As9100 Interpretations

Bureau Veritas Certification Interpretations of The Standard.
Guidance for Quality Management System Auditors.

Expectations for Companies Certifying to AS9100.
Bureau Veritas Certification has established certain minimum expectations for companies who
wish to register their Aerospace Quality Management Systems (AQMS) to AS9100. These
expectations are based upon our understanding of the requirements of the standard and the
requirements for third party registration/certification to the standard gained through our
collective experience in auditing quality management systems of many varied applications.
Additionally, The ISO Technical Committee (TC) has developed several guidance documents for
various requirements of ISO9001:2000 that are applicable to the requirements of AS9100. These
documents are available to the public via Internet website http://www.bsi.org.uk/iso-tc176-sc2.
These documents are referred to throughout this document.
Auditor Notes:
This document is not intended to add to, minimize, or in any way modify the requirements of the
standard and the requirements for accredited certification to the standard. It is meant to be a
guidance tool for Bureau Veritas Certification auditors providing common understanding on the
intent of the standard and certification requirements in addition to providing clarification of the
text. For organizations seeking registration/certification, this document provides insight as to the
expectations of Bureau Veritas Certification auditors.
In order to claim conformity with AS9100, the organization has to be able to provide objective
evidence of the effectiveness of its processes and its quality management system. Clause 3.8.1
of ISO 9000:2000 defines Objective evidence as Data supporting the existence or verity of
something and notes that Objective evidence may be obtained through observation,
measurement, test or other means. Objective evidence does not necessarily depend on the
existence of documented procedures, records or other documents, except where specifically
mentioned in AS9100. In some cases, (for example, in clause 7.1{d} Planning of product
realization, and clause 8.4 Monitoring and measurement of product), it is up to the organization
to determine what records are necessary in order to provide objective evidence.
1 OF 61
AS Interpretation Rev. 0 - May 9, 2007

AS9100 Interpretations
Element 4: Quality Management System
4.1: General
Section 4.1 includes the general requirements that must be met in order to establish, implement
and continually improve the effectiveness of a quality management system meeting the
requirements of the standard. These requirements are referenced to and/or further defined in
subsequent clauses of the standard. Table A, shown below, contains the cross-linked references.
Continual improvement of the effectiveness of the quality management system may be reflected
in a number of different areas. These may include:

Quality objectives;
Corrective and preventive actions;
Internal audits;
External audits;
Review of customer satisfaction surveys and associated action items;
Operation meetings producing improvement actions;
Actions initiated by suggestion programs;
Process Changes;
Infrastructure and environment changes;
Management Reviews
If continual improvement has become a way of life for a company, it is unlikely that a
demonstration of company wide continual improvement will come from only a few sources.
System deterioration would not necessarily lead to non-conformity if all actions were positive
and the improvement path is still evident and logical. The system would be questionable if the
company did not recognize it or had not reacted to the issues appropriately.
Note: It is the responsibility of the company to demonstrate improvement rather than the
auditor to look for it. Accordingly, it is useful audit practice to ask management to
identify any improvement initiatives taken since the previous visit, and any planned for
the future.
4.1 a) Process identification Bureau Veritas Certification auditors will expect to see a process
model that explains the key processes of the business and how each relates and links to the
others. The depth of process explanation may be as detailed as the company chooses, but should
2 OF 61

be based on its customer and applicable regulations or statutory requirements, the nature of its
activities and its overall corporate strategy. In determining which processes should be
documented the organization may wish to consider factors such as:

Effect on quality
Risk of customer dissatisfaction
Statutory and/or regulatory requirements
Economic risk
Effectiveness and efficiency
Competence of personnel
Complexity of processes
Bureau Veritas Certification promotes the identification of Customer Oriented Processes

(COPS), Support Oriented Processes (SOPS) and Management Oriented Processes (MOPS)
while defining processes however, this is not a requirement. The auditor must see evidence that
the organization has identified and defined their processes.
The ISO TC document - ISO/TC 176/SC 2/N 544R - ISO 9000 Introduction and Support
Package: Guidance on the Concept and Use of the Process Approach for Management Systems,
provides basic information for understanding application of the process approach. The bulletin
defines a process as: A Process can be defined as a Set of interrelated or interacting
activities, which transforms inputs into outputs. These activities require allocation of resources
such as people and materials (http://www.bsi.org.uk/iso-tc176-sc2).
4.1 b) Sequence and interaction of these processes The interactions of the processes must
somehow be described in the quality manual (4.2.2 c). The organization is not required to
produce system maps, flow charts, lists of processes etc. as evidence to demonstrate that the
processes and their sequence and interactions were identified. Such documents may be used by
organizations should they deem them useful, but are not mandatory. Graphical representation
such as flow-charting is perhaps the most easily understandable method for describing
interactions between processes. Other possible methods may include: documentation prepared
for implementation of the product management system (SAP, SYMIX, MRP, etc); deployment
flowcharts; and pictorial diagrams.
The Completion of the Bureau Veritas Certification process matrix provides the relationship
between the organizations processes and the requirements of ISO9001:2000 however does not
show the interaction between the identified processes. If the organization chooses to use the
process matrix to show interaction, it must be supplemented with another method to show
process interaction. The Bureau Veritas Certification process matrix must be completed in order
to assist in the scheduling of the organizations audits.
3 OF 61

4.1 c) Criteria and methods needed to ensure that both the operation and control of these
processes are effective. This could be demonstrated with stated objectives, instructions and or
procedures as required for consistent output of the processes.
4.1 d) Ensure the availability of resources and information necessary to support the operation
and monitoring of these processes. This may be through Management Review or other methods
for defining and determining resources.
4.1 e) Monitor, measure and analyze these processes - All identified processes are subject to
requirements for monitoring, measurement, and analysis for needed improvement. The methods
employed and the timing of such analysis should be based upon priorities established by the
organization. Auditor expects to see measurable objectives established for each process. These
objectives should support the organizations overall objectives.
4.1 f) Implement actions necessary to achieve planned results and continual improvement of
these processes Same as described above. Auditor expects to see corrective action taken when
measurable objectives fall below target or defined action level.
Outsourced Processes: Outsourced processes must be controlled by the organization and these
controls must be defined/described within their system. Organizations are required to identify the
controls they apply for any outsourced processes. The facility quality manual must identify if
outsource processes are applicable. In addition, the client shall have written documentation on
the methods used to control the outsourced process(es). Examples of some outsourced processes
are:
Process completed wholly or partially by a sister facility outside the scope of registration.
Such as corporate performing design, purchasing or customer related processes. This may
include the entire element or a subsection i.e. corporate completes supplier evaluation and
re-evaluation of suppliers and the registered site initiates purchase orders.
Processes completed by an outside vendor or subcontractor such as heat treating, plating,
calibration, painting, powder coating, etc.
Documented objective evidence must be ascertained to ensure that these processes are being
controlled beyond the basic purchasing requirements, which are focused on controlling products
not processes. The organization is responsible to ensure that the outsourced process is meeting
applicable requirements to ISO9001:2000. Outsourced processes may be controlled through such
methods as (not limited to):

Internal Audits
Internal Agreements between two sites where only the audited site is under the scope of
registration (Interface Agreements Bureau Veritas Certification terminology)
4 OF 61


Process performance data

Purchasing Process
ISO/TC 176/SC 2/N 630R2 ISO 9000 Introduction and Support Package: Guidance on
'Outsourced Processes: An outsourced process can be performed by a supplier that is totally
independent from the organization, or which is part of the same parent organization (i.e. a
separate department or division that is not subject to the same quality management system). It
may be provided within the physical premises or work environment of the organization, at an
independent site, or in some other manner The organization has to demonstrate that it
exercises sufficient control to ensure that this process is performed according to the relevant
requirements of ISO 9001:2000, and any other requirements of the organizations quality
management system. The nature of this control will depend, among other things, on the
importance of the outsourced process, the risk involved, and the competence of the supplier to
meet the process requirements (http://www.bsi.org.uk/iso-tc176-sc2).
TABLE A: Cross-linked references

4.1 General requirements
a) Identify
the
processes,
including
outsourcing, needed for the quality
management system and their application
throughout the organization (see 1.2),
b) Determine the sequence and interaction of
these processes,
Relevant further clauses

5.4.2 QMS planning
7.1 Planning of product realization
8.1 General
5.4.2 QMS planning

7.1 Planning of product realization
4.2.2 (c)
c) Determine criteria and methods needed to 7.1 (c)
ensure that both the operation and control 7.3.3 (c)
of these processes are effective,
7.4.1 (Criteria for selection)
7.5.2
d) Ensure the availability of resources and Whole of 6
information necessary to support the
operation and monitoring of these
processes,
e) Monitor, measure, and analyze these Whole of 8.2
processes, and,
f) Implement actions necessary to achieve Whole of 5, 6, 7 and 8
planned
results
and
continual
improvement of these processes.
These processes shall be managed by the
5 OF 61

organization in accordance with the
requirements of this International Standard.
Where an organization chooses to outsource
any process that affects product conformity
with requirements, the organization shall
ensure control over such processes. Control
of such outsourced processes shall be
identified within the quality management
system.
4.2: Documentation Requirements

4.2.1: General
The Quality Management System (QMS) documentation shall include:
4.2.1 a) Statements showing the organizations quality policy (see 5.3) and quality objectives
(see 5.4.1).
4.2.1 b) A quality manual (see 4.2.2).
4.2.1 c) Procedures that this standard requires (see 4.2.3, 4.2.4, 8.2.2, 8.3, 8.5.2, 8.5.3).
4.2.1 d) Documents that the organization will need to ensure that the planning, operation, and
control of their processes is effective.
4.2.1 e) Records that this standard requires (see 5.6.1, 6.2.2, 7.1, 7.2.2, 7.3.2, 7.3.4, 7.3.5, 7.3.6,
7.3.7, 7.4.1, 7.5.2, 7.5.3, 7.5.4, 7.6, 8.2.2, 8.2.4, 8.3, 8.5.2, and 8.5.3).
4.2.1 f) quality system requirements imposed by the applicable regulatory authorities.
BV Certification: This requirements effectively invokes all pertinent requirements of the industryapplicable regulatory agencies (e.g. FAA, CAA, JAA, etc.) such as those included in FAR Part 21,
145, etc. While the BV Certification auditor may not look for conformance to those specific
regulatory requirements a nonconformance against a closely related requirement in Standard AS9100
may be cited.
The organization shall ensure that personnel have access to quality management system documentation
and are aware of relevant procedures. Customer and/or regulatory authorities representatives shall
have access to quality management system documentation.
6 OF 61

BV Certification: It is expected that all personnel have access to relevant documentation, in any
appropriate format. Documentation can include procedures, work instructions, forms, travelers, drawings
and work standards. For complex operations, job packages should be at the workstation. In other
situations, it is sufficient for the co-worker to demonstrate knowledge of where the relevant
documentation is located.
The right of access by customer and/or regulatory authorities appears in several clauses throughout the
standard. A broad statement permitting right of access to quality documentation at the organizations
facilities, coupled with flow down to suppliers and sub-tier suppliers (see section 7.4) is sufficient to
satisfy this requirement. See also the Interpretation comments under section 4.2.4, below.
4.2.2: Quality Manual

Exclusions from the quality management system must be described and justified within the
quality manual (see 4.2.2 a). The documented procedures established for the quality
management system must be included or cross-referenced in the quality manual (see 4.2.2 b). A
description of the interaction between the organizations processes needs to be identified in the
quality manual (see 4.2.2 c).
The applicable processes might include those relating to four general categories: 1) Management
Activities, 2) Resource Management, 3) Product Realization, and 4) Measurement and
Monitoring. Most companies will prefer to focus on their own COPS, MOPS, and SOPS.
Manual content and design - There are many ways of documenting the quality management
system and organizations should adopt the approach that is most useful for effective operation of
their system.
Examples include:

Flowcharts;
Written text;
Diagrams;
System maps;
Process maps;
Process Turtles.
7 OF 61

The quality manual may have many forms. Although many organizations structure their
documentation in a typical pyramid, it is not the only, and not always the most suitable, way. A
quality manual doesn't have to exist as a separate document. The quality manual may:
Be a direct collection of QMS documents including procedures;
Be a grouping or a section of QMS documentation;
Be more than one document or level;
Be in one or more volumes;
Be a stand alone document or otherwise;
Be a collection of separate documents.
The ISO 9001:2000 standard offers companies a possibility to establish effective, user-friendly
systems. This edition offers the current users a unique opportunity to streamline their quality
management system documentation.
A separate document "addressing" all the clauses of the standard is not required by the standard neither does the standard require the quality manual to "address" or "cover" the requirements of
the standard. The manual may be documented specifically to the organizations processes.
4.2.2 a) Scope The organization may exclude portions of the standard that do not apply to their
quality management system due to the nature of the product or service that they supply. ISO
9001:2000 clearly limits and identifies which activities may be excluded. The justification for
exclusion and those considered not applicable must be clearly documented in the quality manual.
If, for example, design does not apply to the quality management system, the standard stipulates
(in section 1.2 Application) how a reduction in scope of the standard may be justified and
documented within the quality manual. Bureau Veritas Certification has defined exclusion
applicability to be within the clause Design and Development (7.3) only. All other potential
exclusions within section 7 must be identified as not applicable or not applicable at this time.
ISO TC Guidance - Document: ISO/TC 176/SC 2/N 524R3 ISO 9000 Introduction and Support
Package: Guidance on ISO 9001:2000 clause 1.2 'Application:
ISO 9001:2000 clause 1, Scope, defines the scope of the standard itself. This should not be
confused with the scope of the QMS, which is a term commonly used within the context of QMS
certification/registration to describe the organization and products to which the QMS applies
(http://www.bsi.org.uk/iso-tc176-sc2).
Auditor should discuss the difference between the scope of certification and the scope of the QMS
(i.e. what is on or will be on the organizations certificate).
The scope of the QMS should be based on the nature of the organization's products and their
realization processes, the result of risk assessment, commercial considerations, and contractual,
statutory and regulatory requirements.
8 OF 61

