BVC+ISO 9001+2008+interpretation

Bureau Veritas Certification Interpretations
Expectations for Companies Certifying to ISO 9001:2008.
Bureau Veritas Certification has established certain minimum expectations for companies who
wish to register their Quality Management Systems (QMS) to ISO 9001:2008. These expectations
are based upon our understanding of the requirements of the standard and the requirements for
third party registration/certification to the standard gained through our collective experience in
auditing quality management systems of many varied applications.
Additionally, The ISO Technical Committee (TC) has developed several guidance documents for
various requirements of ISO 9001:2008. These documents are available to the public via Internet
website http://www.bsi.org.uk/iso-tc176-sc2. These documents are referred to throughout this
document.
Auditor Notes:
This document is not intended to add to, minimize, or in any way modify the requirements of the
standard and the requirements for accredited certification to the standard. It is meant to be a
guidance tool for Bureau Veritas Certification auditors and clients providing common
understanding on the intent of the standard and certification requirements in addition to providing
clarification of the text. For organizations seeking registration/certification, this document provides
insight as to the expectations of Bureau Veritas Certification auditors.
In order to claim conformity with ISO 9001:2008, the organization has to be able to provide
objective evidence of the effectiveness of its processes and its quality management system.
Clause 3.8.1 of ISO 9000:2005 defines ‘Objective evidence’ as ‘Data supporting the existence or
verification of something’ and notes that ‘Objective evidence may be obtained through
observation, measurement, test or other means’. Objective evidence does not necessarily depend
on the existence of documented procedures, records or other documents, except where specifically
mentioned in ISO 9001:2008. In some cases, (for example, in clause 7.1{d} Planning of product
realization, and clause 8.4 Monitoring and measurement of product), it is up to the organization to
determine what records are necessary in order to provide objective evidence.
This document has been updated to meet the ISO 9001:2008 requirements; the intent of the
standard did not change from 2000 to 2008. There were many “text” changes, mainly for clarity
and alignment to ISO 14001. BVC’s position is “there are no new requirements to ISO
9001:2008”. A currently certified company to ISO 9001:2000 would meet the intent of the 2008
revision and clients may not be required to make changes to their QMS based on the new text.
General text changes include, but are not limited to: alignment of ISO 14001, many notes have
been added for clarity and guidance, definition of product was added, process approach is required,
statutory requirements and legal requirements clarified, calibration (7.6) now called equipment
changed from devices, other subtle changes in text are listed below in detail, as needed.
Page 1 of 42
Interpretation of Jan 10 2010 Rev. level 7
ISO 9001:2008 Interpretations

Element 4: Quality Management System
4.1: General
Section 4.1 includes the general requirements that must be met in order to establish, implement
and continually improve the effectiveness of a quality management system meeting the
requirements of the standard. These requirements are referenced to and/or further defined in
subsequent clauses of the standard. Table A, shown below, contains the cross-linked references.
Continual improvement of the effectiveness of the quality management system may be reflected in
a number of different areas. These may include:
Quality objectives;
Corrective and preventive actions;
Internal audits;
External audits;
Review of customer satisfaction surveys and associated action items;
Operation meetings producing improvement actions;
Actions initiated by suggestion programs;
Process Changes;
Infrastructure and environment changes;
Management Reviews
If continual improvement has become a way of life for a company, it is unlikely that a
demonstration of company wide continual improvement will come from only a few sources.
System deterioration would not necessarily lead to non-conformity if all actions were positive and
the improvement path is still evident and logical. The system would be questionable if the
company did not recognize it or had not reacted to the issues appropriately.
Note: It is the responsibility of the company to demonstrate improvement rather than the auditor to
look for it. Accordingly, it is a useful audit practice to ask management to identify any
improvement initiatives taken since the previous visit, and any planned for the future.
Page 2 of 42
4.1 a) Process Determination, the 2000 revision used the term “identify” processes which is
defined as, “to give an identity” where 2008 uses the term “determine” the term determine is to
“move forward, impel, to use” the intent is that Top Management shall use the processes to operate
the business.
Bureau Veritas Certification auditors will expect to see a process model that explains the key
processes of the business and how each relates and links to the others. The depth of process
explanation may be as detailed as the company chooses, but should be based on its customer and
applicable regulations or statutory requirements, the nature of its activities and its overall corporate
strategy. In determining which processes should be determined and documented the organization
may wish to consider factors such as:
Effect on quality
Risk of customer dissatisfaction
Statutory and/or regulatory requirements
Economic risk
Effectiveness and efficiency
Competence of personnel
Complexity of processes
Bureau Veritas Certification promotes the identification of Customer Oriented Processes (COPS),
Support Oriented Processes (SOPS) and Management Oriented Processes (MOPS) while defining
processes however, this is not a requirement. The auditor must see evidence that the organization
has determined their processes and interactions.
COPs may include: Sales, Purchasing, Manufacturing/Service, Design, etc. any process that affects
or interacts with the customer.
SOPs may include: calibration, maintenance, IT, finance, HR/Training, corrective action, audits,
etc. any process that “supports” other processes, typically across many processes.
MOPs may include: business planning, goal setting, management review and other meetings,
operating plans, customer satisfaction review, budgets, resource planning, etc. any process that is
formally conducted by the Top Management.
If the company calls it a “process” it shall be monitored for effectiveness (4.1, 8.4, 8.2.3)
The ISO TC document - ISO/TC 176/SC 2/N 544R - ISO 9000 Introduction and Support Package:
Guidance on the Concept and Use of the Process Approach for Management Systems, provides
basic information for understanding application of the process approach. The bulletin defines a
process as: A “Process” can be defined as a “Set of interrelated or interacting activities, which
transforms inputs into outputs”. These activities require allocation of resources such as people
and materials (http://www.bsi.org.uk/iso-tc176-sc2).
4.1 b) Sequence and interaction of these processes – The interactions of the processes must
somehow be described in the quality manual (4.2.2 c). The Auditor must see evidence that the
Page 3 of 42
organization has determined their processes and that the interactions are also defined, all within the
quality manual. Subsequently, this includes the actual and technical inputs and outputs of the
processes to show their inter-relationship. Though, 4.2.2c requires the “description of the
interactions between the processes”, this shall include the process names and the inputs and
outputs of each process hence, interactions. The dictionary term for “interaction” is “how one
influences the other”. BVC agrees that the “description of the interactions of the processes” cannot
be done if the processes are not determined (names).
The organization is not required to produce system maps, flow charts, lists of processes etc. as
evidence to demonstrate that the processes and their sequence and interactions were determined.
Such documents may be used by organizations should they deem them useful, but are not
mandatory. Graphical representation such as flow-charting is perhaps the most easily
understandable method for describing interactions between processes. Other possible methods may
include: documentation prepared for implementation of the product management system (SAP,
SYMIX, MRP, etc…); deployment flowcharts; and pictorial diagrams.
The Completion of the Bureau Veritas Certification process matrix provides the relationship
between the organizations processes and the requirements of ISO9001:2008 by element and sub-
clause however does not show the interaction between the processes. If the organization chooses
to use the process matrix to show interaction, it must be supplemented with another method to
show process interaction. The Bureau Veritas Certification process matrix must be completed in
order to assist in the scheduling of the organizations audits in addition, Auditors do not define
processes, the organization does, Auditors do have to understand the relationship between a
companies processes, what they call them and what ISO elements pertain to those processes.
4.1 c) Criteria and methods needed to ensure that both the operation and control of these
processes are effective. This could be demonstrated with stated objectives, instructions and or
procedures as required for consistent output of the processes. This is the “Plan” part of PDCA.
4.1 d) Ensure the availability of resources and information necessary to support the operation
and monitoring of these processes. This may be through Management Review or other methods
for defining and determining resources. This is the “Do” part of PDCA.
4.1 e) Monitor, measure and analyze these processes - All identified processes are subject to
requirements for monitoring, measurement, and analysis for needed improvement. The methods
employed and the timing of such analysis should be based upon priorities established by the
organization. Auditor expects to see measurable objectives established for each process. These
objectives should support the organization’s overall objectives. This is the “Check” part of
PDCA.
Note: this clause requires each defined process to be measured as applicable, monitored and
analyzed, as opposed to clause 8.2.3, which requires” suitable methods for monitoring and, where
applicable measurement” of the processes. “Monitoring of the processes” may be considered; “real
time” measurements of the flow of work i.e. inspection, test or verification that is relevant to the
real time verification of the product/service. “Measurement of the process” may be considered; the
Page 4 of 42
overall process objectives, historical, current and planned, the data used to determine that the
overall objectives are met, typically is produced at the lower levels during the production/service
work flow. The “measurement” of the product is considered monitoring of the process”. BV
Auditors would not debate the difference between these terms, the intent is to assure that the
organization monitors/measures their processes for improvement and conformance to objectives
and or criteria.
4.1 f) Implement actions necessary to achieve planned results and continual improvement of these
processes – Same as described above. Auditor expects to see corrective action taken when
measurable objectives fall below target or defined action level however, a formal corrective action
is not always required, “corrections” can be made thru improvement plans and other methods
though, a significant departure from the objectives may require formal correction actions. This is
the “Act” part of the PDCA.
Outsourced Processes: Outsourced processes must be controlled by the organization and these
controls must be defined/described within their system. Organizations are required to identify the
controls they apply for any outsourced processes. The facility quality manual must identify if
outsource processes are applicable. In addition, the client shall have written documentation on
the methods used to control the outsourced process(es). Examples of some outsourced processes
are:
Process completed wholly or partially by a sister facility outside the scope of registration.
Such as corporate performing design, purchasing or customer related processes, this
includes management activities i.e. business planning, goal setting, resources, data analysis,
budgeting, etc. This may include the entire element or a subsection i.e. corporate completes
supplier evaluation and re-evaluation of suppliers and the registered site initiates purchase
orders.
Processes completed by an outside vendor or subcontractor such as heat treating, plating,
calibration, painting, powder coating, etc. These types of processes may be controlled
under 7.4 Purchasing where a formal contract/PO may be the controls. If this is the case,
written documentation would be the purchasing documentation and records however, these
processes are required to be documented in the quality manual.
If an outsourced process is controlled through Purchasing there must be documented objective

evidence to ensure that these processes are being controlled beyond the basic purchasing
requirements, which are focused on controlling products not processes. The organization is
responsible to ensure that the outsourced process is meeting applicable requirements to ISO
9001:2008. Outsourced processes may be controlled through such
methods as (not limited to):
Internal Audits
Internal Agreements between two sites where only the audited site is under the scope of
registration (Interface Agreements – Bureau Veritas Certification terminology)
Process performance data review on an ongoing basis
Purchasing Process (see above)
Page 5 of 42
NOTE 3 Ensuring control over outsourced processes does not absolve the organization of the
responsibility of conformity to all customer, statutory and regulatory requirements. The type and
extent of control to be applied to the outsourced process can be influenced by factors such as
a) the potential impact of the outsourced process on the organization’s capability to provide
product that conforms to requirements,
b) the degree to which the control for the process is shared,
c) the capability of achieving the necessary control through the application of 7.4.
I have been pushing to see an analysis of the outsourced process using the criteria above and in
determining the amount of control – quite honestly for some outsourced processes Purchasing
could be all that is needed and would be acceptable if the analysis showed it had low risk o f
impacting the system – just a thought.
ISO/TC 176/SC 2/N 630R2 ISO 9000 Introduction and Support Package: Guidance on
'Outsourced Processes: An outsourced process can be performed by a supplier that is totally
independent from the organization, or which is part of the same parent organization (i.e. a
separate department or division that is not subject to the same quality management system). It
may be provided within the physical premises or work environment of the organization, at an
independent site, or in some other manner… The organization has to demonstrate that it
exercises sufficient control to ensure that this process is performed according to the relevant
requirements of ISO 9001:2008, and any other requirements of the organization’s quality
management system. The nature of this control will depend, among other things, on the
importance of the outsourced process, the risk involved, and the competence of the supplier to
meet the process requirements (http://www.bsi.org.uk/iso-tc176-sc2).
TABLE A: Cross-linked references

