F103-12-QMS-2015 ISO 9001 2015 Checklist Guidance Doc - Copy
April 24, 2017 | Author: Anand Dubey | Category: N/A
Short Description
Descripción: 9001:2015 checklist...
Description
ISO 9001:2015 Checklist/ Guidance Document Clause #
Requirements
4
Context of the organization
4.1
Understanding the organization and its context
Has the organization identified the external and internal issues that are relevant to its ‘context’ and that affect its ability to achieve the intended result(s) of its quality management system? Does the organization continue to monitor and review those issues to establish whether any changes to them will affect its QMS or its purpose?
Yes
N o
Objective evidence/ Remarks
Describe the process used by the organization to identify the internal and external issues and monitoring process;
Notes: The context of the organization (also known as its business or organizational environment) refers to the combination of internal and external factors and conditions that can have an effect on an organization's approach to its products, services, investments and intended outcome of its QMS. An organization’s context may include: Specific objectives & targets of the organization. Needs and expectations of its customers and any other relevant ‘interested parties’ e.g. Shareholders, employees, end used, suppliers, regulators etc. Products and services it provides; Complexity of organizational processes and their interaction. Competence of personnel working within or on behalf of the organization. The size and structure of the organization. Auditors will need to understand the internal and external issues typically experienced in type of organisations and must be prepared and able to challenge an organisation if they believe the organisation’s interpretation of their context is having deficiency or incorrect. The standard does not ask for any specific requirement that these internal and external issues, or their monitoring and review, have to be documented by an organization, so auditors cannot simply ask for a list of issues or records of reviews. However, the information may be obtained from different sources (refer examples below). The auditors will also need a change in the audit approach and will have to more likely interview the senior management in relation to the organization’s context and its strategic direction and related issues. An evidence of conformity needs to be obtained to assure that organisations are reviewing internal and external issues periodically. Examples: External context can include issues arising from legal, technological, competitive, market, cultural, social and economic environments, whether international, national, regional or local. Internal context can include issues related to values, culture, knowledge and performance of the organization. Auditors can obtain information from sources including; Business plan or strategy, Information provided on the organization’s website, Annual reports, Management meeting minutes having these issues addressed etc. Use of Process approach by organization to identify relevant internal and external issues right from ‘sources of input’ to ‘receiver of output’ covering both internal & external context issues as above. [Figure-01 Schematic representation of the elements of single process (ISO 9001:2015)]
4.2
Understanding the needs and expectations of interested parties
F103-12-QMS-2015 – Issue date: 08-OCT-2015
ISO 9001:2015 Checklist/ Guidance Document Clause #
Requirements
Yes
N o
Objective evidence/ Remarks
a) Has the organization determined the interested parties that are relevant to its QMS, who can effect or potentially effect on the organisation’s ability to consistently provide products and services that meet customer and applicable statutory and regulatory requirements and which requirements are relevant to its QMS?
Describe the process used by the organization to fully identify the interested parties;
b) Does the organization monitor and review the information about these interested parties and their relevant requirements?
Describe that how they monitor these interested parties and their relevant requirements;
Notes: An ‘interested party’ is any person or organization that can affect, be affected by, or perceive themselves to be affected by the decisions or activities of the organization implementing the QMS. In order to determine whether an interested party, or its requirements, are relevant to their QMS, the organization must consider whether or not they have an effect on the organization’s ability to consistently provide products and services that meet customer and applicable statutory and regulatory requirements or to enhance customer satisfaction. Each organisation will have its own set of relevant interested parties and these may change over time. Similarly, each interested party may also have its own set of requirements, but all of these may not be relevant to an organization’s QMS. For any difference in opinion with client organization regarding the relevant interest of the interested parties, the Auditors should be well prepared to challenge it. Auditors will have to ensure that the organisation has been through a process of initially identifying these interested parties/ groups and then to identify their requirements that are relevant to the organisation’s QMS. They will also need to ensure that this process is revisited periodically because the relevant requirements of the interested parties may change over time. Again, as there are no specific requirements for documented information in the standard, the auditor need to use the same approach, as in clause 4.1, to obtain information through several sources/ documents and interviews with senior management to obtain the objective evidences when there is no direct documentation provided by the client for this purpose. Where the organization has determined that any interested party and/or its requirements are not relevant to QMS, then it does not have to take any action to address them. Examples: Interested parties could include the organization’s shareholders, employees, customers, end users, suppliers, regulators etc.
