this approach is not taken then a significant amount of "selling the system" needs to be done to convince staff that this is the way in which the organisation intends to conduct itself.

The company itself, its customers, regulatory authorities and certification bodies all have an interest in knowing whether the company's activities are being performed as described in the documented quality management system. The system itself must include the mechanics for this and the most common format is documented evidence, i.e. records. Typically these include records of contract review, training records, purchasing data, areas within the standard that specify the keeping of quality records.

Issue Level 7 April 2013, Section 7, Page 1 of 10

The Quality Plan

It may be that a company decides not to document procedures for every aspect of its business but a proportion of their customers may require activities relating to their contracts to be documented. The company may address this by developing a quality plan. This is a document setting out the specific quality practices, resources and sequence of activities relevant to a particular product, service, contract or project.

It is very common for customers within certain industry sectors, e.g. aerospace, nuclear and automotive, etc., to request contract quality plans (control plans) as a matter of routine even though the organisation may have a documented quality management system which addresses all of their business.

So, Why Document Anything?

a) It is a pre-requisite for an approved or certified system to ISO 9001.
b) It is an aid to managing and facilitating change.
c) It brings consistency to routine activities and helps ensure best practices.
d) It eliminates excuses such as "nobody told me".
e) It is a fashionable market tool.
f) Enables system audit.
g) To ensure effective planning, operation and control of processes (4.2.1d).

There are a number of different views as to what a Quality Manual is and should be. ISO 9001: 2008 clause 4.2.2 calls for the Organisation to prepare a Quality Manual to include the scope of the system, justification for any exclusions, documented procedures or reference to them and the sequence and interaction of the processes.

Before an audit of a company's quality management system, the auditor must ensure that the requirements of clause 4.2 have been fully complied with.

Common Structure of a Documented Quality Management System

Most organisations opt to document their system using the conventional four-tier system although it must be stressed that this is not the only method.

1. The Quality Manual

A document containing the scope and any exclusions, description and interaction of processes and reference to, or inclusion of, the quality system procedures. The manual would typically include the policy and an organisation chart.

2. Procedures, Flow Charts and/or Quality Plans

These describe the means by which the policy is to be implemented. They define the activity, who carries out the activity and when it is carried out. There are six mandatory requirements throughout the standard where documented procedures are a requirement. These are Document Control, Control of Quality Records, Internal Audits, Control of Nonconformity, Corrective Action and Preventive Action. These activities must be controlled by a documented procedure. The procedures however should not be rigid and inflexible; they should allow for staff to carry out their function using their skill and training.

3. Work Instruction

These detail the requirements for individual activities and how they are to be carried out. This may include specific inspection and test procedures, computer operating instructions or machine operating instructions.
It is not mandatory to have work instructions in place in order to meet the requirements of the standard. Work instructions are generally needed where the activity is complicated, not carried out very often, used as a training aid or specified by a customer.

The standard uses the term in clause 4.2.1d, documents needed by the organisation to ensure effective planning, operation and control of its processes. This means that organisations determine where they need written procedures or flow charts, but only where they are considered necessary by management. It does not mean that written procedures, flow charts or instructions are necessary for every activity. Many activities that are not written down are perfectly well controlled by the use of qualified staff.

Note: Procedures and work instructions can be in the form of flow charts, pictorial diagrams or samples and do not necessarily have to be documented in a text format. Procedures and work instructions that are held on a computer system are also acceptable.

4. Records

These are the documents that are generated as procedures/instructions are operated. They prove that tasks/activities have been undertaken under the control of the documented quality management system. These are generally referred to as Objective Evidence. Throughout an audit, the auditor should be seeking objective evidence that will prove conformance to the quality management system. Objective evidence will generally include Inspection Records, Purchase Orders, Records of Calibration, Attendance Records and Records of Management Review, plus many others. Records shall always be maintained in accordance with 4.2.4 of the standard. In certain cases, like the food processing industry, records provide a company with support of "due diligence" in a case where they may be prosecuted.

When an organisation decides to document its quality system, it may find that it can put everything into one document. Small companies often do this quite satisfactorily.
Other companies find that it is not practical to document their system in this fashion and prefer to keep separate levels of documentation. Large organisations may have a need for five or six levels of documentation because of their organisational structure.

Whichever structure the organisation chooses to use, the auditor must approach the documentation review with an open mind.

What should the Quality Manual contain?

Since many manuals are written for conformance with the standard, many companies write their level one manual in line with the clause numbers of the standard and make a statement against each one. This however is not a mandatory requirement. Within their manual, many companies also consider specific industrial guidelines / standards or codes of practice.

There is now a greatly reduced requirement for documented procedures. The emphasis of the audit should be placed on evidence of conformance rather than documentation. The organisation must however plan to achieve product conformity and customer satisfaction. The planning should be based on the Plan Do Check Action Cycle.

There are currently only six clauses of ISO 9001 that require documented procedures. This does not necessarily mean six individual procedures. It does however require in other areas that processes be planned and that records are made of various activities.

Planning of process realisation can be in any format to suit the organisation. Flow Charts and Process Mapping could be a typical approach taken by organisations. One flow chart or map could be linked by either hyperlink or reference number to a second level flow chart, procedure or training requirement.

Processes Identification

A process takes inputs and turns them into an output using resources and being subject to specific controls. Almost everything we do and all activities can be considered a process.
Within every organisation we have Primary and Secondary processes. By identifying and controlling the inputs, applying suitable methods of control and adequate resources, the desired output should be consistently achieved.

[Figure: process model showing a Process with its Controls and Resources]

Examples could be:
* Assembling a headlamp
* Assembling a sub assembly to go into the main assembly (sub process)
* Training an operator to assemble the headlamp

One of the primary inputs into any process will be data or information. This could be the instruction to begin or a contract to start. Other main or support inputs that should be considered are:
* Materials
* Machines
* Manpower
* Measurement
* Methods
* Environment

Outputs from a process are the results of the transformation of the inputs. These may include:
* Product that is acceptable
* Product that is unacceptable
* Waste

E.g. Process inputs to train an operator to assemble a headlight assembly:
* Data - The identified training need
* Materials - The components
* Machines - Fixtures, spanners, projector, tables & chairs
* Manpower - The instructor and operators
* Measurement - Success of operators (test), success of course (course critique sheet), business benefit (subsequent performance of operators)
* Methods - Assembly instructions, training method (inform, demonstrate, practice, reinforce)
* Environment - Training venue, timing, schedule

The main output is operators who can assemble the headlamp. Other outputs could be the test results and course critiques.

A restaurant example:
* Information/Request - A request for a meal from a customer
* Materials - Ingredients (purchased from approved and verified sources and storage)
* Machines - Cookers, fridges (maintained, calibrated)
* Manpower - The Chef (competent)
* Measurement - Feedback from customer (written and verbal),
  returning customers, recommendations, reputation (how busy is the restaurant)
* Methods - Recipe, cooking instructions, HACCP
* Environment - Cleanliness, pest control, cleaning process

[Figure: flow chart, HEADLAMP ASSEMBLY (Primary flow)]

[Figure: flow chart, HEADLAMP ASSEMBLY (Secondary flow)]

RECORDS REQUIRED BY ISO 9001:2008

Clause | Records Required
5.6.1 | Management reviews
6.2.2 (e) | Education, training, skills and experience
7.1 (d) | Evidence that the realization processes and resulting product fulfil requirements
7.2.2 | Results of the review of requirements relating to the product and actions arising from the review
 | Design and development inputs
 | Results of design and development reviews and any necessary actions
 | Results of design and development verifications and any necessary actions
7.3.6 | Results of design and development validation and any necessary actions
7.3.7 | Results of the review of design and development changes and any necessary actions
7.4.1 | Results of supplier evaluations and actions arising from the evaluations
7.5.2 (d) | As required by the organization to demonstrate the validation of processes where the resulting output cannot be verified by subsequent monitoring or measurement
7.5.3 | The unique identification of the product, where traceability is a requirement
7.5.4 | Customer property that is lost, damaged or otherwise found to be unsuitable for use
7.6 (a) | Standards used for calibration or verification of measuring equipment where no international or national measurement standards exist
7.6 | Validity of previous results when measuring equipment is found not to conform with its requirements
7.6 | Results of calibration and verification of measuring equipment
8.2.2 | Internal audit results
8.2.4 | Evidence of product conformity with the acceptance criteria and identification of the authority responsible for the release of the product
8.3 | Nature of the product nonconformities and any subsequent actions taken, including concessions obtained
8.5.2 | Results of corrective action
8.5.3 | Results of preventive action

Section 8
Audit Preparation and Assessment
C.M.C. International

Introduction

Throughout this section we are going to look at the activities that need to be covered from the point where the Lead Auditor has been assigned to carry out an audit of an organisation.