If an organization chooses to implement a quality management system with a limited scope, this
should be clearly defined in the organization's Quality Manual and any other publicly available
documents to avoid confusing or misleading customers and end users (this includes, for example,
certification/registration documents and marketing material).
Note: For multi-site/corporate certifications the auditor will expect to see that one quality manual
is applicable for all sites and that any changes are centrally controlled (see 4.2.3)
4.2.2 b) Documented Procedures The manual must include reference to, at a minimum the six
required documented procedures (see 4.2.3, 4.2.4, 8.2.2, 8.3, 8.5.2, 8.5.3). The manual may
reference other documentation but must list those required documents in some format. This may
be in the form of a link or other such reference.
The notes after sub clause 4.2.1 in ISO9001: 2000 make it clear that where the standard
specifically requires a documented procedure, the procedure has to be established, documented,
implemented and maintained. It also emphasizes that the extent of the QMS documentation may
differ from one organization to another due to:

The size of the organization and the type of activities;

The complexity of processes and their interactions and
The competence of personnel
- when referencing the documented procedures, the relationship between the requirements of
this International Standard [AS9100] and the documented procedures shall be clearly shown.
BV Certification: Points of reference may be throughout the manual when discussing pertinent
subjects (imbedded in the text). All of the referenced procedures may be listed together in an appendix
/ attachment to the manual. Or, the pertinent procedure(s) may be called out at the beginning or end of
each major section of the manual. A cross reference matrix is especially effective - linking specific
clauses in the Standard to corresponding paragraphs in the quality manual down to specific
paragraphs in the detailed procedure (or W/I as appropriate). Regardless of the approach, the intent of
the Standard is that there be a clear, unbroken, definitive trail from a particular requirement in the
Standard, into and through the quality manual, down to the procedural (and or work instruction) level
such that users of the documentation can clearly and readily arrive at a description of how that
requirement in the Standard is satisfied / fulfilled in the organizations system documentation.
4.2.2 c) Interaction between processes This requirement ties closely to section 4.1 b), which is
discussed in the previous paragraphs. The interactions between the quality management system
processes do not have to be separately described, or illustrated, by charts, tables or maps. If an
organization chooses to use a process map to show interaction, just using arrows is not sufficient
9 OF 61

a description or other depiction is required for interactions. An example might be an interaction
matrix listing COPS across the top and SOP & MOP down the side.
Although many organizations may choose such a form, it is not a mandatory method.
Interaction between processes may be described, for instance, by way of references and/or crossreferences within the procedures, where the procedures form part of the Quality Manual. If the
procedures are not part of the Quality Manual, then the manual can not be consider acceptable to
the standard requirements, they can be in an appendix, addendum or hyper linked to the manual
if the system is electronic.
4.2.3: Control of Documents

A documented procedure is required for control of documents.
Guidance is given for documents and records in ISO/TC 176/SC 2/N 525R ISO 9000
Introduction and Support Package: Guidance on the Documentation Requirements of ISO
9001:2000 (http://www.bsi.org.uk/iso-tc176-sc2).
4.2.3 a) Approve documents procedure must identify the approval process.
4.2.3 b) Review and update All management system documentation must be covered by some
review strategy. The procedure must identify a period of time in which all documents are
reviewed on an ongoing basis. Different types / levels of documents may be reviewed at different
intervals / criteria and / or by different methods (i.e. at each use, through internal audits, via
formal recalls and reviews, etc.), review should be conducted by personnel competent to do so.
Bureau Veritas auditors should assess whether review methodology demonstrates effective
document controls. Note statutory / regulatory and customer / industry requirements may also
impact review methodology. A method must be in place to show review was completed where
there were no changes. Those documents that are updated must be put back through the
organizations required approval process (4.2.3 a).
4.2.3 c) Changes and current revision status The procedure must identify how changes and
revisions to documents are identified. These must be identifiable for each document. How does
the user know what the changes are?
4.2.3 d) Availability of documents procedure must identify how documents are made available
to employees. Auditor will expect to see that documents are readily available to employees
through out the facility at their points of use.
4.2.3 e) Documents are legible and readily identifiable auditor will expect to see that
documents are maintained and remain legible and easily identifiable.
10 OF 61

4.2.3 f) Documents of external origin Documents of external origin are those that are produced
from outside the organization that are used by the organization in support of the quality
management system processes. The procedure must address if documents of external origin are
applicable and if so how these documents are controlled by the facility. The auditor expects to
see that controls are in place to ensure current versions are used and documents are controlled
within the facility.
4.2.3 g) Obsolete documents Procedure must address how obsolete documents are controlled to
prevent unintended use and if retained how these documents are identified.
The organization shall coordinate document changes with customers and/or regulatory authorities in
accordance with contract or regulatory requirements.
BV Certification: The degree and type of documentation change coordination (if required at all)
will be defined by the customer and/or regulator agency. Additionally, the organization may add to
(but not contradict) details. Coordination may be as little as mere notification, to distributing
approved copies, up to and including formal approval by the customer / agency) prior to
implementation. Documents typically subject to this requirement include pre-approved contracts,
statements of work, inspection/test plans, frozen or fixed process plans and routings. The BV
Certification auditor will seek documented, objective evidence that such coordination has taken
place (as appropriate) and as prescribed in the organizations documented procedure.
Note: For multi-site/corporate certifications the auditor will expect to see that System
documentation and changes are centrally managed (usually performed at the headquarters
location).
4.2.4: Control of Records

Records required by the organization may be in any format deemed suitable for the organizations
method of operation. A documented procedure must be in place and define the controls needed
for:

Identification the procedure must identify the system/process is in place to identify

records. Have all required records been identified. Refer to Annex B of the ISO/TC
176/SC 2/N 525R - ISO 9000 Introduction and Support Package: Guidance on the
Documentation Requirements of ISO 9001:2000.
Storage where records are stored specific location i.e. Quality filing cabinet in the QC
Laboratory.
Protection how individual records are protected i.e. tape back up every 24 hours (for
electronic records), fireproof safe, filing cabinet etc.
11 OF 61


Retrieval any special requirements for retrieval. Generally dependant on location and
protection. May be a request process.
Retention time identification of how long each record will be maintained.
Disposition of records method for disposing of records i.e. shredding, burned, trash
A spreadsheet or other document may be used to identify the above requirements.

The documented procedure shall define the method for controlling records that are created by and/or
retained by suppliers.
BV Certification: The organization is ultimately responsible for all pertinent quality records that
apply to a given contract or order. Most such quality records are produced by the organization
themselves but many are also created at the lower levels in the supply chain at the organizations
supplier(s) and at the suppliers sub-tier sources. It is not uncommon for pertinent quality records to
exist at three or four levels down in the supply base. Typically, only the most significant records make
their way back to the organization. Those records that typically bubble up are certifications and
inspection / test reports, nonconforming product concessions / waivers, etc. The majority of records
relating to the order / contract continue to reside at a level lower in the supply chain. Those records
retained by lower-level sources must still be subject to the organizations control. This control is often
managed and asserted by / through purchase order flowdown requirements from the organization
to the lowest level supplier / subcontractor involved. Such flowdown requirements may specify
record retention periods, protection, disposition, disposal and may describe the conditions under
which the record holder must forward the records to the organization.
Records shall be available for review by the customer and regulatory authorities in accordance with
contract or regulatory requirements.
BV Certification: This requirement most obviously applies to records maintained by the
organization. It equally applies to pertinent quality records retained by the organizations suppliers
and by the suppliers sub-tier sources. Pertinent records (at any level in the supply chain) may be kept
on-site, or at an off-site repository or by a remote records management service. In any event, retrieval
of such records should be relatively convenient and timely so as not to impede availability to
customers and regulatory authorities. Compliance to this requirement is often managed and assured by
/ through purchase order flowdown requirements from the organization to the lowest level supplier
/ subcontractor involved. Such flowdown typically invokes the right of access to all pertinent
quality records that may exist at any/all levels in the supply chain.
4.3
Configuration Management: The organization shall establish, document and maintain a

configuration management process appropriate to the product. NOTE: Guidance on
configuration management is given in ISO 10007.
12 OF 61

BV Certification: Requirements for a Configuration Management (CM) process apply to virtually all
companies and products / services and especially to those organizations performing Design and
Development activity and to those responsible for the design of the product / deliverable. The
formality and complexity of the CM process will vary depending on the product. CM can be applied
to products, processes and processed materials (including individual components as well as
assemblies). A configuration is most often described in terms of its integral configuration items.
Fundamental building blocks of a CM process typically include: design change control, document
change control, process change control, product identification and traceability. Changes in any of
those disciplines might translate into configuration change. Documentation that helps define a
specific configuration might include drawings, specifications, bills of materials, routings/travellers,
change requests, First Article Inspection Reports, nonconforming product documents (including
deviations and waivers), where used listings, etc. Configuration baselines must be established,
and any subsequent changes must be identified and controlled. After a significant number of changes,
a new baseline (model, part number, etc.) may be established.
Element 5: Management Responsibility

Note that this section has nine references to top management. This is defined in ISO
9000:2000, 3.2.7 as person or group of people who directs or controls an organization at the
highest level. It is therefore essential to examine top managements commitment to, and
support for, the QMS (and to record objective evidence to support any conclusions reached).
5.1: Management Commitment

It is necessary for auditors to obtain (and record) objective evidence of management
commitment.
This would include:
5.1 a) Evidence that top management has communicated to the organization the importance
of meeting customer requirements as well as statutory and regulatory requirements. This can
be achieved through meetings, newsletters, bulletin boards, training records etc.
NOTE - statutory and regulatory requirements are broad based and include all applicable
requirements for processes, products and activities.
5.1 b) Top Managements establishment of and input into, and commitment to, the quality
policy (its definition, delivery and maintenance) through management review or other
meetings.
5.1 c) Documented quality objectives (for all processes).
13 OF 61

5.1 d) Top Managements active participation in management review meetings.
5.1 e) Evidence of a process for defining resource requirements and ensuring that adequate
resources are available.
In short, how well they address requirements 5.2 through 5.6.
5.2: Customer Focus

Customer requirements and customer satisfaction are directly linked with the process approach
concept in the standard. Auditors will seek objective evidence to demonstrate that the customer
requirements are indeed being met, whether the satisfaction is revealed in customer survey
results, repeat sales or any other type of mechanism that would reveal trends and lead to
improved customer satisfaction. Management review minutes might be a record where
Customer Focus is addressed. You might also look at Quality plans and or product plans that
include customer related requirements.
5.3: Quality Policy

It is expected that there is evidence that Top Management fully back the quality policy. The
standard identifies five specific points which requires that top management ensures that the
policy;
5.3 a) Is appropriate to the purpose of the organization
5.3 b) Includes a commitment to meeting requirements and to continual improvement of the
quality system
5.3 c) Provides framework for establishing and reviewing quality objectives
5.3 d) Is communicated and understood at appropriate levels in the organization
5.3 e) Is reviewed for continuing suitability.
Auditors must determine if the Quality Policy meets the intent and is understood, by
interviewing personnel at all levels. Although the exact policy does not need to be recited by
interviewees, the awareness of the quality policy and how their job affects the company
objectives should be determined. If personnel interviewed do not know what their measurable
objectives are and/or do not know what the organizational objectives are that they have a direct
14 OF 61

effect on, the auditor would be further directed to evaluate managements communication of the
policy and objectives.
The Quality Policy must be documented (typically in the quality manual because it must be
controlled). The Quality Policy does not have to include objectives but should create a
framework for establishing them. The Quality Policy should be stated in such a way that it aims
toward continual improvement. It should be reviewed and possibly revised to meet higher
aspirations.
Bureau Veritas Certification does not require that the policy include the words continual
improvement in the written policy, however it must be ascertained that it is implied and known
through out the organization.
To meet the intent of this clause, the auditor would be looking for a clearly defined Quality
Policy that is sufficiently detailed to provide a framework for quality objectives that can be
monitored for continual improvement. An auditor would not want to see a vague policy, such as
Our Policy is to Maintain Status Quo.
When interviewing top management, their input into, and commitment to, the quality policy
needs to be determined. Is it theirs, or have they clearly just signed something written for them
by the management representative?
Note: For multi-site/corporate certifications the quality policy must be applicable for all sites.
5.4: Planning
5.4.1 Quality Objectives
Auditor must determine that the organization has developed measurable quality objectives for
relevant functions and levels of the organization. Bureau Veritas Certification expects overall
objectives to be established at the facility/corporate level and objectives established for each
identified process. Process objectives shall support the organizations overall objectives.
The organization must establish what the relevant functions of the organization are, however at
a minimum this will include all defined processes (reference 4.1 a, c, e). Sub-processes, projects,
or individual objectives would be at the discretion of organization. The auditor may want to ask
what criteria were used to determine if functions are relevant or not. It would be left up to the
company to determine if a cost or added value benefit would result from including or not
including functions of the operation when establishing quality objectives.
15 OF 61