4.3
Requirement of Interested parties may include; Specs from raw materials manufacturers/ suppliers, Concerns on employee feedback forms, Contractual requirements from Customers, Corporate policies & procedures, Legal requirements etc.
Determining the scope of the quality management system
F103-12-QMS-2015 – Issue date: 08-OCT-2015
ISO 9001:2015 Checklist/ Guidance Document Clause #
Δ
Requirements
N o
Objective evidence/ Remarks
The scope of the Quality management system sets its boundaries, identifying what the requirements of the Quality management system are applicable to, and to what they are not. a) When defining the scope of QMS, has the organization considered its context (e.g. the internal and external issues it faces and the requirements of relevant interested parties), and also products and/ or services it intends to deliver?
Yes
b)
Is the scope made available and maintained as documented information?
c)
Does the scope include any justification or instances where specific elements of the standard cannot be applied?
Does the scope include all consideration in point a) as well as geographical locations;
Notes: The scope of a management system may include the whole of the organization or specific functions, section of the organization, or one or more functions across a group of organizations. Boundaries for the scope may even include specific geographic location(s), Processes, activities etc. Outsourced functions or processes are considered within the organization’s scope of Quality management system. Although there is no longer any requirement that the scope of an organization’s QMS must be documented in a Quality Manual (which is no longer required), it need be available and maintained as ‘documented information’ (ISO 9001:2015clause 7.5). The scope must include reference to the products and services covered by the QMS. Where a requirement cannot be applied (e.g. the organization does not perform any design activity), the organization can determine that the requirement is not applicable. However, this should not result in failure to achieve conformity of products and services or to meet the organization’s aim to enhance customer satisfaction (Annex-A. A5) If the organization has excluded any requirement, this must be clearly recorded and the organization must be able to justify the exclusion. Auditors will need to verify that the organisation’s scope is documented, and evidence that it has been produced in consideration of organization’s context and products and services. If exclusions have been applied by the organisation, auditors must ensure that they are recorded and that the rationale for the exclusion is stated and justified.
4.4
Quality management system and its processes a)
Δ
Has the organization adopted the process approach while establishing, implementing, maintaining and continually improving the effectiveness of its quality management system?
b) Has the organization determined the processes needed for the quality management system and their application throughout the organization including; Inputs required and the outputs expected, Sequence and interaction of processes,
F103-12-QMS-2015 – Issue date: 08-OCT-2015
Is the process approach understood in the organization;
Ensure requirements in point b) has met and upload organization’s processes to demonstrate the Process approach is fully understood;
ISO 9001:2015 Checklist/ Guidance Document Clause #
Requirements
Yes
N o
Objective evidence/ Remarks
Measurements and related performance indicators, Availability of resources needed, Responsibilities and authorities assigned, Risks and opportunities associated and planned and implemented appropriate actions to address them, Evaluation of processes, andImprovement opportunities for the established processes and QMS. c) Does the organisation maintain the documented information necessary to support the operation of its processes? Do they also retain documented information that evidences thatprocesses are being carried out as planned?