[Figure: certification programme flow: Application, Certification Body, Agree Contract / Assess Cost, Optional Pre-Audit, Stage One, Stage Two, Company Registration]

The Assessment Process

The total assessment process is carried out over two stages as required by ISO 17021:
a) Stage one, readiness review which includes document review (recommended that this is carried out on site)
b) Stage two, on site audit

These can be generally broken down into three further stages, which are:
* Document review,
* Process audit planning and
* Performing the audit

The third stage (performing the audit) can be broken down even further into four stages, which are:
* The opening meeting
* Conducting the audit
* Recording the audit findings
* The closing meeting

The auditor must maintain complete confidentiality throughout all phases of the audit.

Issue Level 9 April 2013, Section 8, Page 1 of 20, CMC International

Auditor Time

The following table is taken from the IAF Mandatory Document (IAF MD 5: 2013), which came into effect 4th March 2013.
The guide does not stipulate minimum or maximum times but provides a framework to be used by certification bodies to determine appropriate auditor time.

Employees are individuals whose work activity supports the scope of certification. Part time should be treated as full time equivalent depending on hours worked.

Auditor time includes time spent planning (including document review). Planning time should not reduce the total on site auditor time to less than 80% of the time shown in the auditor time chart. Annual surveillance time should be about one third of the total time spent on the initial audit.

Factors requiring additional auditor time could be, as examples:
* Complicated logistics involving more than one building or location
* An audit where an interpretation is required
* High degree of regulation (food, drugs, etc.)

Factors permitting less auditor time could be, as examples:
* Organisation is not design responsible and/or other element not covered, i.e. exclusion for measuring and monitoring
* No/Low risk product
* Prior knowledge of system, i.e. already registered to another standard by the certification body
* Very small site, i.e. one office
* High percentage of employees doing the same job

Number of Employees | Auditor Time for initial audit (stage 1 & 2), Man Days (8 Hrs) | Additive and subtractive factors | Total auditor time
1-5 | 1.5 | |
6-10 | 2 | |
11-15 | 2.5 | |
16-25 | 3 | |
26-45 | 4 | |
46-65 | 5 | |
66-85 | 6 | |
86-125 | 7 | |
126-175 | 8 | |
176-275 | 9 | |
276-425 | 10 | |
426-625 | 11 | |
626-875 | 12 | |
876-1175 | 13 | |
1176-1550 | 14 | |
1551-2025 | 15 | |
2026-2675 | 16 | |
2676-3450 | 17 | |
3451-4350 | 18 | |
4351-5450 | 19 | |
5451-6800 | 20 | |
6801-8500 | 21 | |
8501-10700 | 22 | |
>10700 | Follow progression | |

Stage one

The Document Review
(Can be carried out on or off site but on site is recommended)

The first part of the assessment process is the document review to establish if the organisation's documented system meets the requirements of the standard.

Are the mandatory documents identified?

The mandatory documents as detailed in 4.2.1 should be available and submitted for the document review. These include the Quality Policy, the Objectives, the Quality Manual and the mandatory procedures, plus other documentation required by the organisation to manage their business.

Are the processes identified and appropriately described?

Has the organisation identified its processes and appropriately described them within its documented management system? All activities that receive inputs and then convert them into outputs are considered as a process. The identification and description of the process could be in the form of a flowchart showing the overall product process flow. This will depend on the size and complexity of the organisation.

Are the mandatory procedures documented?

There are six mandatory procedures that must be fully documented. (Not necessarily six individual procedures.)

Are the exclusions acceptable?

The exclusions as recorded in the Quality Manual need to be reviewed and compared to the scope, the industry sector and the auditor's competence in the industry sector.

Is the stated scope clear and not ambiguous or misleading?

The scope of the organisation's management system must be clear and reflect the activities that are covered by the management system.
"The manufacture of electrical devices" is not specific enough, whereas "the manufacture of electronic switches" is acceptable.

The document review will need to establish if the documented system, in whatever format the organisation has chosen, has the ability to meet the organisation's objectives and whether it provides a framework for measuring process and product criteria against pre-determined targets. With the increase in electronic systems, the auditor may be required to drill down through a series of flow charts in order to review the system.

For each of the identified processes, there should be clearly defined responsibilities for the management of the process, the operation of processes and the validation of the process.

Depending on which certification body is carrying out the review, it may be carried out either on or off site. There is a distinct advantage to carrying out the documentation review on site because the quality manual and the operating procedures can be related not only to the standard but to the specific working environment of the company.

Other areas that must be covered during the stage one are:
* Evaluate location and any site specific conditions
* Review status, understanding of the standard, key performance indicators or significant aspects, processes, objectives, and general operation
* Any particular regulatory or statutory requirements
* Resource requirements
* Internal audits & Management Review

Outputs from stage 1

Audit plan

From the description of processes, and the auditor's review of processes, the auditor needs to plan how each process can be audited and what objective evidence they need in order to verify that the process is being controlled.

The audit plan should be based on the identified processes and cannot just be a verification that required procedures have been implemented.
The plan should identify what the organisation's objectives are, how they are measuring them and whether they are moving toward them or have achieved them. The plan should also ensure that all activities mentioned in the scope are covered within the audit plan.

The audit plan should start with top management and the point where the objectives and targets are established and then show the audit trail that the auditor intends to follow in order to establish if these objectives and targets are established at the relevant levels, whether they are being measured against the targets, and whether the results are showing improvement.

The programme must allow sufficient time for opening and closing meetings, report writing and to effectively audit all activities within the quality management system and all departments whose activities are relevant to the standard and scope of the assessment. The programme must also be agreed with the supplier, as the audit process is not there to interfere with the day-to-day operation of the organisation.

Checklists

As part of the on site process review, the auditor must establish what the inputs and expected outputs from each process are. Once identified, these then form part of the auditor's checklist. They can then evaluate the inputs and outputs against the checklist during the audit. The checklist should ideally follow the logical process flow of an organisation.

The checklist is the auditor's tool to ensure that they have covered all the required processes within the organisation. The findings that are recorded against the checklist points should be clear and precise records of objective evidence. The final evaluation and decision will be based on the information and data that the auditor has recorded.

The purpose of the checklist is:
i) to guide the course of the assessment
ii) to help control the pace of an audit
iii) to provide documented procedures to gather objective evidence
iv) to provide a structured list of items to be questioned and evaluated
v) to identify and communicate the scope of the assessment

Its purpose is as an "aide-memoire" and it should not be followed blindly and dogmatically. It is the servant not the master.

In creating the checklist the auditor should consider:
* The objectives of the audit
* The organisation or department being assessed
* The scope of the assessment
* The time available
* The questions that need to be addressed

The checklist is an aide-memoire, a memory jogger to ensure that the audit provides the objective evidence needed to make the necessary analysis of a quality system. The complexity and depth of the checklist may be varied depending on the experience of the auditor.

The Audit Checklist
* Can be restrictive
* Could miss something if followed rigorously

The report

The report that is left with the client will contain issues that can be classified as nonconformities if not corrected by the time the stage two audit is conducted.

A Typical Audit Programme

Assessment No.: ABC/001
Standard: ISO 9001: 2008
Client Name & Address: ABC International Ltd, The Nice Industrial Park, The Nice Area
Scope: Design, Manufacture, Distribution and After Sales Service of Air Conditioning Units

Date / Time | Lead Auditor: F. Brown | Auditor: H. Green | Auditor: G. Smith
Day 1 - 08.30 am | Team Briefing | |
09.00 am | Opening Meeting | |
09.50 am | Review NCs | Sales Dept | Goods in
11.30 am | Mgt org & Objectives | - | -
12.30 am | Lunch | Lunch | Lunch
01.30 pm | Training | Advanced Planning | Storage
03.30 pm | Document Cont | Design | Distribution
04.30 pm | Review | Review | Review
05.00 pm | Close | |
Day 2 - 09.00 am | Purchasing | Development Shop | Calibration
11.30 am | Prod Planning | Machine Shop | Heat Treatment
12.30 pm | Lunch | Lunch | Lunch
01.30 pm | Service Dept | Fab Shop | Complaints
03.00 pm | Internal Audits | Inspections | Records
04.00 pm | Audit Team Review | |
04.30 pm | Closing Meeting | |
08.00 pm | Close | |

Lead Auditor Responsibilities

In addition to preparing the programme the Lead Auditor is also the Audit Manager and is responsible for the management of the audit including the audit team. Key items that are included in the preparation stage are:

* Selection of the audit team
  When selecting the team, consideration must be given to the size of the organisation, the number of sites to be audited and the scope of the audit. At least one member of the team should have experience within the industry sector of the company being audited. Consideration should also be given to the competence of the auditors and independence of the auditors, i.e. no previous involvement in establishing the system to be audited.