4.1 General requirements Relevant further clauses
a) Determine the processes, including 5.4.2 QMS planning
outsourcing, needed for the quality 7.1 Planning of product realization
management system and their application 8.1 General
throughout the organization (see 1.2),
b) Determine the sequence and interaction of 5.4.2 QMS planning
these processes, 7.1 Planning of product realization
4.2.2 (c)
c) Determine criteria and methods needed to 7.1 (c)
ensure that both the operation and control 7.3.3 (c)
of these processes are effective, 7.4.1 (Criteria for selection)
7.5.2
d) Ensure the availability of resources and Whole of 6
information necessary to support the operation
and monitoring of these processes,
e) Monitor, measure as applicable, and analyze Whole of 8.2
Page 6 of 42
these processes, and,

f) Implement actions necessary to achieve Whole of 5, 6, 7 and 8
planned results and continual improvement of
these processes.
These processes shall be managed by the

organization in accordance with the
requirements of this International Standard.
Where an organization chooses to outsource any

process that affects product conformity to
requirements, the organization shall ensure
control over such processes. The type and
extent of control to be applied to these
outsourced processes shall be defined within the
quality management system.
4.2: Documentation Requirements
4.2.1: General
The Quality Management System (QMS) “documentation” shall include: 4.2.1 a-d
a) documented statements of a quality policy and quality objectives,

b) a quality manual,
c) documented procedures and records required by this International Standard, and
d) documents, including records, determined by the organization to be necessary to ensure the
effective planning, operation and control of its processes.
4.2.2: Quality Manual
Exclusions from the quality management system must be described and justified within the quality
manual (see 4.2.2 a). The documented procedures established for the quality management system
must be included or cross-referenced in the quality manual (see 4.2.2 b). A description of the
interaction between the organization’s processes needs to be identified in the quality manual (see
4.2.2 c). An organization cannot describe the interactions of the processes without defining the
processes themselves.
The applicable processes might include those relating to four general categories: 1) Management
Activities, 2) Resource Management, 3) Product Realization, and 4) Measurement and Monitoring.
Most companies will prefer to focus on their own COPS, MOPS, and SOPS.
Manual content and design - There are many ways of documenting the quality management
system and organizations should adopt the approach that is most useful for effective operation of
Page 7 of 42
their system. BV takes the approach that ISO 9001:2008 is a “measurement” based standard not a
“documentation comprehensive standard” though, documentation is required for some of the ISO
elements and is used for many purposes and advantages. An organization must keep in mind, the
word “effectiveness” is stated 28 times in the standard therefore, measurements and monitoring
can be more critical than documents. Auditors must not strictly focus on documents and must
assure that the organization has measurement criteria to show effectiveness of the processes and
the QMS.
Examples may include, but no limited to:
Flowcharts;
Written text;
Diagrams;
System maps;
Process maps;
Process Turtles.
The company server with hyper-links
The quality manual may have many forms. Although many organizations structure their
documentation in a typical pyramid, it is not the only, and not always the most suitable, way. A
quality manual doesn't have to exist as a separate document. The quality manual may:
Be a direct collection of QMS documents including procedures;

Be a grouping or a section of QMS documentation;
Be more than one document or level;
Be in one or more volumes;
Be a stand alone document or otherwise;
Be a collection of separate documents
Be electronic with hyper-links i.e. using process turtles/maps with links to each process
turtle leg or flow box.
The ISO 9001:2008 standard offers companies a possibility to establish effective, user-friendly
systems. This edition offers the current users a unique opportunity to streamline their quality
management system documentation.
A separate document "addressing" all the clauses of the standard is not required by the standard -
neither does the standard require the quality manual to "address" or "cover" the requirements of the
standard. The manual may be documented specifically to the organizations processes.
4.2.2 a) Scope – The organization may exclude portions of the standard that do not apply to their
quality management system due to the nature of the product or service that they supply. ISO
9001:2008 clearly limits and identifies which activities may be excluded, limited to clause 7 only.
The justification for exclusion and those considered not applicable must be clearly documented in
the quality manual. If, for example, design does not apply to the quality management system, the
standard stipulates (in section 1.2 Application) how a reduction in scope of the standard may be
Page 8 of 42
justified and documented within the quality manual. Bureau Veritas Certification has defined
exclusion applicability to be within the clause Design and Development (7.3) only. All other
potential exclusions within section 7 must be identified as not applicable or not applicable at this
time with justification or explanation as to why it does not apply. In addition, if an organization
conducts these activities or is responsible by the customer to conduct these activities, they must be
part of the scope of certification. Design applies to product design, organizations cannot exclude
portions of design element 7.3, “it’s all or nothing”.
ISO TC Guidance - Document: ISO/TC 176/SC 2/N 524R3 ISO 9000 Introduction and Support
Package: Guidance on ISO 9001:2008 clause 1.2 'Application:
ISO 9001:2008 clause 1, Scope, defines the scope of the standard itself. This should not be
confused with the scope of the QMS, which is a term commonly used within the context of QMS
certification/registration to describe the organization and products to which the QMS applies
(http://www.bsi.org.uk/iso-tc176-sc2).
Auditor should discuss the difference between the scope of certification and the scope of the QMS
(i.e. what is on or will be on the organization’s certificate).
The scope of the QMS should be based on the nature of the organization's products and their
realization processes, the result of risk assessment, commercial considerations, and contractual,
statutory and regulatory requirements. Auditors shall assure, at every audit, that the scope of
certification is accurate to the actual activities conducted by the organization. The Auditor is
expected to review the certificate terminology and assure that the scope is accurate and is not
misleading to the customer. This includes factored items, as appropriate though, factored items
normally are not defined on the certificate, these items may influence the scope and activities.
If an organization chooses to implement a quality management system with a limited scope, this
should be clearly defined in the organization's Quality Manual and any other publicly available
documents to avoid confusing or misleading customers and end users (this includes, for example,
certification/registration documents and marketing material).
Note: For multi-site/corporate certifications the auditor will expect to see that one quality manual
is applicable for all sites and that any changes are centrally controlled (see 4.2.3). Also required is
a centralized Management review (corporate), centralized internal audit system and corrective
action system. It is typical for a corporate scheme to have specific document and records
requirements for the sites however; sites may have their own controlled documentation at the local
level.
The auditor must verify the linkages between the Headquarters (central site) and the sites as well
as the individual site linkages to corporate. In most cases, specific linkages vary between sites. If
these linkages are not established and defined the organization does not meet multisite
requirements (per IAF MD-1) In addition, BV has instituted a methodology regarding corporate
schemes, we are attempting to conduct certification audits at the local sites first then at the
corporate site, this gives the Auditor evidence that the linkages are accurate and effective.
Page 9 of 42
4.2.2 b) Documented Procedures – The manual must include reference to, at a minimum the six
required documented procedures (see 4.2.3, 4.2.4, 8.2.2, 8.3, 8.5.2, 8.5.3). The manual may
reference other documentation but must list those required documents in some format. This may be
in the form of a link or other such reference.
The notes after sub clause 4.2.1 in ISO9001:2008 make it clear that where the standard specifically
requires a ‘documented procedure’, the procedure has to be established, documented, implemented
and maintained. It also emphasizes that the extent of the QMS documentation may differ from one
organization to another due to:
NOTE 1
Where the term “documented procedure” appears within this International Standard, this means
that the procedure is established, documented, implemented and maintained. A single document
may address the requirements for one or more procedures. A requirement for a documented
procedure may be covered by more than one document.
NOTE 2
The extent of the quality management system documentation can differ from one organization to
another due to
a) the size of organization and type of activities,
b) the complexity of processes and their interactions, and
c) the competence of personnel.
NOTE 3 The documentation can be in any form or type of medium.
4.2.2 c) Interaction between processes – This requirement ties closely to section 4.1 b), which is
discussed in the previous paragraphs. The interactions between the quality management system
processes do not have to be separately described, or illustrated, by charts, tables or maps. If an
organization chooses to use a process map to show interaction, just using boxes and arrows is not
sufficient – a description or other depiction is required for interactions. An example may be “
process turtles” with hyper links for each leg, links from a flow chart, cross-reference matrices,
etc. the intent is to determine the actual inputs and outputs of each process.
Although many organizations may choose such a format, it is not a mandatory method. Interaction
between processes may be described, for instance, by way of references and/or cross-references
within the procedures, where the procedures form part of the Quality Manual. If the procedures are
not included or referenced from the Quality Manual, then the manual can not be consider
acceptable to the standard requirements, the interactions can be in an appendix, addendum or hyper
linked to the manual if the system is electronic.
4.2.3: Control of Documents
A documented procedure is required for control of documents.
Page 10 of 42
Guidance is given for documents and records in ISO/TC 176/SC 2/N 525R ISO 9000
Introduction and Support Package: Guidance on the Documentation Requirements of ISO
9001:2000 (http://www.bsi.org.uk/iso-tc176-sc2).
4.2.3 a) Approve documents – procedure must identify the approval process.
4.2.3 b) Review and update – All management system documentation must be covered by some
review strategy. The procedure must identify a method on how and when all documents are
reviewed on an ongoing basis. Different types / levels of documents may be reviewed at different
intervals / criteria and / or by different methods (i.e. – at each use, through internal audits, via
formal recalls and reviews, during training events where procedures are taken most literally, etc.),
review should be conducted by personnel competent to do so. Bureau Veritas auditors should
assess whether review methodology demonstrates effective document controls. Note – statutory /
regulatory and customer / industry requirements may also impact review methodology. A method
must be in place to show review was completed where there were no changes. Though a formal
record is not required, evidence of the methods conducted and the reviews have taken place must
be shown. Those documents that are updated must be put back through the organizations required
approval process (4.2.3 a).
4.2.3 c) Changes and current revision status – The procedure must identify how changes and
revisions to documents are identified. These must be identifiable for each document. How does the
user know what the changes are?
4.2.3 d) Availability of documents – procedure must identify how documents are made available to
employees. Auditor will expect to see that documents are readily available to employees through
out the facility at their points of use.
4.2.3 e) Documents are legible and readily identifiable – auditor will expect to see that documents
are maintained and remain legible and easily identifiable.
4.2.3 f) Documents of external origin – Documents of external origin are those that are produced
from outside the organization that are used by the organization in support of the quality
management system processes. The procedure must address if documents of external origin are
applicable and if so how these documents are controlled by the facility. The auditor expects to see
that controls are in place to ensure current versions are used and documents are controlled within
the facility furthermore, who in the facility has the experience/knowledge to understand the
external documents and applicability to the organization?
4.2.3 g) Obsolete documents – Procedure must address how obsolete documents are controlled to
prevent unintended use and if retained how these documents are identified.
Note: For multi-site/corporate certifications the auditor will expect to see that System
documentation and changes are centrally managed (usually performed at the headquarters location)
with further control of documents at the local level, as applicable.
Page 11 of 42
4.2.4: Control of Records
Records required by the organization may be in any format deemed suitable for the organizations
method of operation. A documented procedure must be in place and define the controls needed for:
Identification – the procedure must identify the system/process is in place to identify