Objective evidence can be indicated on process audit notes F103-16 or the organization’s identified processes if point b) above implemented;
Notes: ISO 9001:2015 includes specific requirements necessary for the adoption of a process approach when developing, implementing and improving the effectiveness of a quality management system. This requires an organization to systematically define and manage processes and their interactions so as to achieve the intended results in accordance with both the quality policy and strategic direction of the organization. There needs to be evidence that these process requirements are included e.g. in the design, operation and on-going update of the organization’s QMS. The organizations will have to pay attention to use the performance indicators to control and monitor processes, and the risks and opportunities associated with them. Although there is no longer any reference to ‘Records’ (ISO 9001: 2008 clause 4.2.4), there is still a requirement to demonstrate evidence of compliance with QMS requirements and processes (ISO 9001:2015 clause 7.5). Auditor must note that there are explicit requirement for a process-based quality management system now. They should also note the additional new requirements regarding use of performance indicators to control and monitor processes, and the requirement for processes to be assessed from a risk and opportunity perspective. In effect, auditors will need to review how the organisation has designed its process-based management system. Examples: Existing operational procedures, work instructions and flow charts are valid examples of documented information and can be used to evidence that the requirement for documented information to support the operation of processes is being met. If these are working well for the organisation then there is no need to replace them. Use of Turtle diagram by the organization for identifying the Process related Inputs, Outputs, Resources used (Human & Infrastructure), Monitoring and measuring processes and documentation. Use of Process approach by organization to identify sources of input, input, activities, output, receiver of output, performance indicators to control and monitor processes, and the risks and opportunities associated with them. [Figure-01 Schematic representation of the elements of single process (ISO 9001:2015)]
5
Leadership
5.1
Leadership and commitment
5.1.1
General
F103-12-QMS-2015 – Issue date: 08-OCT-2015
ISO 9001:2015 Checklist/ Guidance Document Clause #
Δ
Requirements
Yes
N o
Objective evidence/ Remarks
Has top management exhibited their leadership and commitment towards its Quality Management system by:
Objective evidence must include an interview with Top management covering the elements of points a) to h) to ensure thorough understanding and leadership at the highest level. If the Top management is not involved, a non-conformance needs to be raised.
a) Taking accountability of QMS effectiveness? b) ensuringQuality policy and Quality objectives are established and, are consistent with its overall strategic direction and the context in which the organization operates? c) ensuring that quality management system requirements are integral to the organization’s business processes (i.e. Core to the purpose to Organization’s existence)? d) promoting the adoption of the process approach and risk-based thinking& improvement? e) ensuring resources required for the effective operation of the quality management system are made available? f)
communicating the importance conforming to the quality management system requirements& its effectiveness?
g) ensuring that quality management system attain its intended outcome? h) involving, directing and providing support people& for them to demonstrate leadership in their relevant processes/ areas to contribute to theeffective operation of the QMS? Notes: Top management need to emphasize the importance of conforming to the QMS requirements. Additionally, they mustalso ensure that the QMS is achieving its intended results and continual improvement driven within the organization. Auditors should look forevidences that top management has a “hands-on” approach to the management of their quality management system during interviews and auditing other requirements e.g. Context of the organization, Quality policy, Quality objectives, Management review minutes, Resources etc. Where top management have effectively delegated responsibility for the QMS down to the MR, then they will now have to demonstrate much more direct involvement in the QMS with an exception where ISO 9001:2015 indicates that the Top Management is responsible for ‘ensuring’ that a task is done, but otherwise the specified requirements must be seen to be undertaken by top management directly. Auditors must understand which ISO 9001:2015 requirements top management can delegate and which they cannot. Auditors should ensure that they are well prepared to interview the top management in respect of theircommitment to their quality management systems. Auditing at this level is likely to be a newexperience and challenging at same time. A good understanding of management related processes and language used by top management can be helping tool to engage with management on range of issues.