* Logistics
  The Lead Auditor is responsible for ensuring all necessary hotel arrangements have been made and that any transportation requirements are resolved.

* Safety and Security
  The Lead Auditor is responsible for ensuring that any protective clothing needed is available. They are also responsible for obtaining any security clearance that may be required.

* Use of Company Facilities
  The only facilities needed by the audit team are facilities for report writing and possibly the use of a photocopier. Auditors should always remember that they are guests at the company.

Pre Audit

A Pre Audit is a service offered by all certification bodies although it is not mandatory for a company to have a pre-audit visit. It is however quite common in large organisations for a pre-assessment visit to take place. This will normally be conducted by the Lead Auditor on his/her own as a fact-finding mission to assist with the planning of the audit proper and in most cases will be accomplished in one day.
Selection of Guides

The assessment will be greatly assisted if the guides allocated have knowledge of the standard. Consequently the guide will understand:
a) What is happening
b) The methods being applied by the auditor
c) What the auditor is seeking
d) The language used by the auditor, therefore eliminating ambiguity that might otherwise result from the auditor's questions.

The "spin-off" benefit to the auditee will be the opportunity to observe first hand the needs for amendments to the audit system and also the opportunity for the guide to observe alternative auditing techniques.

Duties of Guides

Assist the auditor by answering questions briefly, honestly and politely without volunteering information which has not been directly requested.

Remember that a guide's function is what the name suggests and not that of auditor helping to uncover deficiencies. At the same time the guide should not be uncooperative but should remain helpful at all times.

The guide should acknowledge any objective evidence recorded by the auditor when requested by him/her to do so, i.e. verifying the facts only.

The smooth progress of the audit is helped considerably if a close rapport is quickly built between auditor and guide.

Bearing in mind that it is not the function of the guide to make judgements or interpretations of situations observed, the guide can nevertheless save embarrassing situations later by discreetly pointing to possible error on the part of the assessor.

Under no circumstances should a guide argue with or try to hustle an auditor to his next appointment; he must at all times bear in mind that the auditor runs the audit.

Stage Two

Team Briefing

When the audit team consists of more than one auditor, time should be allowed for a briefing prior to the opening meeting.
This will allow the Lead Auditor, who will have already been in touch with the auditee, to outline the company, its services, the structure of its management system and allocate areas to be audited. It is also an opportunity for the audit team to ask any questions prior to commencing the audit.

Performing the Audit

The Audit

* Has the management system been effectively implemented?
* Can the organisation demonstrate its ability to consistently provide product that meets customer and applicable regulatory requirements?
* Does the system provide a process for continual improvement?

The main part of the assessment is to establish if the quality management system has been implemented, that the organisation can demonstrate its ability to consistently provide product that meets customer requirements and applicable regulatory requirements, and that the system provides processes for continual improvement and prevention of nonconformity.

The auditor needs to establish and follow an audit trail from the management's establishment of policy, objectives and targets to the implementation and measurement of the objectives and targets.

Auditors need to review each process against the procedure or plan and establish if the outputs meet the input requirements and any specific quality objectives. At all times the auditor should bear in mind the eight quality management principles.

Where organisations have opted to not have procedures for a particular process, they must be able to demonstrate that they have the process under control. This may be in the form of training staff to carry out particular activities. In general a mixture of procedures, documentation and training of staff will control all activities within the organisation.

Is the Process Effective in Providing the Required Results?
The final part of the audit process is to establish if the processes are effective in providing the required result. The required results should be clearly defined as an objective. One of the objectives of the organisation as set by management will be the commitment to continual improvement. The improvement should be measurable and should focus on achieving customer satisfaction. The auditor needs to evaluate the continual improvement of the organisation and relate this back to the policy.

The final decision is taken by the Lead Auditor and is based on the information and data collected during the audit. Any nonconformity raised must be against the requirements of ISO 9001 or the organisation's quality management system. The auditor, when making the decision, should ignore minor, trivial and irrelevant information. The decision must take into account the organisation's ability to continually meet customer requirements and improvements in both process and product measurables.

All 3rd party audits should commence with a formal opening meeting with the management of the supplier. It should be remembered that this might be the first time that the two parties have met. This meeting is the place to set the rules of conduct and to address any outstanding issues. Typically the following agenda would be covered.

Introduction of team
The Lead Auditor should introduce the team, explaining any particular specialist roles.

Confirm the Scope and Assessment Standard and exclusions
At this point the Lead Auditor should confirm the scope of the assessment, the standard to which the company is being assessed (ISO 9001, PS 9000, AS9001) and the exclusions.

Confirm the Audit Programme
The Lead Auditor should confirm the audit programme including breaks, lunch, any review meeting, and the time of the closing meeting.
Explain the Reporting method
The Lead Auditor should explain how the findings of the audit will be reported and the meaning of Major and Minor nonconformities.

Confidentiality
The Lead Auditor should confirm that the audit is a confidential matter and that any information seen will be treated as such. It is worth mentioning that IRCA registered Auditors and Lead Auditors are bound by the code of conduct that requires confidentiality during all phases of the audit.

Confirm office Accommodation
Confirm office accommodation for report writing and briefings with the audit team if required.

Check industrial relations and Health & Safety
The Lead Auditor should check for any restricted areas, areas where protective clothing should be used and for any industrial relation problems that may affect the audit.

The Audit is taken on a Sample Basis
The Lead Auditor should explain that the audit is a sampling activity and subject to those limitations. Both acceptable and nonconforming aspects will be missed. The Lead Auditor should assure the management, however, that they will make samples as representative as possible and draw only reasonable conclusions.

Duties of the Guides
The Guides should be introduced and their role in the audit explained.

Confirm time of the closing meeting
When the above items have been covered, the Lead Auditor should ask for any questions prior to closing the opening meeting and starting the audit.

The Auditing Process

Throughout the audit the Lead Auditor should control the audit and manage the other auditors, giving help and advice where needed.

On entering an area the auditor should run over the audit plan for that area with the departmental representative and the guide. It is wise to listen to their advice as to the best sequence for the audit and then the checklist items can be worked through.
The auditor must also be sensitive to local customs and rules or regulations of the company being audited. This is especially important where issues of Health and Safety are concerned.

Throughout the audit the auditor should speak to the management and staff in a polite and professional manner whilst maintaining an appropriate level of etiquette. The objective of these conversations and questions is to determine if the system conforms to the specified standard.

If the auditor finds no nonconformities within an area he/she should move on to the next area and not continue the investigation hoping to identify nonconformity.

Do not wander around unaccompanied, due to reasons of health & safety, restricted or confidential areas.

Do not give opinions. As an auditor you are not offering consultancy but you are encouraged to raise opportunities for improvement.

Take clear and precise notes at all times as you will need to refer back to these at a later stage.

Do not be argumentative or confrontational. Remember that you are a guest on the site.

Do not audit for legal compliance. When auditing a management system for conformance with ISO 9001 or other quality management system, the auditor is not there to audit the company for legal conformance. They must however ensure that the product or service conforms to applicable legislation. The auditor must take into account industry or product requirements but ensuring that the company meets its legal objectives is not the role of the auditor. The auditor is not qualified to assess these requirements. If the company has stated specific requirements within its documented system then they are auditable against the procedure.

The records selected for review during the audit are selected on a random sample basis.
This will ensure a good coverage of all appropriate activities but, as it is only a sample, it is not a guarantee that nonconformities do not exist even if the audit does not identify them. There is therefore a risk that nonconformities may go unnoticed during an audit. This point must be covered at the opening meeting and again at the closing meeting.

The auditor should take notes of all relevant things seen during the audit. The decisions that the auditor makes will be based on the notes taken. The notes should include reference to documents seen, like Purchase Orders, Inspection Records, Contract Numbers, and staff interviewed. The auditor's notes should be retained as part of the audit records and as such must be legible and understandable. The format of the notes taken is up to the individual auditor, although many certification bodies have a standard form on which the audit notes should be recorded.