records. Have all required records been identified. Refer to Annex B of the ISO/TC 176/SC
2/N 525R - ISO 9000 Introduction and Support Package: Guidance on the Documentation
Requirements of ISO 9001:2008.
Storage – where records are stored – specific location i.e. Quality filing cabinet in the QC
Laboratory, etc.
Protection – how individual records are protected i.e. tape back up every 24 hours (for
electronic records), fireproof safe, filing cabinet etc. Electronic records back-up is part of
the records procedure.
Retrieval – any special requirements for retrieval. Generally dependant on location and
protection. May be a request process.
Retention time – identification of how long each record will be maintained. The intent of
the standard is that after the defined retention time has been met, records would eventually
be disposed of, BVC poses the question to the Top Management, do they know how long
records are kept and can these records help or hinder in a legal case?
Disposition of records – method for disposing of records i.e. shredding, burned, trash
A spreadsheet or other document may be used to identify the above requirements.
Element 5: Management Responsibility

Note that this section has nine references to top management. This is defined in ISO 9000:2005,
3.2.7 as “person or group of people who directs or controls an organization at the highest level”.
It is therefore essential to examine top management’s commitment to, and support for, the QMS
(and to record objective evidence to support any conclusions reached). “Top Management” may be
the CEO, President, General Manager, etc. The Top Management of the firm relevant to the scope
of certification also, BVC would accept a “management team” if formal business decisions are
indeed a collect effort.
5.1: Management Commitment
It is necessary for auditors to obtain (and record) objective evidence of management commitment.
This would include:
5.1 a) Evidence that top management has communicated to the organization the importance
of meeting customer requirements as well as statutory and regulatory requirements. This can
be achieved through meetings, newsletters, bulletin boards, training records etc.
Page 12 of 42
NOTE - statutory and regulatory requirements are broad based and include all applicable
requirements for processes, products and activities.
5.1 b) Top Management’s establishment of and input into, and commitment to, the quality
policy (its definition, delivery and maintenance) through management review or other
meetings or methods.
5.1 c) Documented quality objectives (for all processes).
5.1 d) Top Management’s active participation in management review meetings.
5.1 e) Evidence of a process for defining resource requirements and ensuring that adequate
resources are available.
In short, how well they address requirements 5.2 through 5.6.
5.2: Customer Focus
Customer requirements and customer satisfaction are directly linked with the process approach
concept in the standard. Auditors will seek objective evidence to demonstrate that the customer
requirements are indeed being met, whether the satisfaction is revealed in customer survey results,
repeat sales or any other type of mechanism that would reveal trends and lead to improved
customer satisfaction. Management review minutes might be a record where Customer Focus is
addressed. You might also look at Quality plans and or product plans that include customer related
requirements.
5.3: Quality Policy
It is expected that there is evidence that Top Management fully embrace the quality policy. The
standard identifies five specific points which requires that top management ensures that the policy;
5.3 a) Is appropriate to the purpose of the organization
5.3 b) Includes a commitment to meeting requirements and to continual improvement of the

quality system
5.3 c) Provides framework for establishing and reviewing quality objectives
5.3 d) Is communicated and understood at appropriate levels in the organization
5.3 e) Is reviewed for continuing suitability.
Auditors must determine if the Quality Policy meets the intent and is understood, by
interviewing personnel at all levels. Although the exact policy does not need to be recited by
interviewees, the awareness of the quality policy and how their job affects the company
Page 13 of 42
objectives should be determined. If personnel interviewed do not know what their measurable
objectives are and/or do not know what the organizational objectives are that they have a direct
effect on, the auditor would be further directed to evaluate managements communication of the
policy and objectives.
The Quality Policy must be documented anywhere within the organization, this could be done
electronically however, all personnel need access to it.
The Quality Policy does not have to include objectives but should create a framework for
establishing them. The Quality Policy should be stated in such a way that it aims toward continual
improvement. It should be reviewed and possibly revised to meet higher aspirations.
Bureau Veritas Certification does not require that the policy include the words “continual
improvement” in the written policy, however it must be ascertained that it is implied and known
through out the organization.
To meet the intent of this clause, the auditor would be looking for a clearly defined Quality Policy
that is sufficiently detailed to provide a framework for quality objectives that can be monitored for
continual improvement. An auditor would not want to see a vague policy, such as “Our Policy is to
Maintain Status Quo”. Furthermore, The policy shall be “real” and the objectives shall be
consistent with the policy meaning that, the policy shall be implemented and the objectives
cascaded throughout the QMS levels, also see 6.2.2d. Quality objectives may be the same as the
Business plan objectives, ISO 9001 is a formal business management standard however, the
business plan is not auditable by the Auditor, as applicable.
BVC Auditors intent is not just conformance to the requirements but also to assist an organization
in meeting their business objectives, better customer satisfaction and eventually more market
share, which, in time, brings more profits for the organization.
When interviewing top management, their input into, and commitment to, the quality policy needs
to be determined. Is it theirs, or have they clearly just signed something written for them by the
management representative?
Note: For multi-site/corporate certifications the quality policy must be applicable for all sites.
5.4: Planning
5.4.1 Quality Objectives
Auditors must determine that the organization has developed measurable quality objectives for
relevant functions and levels of the organization. Bureau Veritas Certification expects overall
objectives to be established at the facility/corporate level and objectives established for each
identified process. Process objectives shall support the organization’s overall objectives.
The organization must establish what the “relevant functions” of the organization are, however at a
minimum this will include all defined processes (reference 4.1 a, c, e). Sub-processes, projects, or
Page 14 of 42
individual objectives would be at the discretion of organization. The auditor may want to ask what
criteria were used to determine if functions are relevant or not. It would be left up to the company
to determine if a cost or added value benefit would result from including or not including functions
of the operation when establishing quality objectives. The COPS may have more critical objectives
as opposed to internal audits or inspection processes; the intent of the standard is for the
organization to have the right measurement in the right place for the right reason.
If some functions or levels have been excluded, it may be necessary to explore, evaluate (and
record) the reasons for such omissions (which might be quite acceptable at that particular stage in
the continual improvement process).
The organization must identify quality objectives that can be measurable, such as “vendor on-time
rating”, “on-time delivery”, “all employees will have completed an ISO 9001 awareness class” and
“all machines will have clearly defined procedures on their usage.” If the objectives were not
measurable (including a time-based element where appropriate), they would not meet the intent of
the standard,
The objectives do not have to be defined in a specific document although the objectives are
required to be documented (see 4.2.1 a). Objectives can either be defined in associated procedures
or instructions, or could be recorded in meeting minutes such as management review records. The
organization must have a process to ensure that all the objectives are clear and communicated to all
employees who can influence the defined objective(s). The organization should be able to
demonstrate that the objectives are being measured and reviewed (see 4.2.4 and 8.5.1 and 8.4
analysis of data).
5.4.2: Quality Planning
Auditors have to use their judgment in evaluating the entire collected audit evidence in order to
assess effectiveness of planning activities. The auditor may also satisfy him/herself that planning
was done, by interviewing the personnel involved in establishing or achieving specific quality
objectives.
Auditors are recommended to attribute such QMS deficiencies to relevant clause, requirements of
which were contravened, rather than to clause 5.4.2.
Determining effective and efficient planning may be found by evidence of:
All those planning activities undertaken to establish the QMS in accordance with clause
4.1, this would include new products, services and part numbers, etc.
The existence of an effective, documented, and implemented QMS that provides collective
evidence demonstrating that these planning activities have been performed effectively.
Deficiencies in the quality system that may indicate that these planning activities were not
quite effective.
The evidence and use of Strategic Plans, Business Plans, Management Review results,
Contingency Plans, Quality Objectives, any programs or plans, documented or not, such as
Minutes of meetings, Memos, Internal communications.
Page 15 of 42
Where there is lack of documented evidence, an auditor may satisfy him/herself through
interviewing the personnel at those levels and functions involved in achieving particular objectives
to determine the level of planning.
Another methodology allowing audit of effective planning involves review of the progress in
implementation of such plans aimed at adhering to individual objectives.
5.5: Responsibility, Authority and Communication
5.5.1: Responsibility and authority
In order for the auditor to be satisfied that the intent of this element has been met, he/she may
review organization charts, job descriptions or a responsibility matrix. Identification of
responsibility and authority could be written into procedures and/or work instructions, as well. The
auditor may also use interviews of individuals to determine if responsibility and authority has been
communicated effectively.
5.5.2: Management Representative
Responsibilities to include:
5.5.2 a) Ensuring that the processes needed for the quality management system are established,
implemented and maintained.
5.5.2 b) Reporting on the performance of the system to top management.
5.5.2 c) ensuring the promotion of awareness of customer requirements.
The resource designated as management representative shall be a member of the organization’s

management. The 2008 revision requires that the companies own Management be the MR
however, a consultant that conducts on-site work at the facilities on a continuing basis, can be
classified as the MR. Those consultants that show up annually for the ISO audit cannot be the
MR. The intent is that the organization and a member of, shall “own” the QMS, what type of
commitment is it if a consultant “owns” the system? The Auditor shall determine that the
Management Representative (employee or subcontractor) is a “member of management”. If the
designated management representative, particularly if from outside the organization such as a
consultant, operates in a part time mode, the management system must ensure continuity in
fulfilling the management representative responsibilities. It is highly recommended that the
company delegate one of it’s own management as the MR.
Promotion of customer awareness might include news releases, meetings, training, photographs,
models; examples of products demonstrating required visual attributes, do the employees know
where the products are used and if deficiencies to the products are found, how this may affect the
customer? We look for one individual to be the management representative in terms of defined
Page 16 of 42
responsibility. However, implementation of those responsibilities may be in the form of a defined