If some functions or levels have been excluded, it may be necessary to explore, evaluate (and
record) the reasons for such omissions (which might be quite acceptable at that particular stage
in the continual improvement process).
The organization must identify quality objectives that can be measurable, such as vendor ontime rating, on-time delivery, all employees will have completed an ISO 9001 awareness
class and all machines will have clearly defined procedures on their usage. If the objectives
were not measurable (including a time-based element where appropriate), they would not meet
the intent of the standard.
The objectives do not have to be defined in a specific document although the objectives are
required to be documented (see 4.2.1 a). Objectives can either be defined in associated
procedures or instructions, or could be recorded in meeting minutes such as management review
records. The organization must have a process that ensures that all the objectives are clear and
communicated to all employees who can influence the defined objective(s). The organization
should be able to demonstrate that the objectives are being measured and reviewed (see 4.2.4 and
8.5.1).
5.4.2: Quality Planning

Auditors have to use their judgment in evaluating the entire collected audit evidence in order to
assess effectiveness of planning activities. The auditor may also satisfy him/herself that planning
was done, by interviewing the personnel involved in establishing or achieving specific quality
objectives.
Auditors are recommended to attribute such QMS deficiencies to relevant clause, requirements
of which were contravened, rather than to clause 5.4.2.
Determining effective and efficient planning may be found by evidence of:

All those planning activities undertaken to establish the QMS in accordance with
clause 4.1.
The existence of an effective, documented, and implemented QMS that provides
collective evidence demonstrating that these planning activities have been performed
effectively.
Deficiencies in the quality system that may indicate that these planning activities
were not quite effective.
The evidence and use of Strategic Plans, Business Plans, Management Review
results, Contingency Plans, Quality Objectives, any programs or plans, documented
or not, such as Minutes of meetings, Memos, Internal communications.
16 OF 61

Where there is lack of documented evidence, an auditor may satisfy him/herself through
interviewing the personnel at those levels and functions involved in achieving particular
objectives to determine the level of planning.
Another methodology allowing audit of effective planning involves review of the progress in
implementation of such plans aimed at adhering to individual objectives.
5.5: Responsibility, Authority and Communication

5.5.1: Responsibility and authority
In order for the auditor to be satisfied that the intent of this element has been met, he/she may
review organization charts, job descriptions or a responsibility matrix.
Identification of
responsibility and authority could be written into procedures and/or work instructions, as well.
The auditor may also use interviews of individuals to determine if responsibility and authority
has been communicated effectively.
5.5.2: Management Representative

Responsibilities to include:
5.5.2 a) Ensuring that the processes needed for the quality management system are established,
implemented and maintained.
5.5.2 b) Reporting on the performance of the system to top management.
5.5.2 c) ensuring the promotion of awareness of customer requirements, and
5.5.2 d) the organizational freedom to resolve matters pertaining to quality.
BV Certification: The Management Representative (MR) need not be a member of the Quality
organization, though this is most often the case. Any management-level individual from any
organization / discipline is acceptable. Of utmost importance is that the MR has freedom within the
companys organizational, political, cultural and communication arenas. This freedom necessitates
that the MR have access mobility, both vertically and horizontally, and especially across departmental
boundaries. It is expected that the MR have at least a dotted-line relationship with executive
management that may be exercised on an exception basis if/when internal influences impede the
MRs normal freedom. It is sometimes difficult to observe / demonstrate the MRs organizational
freedom. More apparent are situations where this freedom is limited, restricted or even nonexistent.
This problem may be evident in cases of unresolved Quality problems, recurring problems,
17 OF 61

ineffective/untimely corrective action responses, low customer satisfaction and perception, ineffective
internal audits, lack of system/process improvement, etc.
Promotion of customer awareness might include news releases, meetings, training, photographs,
models; examples of products demonstrating required visual attributes. We look for one
individual to be the management representative in terms of defined responsibility. However,
implementation of those responsibilities may be in the form of a defined and delegated team.
Note: The management representative is responsible for ensuring it happens not making it
happen, which is the job of line management.
Note: For multi-site/corporate certifications the auditor will expect to see that there is a
management representative with overall responsibility across all sites for ensuring that
requirements are established, implemented, maintained, and for reporting on performance.
5.5.3: Internal Communication

Although there is no mandate for documenting methods for communication, the auditor will
expect to find evidence of communication through interviews with employees. Evidence could
possibly include the employees understanding of process linkage and effectiveness, customer
satisfaction levels, preventive and corrective action information, on time delivery, quality costs,
returned material, non-conformances. This could be communicated by access to the computer
network, an information board, newsletters, or even process routers, checklists, and
multifunctional meetings (see 6.2.2 d). The type and extent of the documentation will depend on
the nature of the organizations products and processes, the degree of formality of
communication systems and the level of communication skills within the organization and the
organization culture.
5.6: Management Review

5.6.1: Management Review - General
IMPORTANT INITIAL CERTIFICATION REQUIREMENT: For a new/first time
registration/certification, a full round of Management Review meeting(s), including documented
evidence of all required inputs and outputs, must be completed prior to the
registration/certification audit (note a full internal audit cycle must be completed prior to this
review see 8.2.2 Internal Audit). For multi-site/corporate certifications the review must
include inputs (as appropriate) from each site (see the standard 5.6.2 a g). Normally, the review
process is conducted at the headquarters location.
Top management shall review the quality management system at planned intervals not only for
continuing suitability and effectiveness, but also adequacy. Additionally, this review shall
18 OF 61

include assessing opportunities for improvement, the need for changes to the system, the quality
policy, and quality objectives.
These words are more prescriptive which cause a more proactive expectation and approach to
keeping the system current and useful and maintaining improvement activities. The auditor
cannot prescribe the intervals for reviews to occur, but can look for evidence that the frequency
is sufficient to accomplish the requirements of the standard. Although the dictionary would
suggest that suitable and adequate are the same, the standard seeks to distinguish both the system
from a global perspective of adequacy as well as the detailed suitability of the many processes
that comprise the system.
5.6.2: Management review input

The auditor will expect to see documented evidence that the (7) required inputs are discussed
during the review. Although a documented procedure for management review is not required,
records of such reviews are required (see the standard - 5.6.1 General). The minimum (7) inputs
are required in those records (see the standard 5.6.2 a g). Evidence of cross functional input is
also expected, which means one person alone could do the review, but there would need to be
evidence of multifunctional input in the evaluation of the system and its status and actions
concluded.
5.6.3: Management review output

Output should focus on decisions and actions related to system improvement (5.6.3 a), product
improvement for customer requirements (5.6.3 b), and resource needs (5.6.3 c). Auditors expect
to see that some documented conclusions have been developed. The output record must include
evidence of action and progress for system improvement, customer requirements, resource needs
as it all relates to system health. It is important to note that a documented procedure may or may
not exist. It should also be noted that formal meetings for review may or may not happen and
still be complaint - such as in the case of being accomplished in stages; on going process review;
or by circulated documentation covering the system incrementally.
Element 6: Resource Management

6.1: Provision of Resources
The intent of this section is to ensure that adequate resources are provided to continually improve
the effectiveness of the quality management system (6.1 a) and to enhance customer satisfaction
by meeting customer requirements (6.1 b). Auditor would expect to see a process for evaluating
19 OF 61

and determining resource needs. This may be through management review, production planning,
budget review, long range planning etc.
The auditor should determine that process activities are not prevented by a lack of resources.
Auditors may review instances where customer requirements were not met and determine if a
lack, or insufficiency, of any resources was causation factors of these instances. This
requirement also ties to paragraphs 5.1 and 5.6.3, which address managements responsibility to
determine and provide necessary resources. Additionally, any clear evidence of resource
problems links directly to this section.
6.2: Human Resources

6.2.1: General
The standard requires that personnel be competent. This could be demonstrated by a person
being qualified. Competence may be based on appropriate education, training, skills,
experience, and/or demonstrated performance.
6.2.2: Competence, awareness and training

The intent of this section is to ensure that suitably competent people are performing the activities
as defined in the quality system. Evidence of the effectiveness of the training or other means of
providing competent employees must be available. Employees must be aware of the impact that
they have on the overall quality system. The auditor would expect employees to be able to
verbalize how their job activities contribute to the achievement of the quality objectives.
6.2.2 a) Determine the necessary competence - The requirement is in emphasis toward validating
training and other activities aimed at ensuring employee competence. Identification of
competency is essentially a precursor to identification of training needs. The organization should
determine knowledge and/or skills an employee would need to be considered competent, in their
opinion, to perform a particular job. The company could then determine if the employee
performing the job possesses that knowledge or skill and, if not, consider it a training need.
Changes in the business and its environment may necessitate new competencies, which may not
be available. Therefore the identification of competencies may need to be revisited. There is no
requirement for any particular frequency of such re-review. Competency may be defined in a job
description, position profile, or by any other method or associated documents such as specific
instructions or procedures. Usually competency is determined during performance reviews, if the
organization does not perform reviews of this nature, other methods for determining personnel
competence would need to be defined and records verified.
20 OF 61

6.2.2 b) Provide training or take other actions - The requirement allows for options other than
training to obtain competent personnel. Training includes all those activities where a learning
opportunity needs to be satisfied. It may take a number of forms:

Classroom style, tutor led training;

Hands on experience training;
Shadowing
Individual or group coaching;
Mentoring;
Briefings;
Distance learning;
Technology based training (CD ROMS, web based etc);
Workshops.
Organizations will choose whichever form best suits their needs at any particular moment. Other
actions to bridge competence gaps might include:

Recruitment;
Outsourcing;
Acquisitions;
Use of experts and/or consultants.
Documented procedures or work instructions
All such means are acceptable as long as an organization has ensured the availability of the
competencies needed.
6.2.2 c) Evaluate the effectiveness of the actions taken - The requirement is aimed at ensuring
that the training or other activity has produced the desired result. This requirement could be met
in a variety of ways, including, but are not limited to:

Observation of personnel performing their duties;

Written or oral exams;
Assessment of employee in achieving learning objectives during the course of
training program;
Audit of performance at work focusing, for example, on:
Productivity;
Reduction of rejects;
Efficiency;
Interviews with the persons;
Annual appraisal.
Performance reviews;
21 OF 61
the

Discussions;
Evaluation of performance, quality or other indicators;
Cost reviews;
Customer satisfaction assessment (see 8.2.1).
6.2.2 d) Ensure that its personnel are aware of the relevance and importance of their activities
(perhaps by internal communication see 5.5.3) and how they contribute to the achievement of
the quality objectives - The requirement could be met in a variety of ways. Options include:

Training;
Memos, and/or meetings regarding the impact of various individual or departmental goals
on quality objectives;
Plant tours or briefings where an individuals work and goals are shown as an integral
part of the larger processes;
Cross functional teams working towards quality objectives and reporting their progress to
their departments.
Any activity that allows individuals to understand how their efforts affect quality objectives may
satisfy this requirement. All personnel need to know the specific measurable objective(s) for the
process that they work in; they should also know what organizational objective their process
effects. They should be able to demonstrate that they know what the actual measurable is, their
progress towards that goal, what the plan is to achieve the goal. If they do not know the actual
numbers, they should be able to communicate the topics of the measurable and know where the
actual measurements are maintained or posted.
6.2.2 e) Maintain appropriate records - The requirement expands record keeping requirements to
include education, skills and experience, in addition to training, where appropriate. There are a
great variety of ways to record and provide evidence of training, education, skills and
experience. Records may include:
Diplomas;
Certificates;
Training log;
Annotations in shift logs;
Toolbox meeting notes;
Attendance lists;
Resumes;
Employment history;
Test results.
Such records may be filed in any location as long as the requirements of 4.2.4 are observed.
22 OF 61

6.3: Infrastructure
It is the organizations management who determines the adequacy of the infrastructure provided
by the organization. Auditors will seek objective evidence to demonstrate that the necessary
infrastructure exists for the quality management system to be effectively implemented, for
improvement of its effectiveness, and for fulfilment of customer requirements. Auditor would
expect to see a process in place for maintenance of the building(s), equipment and any other
supporting services. This is generally the responsibility of the maintence and IT departments.
6.4: Work Environment

The organization must identify and manage all those factors of the work environment that are
needed to supply a conforming product. These factors may include among others:
Human Factors
Creative work methods;
Opportunities for greater involvement of personnel;
Safety rules and guidance;
Ergonomics;
Special facilities for people.
Physical Factors
Heat;
Noise;
Light;
Hygiene;
Humidity;
Cleanliness;
Vibration;
Pollution;
Airflow.
Different types of businesses and industry sectors may vary dramatically with regard to an
acceptable work environment, so it is the organizations management who determines the
adequacy of the work environment provided by the organization.
For instance;
A training provider may need to ensure the training area is adequately lighted and
contains appropriate seating and visual aid capabilities.
Some manufacturing facilities may require clean rooms or humidity-controlled areas.
23 OF 61

Companies handling items easily damaged by electrostatic discharge may require special
flooring or equipment, and chemical storage areas may require special protective barriers.
As an additional example, an employee might perform a particular function that requires
repetitive wrist movements (i.e., tightening a screw). As the day wears on, it is possible that the
overuse of the wrist could result in poorly torqued screws resulting in a possible quality defect.
The company should identify such a situation and provide a means of eliminating the potential
defect (i.e., air-driven screwdrivers). Evidence could consist of records of decreased quality
defects and/or medical problems related to that activity.
Element 7: Product Realization

Exclusions/non-applicability can be claimed with in element 7 only. Exclusion should
only be taken for clause 7.3 Design and Development and must be fully justified in the
quality manual. Other sections within element 7 may be claimed as not applicable or not
applicable at this time.
7.1: Planning of product realization