Opportunities for Improvement

One trap that the auditor should never fall into is stating how a certain function must be carried out. The auditor is there to carry out an audit against a standard and not give advice or take the role of a consultant. Auditors however should assist in improving the management system and should be encouraged to raise observations or recommendations for improvement where a potential weakness may exist.

If required to audit an integrated management system, which includes environmental conformance, then the auditor selected to carry out this audit should have the necessary skills to ensure that the company is legally compliant as far as environmental legislation is concerned.

Throughout the audit the auditor is looking for audit evidence that will verify conformance to the standard. It is not the role of the auditor to try and prove that a company does not conform to the standard.
This would be seen as a negative attitude and would only hinder the audit process.

The biggest challenge for the auditor is obtaining information from the auditee during the interview. The interviewee should not feel threatened by the auditor, so it is up to the auditor to make the auditee feel at ease by being friendly, showing interest and listening to what the auditee has to say.

There are typically three phases to an audit interview:

* The opening discussion
* Collecting information
* Conclusion

At the end of the interview the auditor should thank the auditee for their help.

Communication

Communication is a two-way process. The process of auditing involves a number of interviews with management and staff. Each interview is a conversation between two people where the auditor wishes to extract information about a given topic.

Communication involves not only the transfer of information but also the need for it to be received and understood.

TO HEAR IS TO FORGET
TO SEE IS TO REMEMBER
TO DO IS TO UNDERSTAND

A listener may not always hear what has been said. A variety of barriers may exist, thereby impeding the message transfer, e.g. loud noise from an adjacent power press, continued interruption by persons seeking advice from the listener, the physical disability of impaired hearing.

If the message is a long one the listener may well have forgotten the beginning before the end is reached. It follows that while the sender may feel that the message is explicit, the receiver nevertheless may not understand it or, worse still, they may feel that they have understood but in fact have got the meaning incorrect. An auditee may in fact not want to hear certain elements of a message and as a result shut them out. Under no circumstances must an auditor fall into that same trap. When they listen it must be to the complete reply.
Questioning Techniques

There are 5 fundamental types of questions, and the selection of the type of question to ask is where the skill of the auditor will show. The question types are:

* Open
* Closed
* Clarifying
* Leading
* Antagonistic

Generally do not ask closed questions, those requiring only a simple "yes or no" for an answer. A follow-up question will almost certainly be needed to extract the information you seek.

There may be times when a closed question is required, if for example the auditee is being evasive with their answers and you wish a precise yes or no answer.

The technique of the six honest serving men from Kipling's poem "The Elephant's Child" provides a useful guide to the asking of open questions:

"I keep six honest serving men
They taught me all I knew
Their names were WHAT and WHY and WHEN
and HOW and WHERE and WHO"

Asking questions beginning with What, Why, When, How, Where or Who makes it very difficult for the auditee to answer with a monosyllable.

The auditor's seventh honest serving man, using the expression "SHOW ME", is an ideal way to extract information without the need for verbal response.

An auditor should not put words into an auditee's mouth, e.g. "You keep a record of all those concessions of course?" Avoid such leading questions.

Do not ask multiple questions before obtaining a reply. Ask only one question at a time.

Do ask "what if" to establish if the system is robust and what is the effect on product quality.

Two of the most powerful questioning "tools" available to an auditor are:

Silence
If you feel that the auditee has left something unanswered, complete silence on your part for as long as ten or fifteen seconds can bring quite surprising results. An auditee will almost certainly try to fill the vacuum by expanding on their original response.
Active listening
The auditor needs to show the auditee that they are listening; there is little point in perfecting questioning techniques if the answer is going to pass unheard - it is hard for the auditor to listen while they are still talking. Auditors have 2 ears and 1 mouth, which gives some indication of the proportions in which they should be used.

It is difficult for an auditor to listen effectively if they are busy taking notes. When there is a need to take notes, they should be very brief, or made during a pause in the conversation. It is often worth asking the auditee to pause for a moment while the auditor makes the note.

The auditor should be an active listener. By making listening active the auditor is conveying to the auditee that they are worth listening to, that the auditor is interested, and is seeking to understand them and what they do. The auditor must first give the auditee their full and undivided attention in an environment that has minimal noise and distractions. Then they should actively listen. Examples of active listening include:

* Maintaining eye contact with the auditee.
* Nod your head, or smile when appropriate.
* Give verbal feedback.

The important things to avoid are:

* Not actively listening.
* Anticipating the auditee's answer, and interrupting the auditee to finish off the answer.

Excuses for a Closed Mind

1. We tried that before
2. That's not our responsibility
3. That's not my job
4. We are all too busy to do that
5. We don't have the time
6. We've never done it that way before
7. That's not our problem
8. Why change? It's working O.K.
9. It'll fail in the long run
10. We did all right without it
11. We've always done it this way

The following factors can all influence the success of an interview:

* Body language
* Tone of voice
* Facial expressions
* Points of emphasis
* Look of shock horror
* Gestures

All of these communication factors should be taken into account while conducting an investigation if it is to prove productive.

It is essential that the auditee should feel comfortable and relaxed if the auditor is to extract the maximum amount of information.

Above all else the auditor must not allow an interview to become emotive. If the pre-audit research has been effective the auditor will be aware of any sensitive situations that exist and should endeavour to adopt an approach that avoids them. It goes without saying that the auditor must not get emotive because of the way the audit is developing.

It is an indisputable fact that hardly anybody welcomes being audited. For that reason it becomes necessary for an auditor to do everything within their power to gain the confidence of the auditee.

While every auditor must adopt their own way of extracting information, there are certain principles that must be followed. It must be remembered that all the time the auditor is speaking they are not extracting information.

STOP TALKING - LISTEN

Remember, do not give opinions; you cannot tell the organisation how to run their business.

The audit should result in a win-win situation.

Team Briefing

The lead auditor should review the findings of the audit team. The lead auditor is responsible for generating the audit report and signing/authorising the findings and any nonconformity identified.

The Closing Meeting

When the audit has been completed the audit team must present their findings to the management and make their recommendation. Prior to the closing meeting the audit team should prepare their report under the supervision of the Lead Auditor. The Lead Auditor must approve all nonconformities raised based on the objective evidence recorded. The Lead Auditor makes the final recommendation.

Typically the following agenda would be covered.
Thank the management for their hospitality

Give out a Disclaimer Statement
A disclaimer statement is made during the closing meeting stating that although all the relevant requirements of the standard have been audited, the audit was based on a sampling activity, and that where no nonconformities have been identified this does not necessarily mean that none exist.

Confirm Confidentiality
The confidentiality of the audit findings would be reaffirmed.

Confirm the Scope and exclusions that the Audit was carried out against

The team present their findings
The members of the team would present their findings, explaining the objective evidence seen and how it contravenes the standard. The auditor should also present positive aspects of the audit, like the co-operation of staff.

Recommendation
The Lead Auditor would then make the recommendation, emphasising that the final decision rests with the certification body and not with the Lead Auditor.

Issue Documentation
The Lead Auditor would then issue the nonconformity reports and agree dates for corrective actions. The audit team should not make recommendations on how to resolve the nonconformities.

After covering these points the Lead Auditor should ask for questions and then close the closing meeting.

The Recommendation

Registration cannot be recommended if there are any Major Nonconformities identified.

Verification of Corrective Action

* Re Audit
* Receipt of objective evidence

Verification of Corrective Action must include an evaluation of the effectiveness of the corrective action. Has the root cause been identified and corrected?

The Audit Report

The audit report will generally consist of an audit summary, any nonconformity and/or observation reports and an outline plan for the next audit.

Any nonconformity or observation raised should add value to the organisation.
If petty nonconformities are raised, they will not add any value and will only serve to make the audit process a negative activity. The audit process should be used as a tool to move the business forward and assist the continual improvement process.

Having presented their findings the audit team should depart, but on occasions the audit team may be faced with the meeting not going according to plan.

Senior person is not at the closing meeting.
By the very nature of the closing meeting, most companies want their senior staff to be present to hear the recommendation first hand. However the Lead Auditor cannot insist that senior staff attend the meeting. The Lead Auditor should wait for a short period and try to ascertain if the senior management are going to attend. If they do not attend the Lead Auditor should chair the meeting with those that are in attendance. The Lead Auditor must ensure that the staff who are at the closing meeting have the authority to accept the findings of the report. Under no circumstances should the Lead Auditor cancel the closing meeting.