and delegated team.
Note: The management representative is responsible for ensuring it happens – not making it
happen, which is the job of line management.
Note: For multi-site/corporate certifications the auditor will expect to see that there is a
management representative with overall responsibility across all sites for ensuring that
requirements are established, implemented, maintained, and for reporting on performance.
5.5.3: Internal Communication
Although there is no mandate for documenting methods for communication, the auditor will expect
to find evidence of communication through interviews with employees. Evidence could possibly
include the employees understanding of process linkage and effectiveness, customer satisfaction
levels, preventive and corrective action information, on time delivery, quality costs, returned
material, non-conformances the objectives for their processes and understanding how they
influence those objectives (6.2.2d). This could be communicated by access to the computer
network, an information board, newsletters, or even process routers, checklists, and
multifunctional meetings. The type and extent of the documentation will depend on the nature of
the organization’s products and processes, the degree of formality of communication systems and
the level of communication skills within the organization and the organization culture.
5.6: Management Review
5.6.1: Management Review - General
IMPORTANT INITIAL CERTIFICATION REQUIREMENT: For a new/first time

registration/certification (Stage 1), a full round of Management Review meeting(s), including
documented evidence of all required inputs and outputs, must be completed prior to the
registration/certification audit (stage 2) note; a full internal audit cycle must be completed prior to
this review – see 8.2.2 Internal Audit). For multi-site/corporate certifications the review must
include inputs (as appropriate) from each site (see the standard 5.6.2 a – g). Normally, the review
process is conducted at the headquarters location.
As of Jan 1 2009, all new certifications shall use a 2 stage audit process. Stage 1 is generally 25%
of the full mandays looking at the following evidence for effectiveness:
• Full management review meeting all 5.6.2 and 5.6.3

• Full round of internal audits, all defined processes must be audited
• 6 required procedures for meeting ISO intent and implementation
• All and any corrective actions and customer complaints and actions, no “open” internal
corrective actions are allowed.
• Quality manual review to meet all 4.2.2 a, b and c.
• All performance indicators i.e. objectives, targets and progress made towards them.
Page 17 of 42
• Scope of certification, sites, employee count, codes are correct and any exclusions with
justification.
• The auditor would identify any issues that could be nonconforming at the stage 2 event.
• The stage 1 audit may be referred to as a “readiness review” where BV Auditors are
seeking evidence that the client is “ready” for stage 2, which is the fulfillment of the
registration audit days.
Note: Clients that are currently ISO certified will normally not have a stage 1, however a Stage 1
may be required where there are substantial changes to the clients management system, Deleted: ¶
Top management shall review the quality management system at planned intervals not only for
continuing suitability and effectiveness, but also adequacy. Additionally, this review shall include
assessing opportunities for improvement, the need for changes to the system, the quality policy,
and quality objectives.
These words are more prescriptive which cause a more proactive expectation and approach to
keeping the system current and useful and maintaining improvement activities. The auditor cannot
prescribe the intervals for reviews to occur, but can look for evidence that the frequency is
sufficient to accomplish the requirements of the standard. Although the dictionary would suggest
that suitable and adequate are the same, the standard seeks to distinguish both the system from a
global perspective of adequacy as well as the detailed suitability of the many processes that
comprise the system.
5.6.2: Management review input
The auditor will expect to see documented evidence that the (7) required inputs are discussed
during the review. Although a documented procedure for management review is not required,
records of such reviews are required (see the standard - 5.6.1 General). The minimum (7) inputs
are required in those records (see the standard 5.6.2 a – g). Evidence of cross functional input is
also expected, which means one person alone could do the review, but there would need to be
evidence of multifunctional input in the evaluation of the system and its status and actions
concluded by the Top Management.
For clarification purposes, 5.6.2a inputs are “results of audits” this includes Management to review
even the opportunities for improvement, not just nonconformities.
Furthermore, any business that conducts daily, weekly, monthly, etc. business meetings should
look at these meetings to see if they cover some of the management review items, typically, most
companies have these business meetings and meet most of the intent of management review
however, records are required.
5.6.3: Management review output
Output should focus on decisions and actions related to system improvement (5.6.3 a), product
improvement for customer requirements (5.6.3 b), and resource needs (5.6.3 c). Auditors expect to
see that some documented conclusions have been developed. The output record must include
Page 18 of 42
evidence of action and progress for system improvement, customer requirements, resource needs
as it all relates to system health. It is important to note that a documented procedure may or may
not exist. It should also be noted that formal meetings for review may or may not happen and still
be compliant - such as in the case of being accomplished in stages; on going process review; or by
circulated documentation covering the system incrementally. There is no requirement for Top
Management to sit in a formal meeting; methods to suffice management review may be in the form
of i.e. emails, circulated agenda and topics with decisions by Top Management, escalation process,
etc.
Element 6: Resource Management

6.1: Provision of Resources
The intent of this section is to ensure that adequate resources are provided to continually improve
the effectiveness of the quality management system (6.1 a) and to enhance customer satisfaction
by meeting customer requirements (6.1 b). Auditor would expect to see a process for evaluating
and determining resource needs. This may be through management review, production planning,
budget review, long range planning etc.
The auditor should determine that process activities are not prevented by a lack of resources.
Auditors may review instances where customer requirements were not met and determine if a lack,
or insufficiency, of any resources was causation factors of these instances. This requirement also
ties to paragraphs 5.1 and 5.6.3, which address management’s responsibility to determine and
provide necessary resources. Additionally, any clear evidence of resource problems links directly
to this section.
6.2: Human Resources
6.2.1: General
The standard requires that personnel be “competent”. This could be demonstrated by a person
being “qualified” however, “competence” is performance based, for example, a company could
test an employee and they pass the test however, they may still not be able to perform the required
job duties and meet the desired outputs or objectives. Competence may be based on appropriate
education, training, skills, experience, and/or demonstrated performance.
6.2.2: Competence, awareness and training
The intent of this section is to ensure that suitably competent people are performing the activities
as defined in the quality system. Evidence of the effectiveness of the training or other means of
providing competent employees must be available. Employees must be aware of the impact that
they have on the overall quality system. The auditor would expect employees to be able to
verbalize how their job activities contribute to the achievement of the quality objectives.
Page 19 of 42
6.2.2 a) Determine the necessary competence - The requirement is in emphasis toward validating
training and other activities aimed at ensuring employee competence. Identification of competency
is essentially a precursor to identification of training needs. The organization should determine
knowledge and/or skills an employee would need to be considered competent, in their opinion, to
perform a particular job. The company could then determine if the employee performing the job
possesses that knowledge or skill and, if not, consider it a training need. Changes in the business
and its environment may necessitate new competencies, which may not be available. Therefore the
identification of competencies may need to be revisited. There is no requirement for any particular
frequency of such re-review. Competency may be defined in a job description, position profile, or
by any other method or associated documents such as specific instructions or procedures. Usually
competency is determined during performance reviews, if the organization does not perform
reviews of this nature, other methods for determining personnel competence would need to be
defined and records verified.
6.2.2 b) Where applicable Provide training or take other actions - The requirement allows for
options other than training to obtain competent personnel. Training includes all those activities
where a learning opportunity needs to be satisfied. It may take a number of forms:
Classroom style, tutor led training;

Hands on experience training;
Shadowing
Individual or group coaching;
Mentoring;
Briefings;
Distance learning;
Technology based training (CD ROMS, web based etc);
Workshops.
Organizations will choose whichever form best suits their needs at any particular moment. Other
actions to bridge competence gaps might include:
Recruitment;
Outsourcing;
Acquisitions;
Use of experts and/or consultants.
Documented procedures or work instructions
All such means are acceptable as long as an organization has ensured the availability of the
competencies needed.
6.2.2 c) Evaluate the effectiveness of the actions taken - The requirement is aimed at ensuring
that the training or other activity has produced the desired result, this requirement is aimed at the
method of training, not necessarily the aptitude of the employee. This requirement could be met
in a variety of ways, including, but are not limited to:
Page 20 of 42
Observation of personnel performing their duties;

Written or oral exams;
Assessment of employee in achieving learning objectives during the course of the
training program;
Audit of performance at work focusing, for example, on:
Productivity;
Reduction of rejects;
Efficiency;
Interviews with the persons;
Annual appraisal.
Performance reviews;
Discussions;
Evaluation of performance, quality or other indicators;
Cost reviews;
Customer satisfaction assessment (see 8.2.1).
6.2.2 d) Ensure that its personnel are aware of the relevance and importance of their activities
(perhaps by internal communication – see 5.5.3) and how they contribute to the achievement of the
quality objectives - The requirement could be met in a variety of ways. Options include:
Training;
Memos, and/or meetings regarding the impact of various individual or departmental goals
on quality objectives;
Plant tours or briefings where an individual’s work and goals are shown as an integral part
of the larger processes;
Cross functional teams working towards quality objectives and reporting their progress to
their departments.
Any activity that allows individuals to understand how their efforts affect quality objectives may
satisfy this requirement. All personnel need to know the specific measurable objective(s) for the
process that they work in; they should also know what organizational objective their process
effects. They should be able to demonstrate that they know what the actual measurable is, their
progress towards that goal, what the plan is to achieve the goal. If they do not know the actual
numbers, they should be able to communicate the topics of the measurable and know where the
actual measurements are maintained or posted.
6.2.2 e) Maintain appropriate records - The requirement expands record keeping requirements to
include education, skills and experience, in addition to training, where appropriate. There are a
great variety of ways to record and provide evidence of training, education, skills and experience.
Records may include:
Diplomas;
Certificates;
Training log;
Annotations in shift logs;
Page 21 of 42
Toolbox meeting notes;