An organization needs to plan in advance for how they will manufacture their product or deliver
their service. The plans need to take into account the product requirements and any quality
objectives (7.1 a) that might be appropriate, resources and documents that may be necessary (7.1
b), what type of monitoring and/or inspection activities should be put in place to ensure the
product or service will meet the requirements (7.1 c), and what types of records should be kept
(7.1 d). While the sub-clause does not state that the output of this planning must be documented,
it does state that it must be in a form suitable for the organizations method of operations.
7.1 e) the identification of resources to support operation and maintenance of the product.
BV Certification: The resources to support operation and maintenance of the product may include
tech manuals, tooling, fixtures, lubricants, etc. This requirement is aimed at operational and
maintenance organizations, not at manufacturing organizations. The intent is for the operational and
maintenance organizations to positively identify the resources that they require to perform the
operational and maintenance activities related to the product in the field.
7.2: Customer Related Processes

7.2.1: Determination of requirements related to the product
This clause promotes an up-front determination of all requirements related to the product.
24 OF 61

This includes requirements for servicing which are now included as post-delivery activities,
which implies anything that is provided after the customer has received the product (i.e. repair
and/or warranty work, installation, maintenance, etc.).
Specific to 7.2.1 (a)

Post delivery activities may include among others:
Product support
Servicing where applicable
Specific to 7.2.1 (b)

Auditors should determine how the organization was proactive in evaluating if there were any
additional requirements for the product or services intended use. If the organization determined
there were not any additional requirements this should be evident in associated records, if there
were additional requirements then evidence should be present how they were addressed in the
affected process i.e. design, purchasing, manufacturing.
The analogy that can be used here is a screwdriver, everyone knows the intended use of a
screwdriver, put in and take out screws. However with a screwdriver, there are requirements that
are not stated but are intended for use, such as using a screw driver to open paint cans, could be
used as a chisel, pry bar, magnetization might be an issue, also if used around electricity the
handle should be nonconductive, but none of these requirements might be stated by the customer,
but the manufacturing organization would need to address these non-stated requirements for the
screwdrivers intended use.
Specific to 7.2.1 (c)

The organization shall determine applicable Statutory and regulatory requirements related to the
product (i.e., taking these requirements into account when designing a product or service). This
includes ensuring process control (i.e., ensuring that these requirements were met).
Statutory requirements are those that are stipulated by local/national governments that form part
of regional, national and international legislation.
Regulatory requirements are those imposed by regulatory bodies. In the UK the HSE (Health &
Safety Executive) and in the USA, the EPA (Environmental Protection Agency) are examples of
these. These requirements are not necessarily part of national legislation.
25 OF 61

Compliance with regulatory requirements issued by national regulators (i.e. by The Rail
Authority) may be mandatory for those organizations to which they apply if a statutory
instrument requires so.
Organizations are required to comply with a number of legal requirements to be allowed to
operate. Management must be aware of the requirements that apply to its products, processes
and activities and should include these requirements as part of the quality management system
(ISO 9004:2000 5.2.3). Auditor must verify that these requirements are identified.
Auditors have to be aware that as the national legislation may apply to product intended for the
domestic market, in the case of export sales, organizations will be required to consider the
statutory and/or regulatory requirements in the target country that may apply to (a) product(s)
supplied.
Organizations are not required to maintain the lists of applicable statutory and/or regulatory
requirements, nor need they maintain copies of these documents except as required by clause
7.3.2(b). Organizations must ensure that they have adequate access to / or knowledge of
applicable statutory and regulatory requirements.
7.2.2: Review of requirements related to the product

The sub-clause mandates that the organization shall not issue a quotation or accept an order until
it has been reviewed to ensure requirements are defined and the organization has the capability to
meet the defined requirements. It goes on to require that records of the review and any
subsequent actions be maintained. If the customer does not provide their requirements in writing
(i.e., telephone call), the requirements must be confirmed before they are accepted. If the
requirements are changed, all documents must be amended and relevant persons must be
notified. A note is included that covers situations such as internet sales where a formal review of
each order is impractical, stating, instead, that the review could cover the product information
provided in catalogs and advertising material.
d) risks (e.g. new technology, short delivery time scale) have been evaluated.
BV Certification: The potential for risks exists in virtually every contract or order. The
Standard mentions only two of the most obvious examples (i.e. new technology and short
delivery time scales). Types of potential risks vary greatly depending upon contractual
requirements, requirements of regulatory authorities, design responsibility, product requirements,
safety and airworthiness considerations, production processes, operational constraints, business
conditions / limitations, materials, procurement sources, outsourcing, etc., etc. Just a few
extreme examples that may pose risk include: potential labor strikes, facilities relocations or
26 OF 61

shutdowns, environmental or climatic factors, production capacity limitations, availability of
materials, adequacy of procurement sources, absence of key personnel, outage of vital
equipment, etc. To a reasonable and practical extent, any and all such potential risks should be
identified and their impact evaluated before accepting the contract or order. Records of contract
reviews should demonstrate / document some level of deliberate, thoughtful risk evaluation
activity, delineation of identified risks (if any), and resultant actions taken to mitigate or
eliminate the risks.
7.2.3: Customer communication

The organization must establish effective arrangements for providing the customer with product
information (i.e., catalogs or advertising that adequately describe the product or service), means
of handling inquiries and orders, and a method for handling customer comments (both
compliments and complaints).
There is no potential for excluding section 7.2, as every organization has external customers.
Where an organization with a stand-alone QMS is part of a larger group or corporation, and is
taking orders solely from a central Group or Corporate Sales Organization outside its certified
scope and delivering them to a central Group or Corporate Distributor outside its certified scope,
then the Sales and Distribution organizations are technically external customers, invoking 7.2
routines.
7.3: Design and development

This clause addresses product/service development as well as (conceptual) design, so
organizations involved in product/service development will have to address some or all of
section 7.3 of ISO 9001:2000.
Many companies perform some enhancements or minor reconfiguration of mature designs, and
are able to use the guidance of ISO 9004:2000 in order to address some or all of section 7.3 of
ISO 9001:2000.
Some organizations subcontract design and have managed this via sections 4.1 and 7.4 of ISO
9001:2000. Such organizations may have to introduce a comprehensive design system or
process, however may have to address design and development as it is applicable to the
organization. They may have to address some or all sections of 7.3 to the extent that they apply.
Document: ISO/TC 176/SC 2/N 524R3 ISO 9000 Introduction and Support Package:
Guidance on ISO 9001:2000 clause 1.2 'Application' provides excellent guidance and examples
on this topic (http://www.bsi.org.uk/iso-tc176-sc2).
27 OF 61

7.3.1 Design and development planning
Although the standard does not require a documented procedure, the design process needs to
demonstrate how the process is controlled and planned. The organization, however, will need to
provide some type of objective evidence as to what the planning activities include. This can be
accomplished with the use of time-lines, gant charts or any other planning method such as
Microsoft project manager. In addition the auditor should see objective evidence of how the
interfaces between other processes are managed, either through statements in associated
procedures, process mapping, matrix approach or in the time line planning.
- in respect of organization, task sequence, mandatory steps, significant stages and method of
configuration control
BV Certification: The organization is responsible for the identification the design and
development stages. AS9100 imposes some additional and specific clarification of the
information required: which elements of the organization are involved, where in the task
sequence the stages begin/terminate, significant stages and configuration control. These
additional requirements may be recorded in formal project plans, Gantt charts, checklists or in
similar documentation.
Where appropriate, due to complexity, the organization shall give consideration to the following
activities:
- structuring the design effort into significant elements;
- for each element, analyzing the tasks and the necessary resources for its design and
development. This analysis shall consider an identified responsible person, design content,
input data, planning constraints, and performance conditions. The input data specific to each
element shall be reviewed to ensure consistency with requirements.
BV Certification: Even though this section begins where appropriate, all except the very smallest
design and development projects will have defined stages and the stages usually will contain multiple
tasks. It is clear that the records need to demonstrate some level of planning. It is important that the
process owners are identified and that the required technical personnel are indeed available to work on
the project. Although not specifically required, a table of engineering manpower allocation (projects
with associated engineering hours) would be helpful to ensure that sufficient technical manpower is
available. It is important to note that should be evidence of a review of input data to ensure
consistency of requirements.
The different design and development tasks to be carried out shall be defined according to specified
safety or functional objectives of the product in accordance with customer and/or regulatory authority
requirements.
28 OF 61

BV Certification: This is a check at the planning stage to ensure that the design and development
activity actually will address all customer and regulatory requirements. The auditor will expect to see
evidence of this check. Refer also to Interpretation for section 4.2.1f, above, for a discussion of
regulatory requirements.
7.3.2 Design and development inputs

The auditor will need to review evidence that the inputs (7.3.2 a d) have been addressed based
on the nature of the product being produced, that they have been reviewed for adequacy and that
records are maintained of the activity.
7.3.3 Design and development outputs

The auditor should expect to see objective evidence that the outputs (7.3.3 a d) have been
verified against the design inputs. This can be accomplished by reviewing documents, plans, etc.
interfacing with the customer or internal processes and by comparison with past proven designs.
e) identify key characteristics, when applicable, in accordance with design or contract requirements.
BV Certification: As noted in Definitions (section 3, above), key characteristics may be identified by
the customer (and/or regulatory authorities), as well as by the organization. Once key characteristics
have been identified, usually at the Planning and/or Design and Development (D&D) Input stage, they
must be then addressed also as part of D&D Output. The organization must show that the developed
product specifically satisfies the input requirements for key characteristics.
All pertinent data required to allow the product to be identified, manufactured, inspected, used and
maintained shall be defined by the organization; for example:
- drawings, part lists, specifications;
- a listing of those drawings, part lists, and specifications necessary to define the
configuration and the design features of the product;
- information on material, processes, type of manufacturing and assembly of the
product necessary to ensure the conformity of the product.
BV Certification: The standard is clear; all documentation relating to the developed product must be
identified as part of the D&D output. These may be included in a summary report or as part of a
design review.
7.3.4 Design and development reviews

29 OF 61

Reviews shall be conducted in accordance to the time line or plan established at the beginning of
the design activity. Reviews shall show evidence that all activities required in each phase of the
design have been addressed or adjustments made. Records should show who attended the
reviews and that all concerned parties were present and that all actions were satisfied before
proceeding forward with the design process.
c) to authorize progression to the next stage.
BV Certification: Design and development (D&D) reviews may vary in terms of purpose, frequency,
complexity, formality, attendance and associated output documentation / review records. Regardless,
there must be clearly documented evidence that an authorized individual(s) has reviewed the results /
progress / status of each prescribed D&D stage / activity. Before the D&D plan can proceed to the
next stage a responsible/authorized person (or personnel) must provide documented, objective
evidence of progression approval (signatures being preferred). Progression authorization may appear
as a specific signoff on a review checklist, in review minutes, in evaluation reports, on D&D plans,
timeline charts, etc. An undocumented, passive agreement or consensus of opinion will not
sufficiently meet the intent of this requirement.
7.3.5 Design and development verification

Design verification basically means that the product can be produced as designed and that output
meets the intended inputs. Additionally it should show that the organization has the capability to
produce the product with existing equipment and has the personnel competencies or has the
ability to train or subcontract the required capabilities.
NOTE: Design and/or development verification may include activities such as:
- performing alternative calculations,
- comparing the new design with a similar proven design, if available,
- undertaking tests and demonstrations, and
- reviewing the design stage documents before release.
BV Certification: No interpretation necessary.
7.3.6 Design and development validation

Validation has to ensure capability of meeting intended use where known as well as specified
requirements, and has been completed prior to delivery and implementation wherever practicable
(typically as a prototype or first article). In most organizations they cant rely on the customer to
30 OF 61

perform the validation, the lack of a negative response from the customer does not meet the
intent of this clause. The organization should have records that the product designed will meet
defined user needs prior to delivery of the product to the customer. Methods of validation could
include simulation techniques, proto-type build and evaluation, comparison to similar proven
designs, beta testing, field evaluations, etc. Irrespective of the methods used, the validation
activity should be planned, executed with records maintained as defined in the planning activity
in 7.3.1.
NOTES:
- Design and/or development validation follows successful design and/or development
verification.
- Validation is normally performed under defined operating conditions.
- Validation is normally performed on the final product, but may be necessary in
earlier stages prior to product completion.
- Multiple validations may be performed if there are different intended uses.
7.3.6.1 Documentation of Design and/or Development Verification and Validation: At the completion
of design and/or development, the organization shall ensure that reports, calculations, test results, etc.,
demonstrate that the product definition meets the specification requirements for all identified
operational conditions.
BV Certification: This is added check to ensure, at the conclusion of the D&D effort that
documentation and supporting data that was generated during the design and subsequent
verification/validation does in fact meet all the input requirements. This clause supports the
conclusions that should have been reached at Design Review. The auditor would expect to see
evidence that verification and validation satisfy the input requirements.
7.3.6.2 Design and/or Development Verification and Validation Testing: Where tests are necessary for
verification and validation, these tests shall be planned, controlled, reviewed, and documented to ensure
and prove the following:
a) test plans or specifications identify the product being tested and the resources being used,
define test objectives and conditions, parameters to be recorded, and relevant acceptance
criteria;
b) test procedures describe the method of operation, the performance of the test, and the
recording of the results;
c) the correct configuration standard of the product is submitted for the test;
d) the requirements of the test plan and the test procedures are observed;
31 OF 61

e) the acceptance criteria are met.
BV Certification: When testing is used to support verification and validation, the test results must
meet the requirements presented in this clause.
7.3.7 Design and development changes