Corrective action taken since the nonconformity was raised.
It can happen that a minor nonconformity can be corrected quite quickly. If this has occurred then the Lead Auditor must be satisfied that the corrective action is sufficient and then record this fact as part of the report. The nonconformity still remains as part of the report.

Company wishes to alter the scope of the audit or the standard to which they were assessed.
The scope of the audit cannot be altered at the closing meeting. Minor changes to the wording in order to clarify the scope are allowed. The decision on which route to take then lies with the certification body.

Follow up Visits

Follow up visits are applicable where registration is not recommended.
The follow up visit is made by the Lead Auditor to verify that the corrective actions have been effectively implemented and that the quality management system is now compliant with the standard.

Surveillance Visits

Once the company has received confirmation of registration the certification body will programme surveillance visits to ensure that the company continues to maintain its quality management system. These visits are normally carried out on either a six or twelve monthly basis depending on the size of the company.

Section 9
Auditor Responsibilities, Attributes and Communication
C.M.C. International

Auditor Competence, Responsibilities, Attributes and Communication

Introduction

As you will now be aware, many internationally recognized standards exist within the field of quality assurance. Aside from the ISO 9000 series of standards relating to quality management systems and their respective guidance, there is a standard specifically targeted at the auditor.

* ISO 19011: 2011 - Guidelines on management systems auditing.

Before considering how we go about organizing and performing an audit it is appropriate to examine responsibilities and what attributes should be brought to the task. It should be stressed that an auditor's responsibilities are not normally confined to those activities performed at the time of the audit.

If there is to be a team of auditors then one member will be appointed as the lead auditor. By doing this, they take the ultimate responsibility for all phases of the audit and as such, should be given the authority to make final decisions regarding the conduct of the audit.

An auditor may be defined as "A person who conducts an audit".

A lead auditor (Audit team leader) is: "An auditor qualified and appointed to lead an audit team for a specific task".
These two definitions are extracted from ISO 19011.

Competence and Evaluation of Auditors

Each certification body/registrar should ensure that their auditors are competent to perform internal audits. The responsibility for this is normally with the audit program manager, with the competency requirements defined by management.

The following table is taken from ISO 17021: 2011, which defines the required knowledge and skills of auditors. X means the certification body shall define the criteria and depth of knowledge and skills. X+ indicates a need for deeper knowledge and skills.

[Table: knowledge and skills required for each certification function. Certification functions (columns): conducting the application review to determine the audit team competence required, to select the audit team members, and to determine the audit time; reviewing audit reports and making certification decisions; auditing and leading the audit team. Knowledge and skills (rows): knowledge of business management practices; knowledge of audit principles, practices and techniques; knowledge of specific management system standards/normative documents; knowledge of certification body's processes; knowledge of client business; knowledge of client products, processes and organisation; language skills appropriate to all levels within the client organisation; note-taking and reporting skills; presentation skills; interviewing skills; audit-management skills.]

For knowledge of client products, processes and organisation, where a team is performing the audit, the expertise needs to exist within that team or could be provided by a technical expert.

Where any audit is conducted by a team, the level of skills required should be held within the team as a whole and not by every individual member of the team.

The team leader of a combined or integrated audit should have an in-depth knowledge of at least one of the standards and is required to have an awareness of the other standards used for that particular audit.

NOTE: Risk and complexity are other considerations when deciding the level of expertise needed for any of these functions.

The determination and evaluation of competency process is now fundamentally important to ensure that auditors are competent to conduct audits with both the necessary audit discipline as well as the industry sector skills.

Auditors may be required to audit different disciplines such as quality, environmental or health & safety, as well as different industry sectors, such as automotive, aerospace, and chemicals. Organisations need to ensure that the auditors used are competent for the relevant discipline and process.

Competence and Evaluation of Auditors

Each organisation should ensure that their auditors are competent to perform audits. The same principle is applicable for all types of audit: 1st, 2nd or 3rd party audits. The responsibility for this is normally with the audit program manager, with the competency requirements defined by management.

Evaluation Process

The evaluation process involves four main steps:

Step 1 - Determine the competence of audit personnel to fulfil the needs of the audit program
Step 2 - Establish the evaluation criteria
Step 3 - Select the appropriate evaluation method
Step 4 - Conduct the evaluation

Each organisation should establish the levels of education, work experience, auditor training and audit experience an auditor needs to gain the knowledge and skills appropriate to the audit program. Examples include number of years of work experience, number of hours of auditor training, number of audits to observe, and number of audits conducted.
The evaluation of auditors occurs at the following different stages:

* The initial evaluation of persons who wish to become auditors
* The evaluation of the auditors as part of the audit team selection process
* The continual evaluation of auditor performance to identify needs for maintenance and improvement of knowledge and skills

Methods of performing the evaluation include:

* Feedback and post audit reviews
* Interviews
* Observation
* Testing

Achieving Auditor Competence

Auditor knowledge and skills can be acquired using a combination of the following:

* Formal education/training and experience that contribute to the development of knowledge and skills in the management system discipline and sector the auditor intends to audit
* Training programs that cover generic auditor knowledge and skills
* Experience in a relevant technical, managerial or professional position involving the exercise of judgment
* Decision making, problem solving and communication with managers, professionals, peers, customers and other interested parties
* Audit experience acquired under the supervision of an auditor in the same discipline.

Knowledge and Skills

Generic for Management System Auditors

Auditors should possess the knowledge and skills necessary to achieve the intended results of the audits they are expected to perform. All auditors should possess generic knowledge and skills and should also be expected to possess some discipline and sector-specific knowledge and skills.
Audit team leaders should have the additional knowledge and skills necessary to provide leadership to the audit team:

* Audit principles, procedures and techniques: knowledge and skills in this area enable the auditor to apply the appropriate principles, procedures and methods to different audits, and to ensure that audits are conducted in a consistent and systematic manner
* Management system and reference documents: knowledge and skills in this area enable the auditor to comprehend the audit scope and apply audit criteria
* Organisational context: knowledge and skills in this area enable the auditor to comprehend the auditee's structure, business and management practices
* Applicable legal and contractual requirements and other requirements that apply to the auditee: knowledge and skills in this area enable the auditor to be aware of, and work within, the organisation's legal and contractual requirements.

Discipline and Sector Specific Knowledge and Skills for Management System Auditors

Auditors should have the discipline and sector-specific knowledge and skills that are appropriate for auditing the particular type of management system and sector.

It is not necessary for each auditor in the audit team to have the same competence; however, the overall competence of the audit team needs to be sufficient to achieve the audit objectives.
The discipline and sector-specific knowledge and skills of auditors include the following:

* Discipline-specific management system requirements and principles, and their application
* Legal requirements relevant to the discipline and sector, such that the auditor is aware of the requirements specific to the jurisdiction and the auditee's obligations, activities and products
* Requirements of interested parties relevant to the specific discipline
* Fundamentals of the discipline and the application of business and technical discipline-specific methods, techniques, processes and practices, sufficient to enable the auditor to examine the management system and generate appropriate audit findings and conclusions
* Discipline-specific knowledge related to the particular sector, nature of operations or workplace being audited, sufficient for the auditor to evaluate the auditee's activities, processes, and products (goods and services)
* Risk management principles, methods and techniques relevant to the discipline and sector, such that the auditor can evaluate and control the risks associated with the audit program

Specific for Quality Management System Auditors

Quality management system auditors should have knowledge and skills in the following areas:

* Quality-related methods and techniques: to enable the auditor to examine quality management systems and to generate appropriate audit findings and conclusions. Knowledge and skills in this area should cover:
  * Quality terminology
  * Quality management principles and their application
  * Quality management tools and their application (for example statistical process control, failure mode and effects analysis, etc.)
* Processes and products, including services: to enable the auditor to comprehend the technological context in which the audit is being conducted. Knowledge and skills in this area should cover:
  * Sector specific terminology
  * Technical characteristics of processes and products, including services
  * Sector specific processes and practices

Audit Team Leaders (Lead Auditor)

An audit team leader should have acquired additional audit experience to develop the knowledge and skills required. This additional experience should have been gained by working under the direction and guidance of a different audit team leader.