Attendance lists;
Resumes;
Employment history;
Test results.
Such records may be filed in any location as long as the requirements of 4.2.4 are observed.
There is no requirement for a record of the “evaluation of effectiveness of training” however, an
Auditor would expect to see evidence that the effectiveness of training was evaluated.
6.3: Infrastructure
It is the organization’s management who determines the adequacy of the infrastructure provided by
the organization. Auditors will seek objective evidence to demonstrate that the necessary
infrastructure exists for the quality management system to be effectively implemented, for
improvement of its effectiveness, and for fulfillment of customer requirements. Auditor would
expect to see a process in place for maintenance of the building(s), equipment and any other
supporting services. This is generally the responsibility of the maintenance and IT departments.
The 2008 revision has expanded infrastructure to include information systems, which may be
considered a support process. Due to the ever changing electronic capabilities, IT may be
considered a high risk process and failure in this process i.e. server crash, servers down, etc. may
result in a loss of data and potentially directly affect the customer. Many companies rely on their
electronic systems to perform many of the companies’ activities. Organizations may look beyond
the nightly back-up controls and implement ‘real time” back-ups furthermore, it would be
appropriate for organizations to verify the integrity of the backed up data i.e. disaster recovery,
recall of data previously backed up, etc.
6.4: Work Environment
The organization must identify and manage all those factors of the work environment that are
needed to supply a conforming product. These factors may include among others:
Human Factors
Creative work methods;
Opportunities for greater involvement of personnel;
Safety rules and guidance;
Ergonomics;
Special facilities for people.
Physical Factors
Heat;
Noise;
Light;
Hygiene;
Humidity;
Page 22 of 42
Cleanliness;
Vibration;
Pollution;
Airflow.
Different types of businesses and industry sectors may vary dramatically with regard to an
acceptable work environment, so it is the organization’s management who determines the
adequacy of the work environment provided by the organization.
For instance;
A training provider may need to ensure the training area is adequately lighted and
Some manufacturing facilities may require “clean rooms” or humidity-controlled areas.
Companies handling items easily damaged by electrostatic discharge may require special
flooring or equipment, and chemical storage areas may require special protective barriers.
As an additional example, an employee might perform a particular function that requires repetitive
wrist movements (i.e., tightening a screw). As the day wears on, it is possible that the overuse of
the wrist could result in poor torque of screws resulting in a possible quality defect. The company
should identify such a situation and provide a means of eliminating the potential defect (i.e., air-
driven screwdrivers). Evidence could consist of records of decreased quality defects and/or
medical problems related to that activity.
Element 7: Product Realization

Exclusions/non-applicability can be claimed within element 7 only. “Exclusion” should only
be taken for clause 7.3 Design and Development and must be fully justified in the quality
manual. Other sections within element 7 may be claimed as “not applicable” or “not
applicable at this time” for example 7.6 calibration, 7.5.2 validation of processes, 7.4 purchasing,
etc. Furthermore, if product design is not excluded, no other portions of design can be excluded i.e.
all design requirements apply or none, relative to the scope of certification. There may be cases
where the company conducts portions of design for the customer, in these cases please consult
your registrar for clarity and amount of design activities, this may be considered a “service” not
product design however, this example would still be considered an out-sourced process, see 4.1
note 3 b; b) the degree to which the control for the process is shared, Deleted: ¶
7.1: Planning of product realization
An organization needs to plan in advance for how they will manufacture their product or deliver
their service. The plans need to take into account the product requirements and any quality
objectives (7.1 a) that might be appropriate, resources and documents that may be necessary (7.1
b), what type of monitoring and/or inspection activities should be put in place to ensure the
product or service will meet the requirements (7.1 c), and what types of records should be kept (7.1
Page 23 of 42
d). While the sub-clause does not state that the output of this planning must be documented, it does
state that it must be in a form suitable for the organization’s method of operations.
7.2: Customer Related Processes
7.2.1: Determination of requirements related to the product
This clause promotes an up-front determination of all requirements related to the product.
This includes requirements for “servicing” which are now included as “post-delivery activities”,
which implies anything that is provided after the customer has received the product (i.e. repair
and/or warranty work, installation, maintenance, etc.).
Specific to 7.2.1 (a)
Post delivery activities may include among others:
Product support
Servicing where applicable
Specific to 7.2.1 (b)
Auditors should determine how the organization was proactive in evaluating if there were any
additional requirements for the product or service’s intended use. If the organization determined
there were not any additional requirements this should be evident in associated records, if there
were additional requirements then evidence should be present how they were addressed in the
affected process i.e. design, purchasing, manufacturing.
The analogy that can be used here is a screwdriver, everyone knows the intended use of a
screwdriver, put in and take out screws. However with a screwdriver, there are requirements that
are not stated but are intended for use, such as using a screw driver to open paint cans, could be
used as a chisel, pry bar, magnetization might be an issue, also if used around electricity the handle
should be nonconductive, but none of these requirements might be stated by the customer, but the
manufacturing organization would need to address these non-stated requirements for the
screwdriver’s intended use.
Specific to 7.2.1 (c)

The organization shall determine applicable Statutory and regulatory requirements related to the
product (i.e., taking these requirements into account when designing a product or service). This
includes ensuring process control (i.e., ensuring that these requirements were met).
Statutory requirements are those that are stipulated by local/national governments that form part of
regional, national and international legislation.
Page 24 of 42
Regulatory requirements are those imposed by regulatory bodies. In the UK the HSE (Health &
Safety Executive) and in the USA, the EPA (Environmental Protection Agency) are examples of
these. These requirements are not necessarily part of national legislation.
Compliance with regulatory requirements issued by national regulators (i.e. by The Rail Authority)
may be mandatory for those organizations to which they apply if a statutory instrument requires so.
Organizations are required to comply with a number of legal requirements to be allowed to

operate. Management must be aware of the requirements that apply to its products, processes and
activities and should include these requirements as part of the quality management system (ISO
9004:2005 – 5.2.3). Auditor must verify that these requirements are identified.
Auditors have to be aware that as the national legislation may apply to product intended for the
domestic market, in the case of export sales, organizations will be required to consider the
statutory and/or regulatory requirements in the target country that may apply to (a) product(s)
supplied.
Organizations are not required to maintain the lists of applicable statutory and/or regulatory
requirements, current revision of applicable external documents shall be maintained i.e. clause
7.3.2(b) and 4.2.3f. Organizations must ensure that they have adequate access to / or knowledge of
applicable statutory and regulatory requirements.
7.2.2: Review of requirements related to the product
The sub-clause mandates that the organization shall not issue a quotation or accept an order until it
has been reviewed to ensure requirements are defined and the organization has the capability to
meet the defined requirements. It goes on to require that records of the review and any subsequent
actions be maintained. If the customer does not provide their requirements in writing (i.e.,
telephone call), the requirements must be confirmed before they are accepted. If the requirements
are changed, all documents must be amended and relevant persons must be notified. A note is
included that covers situations such as internet sales where a formal review of each order is
impractical, stating, instead, that the review could cover the product information provided in
catalogs and advertising material.
The 2008 revision has expanded the definition of “ product”:

a) product intended for, or required by, a customer,
b) any intended output resulting from the product realization processes.
To clarify this changed text (b); this may include product for internal customers within the same
premises, the outputs of a product realization process form inputs to other processes i.e. internal
customer and internal supplier. In addition, customers may be other sister sites or corporate sites
7.2.3: Customer communication
The organization must establish effective arrangements for providing the customer with product
information (i.e., catalogs or advertising that adequately describe the product or service), means of
Page 25 of 42
handling inquiries and orders, and a method for handling customer comments (both compliments
and complaints).
There is no potential for excluding section 7.2, as every organization has external customers.
Where an organization with a stand-alone QMS is part of a larger group or corporation, and is
taking orders solely from a central Group or Corporate Sales Organization outside its certified
scope and delivering them to a central Group or Corporate Distributor outside its certified scope,
then the Sales and Distribution organizations are technically external customers, invoking 7.2
routines.
7.3: Design and development
This clause addresses product/service development as well as (conceptual) design, so organizations

involved in product/service development will have to comply with all of section 7.3 of ISO
9001:2008.
Many companies perform some enhancements or minor reconfiguration of mature designs, and are
able to use the guidance of ISO 9004:2005 in order to address some or all of section 7.3 of ISO
9001:2008.
Some organizations subcontract design and have managed this via sections 4.1 and 7.4 of ISO
9001:2008. Such organizations may have to introduce a comprehensive design system or process,
however may have to address design and development as it is applicable to the organization. They
may have to address some or all sections of 7.3 to the extent that they apply furthermore, if the
organization is design responsible and outsourcers all of design, all records (5) of design shall be
maintained by the company that is design responsible.
Document: ISO/TC 176/SC 2/N 524R3 ISO 9000 Introduction and Support Package:
Guidance on ISO 9001:2008 clause 1.2 'Application' provides excellent guidance and examples on
this topic (http://www.bsi.org.uk/iso-tc176-sc2).
7.3.1 Design and development planning
Although the standard does not require a documented procedure, the design process needs to
demonstrate how the process is controlled and planned. The organization, however, will need to
provide some type of objective evidence as to what the planning activities include. This can be
accomplished with the use of time-lines, Gantt charts or any other planning method such as
Microsoft project manager. In addition the auditor should see objective evidence of how the
interfaces between other processes are managed, either through statements in associated
procedures, process mapping, matrix approach or in the time line planning.
7.3.2 Design and development inputs
The auditor will need to review evidence that the inputs (7.3.2 a – d) have been addressed based on
the nature of the product being produced, that they have been reviewed for adequacy and that
Page 26 of 42
records are maintained of the activity. An organization may include Design personnel in the
contract review stage; these records may suffice the review of design input requirements.
7.3.3 Design and development outputs
The auditor should expect to see objective evidence that the outputs (7.3.3 a – d) have been
verified against the design inputs. This can be accomplished by reviewing documents, plans, etc.
interfacing with the customer or internal processes and by comparison with past proven designs.
Outputs may also include product preservation methods, identification, packaging, service
requirements, etc. as appropriate.
7.3.4 Design and development reviews
Reviews shall be conducted in accordance to the time line or plan established at the beginning of
the design activity. Reviews shall show evidence that all activities required in each phase of the
design have been addressed or adjustments made. Records should show who attended the reviews
and that all concerned parties were present and that all actions were satisfied before proceeding
forward with the design process. The intent of design reviews with “representatives of functions
concerned” is that other parties in the organization “interact” with Design i.e. purchasing, quality,
manufacturing (design hand off), etc.
7.3.5 Design and development verification
The 2008 revision added a note:

NOTE Design and development review, verification and validation have distinct purposes. They
can be conducted and recorded separately or in any combination, as suitable for the product and
the organization.
Design verification basically means that the product can be produced as designed and that output
meets the intended inputs. Additionally it should show that the organization has the capability to
produce the product with existing equipment and has the personnel competencies or has the ability
to train or subcontract the required capabilities.
7.3.6 Design and development validation
Validation has to ensure capability of meeting “intended use where known” as well as specified
requirements, and has been completed prior to delivery and implementation wherever practicable
(typically as a prototype or first article). In most organizations they can’t rely on the customer to
perform the validation, the lack of a negative response from the customer does not meet the intent
of this clause. The organization shall have records that the product designed will meet defined user
needs prior to delivery of the product to the customer, as appropriate. Methods of validation could
include simulation techniques, proto-type build and evaluation, comparison to similar proven
designs, beta testing, field evaluations, etc. Irrespective of the methods used, the validation activity
should be planned, executed with records maintained as defined in the planning activity in 7.3.1.
Page 27 of 42
7.3.7 Design and development changes
Design and development changes (after the original verification and validation) have to be
“verified and validated as appropriate” (as well as reviewed) and to “include evaluation of the
effect of changes on constituent parts and products already delivered”. If the organization chooses
not to perform re-verification and re-validation on every design change, then the auditor should
expect to see some very well defined criteria as to when the activity needs to occur. This includes
any changes that do not affect fit, form or function.
7.4: Purchasing
7.4.1 Purchasing Process
It would be extremely uncommon for purchasing to be excluded from the quality management
system (i.e., perhaps applying to such situations as small consultancies using no subcontractors,
and using proprietary office materials and equipment that do not directly impact on product or
service performance, or work conducted for the government/contractors – but not to many other
situations).
Where procurement is centrally controlled by a corporate procurement organization outside the

scope of the QMS of the auditee organization, this is not justification for exclusion of 7.4 in its
entirety. The audited organization is certainly responsible for providing purchasing information
(7.4.2) to the corporate procurement organization, and for verification of purchased product (7.4.3)
– and perhaps participating in the re-evaluation process. In the event that a corporate office or
other entity, outside the scope of registration, performs any sections of purchasing this shall be
considered an outsourced process per requirements identified in section 4.1. Bureau Veritas
Certification auditors would expect to see a documented agreement in place (i.e. an Interface
Agreement) between the organization and the supplier.
Auditor will expect to see a process is in place for evaluating and selecting suppliers as well as a
process for ongoing re-evaluation of suppliers. While a written procedure for purchasing is not
required, records of evaluation and actions arising from the evaluation are required to be
maintained. “re-evaluation” may be considered on-going monitoring of performance however,
suppliers that have new products requested by the company, may require a new evaluation.
7.4.2 Purchasing Information
Purchasing information may take many forms however is generally a purchase order or requisition.
The auditor will expect to see that the information clearly describes the product to be purchased as
well as any other requirements, including as appropriate:
7.4.2 a) the approval of products, procedures, processes and equipment.
7.4.2 b) the qualification requirements of personnel.
Page 28 of 42
7.4.2 c) the QMS requirements. I.e. ISO 9001 certified, ISO 17025 certified or other specific QMS
requirements including statutory and regulatory, as appropriate.
7.4.3 Verification of Purchased Product
Auditor will expect to see a process is in place to verify that purchased product meets
requirements. This may take many forms depending on the product. Auditor will verify that these
requirements are known and being accomplished. This may include receiving inspection and
testing, visual inspection, receipt of certificates of conformance etc. In the event verification will
take place at the suppliers premises the method for doing so must be stated in the purchasing
information. Based on supplier performance, receiving verification may be limited to the review of
quantity, part numbers and visual for freight damage, as appropriate.
7.5 Production and Service Provision
7.5.1: Control of product and service provision
There is the possibility of defining sub-clauses 7.5.1 b) work instructions, 7.5.1 c) the use of
suitable equipment, and 7.5.1 f) post delivery activities as not applicable to the scope of their
quality management system. The non-applicability of these items must be justified in the quality
manual (4.2.2 a) and must not “affect the organization’s ability, or responsibility to provide
product that meets customer and applicable statutory and regulatory requirements” (1.2).
The auditor will expect to see that production activity is well defined and understood. This is
generally ascertained through interviews with employees on the production floor, review of
documentation and observations. The auditor will verify the following at a minimum:
7.5.1 a) the information describing the characteristic of the product. This may be in the form of a
work order, travelers, schedule, quality plan, etc.
7.5.1 b) the availability of work instructions or procedures as applicable. These may be in any
format (electronic or paper); instructions may simply be included on the work order or travelers.
Instructions do not have to be documented and could simply be provided through training, one
may think that an Engineering drawing is a work instruction for production; it is also a record of
design. The auditor will review Control of Documents, 4.2.3 as applicable.
7.5.1 c) the use of suitable equipment. The auditor will expect to see evidence that equipment is
suitable for the process and that it is maintained. The auditor will investigate how equipment is
maintained and how malfunctions are handled. This may be in conjunction with Infrastructure
6.3.
7.5.1 d - e) the availability of suitable monitoring and measuring equipment and the
implementation of monitoring and measurement. Measuring and monitoring may require record
keeping i.e. operator log sheets, inspection sheets, routers or other documentation. Documentation
will be reviewed as applicable per Control of Records 4.2.4.
Page 29 of 42
7.5.1 f) the release, delivery and post delivery activities. Whether in process or final the auditor
will expect to see that release, delivery and post delivery activities are defined. This may include
release to the next process or for shipment to customers.
7.5.2: Validation of processes for production and service provision
This clause applies exclusively to “special processes” – and not to all the processes of the quality
management system in general.
This clause may be considered within the quality management system as not applicable. Any
organization that does not have any “special processes” can clearly note this clause as not
applicable.
Where “special processes” have been identified, Bureau Veritas Certification auditors will expect
to see that 7.5.2 a- e have been arranged as appropriate, which includes ensuring that:
7.5.2 a) the organization establishes arrangements to ensure that these processes are reviewed and
approved.
7.5.2 b) the equipment used and the personnel involved are qualified.
7.5.2 c) specific methods and procedures are used (may require documentation).
7.5.2 d) records are maintained.
7.5.2 e) re-validation is performed for those instances where, for example, a deficiency is found.
As an example, it may be determined that an individual is actually not qualified to perform a
particular “special process”. Training may be provided to improve the individual’s skills,
following which the individual’s qualifications should be re-validated to ensure they are capable of
providing the planned results.
7.5.3: Identification and traceability
Organizations cannot completely exclude 7.5.3. Despite the phrase “where appropriate”, no
organization can wholly claim non-applicability for “identification”. However, traceability can be
identified as not applicable where it is not a requirement of the customer, the product regulatory
requirements, or of the organization itself. This has been expanded to include configuration
management as meeting traceability, as appropriate.
The auditor will expect to see that product is identified (as appropriate) and its status with regards
to monitoring and measuring (conforming or not) is identified throughout the product realization
processes. Where traceability is a requirement, the auditor will expect to see that the organization
is controlling and recording the unique identification of the product. This documentation is a
required record per Control of Records 4.2.4.
Page 30 of 42
7.5.4: Customer property
The auditor will expect to see that the organization has clearly identified any and all customer
property. The auditor will verify that the organization has established a process to protect customer
property. Further a process must be established for contacting the customer when these items are
lost, damaged or otherwise found unsuitable for the process. This communication to the customer
must be maintained as a Quality Record 4.2.4.
Customer property may include (not limited to):
Components supplied for inclusion into the product.

Packaging material
Transport
Intellectual property – drawings, specifications etc.
Equipment or tools
The 2008 standard expanded this requirement to include personal information i.e. credit
card info, bank data, proprietary, confidential, social securities numbers, etc.
7.5.5: Preservation of product
Auditor will expect to see that adequate measures are taken to protect/preserve product during
internal processing and delivery to the intended destination. The preservation process must include
the following: As a note, preservation, packaging and other product specific handling methods
may be an output of the product design process.
Identification - this is relative to 7.5.3 – Identification and Traceability however for

preservation of product it is a requirement and not “as applicable”. Auditor will expect to
see that all products are clearly identified.
Handling - auditor will verify that suitable handling methods are implemented throughout
the processes. This may include bulk handing using moving equipment or physical contact
where handling may influence product conformity.
Packaging - auditor will expect to see that methods have been established for packaging
product to preserve integrity.
Storage - auditor will expect to see that product is stored in locations and in a manner to
safe guard product.
Protection – auditor will verify that appropriate measures are in place to protect product.
This may vary widely depending on the product.
7.6: Control of monitoring and measuring Equipment

Page 31 of 42
Companies with no measuring equipment can claim non-applicability for this (as addressed from
paragraph 3 of section 7.6 of the standard onwards).
The clause addresses all measuring equipment that is used for product acceptance, and
reconfirmation of computer software as necessary. The first two paragraphs address monitoring
and measuring equipment and can be applicable to service companies as well as manufacturing
organizations. For example, in a training organization, where consistency of evaluating and
grading trainees (the product) needs to be assured, then calibration may be applicable.
The auditor will expect to see a process is in place to determine required measuring and
monitoring to be accomplished as well as the equipment needed to provide evidence of
conformity. Many facilities use calibration software including a calibration master list of all
equipment. While this is not required, all equipment requiring calibration must be identified and
shall:
7.6 a) be calibrated or verified at specific intervals or prior to use. equipment must be calibrated
using measurement standards traceable to international or national measurement standards. Where
there is no standard available for the device the basis for calibration or verification must be
recorded. Auditor expects to see that traceable standards are used and where applicable have not
expired. Where calibration is completed by an outsourced process i.e. vendor, the records of
traceability must be reviewed.
7.6 b) Adjusted or readjusted as necessary. Auditor will expect to see evidence that equipment
found to be out of calibration are adjusted/re-adjusted by qualified personnel and the validity of the
previous measuring results are accessed when equipment is found to be out of calibration and
appropriate action is taken (may include recall of product). Auditor will expect to see that a
process is in place to provide traceability of each piece of equipment to the process/product that
the equipment was used on. The results of calibration and verification are required to be
maintained as quality records.
7.6 c) be identified to show calibration status. Auditor will expect to see that each piece of
equipment is identified in such a way that the user can determine that the device has current
calibration, this may be accomplished by the equipment unique serial number traceable to the
calibration record however, the calibration status label is a good practice. Other methods may be
used however must clearly identify the calibration status. Where the environment is not conducive
to the use of stickers, status may identified by color-coding, identification number with associated
calibration record, and/or calibrated prior to every use.
7.6 d) Safeguarded from adjustments. Auditor would expect to see that a process is in place to
ensure that users outside the calibration process do not adjust equipment. Equipment may be
verified prior to use however any adjustments made to equipment must meet all requirements of
this section. Methods to safeguard may include; locking materials for setscrews, tamper-proof
seals, limited entrance to calibration areas, and other methods.
Page 32 of 42
7.6 e) be protected from damage during handling, maintenance and storage. Auditor will expect to
see that measuring equipment are handled and stored in a manner to protect the equipment from
damage.
Clause 8: Measurement, Analysis and Improvement