Design and development changes (after the original verification and validation) have to be
verified and validated as appropriate (as well as reviewed) and to include evaluation of the
effect of changes on constituent parts and products already delivered. If the organization
chooses not to perform re-verification and re-validation on every design change, then the auditor
should expect to see some very well defined criteria as to when the activity needs to occur. This
includes any changes that do not affect fit, form or function.
The organizations change control process shall provide for customer and/or regulatory authority
approval of changes, when required by contract or regulatory requirement.
BV Certification: The degree and type of the D&D change will often dictate the degree of
approval required. Other conditions for approval will be defined by the customer and/or
regulator agency. Additionally, the organization may add to (but not contradict) details.
Approval may be as little as mere notification, to distributing approved copies, up to and
including formal approval by the customer / agency) prior to implementation of the change.
Documents typically subject to this requirement include pre-approved drawings. The BV
Certification auditor will seek documented, objective evidence that such coordination has
taken place (as appropriate) and as prescribed in the organizations documented procedure.
7.4: Purchasing
7.4.1 Purchasing Process
It would be extremely uncommon for purchasing to be excluded from the quality management
system (i.e., perhaps applying to such situations as small consultancies using no subcontractors,
and using proprietary office materials and equipment that do not directly impact on product or
service performance but not to many other situations).
Where procurement is centrally controlled by a corporate procurement organization outside the
scope of the QMS of the auditee organization, this is not justification for exclusion of 7.4 in its
entirety. The audited organization is certainly responsible for providing purchasing information
(7.4.2) to the corporate procurement organization, and for verification of purchased product
(7.4.3) and perhaps participating in the re-evaluation process. In the event that a corporate
office or other entity, outside the scope of registration, performs any sections of purchasing this
32 OF 61

shall be considered an outsourced process per requirements identified in section 4.1. Bureau
Veritas Certification auditors would expect to see a documented agreement in place (i.e. an
Interface Agreement) between the organization and the supplier.
Auditor will expect to see a process is in place for evaluating and selecting suppliers as well as a
process for ongoing re-evaluation of suppliers. While a written procedure for purchasing is not
required, records of evaluation and actions arising from the evaluation are required to be
maintained.
The organization shall be responsible for the quality of all products purchased from suppliers,
including customer-designated sources.
BV Certification: In the context of this and other requirements of the Standard, product includes
parts, materials, process services, etc. It is readily apparent that an organization is ultimately
responsible for the quality of product purchased from its own suppliers / subcontractors. This
requirement extends the scope of the organizations responsibility to include that for product
purchased from customer-designated and/or customer-designated sources. The type and extent of
control exercised over customer-designated or customer-approved sources may be justifiably different
than that exercised over sources chosen / approved by the organization themselves. Regardless,
customer-approval and/or customer-designation of sources does not relieve the organization of the
responsibility to procure conforming product.
The organization shall
a) maintain a register of approved suppliers that includes the scope of the approval.
BV Certification: A register could be in most any format and media hardcopy, electronic, a paper
listing, an electronic file as part of a procurement software program, or even a manual card file. The
register must be a complete, finite compilation of all approved suppliers / vendors / subcontractors including those that are customer-designated / approved. The register must include sources that
provide goods, products and services that relate to the organizations products, processes and Quality
management system. Compiling the register(s) is a relatively simple and direct task. The second part
of this requirement . . . that includes the scope of the approval. involves more thought. The
scope of approval should describe the extent (or limitation) on what the source can (or cant) provide
or perform. The description of the scope can be narrative or coded. Some examples:
Acme Machining conventional metal machining except for chemical milling and wire EDM.
Acme Hardware Distributors all metal, mechanical fasteners except for rivets.
Acme Metal Distributors all ferrous and non-ferrous metals except for titanium and inconel.
Acme Heat Treating heat treating processes
.
33 OF 61

b) periodically review supplier performance; records [results] of these reviews shall be used as the basis
for establishing the level of controls to be implemented.
BV Certification: The periodicity of supplier performance reviews may vary across the
organizations supply base. That is, all suppliers may not have the same review frequency. Also, the
type and extent / scrutiny of the review may vary from one supplier to another. These performance
reviews should be planned and meaningful - often involving cross-functional involvement (i.e.
Quality, Purchasing, Manufacturing, Engineering). The reviews must be based on factual input data.
Recorded results are to be used to determine ongoing / future levels or control over the supplier.
Favorable performance results might justify relaxing / reducing the type/extent of control while
unfavorable results would suggest the need to tighten-up on the supplier.
c) define the necessary actions to take when dealing with suppliers that do not meet requirements.
BV Certification: This requirement relates closely to the requirement above (7.4.1 b) regarding
supplier performance reviews. Conditions / events that indicate that a supplier is not meeting
requirements might include: poor results from performance reviews, occurrences and repetition of
nonconformances, corrective action inadequacy and lateness, incoming inspection failures, untimely
delivery performance, etc. The organization needs to define / describe specific actions they will take if
the supplier is not meeting expectations / requirements. This usually includes an escalation process
beginning with simple documented notification, followed by corrective action requests, then possibly
special on-site audits and increased controls up to and including removal from the approved supplier
listing. The auditor will expect to see documented, objective evidence of actions taken.
d) ensure where required that both the organization and all suppliers use customer-approved special
process sources.
BV Certification: The intent of this requirement includes customer-approved and customerdesignated sources as well. The requirement applies not only to the organization and their immediate
suppliers but also to all lower-level, sub-tier sources involved in the contract or order. Compliance
to this requirement usually begins with thorough review of customer requirements, identifying those
sources that are customer-designated and customer-approved, then flowing-down (via purchasing
documents) the requirement to all applicable lower-level sources. It is not unusual for this requirement
to apply to sources that are 3-4 levels down in the supply chain.
e) ensure that the function having responsibility for approving supplier quality systems has the
authority to disapprove the use of sources.
BV Certification: The function having approval responsibility might not be confined to a single
person of department. Often, approval is a cross-functional or multi-functional event involving
Quality, Purchasing Engineering, Manufacturing, etc. as appropriate. If any or all of those
34 OF 61

functions (entities, personnel, departments, etc.) have been given approval responsibility, then they
must have disapproval authority as well.
7.4.2 Purchasing Information

Purchasing information may take many forms however is generally a purchase order or
requisition. The auditor will expect to see that the information clearly describes the product to be
purchased as well as any other requirements, including as appropriate:
7.4.2 a) the approval of products, procedures, processes and equipment.
7.4.2 b) the qualification requirements of personnel.
7.4.2 c) the QMS requirements.
7.4.2 d) the name or other positive identification, and applicable issues of specifications, drawings,
process requirements, inspection instructions and other relevant technical data
BV Certification: Describing the applicable issues is the essence of this requirement. Issues
refers to the revision level (number, letter, date, etc.) of the document / data that is being invoked on
the supplier. Applicable infers that the version being invoked is not necessarily the latest / current
revision an earlier version may be desired. Even if the organization does indeed wish to invoke the
latest / current version they must identify the specific revision. It is not sufficient for them to simply
state latest revision. Doing so gives the supplier insufficient, ambiguous information. The supplier
may not have the wherewithal to determine what the latest revision is and may mistakenly /
ignorantly use the latest (though outdated) version in their possession.
7.4.2 e) requirements for design, test, examination, inspection and related instructions for acceptance
by the organization
BV Certification: as applicable. When the purchased product is clearly defined (e.g. by
specifications, drawings, etc.), an understanding needs to be in place to ensure that the supplier
understands that the product must in fact meet requirements. Further, the supplier must understand
that correction and/or corrective action will be expected if the delivered products do not meet the
purchase requirements. This understanding is normally achieved through a statement to that effect in
the purchase order or in the terms and conditions (T&Cs).
7.4.2 f) requirements for test specimens (e.g., production method, number, storage conditions) for
design approval, inspection, investigation or auditing
35 OF 61

BV Certification: this clause applies, if applicable.
7.4.2 g) requirements relative to
supplier notification to organization of nonconforming product and
arrangements for organization approval of supplier nonconforming material
BV Certification: The organization must communicate these requirements to their suppliers. For
some reason, many organizations fail to communicate these requirements. Evidence of notification is
required.
7.4.2 h) requirements for the supplier to notify the organization of changes in product and/or process
definition and, where required, obtain organization approval
BV Certification: Same as notification of nonconforming product (above). Evidence of notification
is required.
7.4.2 i) right of access by the organization, their customer, and regulatory authorities to all facilities
involved in the order and to all applicable records
BV Certification: As above, evidence of notification is required.
7.4.2 j) requirements for the supplier to flow down to sub-tier suppliers the applicable
requirements in the purchasing documents, including key characteristics where required
BV Certification: As above, evidence of notification is required.
7.4.3 Verification of Purchased Product

Auditor will expect to see a process is in place to verify that purchased product meets
requirements. This may take many forms depending on the product. Auditor will verify that these
requirements are known and being accomplished. This may include receiving inspection and
testing, visual inspection, receipt of certificates of conformance etc. In the event verification will
take place at the suppliers premises the method for doing so must be stated in the purchasing
information.
Verification activities may include
a) obtaining objective evidence of the quality of the product from suppliers (e.g.,
accompanying documentation, certificate of conformity, test reports, statistical records,
process control),
b) inspection and audit at suppliers premises,
36 OF 61

c) review of the required documentation,
d) inspection of products upon receipt, and
e) delegation of verification to the supplier, or supplier certification
BV Certification: The standard provides some guidance here with respect to the type of verification
activities. Quite obviously, the auditor needs to determine which activities apply to the organization
and to then audit accordingly.
Purchased product shall not be used or processed until it has been verified as conforming to specified
requirements unless it is released under positive recall procedure.
BV Certification: It is expected product is only rarely released under positive recall prior to
verification of conformance. The organization has the responsibility of defining what verification
activities are necessary to determine conformance. Typically, this is embodied in the type and
extent of control that the organization exercises over purchased product.
Where the organization utilizes test reports to verify purchased product, the data in those reports shall
be acceptable per applicable specifications. The organization shall periodically validate test reports for
raw material.
BV Certification: When using test report to verify purchased product, the organization must be able
to substantiate that the data in the test reports is indeed acceptable. Commonly, assigned personnel
(often an individual associated with the Quality function) will review the certificates of test against the
applicable specifications, placing a check () next to the acceptable values. Initials or quality stamp
would be evidence of the review. Merely placing the certificates in a file folder is not evidence of
review.
The test reports must be validated periodically. The organization needs to define the periodicity.
Validation of the first test report each year is often used. This would be acceptable if there are no
nonconformities associated with a product. In the case of bar stock that is produced by a given mill
but purchased from several distributors, validation of the product from a single distributor would be
considered to be acceptable. The auditor needs to make a judgment with respect to the interval
between validations. Typically volume and criticality would be important considerations.
Where the organization delegates verification activities to the supplier, the requirements for delegation
shall be defined and a register of delegations maintained.
Where specified in the contract, the customer or the customers representative shall be afforded the
right to verify at the suppliers premises and the organizations premises that subcontracted product
conforms to specified requirements.
37 OF 61

BV Certification: This is another example of right of entry. The organization needs a documented
statement permitting right of entry.
Verification by the customer shall not be used by the organization as evidence of effective control of
quality by the supplier and shall not absolve the organization of the responsibility to provide acceptable
product, nor shall it preclude subsequent rejection by the customer.
7.5 Production and Service Provision

7.5.1: Control of product and service provision
There is the possibility of defining sub-clauses 7.5.1 b) work instructions, 7.5.1 c) the use of
suitable equipment, and 7.5.1 f) post delivery activities as not applicable to the scope of their
quality management system. The non-applicability of these items must be justified in the quality
manual (4.2.2 a) and must not affect the organizations ability, or responsibility to provide
product that meets customer and applicable regulatory requirements (1.2).
The auditor will expect to see that production activity is well defined and understood. This is
generally ascertained through interviews with employees on the production floor, review of
documentation and observations. The auditor will verify the following at a minimum:
Planning shall consider, as applicable,
- the establishment of process controls and development of control plans where key characteristics
have been identified,
- the identification of in-process verification points when adequate verification of conformance
cannot be performed at a later stage of realization,
- the design, manufacture, and use of tooling so that variable measurements can be taken,
particularly for key characteristics, and
- special processes (see 7.5.2).
BV Certification: These requirements generally reflect good planning. Objective evidence might
include detailed work instructions, set-up sheets, shop travellers and instructions for in-process/ final
inspection.
38 OF 61

7.5.1 a) the information describing the characteristic of the product. This may be in the form of a
work order, traveller, schedule etc.
7.5.1 b) the availability of work instructions or procedures as applicable. These may be in any
format (electronic or paper); instructions may simply be included on the work order or traveller.
Instructions do not have to be documented and could simply be provided through training. The
auditor will review Control of Document, 4.2.3 as applicable.
7.5.1 c) the use of suitable equipment. The auditor will expect to see evidence that equipment is
suitable for the process and that it is maintained. The auditor will investigate how equipment is
maintained and how malfunctions are handled. This may be in conjunction with Infrastructure
6.3.
7.5.1 d - e) the availability of suitable monitoring and measuring devices and the implementation
of monitoring and measurement. Measuring and monitoring may require record keeping i.e.
operator log sheets, inspection sheets, routers or other documentation. Documentation will be
reviewed as applicable per Control of Records 4.2.4.
7.5.1 f) the release, delivery and post delivery activities. Whether in process or final the auditor
will expect to see that release, delivery and post delivery activities are defined. This may include
release to the next process or for shipment to customers.
7.5.1 g) accountability for all product during manufacture (e.g., parts quantities, split orders,
nonconforming product)
BV Certification: The organization needs to demonstrate a process of accountability for manufactured
product. This is often accomplished through the use of travelers or through bar coding at the
workstations. The effectiveness of the process for ensuring accountability needs to be verified during
the audit. Sometimes parts are physically lost, either internally or during outside processing.
Whenever there are issues surrounding product accountability, the organization needs to demonstrate
appropriate corrective action.
7.5.1 h) evidence that all manufacturing and inspection operations have been completed as planned,
or as otherwise documented and authorized
BV Certification: Many organizations control manufacturing and inspection operations through use
of shop travellers with operator initials after each operation has been completed. A similar result can
be achieved through the use of bar codes that are scanned at each workstation. Whatever method is
used, the auditor should verify that all manufacturing and inspection operations for representative jobs
have been completed. If evidence of completion for all operations is lacking, the reason needs to be
documented and authorized.
39 OF 61