Maintenance and Improvement of Competence

Continual Professional Development

Continual professional development is concerned with the maintenance and improvement of knowledge, skills and personal attributes. This can be achieved through means such as additional work experience, training, private study, coaching, attendance at meetings, seminars and conferences or other relevant activities. Auditors should demonstrate their continual professional development.

The continual professional development activities should take into account changes in the needs of the individual and the organisation, the practice of auditing, standards and other requirements.

Maintenance of Auditing Ability

Auditors should maintain and demonstrate their auditing ability through regular participation in audits of quality management systems.
Auditor Responsibilities

An auditor should be able:

* To apply audit principles, procedures and methods
* To plan and organize the work effectively
* To conduct the audit within the agreed time schedule
* To prioritize and focus on matters of significance
* To collect information through effective interviewing, listening, observing and reviewing documents, records and data
* To understand the appropriateness and consequences of using sampling techniques for auditing
* To verify the relevance and accuracy of collected information
* To confirm the sufficiency and appropriateness of audit evidence to support audit findings and conclusions
* To assess those factors that can affect the reliability of the audit findings and conclusions
* To use work documents to record audit activities
* To document audit findings and prepare appropriate audit reports
* To maintain the confidentiality and security of information, data, documents and records
* To communicate effectively, orally and in writing (either personally or through the use of interpreters or translators)
* To understand the types of risks involved with auditing

Audit Team Leaders (Lead Auditor) Responsibilities

Audit team leaders should have additional knowledge and skills in audit leadership to facilitate the efficient and effective conduct of the audit.
An audit team leader should be able:

* To balance the strengths and weaknesses of the individual audit team members
* To develop a harmonious working relationship among the audit team members
* To plan the audit and make effective use of resources during the audit
* To protect the health and safety of the audit team members during the audit
* To represent the audit team in communications with the auditee
* To organize and direct audit team members
* To provide direction and guidance to auditors-in-training
* To lead the audit team to reach the audit conclusions
* To prevent and resolve conflicts
* To prepare and complete the audit report

Personal Attributes

Auditors should possess personal attributes to enable them to act in accordance with the principles of auditing. An auditor should be:

* Ethical, i.e. fair, truthful, sincere, honest and discreet
* Open-minded, i.e. willing to consider alternative ideas or points of view
* Diplomatic, i.e. tactful in dealing with people
* Observant, i.e. actively observing physical surroundings and activities
* Perceptive, i.e. aware of and able to understand situations
* Versatile, i.e. able to readily adapt to different situations
* Tenacious, i.e. persistent, focused on achieving objectives
* Decisive, i.e. able to reach timely conclusions based on logical reasoning and analysis
* Self-reliant, i.e. able to act and function independently while interacting effectively with others
* Acting with fortitude, i.e. able to act responsibly and ethically, even though these actions may not always be popular and may sometimes result in disagreement or confrontation
* Open to improvement, i.e. willing to learn from situations, and striving for better audit results
* Culturally sensitive, i.e. observant and respectful to the culture of the auditee
* Collaborative, i.e. effectively interacting with others, including audit team members and the auditee's personnel

An auditor should not:

* Be critical - Record your discrepancy without verbal criticism. Especially do not criticize other parts of the system or the management to the auditee.
* Be sidetracked - When following a particular trail do not allow yourself to be led in a different direction by other events.
* Argue - An auditor's job is to obtain audit evidence and record it, not to discuss the pros and cons of the situation.
* Swear - This will leave you wide open to criticism and indeed is unethical.
* Be late - Be punctual.
* Be sarcastic - This is not conducive to establishing the right sort of auditor-auditee relationship.
* Compare - Neither a manager nor a machine operator wishes to know that others amongst their peers are doing a better job, and it bears no relevance to an audit.
* Pass opinions - In an audit this is something an auditor should never do.
* Apportion blame - It is not your function as an auditor. While allocating nonconformity to a particular process, department and clause of the standard, you must refrain from anything further.

Independence of the Auditor

Although auditor independence from the activity being audited is mandatory within systems designed to comply with ISO 9001, ISO 19011 also states: "Auditors need to be free from bias and any conflict of interest".

The auditee is defined in ISO 19011 as "The organisation to be audited".
Responsibilities of the Auditee

* Cooperate with the auditor
* Inform employees about the objectives of the audit and its scope
* Provide access to relevant facilities and provide information when required by the auditor as objective evidence
* Provide suitable guides for the auditor
* Provide resources to the auditor to assist them in the audit
* Review audit findings with the auditor at intermediary meetings and implement the necessary corrective action to agreed non-conformance

Non Co-operation of Auditees

An organisation or members of its management team may use a number of ploys that inhibit the progress of a comprehensive audit. A third party audit is essentially a sampling process anyway, and any tactics that reduce the extent of the audit are to be deplored but nevertheless may be experienced at some time or another by an auditor. These fall mainly into the category of time wasters such as:

* The WAFFLER who talks at great length about matters of no importance.
* The LONG WAY ROUND where a guide wastes time by not taking the shortest route to the place of the audit.
* The FORGOTTEN DOCUMENT that makes it necessary to return to the other side of the plant.
* The LATE ARRIVAL of a key member of the organisation's management.
* The LONG LUNCH which the organisation may try to persuade the auditor to take.
* The INTERRUPTION, which managers may engineer.
* The CLEAN ROOM. An attempt may be made to preclude entry for audit.
* The PITY ME. Where the quality manager implies that his job is on the line if the organisation fails to get approval.
* The BRIBE. Although distasteful and rarely experienced, the offer of a bribe is not unknown where obtaining certification is vital to the organisation's existence. If it arises it is likely to be offered in a subtle manner.

Section 10
Report Writing and Follow Up
C.M.C. International

Report Writing and Follow Up

Introduction

The writing and categorising of non-conformity notes is one of the essential skills that an auditor must develop. The method and presentation of the findings of an audit will vary from company to company, but no matter what format is used, effective reporting will lead to effective corrective actions being taken.

It is the Lead Auditor's responsibility to ensure that all reports raised during the course of an audit comply with the guidelines issued by his/her own organisation.

Non-conformity Categories

It is unusual for a company to categorise its non-conformities for internal audits and they may or may not do so with Second Party audits of their suppliers. This does not mean however that the organisation in question should not prioritise the corrective action according to the magnitude of the problem and commensurate with the risks encountered.

However, Third Party audit non-conformities require categorisation and they generally fall into two types - MAJOR and MINOR. Some certification bodies use other terminology.

Ministry of Defence audits to AQAP Standards used a third category best described as Critical, but use a numbering system of 1 for Critical, 2 for Major and 3 for Minor non-conformity.

Non Conformity Categorisation

IAF Guidance for the application of ISO 17021 defines a non-conformity as:

The absence of, or the failure to implement and maintain, one or more quality management system requirements, or a situation which would, on the basis of available objective evidence, raise significant doubt as to the quality of what the organization is supplying.
ISO 9000: 2005 defines nonconformity as:

Non fulfillment of a requirement

Certification Bodies are free to publish different grades of deviation and areas for improvement.

A MAJOR non-conformity may therefore be defined as:

* Absence of mandatory documentation
* Specified standard requirement not implemented
* Product not meeting legal requirements (CE Marking, Food Safety Management system (HACCP))
* High number of minor NC against one clause

Examples of MAJOR non-conformities are:

* Inappropriate, inadequate or total absence of procedures required by the Standard. In the case of a Third Party audit these should have been identified in the initial stages when the documentation is assessed.
* Combined effect of failure to follow laid down procedures across a broad spectrum of the company's operations.
* Consistent failure to carry out corrective actions within the agreed time-scale from previously identified NCRs.
* Several examples of informal and unauthorised drawing/planning changes.
* Considerable number of items of measuring and standards equipment uncalibrated or outside the calibration date.

Consequences:

* A single Major Non Conformity will mean that approval of a company's management system cannot be recommended.
* Certification cannot be granted until all nonconformities have been corrected and the corrective action verified by the certification body by a site visit or other appropriate means.
* Certification to ISO 9001 cannot be denied on the grounds that the organisation does not comply with matters not covered by the applicable standard.

Minor Non Conformity

A single lapse against the requirements of the standard or the company's documented quality system.

Examples of MINOR non-conformities are:

* Isolated examples of deficient record keeping on Contract Reviews or Design Reviews
* Isolated examples of test equipment uncalibrated or out of calibration date.
* Isolated examples of obsolete documents retained in quality manual, procedures manuals or work instructions.
* Isolated examples of unauthorised and unrecorded drawing changes.
* Isolated examples of drawings unchecked.