8.1: General
The means (i.e. ‘processes’) and resources for accomplishing the three (3) requirements must be
planned for and implemented. The processes must address four (4) different, but related, aspects:
1) Monitoring (i.e. examination, information and data collection, and reporting) at the process
level.
2) Measurement (i.e. determination and comparison of ‘performance indicators’ against ‘actuals’
against ‘knowns’, or against expectations and requirements – i.e. inspections, tests, product and
process audits, systems audits, SPC, etc.) at the local level.
3) Analysis (review of data, evaluation of results and variances, causation analysis, application of
statistical techniques, etc.) at the process and local levels.
4) Improvement (i.e. corrective and/or preventive action, refinement, enhancement, etc.) This
would include changing the goals and objectives to a higher level.
The various techniques, methodologies, resources, tools (including statistical techniques), and
applicable procedures need to be determined for these Measurement, Analysis and Improvement
‘processes’. This is not for an organization to state that there is no need to use a statistical
technique, if there is variability in their process or product characteristics, then there is a need for
the use of a statistical technique.
Fulfillment of the requirements in Section 8 is important if the organization is to fully embrace and
effectively apply the principles of the “Process Model” and the “Plan Do Check Act” model. The
word “process” for measurement, monitor, analysis and improvement does not mean that these are
a defined process in the quality manual. The intent is; that there needs to be methods, techniques
and actions related to these topics.
8.2: Monitoring and Measurement
8.2.1: Customer Satisfaction
It is recognized / understood that Customer Satisfaction is:
A viable, effective (albeit partial) measurement of the performance (merits, benefits,

adequacy, suitability, effectiveness, etc.) of the quality system.
An objective, goal, expectation of the quality system.
Page 33 of 42
ISO 9000:2005, 3.3.5 defines the “Customer as the organization or person that receives a
product.” The examples stated are; “consumer, client, end-user, retailer, beneficiary and
purchaser”. It is intended that the customer satisfaction measurements be focused on external
customer but in addition can include internal customers. Internal customer satisfaction measures
can be contained in the establishment of the organizations defined internal process measurable
objectives. Measuring only internal customer satisfaction would not meet the intent of this clause
and must include all interested parties where appropriate.
Customer Satisfaction is determined by the organization measuring its customer’s perception as to

whether they have satisfied their customers’ requirements – and may be somewhat subjective or
‘qualitative’ as much as ‘quantitative’. Customer complaints are a common indicator of low
customer satisfaction but their absence does not necessarily imply high customer satisfaction.
Simply capturing customer complaints and product returns will only gauge ‘dissatisfaction’ –
which does not fully meet the intent of the clause and will not satisfy these requirements. The
organizations management should analyze the implications of the absence or existence of customer
complaints.
Process definition is needed. The various techniques, methodologies, tools, resources, etc. (forms,
surveys, frequency, targeted customers, responsibilities, external survey service companies,
benchmarking, etc.) and applicable procedures need to be determined for:
1) Obtaining customer satisfaction information (i.e. identifying, collecting, monitoring and

reporting various data/information)
2) Using customer satisfaction information (analyzing, understanding and responding to – i.e.
making changes, corrections, enhancements and improvements to the
products/services/quality system)
NOTE (added for 2008 revision)

Monitoring customer perception can include obtaining input from sources such as customer
satisfaction surveys, customer data on delivered product quality, user opinion surveys, lost
business analysis, compliments, warranty claims and dealer reports.
Regarding these methods, organizations are required to analyze all data pertaining to the
customer’s perception and determine a measurement of effectiveness for satisfaction.
The requirements in 8.2.1 interrelate closely with those in sub-clauses:
5.2 Customer Focus (…. with aim of enhancing customer satisfaction.)

8.4 a) Analysis of Data – customer satisfaction
8.5.1 Continual Improvement (via analysis of data)
5.6.2 b) Management Review Input – customer feedback
7.2.3 Customer Communication – customer feedback & complaints
8.2.2: Internal Audit
Page 34 of 42
IMPORTANT INITIAL CERTIFICATION REQUIREMENT: For a new/first time

registration/certification, a full round of internal audits, including documented evidence that all
processes and sections of the standard have been audited, must be completed “prior to” the
registration/certification audit being conducted. For multi-site/corporate certifications all processes
performed at each site must be included in the initial round of internal audits. It is an expectation
that internal audit planning and the evaluation of the internal audit results across all sites will be
performed by the headquarters location (i.e. centrally managed). The results of this evaluation are
to be presented during the management review process (see 5.6). The organization shall have
documented conclusions based on the outcomes of all process, product and system audits in terms
of the effectiveness of the QMS based on audit results. This may be in a stand-alone document
(e.g. Annual Audit Report) or be a part of the management review records. The conclusions should
be based on the audit team leader’s conclusions along with the audit team.
Auditor will expect to see a documented procedure developed that defines responsibilities and
requirements for planning and conducting audits, reporting results and maintaining records (see
4.2.4). The Auditor must make a determination if the internal audit process is effective in
maintaining the integrity of the quality management system. A statement indicating the level of
effectiveness must be included in the summary section of the Bureau Veritas Certification audit
report. In the event the auditor cannot state that the audit process is effective, a nonconformance
should be raised.
Internal audits shall be planned based on the status and importance of the processes executed, in
other words more emphasis (time audited) on those processes that have a direct or significant
impact on the achievement of the organizational goals. In addition, previous audit results must be
considered in the scheduling of future internal audits. Auditor will expect to see a schedule (plan)
that has been developed considering the status and importance of the processes, previous audit
results, and selection/assignment of auditors to ensure objectivity/impartiality (auditors can not
audit their own work). Bureau Veritas Certification expects the internal audit process and internal
audit schedules will reflect the process approach. If the organization only has an audit schedule
based on the clauses of the standard, then this will not be considered acceptable, would not be
reflective of the process approach, not based on the status and importance of the processes or
reflect previous audit results. In all likelihood this will result in a nonconformance to the standard
against 8.2.2.
Furthermore, “status” includes the performance of the processes based on achievement of goals
and objectives, problems in the process, complaints and excessive variation in a process, etc.
“Importance” is based on the activities that have the most impact to the customer,
regulatory/statutory requirements, legal, process that affects the product directly i.e. one may say
that product design and sales is more important than IT or receiving inspection, it would be logical
to assess sales and product design more often than IT, as appropriate.
The auditor must see evidence that the audits include the requirements of ISO 9001:2008 as well
as the requirements established by the organization. Nonconformances raised during the audit must
be addressed without undue delay by the management of the area/process being audited. The
Page 35 of 42
auditor will expect to see that a process is in place to ensure that actions taken are implemented to
eliminate the nonconformance and the cause. A process must be in place for follow up to ensure
that the action(s) taken were effective. The results must be recorded. Auditors would expect to see
that nonconformances follow the requirements of 8.5.2. However, there is no requirement to have
one corrective action system and therefore it is acceptable to have a separate process for audit
nonconformances as long as requirements for corrective actions 8.5.2 are being met.
Requirements of 8.2.2 interrelate closely with those in sub-clauses:
5.6.2 a) Management Review Input – results of audits

8.5.1 Continual Improvement (via use of audit results)
8.5.2 Corrective Action (to eliminate deficiencies found in the audit)
8.5.3 Preventive Action (resulting from audit, analysis and observations)
8.2.3: Monitoring and Measurement of Processes
Applicable processes need to be identified in the Quality Manual, along with a description of the
interaction between those processes. The applicable processes might include those relating to four
general categories: 1) Management Activities, 2) Resource Management, 3) Product Realization,
and 4) Measurement and Monitoring, but most companies will prefer to focus on their own
particular COPS, MOPS, and SOPS.
Fulfillment of the requirements in this sub-clause is important if the organization is to fully

embrace and effectively apply the principles of the “Process Model”, the “Plan Do Check Act”
model.
The requirements of 8.2.3 interrelate closely with those in sub-clauses:
4.2.2 c) Quality Manual (include a description of interaction between processes)

5.4.1 quality objectives (at relevant functions and levels i.e. processes)
5.6.2 a) Management Review Input (process performance)
8.5.1 Continual Improvement (via analysis of data)
4.1 e & f) General Requirements – (to implement, measure, monitor, Analyze and
continually improve the processes).
The organization should identify monitoring, and, where appropriate, measurement methods to
evaluate process performance. The organization should incorporate these measurements into
processes and use the measurements in process management. Measurements of process
performance should cover the needs and expectations of interested parties in a balanced manner.
Examples (from ISO 9004:2000) might include:
Process capability
Reaction time
Cycle time or throughput
Measurable aspects of dependability
Page 36 of 42
Yield
The effectiveness and efficiency of the organization’s people
Utilization of technologies
Waste reduction
Cost allocation and reduction
The intent of this sub-clause is to monitor/measure processes with the quality objectives stated in
5.4.1.
8.2.4: Monitoring and Measurement of Product
The organization must show evidence that a process (method, techniques, formats, etc) is in place
to monitor and measure the characteristics of product to verify that requirements are being met.
This must be accomplished at appropriate stages of the product realization process and must be
defined as required per Planning of Product Realization 7.1. Auditor will verify that records are
maintained to provide evidence of conformity and indicate the person(s) authorizing the release of
products. The release of product or delivery of service must not be completed until the planned
requirements (7.1) have been met. “Release” of product may include, according to product
planning and the verification stages, release to the next operation, release to an internal customer,
release to final customer, etc.
For product release or service delivery, the planning requirements may be waived, but must be
approved by relevant authority and by the customer as appropriate.
8.3: Control of Nonconforming Product
The Auditor will verify that a documented procedure has been developed to define the controls,
responsibilities and authorities for dealing with nonconforming product. Product that does not
meet requirements must be identified and controlled. The auditor will expect to see that
nonconforming product is clearly labeled and segregated to prevent unintended use.
“Labeling” may include; marked areas where NC product is stored/segregated, a shop router that
has annotations regarding NC product, red tags, an electronic system that puts product on hold or
other status to assure the product is not used, and other methods that meet this intent.
It is important to note that requirements may extend beyond delivery of product, and/or to the
point or time of use (i.e. during shipment/transit, until received and accepted at the customer, while
on consignment at customer’s facility, etc.) This also suggests that the organization may be
responsible to “take action”, even after use of the product has begun i.e. recall of product.
Appropriate objective evidence (quality records) must be maintained.
Requirements of 8.3 interrelate with those in sub-clauses:
8.2.1 Customer Satisfaction (possible impact upon)

8.4 b) Analysis of Data (information relating conformance to product requirements)
Page 37 of 42
8.5.2 Corrective Action (take action to eliminate cause of nonconformities and the
action shall be appropriate to the effects)
There are only four possibilities auditors should see as dispositions of nonconforming product, 1-
scrap, 2- rework or repair, 3- re-grading of the product, or 4 – use with the concession of the
customer or relevant authority i.e. Engineering (if Design responsible, form, fit and function),
regulatory body, etc. and records maintained. Obviously reworked or repaired product requires
subsequent verification prior to release.
8.4: Analysis of Data
The Auditor will expect to see that the organization has developed a process (method, techniques,
format, etc.) to identify, collect and analyze various data and information from both internal and
external sources (i.e. quality records, monitoring and measuring results, process performance
results, quality objectives, internal audit findings, customer surveys and feedback, 2nd or 3rd-party
audit results, competitor and benchmarking information, product test results, complaints, supplier
performance information, etc., etc.). This ‘input’ (information and data) should reflect upon the
adequacy, suitability, and effectiveness of the Quality Management System and its processes. The
‘output’ (result of the analysis) must provide information (understanding, insight, awareness,
confidence, knowledge of, etc.) about:
Customer Satisfaction / Perception.