7.5.1 i) provision for the prevention, detection, and removal of foreign objects,
BV Certification: The organization must have a process for eliminating foreign objects. The extent
of control will vary widely, dependent upon the nature of the product. Service industry, for example,
would not be concerned with foreign objects. Manufacturers of solid parts without cavities might
control foreign objects by simple cleaning and packaging. Manufacturers of complex parts and
assemblies (i.e. with enclosed or deep cavities) would be expected to have more proactive processes.
Examples of measures taken to control F.O.D include detailed work instructions, shadow boards (to
identify missing tools) and F.O.D training programs.
7.5.1 j) monitoring and control of utilities and supplies such as water, compressed air, electricity
and chemical products to the extent they affect product quality
BV Certification: The key words here are to the extent necessary. Many manufacturing companies
control the quality of compressed air through the use of filters and routine maintenance of this
equipment. Organizations with sophisticated analytical instrumentation may monitor and control
power sources. Other organizations may need no special control of the utilities and supplies. The
bottom line is that if there are processes where such control is important, there must be evidence of
adequate control.
7.5.1 k) criteria for workmanship, which shall be stipulated in the clearest practical manner (e.g.,
written standards, representative samples or illustrations)
7.5.1.1 Production Documentation: Production operations shall be carried out in accordance with
approved data. This data shall contain as necessary
a) drawings, parts lists, process flow charts including inspection operations, production
documents (e.g., manufacturing plans, traveler, router, work order, process cards); and
inspection documents (see 8.2.4.1), and
b) a list of specific or non-specific tools and numerical control (NC) machine programs
required and any specific instructions associated with their use.
7.5.1.2 Control of Production Process Changes: Persons authorized to approve changes to production
processes shall be identified.
40 OF 61

BV Certification: The auditor would expect to see a procedure or a documented statement that
identifies those individuals authorized to approve changes to production processes. Engineering input
is usually required for such process changes.
The organization shall identify and obtain acceptance of changes that require customer and/or
regulatory authority approval in accordance with contract or regulatory requirements.
Changes affecting processes, production equipment, tools and programs shall be documented.
Procedures shall be available to control their implementation. The results of changes to production
processes shall be assessed to confirm that the desired effect has been achieved without adverse effects
to product quality.
BV Certification: A process should be in place to ensure that changes to not affect product quality.
Many manufacturing companies run a first piece prior to running a job. This is especially important if
there have been changes to the production process. Verification may be through operator checks or
more formal inspection. If the change is determined to be a process change, customer notification
and/or first article inspection may be necessary.
7.5.1.3 Control of Production Equipment, Tools and Numerical Control (NC) Machine Programs:
Production equipment, tools and programs shall be validated prior to use and maintained and inspected
periodically according to documented procedures. Validation prior to production use shall include
verification of the first article produced to the design data/specification.
BV Certification: see section 7.5.1.3 above.
Storage requirements, including periodic preservation/condition checks, shall be established for
production equipment or tooling in storage.
7.5.1.4 Control of Work Transferred, on a Temporary Basis, Outside the Organizations Facilities:
When planning to temporarily transfer work to a location outside the Organizations facilities, the
organization shall define the process to control and validate the quality of the work.
BV Certification: It is incumbent on the organization to demonstrate that work transferred outside,
even on a temporary basis, is performed to the requirements of this AS9100 standard. Generally, the
level of control should be more than a purchase order. Examples of such control could be approval of
41 OF 61

the suppliers quality system through third party certification or by a second party audit of the
suppliers facility. In some instances, there may be an outsourcing agreement per section 4.1.
7.5.1.5 Control of Service Operations: Where servicing is a specified requirement, service operation
processes shall provide for
a) a method of collecting and analyzing in-service data,
b) actions to be taken where problems are identified after delivery, including investigation,
reporting activities, and actions on service information consistent with contractual and/or
regulatory requirements,
c) the control and updating of technical documentation,
d) the approval, control, and use of repair schemes, and
e) the controls required for off-site work (e.g., organizations work undertaken at the
customers facilities).
BV Certification: Clearly this section applies to organizations with off-site field service functions.
This section also applies to those organizations that assist customers with end use applications for
delivered products or have in-house repair operations. Merely addressing customer product related
complaints does not constitute service. It is important to verify collection and analysis of in-service
data. It is important also that service data are disseminated within the organization and included in the
corrective action process, as appropriate. Organizations that are strictly make-to-print shops may be
able to justify exclusion of this section.
7.5.2: Validation of processes for production and service provision

This clause applies exclusively to special processes and not to all the processes of the quality
management system in general.
This clause may be considered within the quality management system as not applicable. Any
organization that does not have any special processes can clearly note this clause as not
applicable.
Where special processes have been identified, Bureau Veritas Certification auditors will expect
to see that 7.5.2 a- e have been arranged as appropriate, which includes ensuring that:
7.5.2 a) the organization establishes arrangements to ensure that these processes are reviewed
and approved.
qualification and approval of special processes prior to use

42 OF 61

BV Certification: Since special processes are, by definition, those processes where the resulting
output cannot be verified by subsequent monitoring and measurement, the auditor would expect to
see evidence that the special processes were indeed qualified and approved prior to use.
7.5.2 b) the equipment used and the personnel involved are qualified.
7.5.2 c) specific methods and procedures are used (may require documentation).
control of the significant operations and parameters of special processes in accordance with documented
process specifications and changes thereto,
7.5.2 d) records are maintained.

7.5.2 e) re-validation is performed for those instances where, for example, a deficiency is found.
As an example, it may be determined that an individual is actually not qualified to
perform a particular special process. Training may be provided to improve the
individuals skills, following which the individuals qualifications should be re-validated
to ensure they are capable of providing the planned results.
7.5.3: Identification and traceability

Organizations cannot completely exclude 7.5.3. Despite the phrase where appropriate, no
organization can wholly claim non-applicability for identification. However, traceability can
be identified as not applicable where it is not a requirement of the customer, the product
regulatory requirements, or of the organization itself.
The auditor will expect to see that product is identified (as appropriate) and its status with
regards to monitoring and measuring (conforming or not) is identified throughout the product
realization processes. Where traceability is a requirement, the auditor will expect to see that the
organization is controlling and recording the unique identification of the product. This
documentation is a required record per Control of Records 4.2.4.
The organization shall maintain the identification of the configuration of the product in order to
identify any differences between the actual configuration and the agreed configuration.
BV Certification: This section relates directly to Configuration Management, see detailed explanation
under section 4.3.
43 OF 61

When acceptance authority media are used (e.g., stamps, electronic signatures, passwords), the
organization shall establish and document controls for the media.
According to the level of traceability required by contract, regulatory, or other established requirement,
the organizations system shall provide for:
a) identification to be maintained throughout the product life
b) all the products manufactured from the same batch of raw material or from the
same manufacturing batch to be traced, as well as the destination (delivery, scrap)
of all products of the same batch
c) for an assembly, the identity of its components and those of the next higher assembly to
be traced
BV Certification: The main issue here is the nature of the identification. The organization that is
manufacturing to customer specifications or drawings cannot add unauthorized identification to
manufactured product. However, depending upon the product, the organization may record
manufacturing job numbers and lot numbers of subassemblies and purchased components.
According to the level of traceability required by contract, regulatory, or other established requirement,
the organizations system shall provide for:
d) for a given product, a sequential record of its production (manufacture, assembly, inspection) to
be retrieved.
BV Certification: Job travelers or electronic bar codes provide a sequential record of production.
Production documentation are quality records and should be controlled in accordance with section
4.2.4
7.5.4: Customer property

The auditor will expect to see that the organization has clearly identified any and all customer
property. The auditor will verify that the organization has established a process to protect
customer property. Further a process must be established for contacting the customer when these
items are lost, damaged or otherwise found unsuitable for the process. This communication to the
customer must be maintained as a Quality Record 4.2.4.
Customer property may include (not limited to):
Components supplied for inclusion into the product.

44 OF 61


Packaging material
Transport
Intellectual property drawings, specifications etc including customer furnished data used
for design, production and/or inspection.
BV Certification: The aerospace community makes extensive use of proprietary blueprints, drawings,
specifications and similar documents, in electronic and/or hard copy format. The documents themselves
often indicate the confidential nature of these documents. The organization must have evidence of a
process for proper disposition of obsolete documents. Dumpster does not demonstrate adequate
control.
Equipment or tools
7.5.5: Preservation of product

Auditor will expect to see that adequate measures are taken to protect/preserve product during
internal processing and delivery to the intended destination. The preservation process must
include the following:
Identification - this is relative to 7.5.3 Identification and Traceability however for

preservation of product it is a requirement and not as applicable. Auditor will expect to
see that all products are clearly identified.
Handling - auditor will verify that suitable handling methods are implemented throughout
the processes. This may include bulk handing using moving equipment or physical
contact where handling may influence product conformity.
Packaging - auditor will expect to see that methods have been established for packaging
product to preserve integrity.
Storage - auditor will expect to see that product is stored in locations and in a manner to
safe guard product.
Protection auditor will verify that appropriate measures are in place to protect product.
This may vary widely depending on the product.
Preservation of product shall also include, where applicable in accordance with product specifications
and/or applicable regulations, provisions for:
a) cleaning;
b) prevention, detection and removal of foreign objects;
c) special handling for sensitive products;
45 OF 61

d) marking and labelling including safety warnings;
e) shelf life control and stock rotation;
f) special handling for hazardous materials.
BV Certification: Preservation of product should be observed throughout the product realization
process. In a manufacturing environment, parts may, for example, be separated to prevent surface
damage and covered to prevent contamination. There should be a process for controlling shelf life
sensitive products. A good practice would be to have a system for the positive recall of shelf life
sensitive products before the expiration date.
The organization shall ensure that documents required by the contract/order to accompany the product
are present at delivery and are protected against loss and deterioration.
BV Certification: Organizations generally take precautions to ensure that the proper documents are
present at shipping. It is considerably more difficult to ensure that they are present at delivery. Some
companies fax duplicate documents to their customers. The auditor might check records of customer
complaints to determine whether there have been complaints relating to missing documents and to
review any subsequent actions.
7.6: Control of monitoring and measuring devices

Companies with no measuring equipment can claim non-applicability for this (as addressed
from paragraph 3 of section 7.6 of the standard onwards).
The clause addresses devices as well as equipment, and reconfirmation of computer software as
necessary. The first two paragraphs address monitoring and measuring devices, and can be
applicable to service companies as well as manufacturing organizations. For example, in a
training organization, where consistency of evaluating and grading trainees (the product) needs
to be assured, then calibration may be applicable.
The organization shall maintain a register of these monitoring and measuring devices, and define the
process employed for their calibration including details of equipment type, unique identification,
location, frequency of checks, check method and acceptance criteria.
BV Certification: The register could be in most any format and media hardcopy, electronic, a
paper listing, an electronic file as part of a calibration software program, or even a manual card file.
The register must be a complete, finite compilation of all devices under calibration control - including
those owned by the company, by its employees (if used for conformity acceptance), and those that are
46 OF 61

customer-supplied. Company-owned devices that are on loan to suppliers are to be included as well.
Even if a device is calibrated by anoutside service provider it must be on the list. Inactive devices
(though not currently under calibration control) should be on the list (with its status so noted). The
register must also include pertinent data described by the Standard (e.g. device type and identification
number, location, calibration frequency, check method, acceptance criteria, etc.).
NOTE: Monitoring and measuring devices include, but are not limited to: test hardware, test software,
automated test equipment (ATE) and plotters used to produce inspection data. It also includes
personally owned and customer supplied equipment used to provide evidence of product conformity.
The organization shall ensure that environmental conditions are suitable for the calibrations,
inspections, measurements and tests being carried out.
BV Certification: The auditor should verify that the suitable environmental conditions are defined
and that calibration, monitoring and measuring activities have been performed in accordance with
these defined conditions. Sending measuring and test equipment to an outside laboratory does relieve
the organization of controlling this requirement.
7.6 a) be calibrated or verified at specific intervals or prior to use. Devices must be calibrated
using measurement standards traceable to international or national measurement standards.
Where there is no standard available for the device the basis for calibration or verification
must be recorded. Auditor expects to see that traceable standards are used and where
applicable have not expired. Where calibration is completed by an outsourced process
(vendor), the records of traceability must be reviewed.
7.6 b) Adjusted or readjusted as necessary. Auditor will expect to see evidence that devices
found to be out of calibration are adjusted/re-adjusted by qualified personnel and the
validity of the previous measuring results are accessed when a device is found to be out of
calibration and appropriate action is taken (may include recall of product). Auditor will
expect to see that a process is in place to provide traceability of each device to the
process/product the device was used on. The results of calibration and verification are
required to be maintained as quality records.
7.6 c) be identified to show calibration status. Auditor will expect to see that each device is
identified in such a way that the user can determine that the device has current calibration.
Generally this is accomplished with a calibration sticker that provides a unique
identification for the device, current calibration date and next calibration date. Other
methods may be used however must clearly identify the calibration status. Where the
47 OF 61

environment is not contusive to the use of stickers, status may identified by color coding,
identification number with associated calibration record, and/or calibrated prior to very use.
7.6 d) Safeguarded from adjustments. Auditor would expect to see that a process is in place to
ensure that users outside the calibration process do not adjust devices. Devices may be
verified prior to use however any adjustments made to a device must meet all requirements
of this section.
7.6 e) be protected from damage during handling, maintenance and storage. Auditor will expect
to wee that measuring devices are handled and stored in a manner to protect the device
from damage.
7.6 f) be recalled to a defined method when requiring calibration.
BV Certification: Typically there is a spreadsheet or database that lists the date that calibration was
due for calibration and the dates when the calibration was actually performed. A review of
instruments past due for calibration should provide an indication of the effectiveness of the recall
process.
The auditor will expect to see a process is in place to determine required measuring and
monitoring to be accomplished as well as the devices needed to provide evidence of conformity.
Many facilities use calibration software including a calibration master list of all devices. While
this is not required, all devices requiring calibration must be identified and shall:
Clause 8: Measurement, Analysis and Improvement