Auditors must remember that any nonconformity raised should not be of a trivial nature. The audit process is there to add value to an organisation and the raising of non value adding nonconformities will only result in the whole audit process not helping the organisation to move forward.

Observations/Opportunity for Improvement

* Process for adding value to the management system.
* Identifying potential weaknesses in the system

Certification Bodies have differing views with regard to the recording of observations and OFIs. There is merit in the recording of observations and OFIs. They enable an auditor to spotlight two different types of situation arising:

* Where an inconsistency/deficiency exists but cannot be registered as a non-conformity because it does not contravene the words of the Standard or the documented procedures although there is obviously something wrong; and
* Where a situation exists that does not justify the raising of a non-conformity report but it is likely to deteriorate to a condition of non-conformity if no attention is given to it to pre-empt that happening.

There is also a growing tendency amongst individual auditors to record an observation rather than a Minor NCR in the case of a borderline situation. This is only possible of course with those Bodies using observations as part of their assessment recording system.

Report Writing

When writing a nonconformity report it must be:

* Factual
* Value adding

It should not be:

* Trivial
* Of no benefit

The first thing that must be considered is who is actually going to read the report and what action they will be required to take as a result.
In order to take action it is essential that all who need to read such a report can understand the problem it refers to. The company's management representative and the management of the department concerned are obvious choices as they will most likely be the people who have to take the corrective action. The Lead Auditor will normally also discuss each individual non-conformity report with these people at the daily review or closing meeting. Hence any clarification required can be dealt with verbally.

However, there are also a number of other people who will read the report but may not be in a position to receive verbal clarification from the Lead Auditor. Therefore it is essential that the Lead Auditor ensures every non-conformity report raised by the team is both factual and explicit in order to meet the possible needs of the following:

Who is going to read the report:

* The management of the auditee
* The auditor's management
* Colleagues who may have to verify the corrective action at the next surveillance visit

Auditors should avoid expressing their personal opinions and above all avoid appearing petty or pedantic. You and your organisation will be judged by the written reports long after the audit has been completed and the team has left the site.

In the case of 3rd party audits the non conformance reports require certain basic items of information to be recorded. These will generally include:

* Company name and site
* Department or area where the non-conformity was found
* Date
* Standard and clause number that the non-conformity has been raised against
* Unique reference number
* Category of the non-conformity
* The Audit evidence
* Name/Signature of Auditor
* Name/Signature of Auditee

Certification Bodies will use their own design of NCR form but most of them will have special boxes within which to record the above information somewhere on the NCR form.
A much larger section of the form will be available in which to record details of the non-conformity and its category (this is usually in a separate box).

The details will include the nature of the non-conformity and will identify the non-conforming element (e.g. gauge number, operation, etc.).

When an assessor is satisfied that he has audit evidence identifying a problem he will record the relevant details e.g. location, document, title, issue no., copy no., part no. etc. and get the accompanying guide to witness the recorded details.

The wording must be clear and unambiguous and as brief as possible. Wherever possible try to use the actual words or phrases of the standard or the company's own procedures to maintain objectivity, e.g.

"The company were unable to provide evidence that the MK3 test bed had been calibrated against national or international standards as required by company procedure CALIONT Iss.2"

Avoid generalities; always state sufficient objective evidence to indicate the scope of the problem, e.g.

"From a random selection of 30 purchase orders raised on 10 sub-contractors over the past 6 months it was noted that 7 had been issued without any evidence of prior review and approval by the company's General Manager as required by the company's procedure Pur/016 Iss.3"

Auditors will vary their tactics as to the completion of non-conformity reports at this point. Some auditors will complete non-conformity reports at the time of establishing the objective evidence but there is advantage gained by the alternative tactic of recording the evidence and writing out the NCR at lunch breaks or other interim meetings especially if it is an audit using more than one assessor.

The Lead Auditor is responsible for the approval of all nonconformities, therefore it is a good policy for the objective evidence to be presented to the Lead Auditor prior to completing the NCR.
If a number of Auditors have each identified one or two nonconformities against a particular clause of the standard, individually they may only be classified as minor nonconformities. In the role of Lead Auditor you are responsible for collating all evidence and in this situation the completion of one NCR which includes objective evidence from all areas would suffice. The nonconformity may possibly now be classified as a major.

The NCR form will also have sections for recording names and signatures of the auditor and the team leader. Also a space for acknowledgement of the non-conformity by the company's representative.

Also catered for on this or an accompanying form will be spaces allocated to:

1. the company's proposed corrective action, completion date
2. follow-up action and close-out by the Certification Body
3. name and signature of the Auditor and date of close out

In the case of a 3rd Party Audit no advice will be given by the auditor on corrective action.

Companies will use their own designs of NCR form for Second and First Party audits.

Corrective Action

The major difference between a third party audit and a first or second party audit non-conformity is with regard to corrective action.

The auditor in a certification assessment will list the non-conformity but will not contribute with any advice on the methods used in taking that corrective action. However the Certification Body will expect a written proposal from the Company under audit on their intended corrective actions and their time scale.

However in the case of a first or second party audit the auditor may agree with the departmental manager what form of corrective action will be applied to the non-conformity to put it right and ensure that there is no recurrence of the deficiency.
They will also agree on a time-scale needed to carry out that corrective action. As a result of Internal/External Audits the Non-conformity Report Form (NCR) may take the title Corrective Action Report Form (CAR).

When evaluating corrective action, the auditor must ensure that the corrective action is effective and that the corrective action process reviews the root cause of the problem. Auditors may come across many differing methods for analysis of nonconformity, problem solving, and root cause analysis.

The Assessment Report

* Cover Page
* Audit Summary
* Areas Audited
* Non conformities/OFI
* Plan for next visit

Whilst the nonconformity report may be the document that details areas for corrective action, this is only one part of the Assessment Report.

The structure of the assessment report will vary from one certification body to another but in general they will contain the same information.

There will be a cover page with the client details, report number, names of audit team members, names of client representatives, type of assessment i.e. initial or surveillance, scope of the management system, number of employees, an accurate summary of the audit and the recommendation of the lead auditor. It is generally this page that both the lead auditor and the client sign as agreement that the assessment report is factual and that both parties agree with the findings.

A second page will generally show which areas of the organisation were audited and which clauses of the standard were covered in those particular areas. The page will generally be in the form of a matrix and would also summarise any nonconformities or observations raised by area.

The nonconformities will be either listed on separate pages or all on one page.
Some nonconformity reports will also have a space for corrective action; other certification bodies will have a separate document or no specific document at all.

The final page will generally be an outline plan for the next visit.

Issue Level 4 November 2010 CMC International Section 10

Section 11 Continual Improvement
C.M.C. International

Objectives, Measurement and Continual Improvement

Introduction

In order for auditors to fully understand different methods that a company may use to analyse areas of concern, problems, and nonconformity, and then to implement corrective action and continual improvement, they need to appreciate some of the different techniques that they may come across so that they can effectively assess them. These methods can also be used to move an organisation toward its stated objectives.

Objectives can be set in a number of different areas. These could include:

* Strategic objectives for the company
* Process improvement objectives
* Product improvement objectives

In order to achieve objectives, they must be measurable.

The continual improvement process can take the form of two different approaches:

* Strategic breakthrough projects
* Small step continual improvements

Improvement refers to the actions taken to enhance the features and characteristics of products and/or to increase the effectiveness and efficiency of processes used to produce and deliver them. Such actions include the following:

a) Defining, measuring and analysing the existing situation
b) Establishing the objectives for improvement
c) Searching for possible solutions
d) Evaluating these solutions
e) Implementing the selected solutions
f) Measuring, verifying, and analysing results of the implementation
g) Formalising changes

Continual improvement is the term used when quality improvement (increasing effectiveness and efficiency) is progressive and the organisation actively seeks and pursues improvement opportunities.
A project manager generally manages strategic breakthrough projects. These would include the complete re-designing of a process in order to improve efficiency, reduce material handling, and reduce labour content. The results of these projects would generally result in the re-writing of the process plan and small step improvements would then continue.

Small step continual improvements are generally small improvements made by the organisation at a local level.