Product Conformance
Process performance
Product / Process Characteristics
Trends in Products / Processes
Opportunities for Preventive Action
Suppliers and subcontractors (i.e., all as defined in 8.4 a)-d))
Other potential or useful options might include:
Need for Corrective Action

Opportunity for Improvement
Competition

Requirements of 8.4 interrelate with those in sub-clauses:
5.6.2 Management Review Input

8.5.1 Continual Improvement
8.5.2 Corrective Action
8.5.3 Preventive Action
Furthermore, any “record with data” that is established, may be considered for analysis. Records
are evidence of quality system performance and should be analyzed for potential improvements.
Page 38 of 42
8.5: Improvement
8.5.1: Continual Improvement
Distinction must be made between ‘continual’ and ‘continuous’ improvement. Unlike continuous
improvement (which must be constant, steady and always positive), continual improvement may
show signs of dwells, momentary setbacks, delays or slight reversal, shows process variation –
provided the overall trend is positive/improving.
The auditor will expect to see a process method, techniques, formats, etc. is in place for
establishing and implementing continual improvement. Significant or sustained lack of
improvement must be met with corrective action (i.e. ‘get well plan’) – unless the undesirable
condition is expected/predicted – resulting from a conscious/deliberate decision by management
(i.e. willingness to accept a temporary setback in productivity while new equipment/ processes are
introduced.)
Drivers, or impetus for continual improvement must come from the use of (as a minimum):
The quality policy

Quality objectives
Audit results
Analysis of data
Corrective actions
Preventive actions
Management review
Requirements of 8.5.1 interrelate with those in clauses / sub-clauses:
5.4.1 Quality Objectives

5.4.2 Quality system planning
5.6.2 g) Management Review Input (recommendations for improvement)
5.6.3 a - b) Management Review Output (improvement of system, processes and product)
8.4 Analysis of Data
8.5.2 Corrective Action
8.5.3 Preventive Action
Note: it is the responsibility of the company to demonstrate improvement rather than the auditor to
look for it. Accordingly, it is a useful audit practice to ask management to identify any
improvement initiatives taken since the previous visit, and also any planned for the future.
8.5.2: Corrective action
Corrective action is action taken to PREVENT the recurrence of actual problems. When a problem
occurs, organizations invariably take remedial or containment action, or implement
Page 39 of 42
CORRECTION to contain or fix the immediate problem. Corrective action (as addressed in ISO
9001:2008 8.5.2) is any subsequent action to address the root cause and prevent recurrence.
The auditor will verify that a documented procedure is in place to define the requirements for
corrective action:
8.5.2 a) Reviewing nonconformities – auditor will expect to see a process is in place for
identifying nonconformities (types) and reviewing them to determine if the nonconformity requires
corrective action. The section specifically identifies customer complaints however other sections
such as internal audits, nonconforming product, monitoring and measurement of processes
reference corrective action. Sources from ISO 9004:2000 include:
Customer complaints
Nonconformity reports
Internal audit reports
Output from management review
Output from data analysis
Outputs from satisfaction measurements
Relevant quality management system records
The organizations people
Process measurements
Results of self assessment
The 2008 revision added “causes” plural, the intent is the companies may determine several causes
for one issue, if several causes are cited, then actions to each cause must be in place. How the
organization handles and documents the actions are up to the company however, must meet the
intent of the 8.5.2 a-f.
8.5.2 b) Determining causes – auditors will expect to see that a process is in place for determining
root cause. BV has determined that root cause analysis has been a long term issue, many
companies struggle with formal root cause analysis and it is imperative that Auditors (BV) assure
organizations have some type of formal method in place to assure the actual cause has been
determined. Though, ISO 9001 does not require a specific method for root cause, Auditors must
assure that organizations have an effective method to determine root cause. Organizations must
realize the importance of root cause, if the actual cause is not determined, then there is a high
probability that the nonconformance will recur. Methods for root cause may include; 5-whys,
fishbone, FMEA, six sigma, brainstorming, quality circles, reliability analysis, and more. Auditors
must assure that the organization has determined root cause and that the issues are not recurring.
8.5.2 c) Evaluating action needed to prevent recurrence – auditor will expect to see evidence that
action(s) are evaluated and developed to prevent the nonconformance from recurring.
8.5.2 d) Implementing action – evidence that actions are implemented. There is no requirement for
time however auditor will expect to see evidence that actions are taken in a timely manner.
Page 40 of 42
8.5.2 e) Maintaining records - corrective actions are required to be maintained as quality records
per 4.2.4.
8.5.2 f) Reviewing the effectiveness of the action taken – auditor will expect to see a process in
place for reviewing completed corrective action to ensure that the action taken was effective in
correcting the nonconformity.
Note: The organization may choose to maintain one document for both corrective and preventive
action. While this is acceptable, Bureau Veritas Certification believes that the processes are unique
and should be documented separately.
Note: Organizations are free to use their own terminology (i.e., many define corrective action as
the fix and preventive action as the subsequent cure). There is no problem with this – provided
they are not claiming that this “preventive action” (i.e., after the event) meets the requirements of
8.5.3 (action taken before the event). For example, some corrective action systems use a form and
one portion of the form is “action to prevent recurrence” this is not a preventive action according
to 8.5.3 and does not meet the intent of preventive action.
Note: For multi-site/corporate certifications auditors will expect to see that evaluation of corrective
actions across all sites is being performed and analyzed (A “centralized” location is the BVC
requirement, the appropriate location would be at headquarters/corporate offices where Top
Management reviews the status of all corrective actions, including each site within the scope), this
would be an input to management review (see 5.6.2).
8.5.3: Preventive action
The auditor will verify that a documented procedure is in place to define the requirements for
preventive action:
8.5.3 a) Determining potential nonconformities and their causes - auditor will expect to see
evidence that a process is in place for determining potential nonconformities. This may include
many methods. Sources from ISO 9004:2000 include:
Use of risk analysis tools.

Review of customer needs and expectation.
Market analysis.
Management review output.
Output from data analysis.
Satisfaction measurements.
Process Measurements.
Lessons learned from past experience.
Results of self-assessment.
Processes that provide early warning of approaching out-of-control operating conditions.
Page 41 of 42
8.5.3 b) Evaluating action needed to prevent occurrence – auditor will expect to see evidence that
action(s) are evaluated and develop to prevent the occurrence of potential nonconformances.
8.5.3 c) Implementing action – evidence that actions are implemented. There is no requirement for
time however auditor will expect to see evidence that actions are taken in a timely manner.
8.5.3 d) Maintaining records - preventive actions are required to be maintained as quality records
per 4.2.4.
8.5.3 e) Reviewing action taken – auditor will expect to see a process in place for reviewing
completed preventive action to ensure that the action taken was effective.
Preventive action is action taken to PREVENT the occurrence of potential problems. The
organization might welcome some auditor guidance on terminology. Many companies (especially
small companies with simple systems) are struggling to identify opportunities to satisfy 8.5.3, as
most of the standard is, in fact, focused on prevention. Anything related to evaluation of risk and
related actions, or action to prevent an early dip in a trend graph becoming a problem can be
accepted as objective evidence of compliance – as well as clear up-front preventive initiatives, of
course.
Preventive action systems and continual improvement systems are very similar for example; a
company may identify an improvement initiative and “prevent” the occurrence of something
however, the steps in 8.5.3 must be recorded as evidence.
Reviewed By Authorized By Rev Date Rev # Location Change History

Update name change BVQi to Bureau
Prev
Veritas Certification. Changes to
Ralph 8/30/05
Zach Pivarnik 6 BMS sections: Outsource Processes, 4.2.2 c),
McLouth Rev
4.2.3 b),
5/9/05
7.6 c) and 8.2
Updates to the ISO 9001:2008 revision,
Ralph updates included throughout this
Jeff Rodgers 1/26/10 7 BMS
McLouth document are text changes and
examples/guidance statements.
Page 42 of 42

BVC+ISO 9001+2008+interpretation

Загружено:

Сведения о документе

Оригинальное название

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Доступные форматы

BVC+ISO 9001+2008+interpretation

Загружено:

Авторское право:

Доступные форматы

Bureau Veritas Certification Interpretations

Expectations for Companies Certifying to ISO 9001:2008.

ISO 9001:2008 Interpretations

If an outsourced process is controlled through Purchasing there must be documented objective

b) the degree to which the control for the process is shared,

TABLE A: Cross-linked references

these processes, and,

These processes shall be managed by the

Where an organization chooses to outsource any

4.2: Documentation Requirements

a) documented statements of a quality policy and quality objectives,

4.2.2: Quality Manual

Examples may include, but no limited to:

Be a direct collection of QMS documents including procedures;

NOTE 3 The documentation can be in any form or type of medium.

4.2.3: Control of Documents

A documented procedure is required for control of documents.

4.2.3 a) Approve documents – procedure must identify the approval process.

4.2.4: Control of Records

Identification – the procedure must identify the system/process is in place to identify

A spreadsheet or other document may be used to identify the above requirements.

Element 5: Management Responsibility

5.1: Management Commitment

This would include:

5.1 c) Documented quality objectives (for all processes).

5.1 d) Top Management’s active participation in management review meetings.

In short, how well they address requirements 5.2 through 5.6.

5.2: Customer Focus

5.3: Quality Policy

5.3 a) Is appropriate to the purpose of the organization

5.3 b) Includes a commitment to meeting requirements and to continual improvement of the

5.3 c) Provides framework for establishing and reviewing quality objectives

5.3 d) Is communicated and understood at appropriate levels in the organization

5.3 e) Is reviewed for continuing suitability.

5.4.1 Quality Objectives

5.4.2: Quality Planning

Determining effective and efficient planning may be found by evidence of:

5.5: Responsibility, Authority and Communication

5.5.1: Responsibility and authority

5.5.2: Management Representative

5.5.2 b) Reporting on the performance of the system to top management.

5.5.2 c) ensuring the promotion of awareness of customer requirements.

The resource designated as management representative shall be a member of the organization’s

responsibility. However, implementation of those responsibilities may be in the form of a defined

5.5.3: Internal Communication

5.6: Management Review

5.6.1: Management Review - General

IMPORTANT INITIAL CERTIFICATION REQUIREMENT: For a new/first time

• Full management review meeting all 5.6.2 and 5.6.3

5.6.2: Management review input

5.6.3: Management review output

Element 6: Resource Management

6.2: Human Resources

6.2.2: Competence, awareness and training

Classroom style, tutor led training;

Observation of personnel performing their duties;

Toolbox meeting notes;

6.4: Work Environment

Element 7: Product Realization

7.1: Planning of product realization

7.2: Customer Related Processes

7.2.1: Determination of requirements related to the product

Specific to 7.2.1 (a)