8.1: General
The means (i.e. processes) and resources for accomplishing the three (3) requirements must be
planned for and implemented. The processes must address four (4) different, but related,
aspects:
1) Monitoring (i.e. examination, information and data collection, and reporting)
2) Measurement (i.e. determination and comparison of performance indicators against
actuals against knowns, or against expectations and requirements i.e.
inspections, tests, product and process audits, systems audits, SPC, etc.)
3) Analysis (review of data, evaluation of results and variances, causation analysis,
application of statistical techniques, etc.)
4) Improvement (i.e. corrective and/or preventive action, refinement, enhancement,
etc.)
48 OF 61

The various techniques, methodologies, resources, tools (including statistical techniques), and
applicable procedures need to be determined for these Measurement, Analysis and Improvement
processes. This is not for an organization to state that there is no need to use a statistical
technique, if there is variability in their process or product characteristics, then there is a need for
the use of a statistical technique.
Fulfillment of the requirements in Section 8 is important if the organization is to fully embrace
and effectively apply the principles of the Process Model and the Plan Do Check Act
model.
8.2: Monitoring and Measurement

8.2.1: Customer Satisfaction
It is recognized / understood that Customer Satisfaction is:

A viable, effective (albeit partial) measurement of the performance (merits, benefits,

adequacy, suitability, effectiveness, etc.) of the quality system.
An objective, goal, expectation of the quality system.
ISO 9000:2000, 3.3.5 defines the Customer as the organization or person that receives a
product. The examples stated are; consumer, client, end-user, retailer, beneficiary and
purchaser. It is intended that the customer satisfaction measurements be focused on external
customer but in addition can include internal customers. Internal customer satisfaction measures
can be contained in the establishment of the organizations defined internal process measurable
objectives. Measuring only internal customer satisfaction would not meet the intent of this clause
and must include all interested parties where appropriate.
Customer Satisfaction is determined by the organization measuring its customers perception as to
whether they have satisfied their customers requirements and may be somewhat subjective or
qualitative as much as quantitative. Customer complaints are a common indicator of low
customer satisfaction but their absence does not necessarily imply high customer satisfaction.
Simply capturing customer complaints and product returns will only gauge dis-satisfaction
which does not fully meet the intent of the clause and will not satisfy these requirements. The
organizations management should analyse the implications of the absence or existence of
customer complaints.
Process definition is needed. The various techniques, methodologies, tools, resources, etc.
(forms, surveys, frequency, targeted customers, responsibilities, external survey service
companies, benchmarking, etc.) and applicable procedures need to be determined for:
49 OF 61

1) Obtaining customer satisfaction information (i.e. identifying, collecting, monitoring
and reporting various data/information)
2) Using customer satisfaction information (analyzing, understanding and responding to
i.e. making changes, corrections, enhancements and improvements to the
products/services/quality system)
The
requirements

5.2
8.4 a)
8.5.1
5.6.2 b)
7.2.3
in
8.2.1
interrelate
closely
with
those
in
sub-clauses:
Customer Focus (. with aim of enhancing customer satisfaction.)

Analysis of Data customer satisfaction
Continual Improvement (via analysis of data)
Management Review Input customer feedback
Customer Communication customer feedback & complaints
8.2.2: Internal Audit

IMPORTANT INITIAL CERTIFICATION REQUIREMENT:
For a new/first time
registration/certification, a full round of internal audits, including documented evidence that all
processes and sections of the standard have been audited, must be completed prior to the
registration/certification audit being conducted. For multi-site/corporate certifications all
processes performed at each site must be included in the initial round of internal audits. It is an
expectation that internal audit planning and the evaluation of the internal audit results across all
sites will be performed by the headquarters location (i.e. centrally managed). The results of this
evaluation are to be presented during the management review process (see 5.6). The organization
shall have documented conclusions based on the outcomes of all process, product and system
audits in terms of the effectiveness of the QMS based on audit results. This may be in a standalone document (e.g. Annual Audit Report) or be a part of the management review records. The
conclusions should be based on the audit team leaders conclusions along with the audit team.
Auditor will expect to see a documented procedure developed that defines responsibilities and
requirements for planning and conducting audits, reporting results and maintaining records (see
4.2.4). The Auditor must make a determination if the internal audit process is effective in
maintaining the integrity of the quality management system. A statement indicating the level of
effectiveness must be included in the summary section of the Bureau Veritas Certification audit
report. In the event the auditor cannot state that the audit process is effective, a nonconformance
should be raised.
Internal audits shall be planned based on the status and importance of the processes executed, in
other words more emphasis (time audited) on those processes that have a direct or significant
impact on the achievement of the organizational goals. In addition, previous audit results must be
50 OF 61

considered in the scheduling of future internal audits. Auditor will expect to see a schedule (plan)
that has been developed considering the status and importance of the processes, previous audit
results, and selection/assignment of auditors to ensure objectivity/impartiality (auditors can not
audit their own work). Bureau Veritas Certification expects the internal audit process and
internal audit schedules will reflect the process approach. If the organization only has an audit
schedule based on the clauses of the standard, then this will not be considered acceptable, would
not be reflective of the process approach, not based on the status and importance of the processes
or reflect previous audit results. In all likelihood this will result in a nonconformance to the
standard against 8.2.2.
The auditor must see evidence that the audits include the requirements of ISO 9001:2000 as well
as the requirements established by the organization. Nonconformances raised during the audit
must be addressed without undue delay. The auditor will expect to see that a process is in place
to ensure that actions taken are implemented to eliminate the nonconformance and the cause. A
process must be in place for follow up to ensure that the action(s) taken were effective. The
results must be recorded. Auditors would expect to see that nonconformances follow the
requirements of 8.5.2. However, there is no requirement to have one corrective action system and
therefore it is acceptable to have a separate process for audit nonconformances as long as
requirements for corrective action 8.5.2. are being met.
Requirements of 8.2.2 interrelate closely with those in sub-clauses:
5.6.2 a) Management Review Input results of audits
8.5.1
Continual Improvement (via use of audit results)
8.5.2
Corrective Action (to eliminate deficiencies found in the audit)
8.5.3
Preventive Action (resulting from audit, analysis and observations)
Detailed tools and techniques shall be developed such as check sheets, process flowcharts, or any
similar method to support audit of the quality management system requirements. The acceptability of
the selected tools will be measured against the effectiveness of the internal audit process and overall
organization performance.
Internal audits shall also meet contract and/or regulatory requirements.
BV Certification: Although the organization needs to demonstrate the use of detailed tools and
techniques, there is considerable latitude with respect to what those might be. An important point
here is that the audit process must provide an accurate reflection of the effectiveness of the audit
process and the organizations performance. If the internal audit process has indicated few areas for
corrective action while the third party audit has identified numerous areas of nonconformance, the a
formal corrective action request may be justified.
8.2.3: Monitoring and Measurement of Processes

51 OF 61

Applicable processes need to be identified in the Quality Manual, along with a description of the
interaction between those processes. The applicable processes might include those relating to
four general categories: 1) Management Activities, 2) Resource Management, 3) Product
Realization, and 4) Measurement and Monitoring, but most companies will prefer to focus on
their own particular COPS, MOPS, and SOPS.
Fulfillment of the requirements in this sub-clause is important if the organization is to fully
embrace and effectively apply the principles of the Process Model, the Plan Do Check Act
model.
The

requirements
of
8.2.3
interrelate
closely
with
those
in
sub-clauses:
4.2.2 c) Quality Manual (include a description of interaction between processes)

5.6.2 a) Management Review Input (process performance)
8.5.1 Continual Improvement (via analysis of data)
4.1 e & f) General Requirements (to implement, measure, monitor, Analyze and
continually improve the processes).
The organization should identify monitoring, and, where appropriate, measurement methods to
evaluate process performance. The organization should incorporate these measurements into
processes and use the measurements in process management. Measurements of process
performance should cover the needs and expectations of interested parties in a balanced manner.
Examples (from ISO 9004:2000) might include:

Process capability
Reaction time
Cycle time or throughput
Measurable aspects of dependability
Yield
The effectiveness and efficiency of the organizations people
Utilization of technologies
Waste reduction
Cost allocation and reduction
In the event of process nonconformity, the organization shall

a) take appropriate action to correct the nonconforming process,
b) evaluate whether the process nonconformity has resulted in product nonconformity, and
c) identify and control the nonconforming product in accordance with clause 8.3.
BV Certification: Processes need to be monitored, measured and analyzed (section 4.1). If the
process metrics indicate an area of nonconformance, the nonconformity must be corrected, i.e. as part
52 OF 61

of continual improvement. It is anticipated that section 8.2.3 can be audited together with section 4.1.
If the process nonconformity has resulted in a product nonconformity, the audit trail could lead to
corrective action (section 8.5.2) and control of nonconforming product (section 8.3).
8.2.4: Monitoring and Measurement of Product

The organization must show evidence that a process is in place to monitor and measure the
characteristics of product to verify that requirements are being met. This must be accomplished
at appropriate stages of the product realization process and must be defined as required per
Planning of Product Realization 7.1. Auditor will verify that records are maintained to provide
evidence of conformity and indicate the person(s) authorizing the release of products. The
release of product or delivery of service must not be completed until the planned requirements
(7.1) have been met. For product release or service delivery, the planning requirements may be
waived, but must be approved by relevant authority and by the customer as appropriate.
When key characteristics have been identified, they shall be monitored and controlled.
When the organization uses sampling inspection as a means of product acceptance, the plan shall be
statistically valid and appropriate for use. The plan shall preclude the acceptance of lots whose samples
have known nonconformities. When required, the plan shall be submitted for customer approval.
BV Certification: The requirement for statistically valid sampling applies when the organization
chooses to use sampling inspection. If the organization has had the use of a sampling plan imposed on
it by a customer or through the requirements of a product specification, then the organization is
expected to follow those requirements.
When an organization chooses to use sampling inspection it must be based on a statistically valid plan
in which the acceptance number is zero and the reject number is one. The use of any plan that allows
the acceptance number other than zero shall result in a major nonconformity by the Bureau Veritas
Certification auditor, as such a plan allows nonconforming product to enter the supply chain.
Product shall not be used until it has been inspected or otherwise verified as conforming to specified
requirements, except when product is released under positive-recall procedures pending completion of
all required measurement and monitoring activities.
BV Certification: Although it is anticipated that product is only rarely released under positive
recall prior to verification of conformance, the organization has the responsibility of defining the
necessary controls.
53 OF 61

8.2.4.1 Inspection Documentation: Measurement requirements for product or service acceptance shall
be documented. This documentation may be part of the production documentation, but shall include
a) criteria for acceptance and/or rejection,
b) where in the sequence measurement and testing operations are performed,
c) a record of the measurement results, and
d) type of measurement instruments required and any specific instructions associated with their use.
BV Certification: No interpretation necessary
Test records shall show actual test results data when required by specification or acceptance test plan.
Where required to demonstrate product qualification the organization shall ensure that records provide
evidence that the product meets the defined requirements.
8.2.4.2 First Article Inspection: The organizations system shall provide a process for the inspection,
verification, and documentation of a representative item from the first production run of a new part, or
following any subsequent change that invalidates the previous first article inspection result.
NOTE: See (AS) (EN) (SJAC) 9102 for guidance.
BV Certification: First article inspection, as opposed to first piece inspection, is performed in
response to contract requirements. The auditor would expect to see evidence of representative first
article inspection and customer acceptance (e.g. stamp or signature).
8.3: Control of Nonconforming Product

The Auditor will verify that a documented procedure has been developed to define the controls,
responsibilities and authorities for dealing with nonconforming product. Product that does not
meet requirements must be identified and controlled. The auditor will expect to see that
nonconforming product is clearly labelled and segregated to prevent unintended use.
It is important to note that requirements may extend beyond delivery of product, and/or to the
point or time of use (i.e. during shipment/transit, until received and accepted at the customer,
while on consignment at customers facility, etc.) This also suggests that the organization may
be responsible to take action, even after use of the product has begun. Appropriate objective
evidence (quality records) must be maintained.
54 OF 61