F103-12-QMS-2015 – Issue date: 08-OCT-2015
ISO 9001:2015 Checklist/ Guidance Document Clause #
5.1.2
Δ
Requirements
Yes
N o
Objective evidence/ Remarks
Customer focus Has top management taken the lead in demonstrating the organization’s commitment to its customers by ensuring:
Objective evidence must include an interview with Top management covering the elements of points a) to c) to ensure thorough understanding and leadership at the highest level. Top management is not involved, a non-conformance needs to be raised.
a) Customer and applicable statutory and regulatory requirements are identified and met? b) Determination and addressing the risks and opportunities that can affect conformity of products and services and its ability to enhance customer satisfaction? c) Remain focused on providing products and services that meetcustomer, applicable statutory & regulatory requirements and, on enhancing the customer satisfaction? Notes: Auditors will need to seek evidence that top management are ensuring that any risks and opportunitieswith the potential to impact the organisation’s ability to supply products and services that conformto customer requirements and applicable statutory or regulatory requirements, or that may affectcustomer satisfaction, are being identified and addressed by the organisation. Auditors should expectto find a focus on risks, but should note that opportunities must also be considered too. The requirement is to maintain a customer focus, so it will not be a one-time exercise,but must be evidenced as on-going activity.
5.2 5.2.1
Δ
Quality policy a) Has the Top management established, implemented & maintained a Quality policy that is consistent with the purpose and context of the organization and its strategic direction?
b) provides a framework for the setting the quality objectives? c) includes commitments to satisfy any applicable requirements and continually to improve their quality management system?
F103-12-QMS-2015 – Issue date: 08-OCT-2015
Objective evidence must include an interview with Top management covering the elements of points a) to c) to ensure thorough understanding and leadership at the highest level. Top management is not involved, a non-conformance needs to be raised.
ISO 9001:2015 Checklist/ Guidance Document Clause # 5.2.2
Δ
Requirements
Yes
N o
Objective evidence/ Remarks
Is the Quality policy; a) available as documented information? b) communicated, understood andapplied across the organization and available to relevant interested parties?
Interview with Top management down to different levels of the organization to ensure the Quality policy is communicated, understoodand implemented.How is it made available to interested parties?
Notes:
ISO 9001:2015 now requires that an organization’s quality policy is appropriate to both its purpose and context. This means that once the organization has determined its context and the relevant requirements of its interested parties, Top management need to have a review its quality policy in light of that information. They will have to continue to review the quality policy to ensure that any changes in its context, interested parties or their requirements is reflected in the Quality policy and whether the organization’s quality objectives are effected (6.2a). The auditors will also have to check that how the Quality policy is made available to relevant interested parties, where it is appropriate to do so.
5.3
Organizational roles, responsibilities and authorities Does top management of the organization ensures assignment, communication & understanding of the necessary responsibilities and authorities to individuals within the organization?
Δ
Objective evidence must include an interview with Top management through different levels covering the elements of points a) to d) to ensure leadership and thorough understanding at the highest level.
Has top management assigned the responsibility and authority for: a) ensuring that the requirements of this International Standard are conformed and QMS processes are delivering their intended results? b) reporting on the QMS performance and any opportunities for improvement, especially to top management? c) ensuring the promotion of customer focus throughout the organization?
F103-12-QMS-2015 – Issue date: 08-OCT-2015
Interview through different level in the organization to ensure understanding the customer requirements;
ISO 9001:2015 Checklist/ Guidance Document Clause #
Requirements
Yes
N o
Objective evidence/ Remarks
d) ensuringwhenever changes to QMS is planned and implemented, the integrity of the system is maintained? Notes:
Auditors should note that there is no longer a requirement for appointment of Management Representative (MR), though the duties currently assigned to the MR under ISO 9001:2008 must still be undertaken and can be assigned to different personnel. Auditor must seek evidence that Organizations personnel have not only been advised of their QMS responsibilities& authorities, but also that they understand these in the context of the overall purpose of the Quality management system. Auditors must also seek evidence that top management have assigned responsibility and authority forpreserving the integrity of the organisation’s QMS during revisions or updates.