Typical Techniques/Quality Tools for problem solving and continuous improvement could include:

* An analysis of overall equipment effectiveness
* Benchmarking
* Mistake proofing
* Parts per million analysis
* Pareto Analysis
* Process Flow Diagrams
* Theory of constraints
* Force field analysis
* Cause & Effect - Fishbone Diagram
* Six Sigma

PROBLEM SOLVING

Different ways of thinking when solving a problem:

* Analytical Thinking
* Creative Thinking

Analytical Thinking

This is taking a problem and thinking it out stage-by-stage and progressing uniformly from one established fact to the next. It is objective and disciplined, it checks and verifies. When analytical thinking is introduced, judgements and decisions must then be made and acted upon.

Creative Thinking

It is difficult to define, it ranges freely, it makes random associations and it can find new and unexpected solutions. This type of thinking is associated with the subconscious mind; often a solution to a problem presents itself whilst you are thinking of something totally different.

Issue Level 2 October 2003 CMC International Section 11

Examples

Cause and Effect - Fishbone Diagram

This technique enables a team of people to identify, explore, and graphically display, in increasing detail, all of the possible causes related to a problem or condition to discover its root cause.

[Figure: fishbone diagram. Effect: Late Delivery of Product. Bones shown: Machinery/Equipment, Methods, Materials.]

The second stage is to analyse each individual bone.

[Figure: fishbone diagram, second stage. Labels shown: Machinery/Equipment, Late Delivery of Product, Methods, Materials.]

Each stage is then repeated by analyzing each bone and asking the question "Why does it happen?", e.g. "Why do the cars keep breaking down?"

Cause - cars breaking down could be that the young drivers employed can only afford old cars. This could be broken down again: "Why can they only afford old cars?" Cause - low pay, therefore no money for better cars.

Decisions are then made where possible to improve the effect on the end user, i.e. by eliminating some of the causes, the effect on the customer will improve.

Pareto Analysis

Pareto analysis is used:

* To display the relative importance of causes
* To choose a start point for problem solving
* To compare 'before' and 'after'
* To break down broad causes into components
* To compare data over different time periods

The Pareto Principle

80% of problems are often due to only 20% of the causes (The Vital Few). The remaining 80% causes account for only 20% of the problems or errors (The Trivial Many).

20% of the | 80% of the
Population cause | Accidents
Population cause | Crime
Population provide | Postage revenue
Population provide | Telephone revenue
Population drink | Beer
Population drink | Wine
Railway passengers provide | British Rail Revenue
Population use | Gas

Six Sigma Process

A management philosophy that uses customer-focused measurement and aggressive goal setting to drive breakthrough performance in demonstrated and validated business results.

Six Sigma methodologies were first developed at Motorola and have been adopted by General Electric, Ford, Allied Signal and many other high performance companies.
The six sigma process is now being used by many organisations; it can be summarised into the following steps:

* Define
* Measure
* Analyse
* Improve
* Control

Section 12 IRCA Auditor Registration Scheme
C.M.C. International

IRCA Auditor Registration Scheme

The national registration scheme for auditors of quality management systems that exists in the UK is operated by the IRCA (International Register of Certificated Auditors). The scheme is controlled by an independent governing board which consists of corporate members of the Chartered Quality Institute, CQI, (formerly the Institute of Quality Assurance, IQA) with assessment experience and members nominated by representative user organisations and is administered at the CQI head office in London.

Criteria for IRCA Auditor registration

An auditor shall be competent in the discipline being assessed, familiar with the relevant quality system standards and able to exercise judgement against the criteria of the standards. Auditors must be able to communicate clearly in writing and orally. An Auditor shall have a combination of qualifications and experience as required by the IRCA.

Criteria for Internal Provisional Auditor Registration

Minimum secondary level education, with 5 years' work experience or 4 years' work experience with a degree. One year should be in a quality related role. IRCA Certified ISO 9001 Foundation and IRCA Certified QMS Internal Auditing course.

Criteria for Internal Auditor Registration

The applicant should have at least secondary education and five years' work experience. Four years is acceptable if the applicant has a degree or near degree qualification. At least one year should be quality work experience. The applicant must have successfully completed an IRCA certified QMS Internal Auditor course and an IRCA certified ISO 9001: 2008 Foundation course. The applicant must have also completed five audits totalling at least 15 hours.
Criteria for Provisional Auditor Registration

The applicant should have relevant academic qualifications (secondary education), work experience (Five years or Four years with a degree or near degree), quality experience (Two years) and have successfully completed either an IRCA certified QMS ISO 9001: 2008 Auditor/Lead Auditor course presented by an IRCA approved Training Organisation or a QMS ISO 9001: 2008 auditor training course certified by another training approval body recognised and accepted by IRCA as being of an equivalent standard. This training should generally have been received within the three-year period prior to application.

Criteria for Auditor Registration

To be registered as an auditor the applicant should meet the above requirements plus have auditing experience. (A minimum of 4 audits must be completed). All experience submitted must not total less than 20 days duration, at least 10 of which must have been acquired on site.

Issue Level 10 April 2013 Section 12

Criteria for Lead Auditor Registration

To be registered as a Lead Auditor the applicant must meet the above requirements plus have carried out a minimum of 3 audits as leader of a team of two or more auditors. The duration of these audits shall not be less than 15 days.

Criteria for Principal Auditor Registration

This grade is designed as an alternative to the Lead Auditor grade and is aimed at two categories of auditor:

* Auditors with a background in quality consulting (whose key competences are implementing quality systems and performing all aspects of the audit process without assistance).
* Auditors with a background in leading audit teams (as lead auditors) but who now audit on their own (whose key competence is audit management and team leadership).

It is not intended that auditors hold both grades as they are considered to be equivalent grades.
Full criteria for each grade can be found on the IRCA web site www.irca.org

In addition to the above, all IRCA auditors are required to continuously update professional knowledge, personal skills and competencies. This is known as Continuing Professional Development (CPD). Auditors are required to have completed 45 hours of CPD spread equally over the previous three years.

The IRCA Code of Conduct that must be complied with by all registered auditors is as follows:

IRCA Code of Conduct

All certified auditors are required to agree to act in accordance with, and be bound by, the following Code of Conduct:

1. To act in a strictly trustworthy and unbiased manner in relation to both the organisation by which they are employed, contracted or otherwise formally engaged (the audit organisation) and any other organisation involved in an audit performed by them or by personnel under their direct control.
2. To disclose to their employer any relationships they may have with the organisation to be audited before undertaking any audit function in respect of that organisation.
3. Not to accept any inducement, gift, commission, discount or any other profit from the organisations audited, from their representatives, or from any other interested person nor knowingly to allow personnel for whom they are responsible to do so.
4. Not to disclose the findings, or any part of them, of the audit team for which they are responsible or of which they are part, or any other information gained in the course of the audit to any third party, unless authorised in writing by both the auditee and the audit organisation to do so.
5. Not to act in any way prejudicial to the reputation or interest of the audit organisation.
6. Not to act in any way prejudicial to the reputation, interests or credibility of IRCA.
7. In the event of any alleged breach of this code, to co-operate fully in any formal enquiry procedure.
More detailed information on IRCA registration is available from the tutors or by contacting the IRCA at:

International Register of Certificated Auditors
2nd Floor
Chancery Exchange
10 Furnival Street
London EC4A 1AB
Tel: 44 (0) 20-7245 6833
Fax: 44 (0) 20-7245 6755
www.irca.org

Chartered Quality Institute

CONFIDENTIAL TO IRCA APPROVED TRAINING ORGANISATIONS

Examination QMS Specimen Paper for IRCA Quality Management Systems Auditor/Lead Auditor Training Courses (IRCA/2245)

Please write your name and the date in the space below.

Name:
Date:

THESE SPACES ARE FOR OFFICIAL USE ONLY

Section | Marker 1 | Marker 2 | Pass mark | Maximum
1 | | | 2s | 10
2 | | | 10 | 20
3 | | | 15 | 30
4 | | | 15 | 30
Total | | | 63 | 90

Name of Marker:
Confirmed Result:

This examination is closed book.

* A clean copy of ISO 9001 and a bilingual dictionary are the only items permitted for reference.
* Electronic devices, including laptops and mobile phones, are not permitted into the examination room.

Exceptions may be granted to students with special needs. Any such arrangement must be with the prior written agreement of the IRCA Approved Training Organisation and shall include a record of appropriate precautions that will be taken to ensure the fairness and security of the examination process and examination questions.

IRCA/145 QMS Specimen 13/2 © IRCA January 2013 - All rights reserved. IRCA examination paper QMS Specimen, amended for use on certified course 17034 operated by CMC International (UK) Ltd. Page 1 of 23