NOTE: The term nonconforming product includes nonconforming product returned from a
customer.
BV Certification: Clearly returned goods need to be controlled in accordance with the organizations
nonconforming product procedures. The auditor should check to verify that returned goods are clearly
identified and that records are in place to demonstrate control and ultimate disposition.
The organizations documented procedure shall define the responsibility for review and authority for
the disposition of nonconforming product and the process for approving personnel making these
decisions.
BV Certification: The organization needs to define both the responsibility for review and authority
for the disposition of nonconforming product. This definition needs to be quite specific. Merely
saying MRB, Quality or Engineering is insufficient. If the responsibility and authority for
addressing nonconforming product rest jointly with the Plant Manager and Director of Quality, for
example, the procedure should state that. If the responsibilities are delegated, there should be evidence
of the delegation and the credentials of those selected for the delegated functions. There should be
evidence that documents detailing disposition of nonconforming product have been signed by the
authorized agents. That is, those individuals who actually disposition nonconforming product must be
those designated in the procedure.
Requirements of 8.3 interrelate with those in sub-clauses:

8.2.1 Customer Satisfaction (possible impact upon)

8.4 b) Analysis of Data (information relating conformance to product requirements)
8.5.2 Corrective Action (take action to eliminate cause of nonconformities and the
action shall be appropriate to the effects)
There are only four possibilities auditors should see as dispositions of nonconforming product, 1scrap, 2- rework or repair, 3- re-grading of the product, or 4 use with the concession of the
customer and records maintained. Obviously reworked or repaired product requires subsequent
verification prior to release.
The organization shall not use dispositions of use-as-is or repair, unless specifically authorized by the
customer, if
- the product is produced to customer design, or
- the nonconformity results in a departure from the contract requirements.
Certification: No interpretation necessary.
55 OF 61

Unless otherwise restricted in the contract, organization-designed product which is controlled via a
customer specification may be dispositioned by the organization as use-as-is or repair, provided the
nonconformity does not result in a departure from customer-specified requirements.
Product dispositioned for scrap shall be conspicuously and permanently marked, or positively
controlled, until physically rendered unusable.
BV Certification: Red Dyekem, reject tags and locked quarantine storage are commonly used to
control product dispositioned for scrap. The organizations procedure that addresses control of
nonconforming product should include a description of the method used.
In addition to any contract or regulatory authority reporting requirements, the organization's system
shall provide for timely reporting of delivered nonconforming product that may affect reliability or
safety. Notification shall include a clear description of the nonconformity, which includes as necessary
parts affected, customer and/or organization part numbers, quantity, and date(s) delivered.
BV Certification: Since Control of Nonconforming Product is a required procedure, all notification
criteria must be listed. Of course, notification of any instances of delivered nonconforming product
must include all required information.
NOTE: Parties requiring notification of nonconforming product may include suppliers, internal
organizations, customers, distributors, and regulatory authorities.
8.4: Analysis of Data

The Auditor will expect to see that the organization has developed a process to identify, collect
and analyse various data and information from both internal and external sources (i.e. quality
records, monitoring and measuring results, process performance results, quality objectives,
internal audit findings, customer surveys and feedback, 2nd or 3rd-party audit results, competitor
and benchmarking information, product test results, complaints, supplier performance
information, etc., etc.). This input (information and data) should reflect upon the adequacy,
suitability, and effectiveness of the Quality Management System and its processes. The output
(result of the analysis) must provide information (understanding, insight, awareness, confidence,
knowledge of, etc.) about:

Customer Satisfaction / Perception.

Product Conformance
56 OF 61


Process performance
Product / Process Characteristics
Trends in Products / Processes
Opportunities for Preventive Action
Suppliers and subcontractors (i.e., all as defined in 8.4 a)-d))
Other potential or useful options might include:

Need for Corrective Action

Opportunity for Improvement
Competition
Requirements of 8.4 interrelate with those in sub-clauses:

5.6.2
8.5.1
8.5.2
8.5.3
Management Review Input

Continual Improvement
Corrective Action
Preventive Action
8.5: Improvement
8.5.1: Continual Improvement
Distinction must be made between continual and continuous improvement. Unlike
continuous improvement (which must be constant, steady and always positive), continual
improvement may show signs of dwells, momentary set-backs, delays or slight reversal
provided the overall trend is positive/improving.
The auditor will expect to see a process is in place for establishing and implementing continual
improvement. Significant or sustained lack of improvement must be met with corrective action
(i.e. get well plan) unless the undesirable condition is expected/predicted resulting from a
conscious/deliberate decision by management (i.e. willingness to accept a temporary setback in
productivity while new equipment/ processes are introduced.)
Drivers, or impetus for continual improvement must come from the use of (as a minimum):

The quality policy

Quality objectives
Audit results
Analysis of data
Corrective actions
57 OF 61


Preventive actions
Management review
Requirements of 8.5.1 interrelate with those in clauses / sub-clauses:

5.6.2 g) Management Review Input (recommendations for improvement)

5.6.3 a - b) Management Review Output (improvement of system, processes and
product)
8.4
Analysis of Data
8.5.2
Corrective Action
8.5.3
Preventive Action
Note: it is the responsibility of the company to demonstrate improvement rather than the auditor
to look for it. Accordingly, it is useful audit practice to ask management to identify any
improvement initiatives taken since the previous visit, and also any planned for the future.
8.5.2: Corrective action

Corrective action is action taken to PREVENT the recurrence of actual problems. When a
problem occurs, organizations invariably take remedial or containment action, or implement
CORRECTION to contain or fix the immediate problem. Corrective action (as addressed in ISO
9001:2000 8.5.2) is any subsequent action to address the root cause and prevent recurrence.
The auditor will verify that a documented procedure is in place to define the requirements for
corrective action:
8.5.2 a) Reviewing nonconformities auditor will expect to see a process is in place for
identifying nonconformities (types) and reviewing them to determine if the nonconformity
requires corrective action. The section specifically identifies customer complaints however other
sections such as internal audits, nonconforming product, monitoring and measurement of
processes reference corrective action. Sources from ISO 9004:2000 include:
Customer complaints
Nonconformity reports
Internal audit reports
Output from management review
Output from data analysis
Outputs from satisfaction measurements
Relevant quality management system records
The organizations people
58 OF 61

Process measurements
Results of self assessment
8.5.2 b) Determining cause auditor will expect to see a process is in place for determining root
cause.
8.5.2 c) Evaluating action needed to prevent recurrence auditor will expect to see evidence that
action(s) are evaluated and developed to prevent the noncoformance from recurring.
8.5.2 d) Implementing action evidence that actions are implemented. There is no requirement
for time however auditor will expect to see evidence that actions are taken in a timely manner.
8.5.2 e) Maintaining records - corrective actions are required to be maintained as quality records
per 4.2.4.
8.5.2 f) Reviewing action taken auditor will expect to see a process in place for reviewing
completed corrective action to ensure that the action taken was effective in correcting the
nonconformity.
8.5.2 g) flow down of the corrective action requirement to a supplier, when it is determined that the
supplier is responsible for the root cause, and
BV Certification: Suppliers need to undertake corrective action to address nonconformities that they
have caused. The Supplier Corrective Action Request (SCAR), although not specifically required as
such, is commonly used. The organization needs to obtain evidence from the supplier of corrective
action that meets the corrective action protocol as defined by the AS9100 standard. Organizations
often claim that is difficult to get a meaningful corrective action response from a supplier.
Nevertheless, when a nonconformity requires more than simple correction, the auditor would expect to
see evidence that the organization is working with the supplier to achieve effective corrective action.
This could include the organizations assistance. In some cases, the organizations quality and
engineering may support of the suppliers corrective action initiatives.
A documented procedure shall be established to define requirements for
8.5.2 h) specific actions where timely and/or effective corrective actions are not achieved.
BV Certification: The clients procedure that controls corrective action must define those specific
actions that the organization takes where timely and/or effective corrective actions are not achieved.
There are many types of actions that might be taken. These include discussion of open corrective
actions at management review meetings, e-mail reminders to the responsible individual(s) and
escalation of notification, often up to the ranking site executive. The auditor would expect to see
evidence that the specific actions were indeed taken. The auditor may want to review also the
59 OF 61

corrective action history to verify that the actions are timely and effective. It should be noted that
this is a somewhat gray area in that complex corrective action may take considerable time to complete
and verify. Nevertheless, if multiple corrective actions remain open after say six months, there is
likely a broken process.
Note: The organization may choose to maintain one document for both corrective and preventive
action. While this is acceptable, Bureau Veritas Certification believes that the processes are
unique and should be documented separately.
Note: Organizations are free to use their own terminology (i.e., many define corrective action as
the fix and preventive action as the subsequent cure). There is no problem with this provided
they are not claiming that this preventive action (i.e., after the event) meets the requirements of
8.5.3 (action taken before the event).
Note: For multi-site/corporate certifications auditors will expect to see that evaluation of
corrective actions across all sites is being performed and analyzed (usually from the headquarters
location). This would be an input to management review (see 5.6.2).
8.5.3: Preventive action

The auditor will verify that a documented procedure is in place to define the requirements for
preventive action:
8.5.3 a) Determining potential nonconformities - auditor will expect to see evidence that a
process is in place for determining potential nonconformities. This may include many methods.
Sources from ISO 9004:2000 include:
Use of risk analysis tools.

Review of customer needs and expectation.
Market analysis.
Management review output.
Output from data analysis.
Satisfaction measurements.
Process Measurements.
Lessons learned from past experience.
Results of self-assessment.
Processes that provide early warning of approaching out-of-control
operating conditions.
60 OF 61

8.5.3 b) Evaluating action needed to prevent occurrence auditor will expect to see evidence that
action(s) are evaluated and develop to prevent the occurrence of potential nonconformances.
8.5.3 c) Implementing action evidence that actions are implemented. There is no requirement
for time however auditor will expect to see evidence that actions are taken in a timely manner.
8.5.3 d) Maintaining records - preventive actions are required to be maintained as quality records
per 4.2.4.
8.5.3 e) Reviewing action taken auditor will expect to see a process in place for reviewing
completed preventive action to ensure that the action taken was effective.
Preventive action is action taken to PREVENT the occurrence of potential problems. The
organization might welcome some auditor guidance on terminology. Many companies
(especially small companies with simple systems) are struggling to identify opportunities to
satisfy 8.5.3, as most of the standard is, in fact, focused on prevention. Anything related to
evaluation of risk and related actions, or action to prevent an early dip in a trend graph becoming
a problem can be accepted as objective evidence of compliance as well as clear up-front
preventive initiatives, of course.
Reviewed By Authorized By
Ralph
McLouth
Zach Pivarnik
Rev Date
New May 9,
2007
Rev # Location
0
BMS
61 OF 61
Change History

As9100 Interpretations

Загружено:

Сведения о документе

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Доступные форматы

As9100 Interpretations

Загружено:

Авторское право:

Доступные форматы

Bureau Veritas Certification Interpretations of The Standard.

Guidance for Quality Management System Auditors.

Bureau Veritas Certification Interpretations of The Standard.

Bureau Veritas Certification Interpretations of The Standard.

Bureau Veritas Certification promotes the identification of Customer Oriented Processes

Bureau Veritas Certification Interpretations of The Standard.

Bureau Veritas Certification Interpretations of The Standard.

Process performance data

TABLE A: Cross-linked references

Relevant further clauses

5.4.2 QMS planning

Bureau Veritas Certification Interpretations of The Standard.

4.2: Documentation Requirements

Bureau Veritas Certification Interpretations of The Standard.

4.2.2: Quality Manual

Bureau Veritas Certification Interpretations of The Standard.

Bureau Veritas Certification Interpretations of The Standard.

The size of the organization and the type of activities;

Bureau Veritas Certification Interpretations of The Standard.

4.2.3: Control of Documents

Bureau Veritas Certification Interpretations of The Standard.

4.2.4: Control of Records

Identification the procedure must identify the system/process is in place to identify

Bureau Veritas Certification Interpretations of The Standard.

A spreadsheet or other document may be used to identify the above requirements.

Configuration Management: The organization shall establish, document and maintain a

Bureau Veritas Certification Interpretations of The Standard.

Element 5: Management Responsibility

5.1: Management Commitment

Bureau Veritas Certification Interpretations of The Standard.

5.2: Customer Focus

5.3: Quality Policy

Bureau Veritas Certification Interpretations of The Standard.

Bureau Veritas Certification Interpretations of The Standard.

5.4.2: Quality Planning

Bureau Veritas Certification Interpretations of The Standard.

5.5: Responsibility, Authority and Communication

5.5.2: Management Representative

Bureau Veritas Certification Interpretations of The Standard.

5.5.3: Internal Communication

5.6: Management Review

Bureau Veritas Certification Interpretations of The Standard.

5.6.2: Management review input

5.6.3: Management review output

Element 6: Resource Management

Bureau Veritas Certification Interpretations of The Standard.

6.2: Human Resources

6.2.2: Competence, awareness and training

Bureau Veritas Certification Interpretations of The Standard.

Classroom style, tutor led training;

Observation of personnel performing their duties;

Bureau Veritas Certification Interpretations of The Standard.

Bureau Veritas Certification Interpretations of The Standard.

6.4: Work Environment

Bureau Veritas Certification Interpretations of The Standard.

Element 7: Product Realization

7.1: Planning of product realization

7.2: Customer Related Processes

Bureau Veritas Certification Interpretations of The Standard.

Specific to 7.2.1 (a)

Specific to 7.2.1 (b)

Specific to 7.2.1 (c)

Bureau Veritas Certification Interpretations of The Standard.

7.2.2: Review of requirements related to the product