6 6.1
6.1.1
Planning for the Quality Management system Actions to address risks and opportunities
Has the organization considered their context when planning for the Quality management system covering issues referred to in 4.1 and the requirements referred to in 4.2 and determined the risks and opportunities that need to be addressed to:
What process did the organization used to identify the risks?
a) to provide assurance that the quality management system can achieve its intended outcomes, enhance desirable effects, to prevent or reduce undesired effects, and to achieve improvement. 6.1.2
a) Has the organization planned actions to address these risks and opportunities?
How the organization addressing those risks?
b) Has the organization integrate and implement the actions into its quality management system processes and evaluate the effectiveness of these actions? c) Are the actions taken to address risks and opportunities proportionate to the potential impact on the conformity of products and services?
F103-12-QMS-2015 – Issue date: 08-OCT-2015
Auditor to verify the effectiveness of the identified actions by the organization in addressing the risk;
ISO 9001:2015 Checklist/ Guidance Document Clause #
Requirements
Yes
N o
Objective evidence/ Remarks
Notes: ‘Risk’ is defined as the effect of uncertainty on an expected result. Risk is often characterized by reference to potential “events” and “consequences” as well as the “likelihood” of occurrence. Although risks and opportunities have to be determined and addressed, there is no requirement for a formal, documented risk management process. Auditors should seek evidence that confirms that an organization has a methodology in place that enables them to effectively identify risks and opportunities in respect of the planning of their quality management system. The role of the auditorisnot to carry out their own determination of risks and opportunities, but to ensure that the organisation is applying their methodology consistently and effectively. All of the processes of a QMS do not represent the same level of risk in terms of the organization’s ability to meet its objectives. Due to this reason, the consequences of failures or non-conformities in relation to processes, systems, products and/or services will not be the same for all organizations. When deciding how to plan and control its QMS, therefore, including its component processes and activities, the organization needs to consider both the type and level of risk associated with them. Options to address risks and opportunities can include: avoiding risk, taking risk in order to pursue an opportunity, eliminating the risk source, changing the likelihood or consequences, sharing the risk, or retaining risk by informed decision. Auditors should ensure that the organisation is taking a planned approach to addressing risks and realising opportunities, and that any actions taken have been recorded. For those actions that have been completed, auditors should ensure that each action’s effectiveness has subsequently been assessed. They should also ensure that the action taken was proportionate to the risk or opportunity. Examples: SWOT analysis by the organization as part of their business strategy to identify the external risk and opportunities and action plan to address them. Formal business risk assessment performed by the organization talking into consideration its context, associated risk and opportunities and mitigation plan. Use of Process approach by organization to identify sources of input, input, activities, output, receiver of output, performance indicators to control and monitor processes, the risks and opportunities associated with them and action plan to address them. [Figure-01 Schematic representation of the elements of single process (ISO 9001:2015)]
6.2 6.2.1
Δ
Quality objectives and planning to achieve them Has the organization established quality objectives at relevant functions, levels and processes? Are the Quality objectives;
Have the Quality objective been identified throughout the organization?
a) consistent with the organization’s quality policy and be relevant to the conformity of products and services, and the enhancement of customer satisfaction?
What Quality objectives are established to enhance customer satisfaction?
b) measurable, take into account applicable customer and statutory and regulatory requirements, and be monitored
Objectives must be measureable and what’s the process to monitor?
F103-12-QMS-2015 – Issue date: 08-OCT-2015
ISO 9001:2015 Checklist/ Guidance Document Clause #
Requirements
Yes
N o
Objective evidence/ Remarks
in order to determine whether they are being met? c) communicated across the organization and be updated as and when the need arises?
What process does the organization used to communicate the objectives to process owners and update when needed?
d) maintained as documented information? 6.2.2
Has the organization carried out planning in order to determine;
a) the work required in order to realize its quality objectives, the resources necessary to undertake this work, who will be responsible for ensuring that the work is done and when the work needs to be completed by?
What strategic action plans established to ensure achieving the Quality objectives?
b) how it will evaluate the work done to determinewhether it has led to the objective being realized?
What process has been used to evaluate that the objectives have been met?
Notes: ISO 9001:2015 now requires organizations to set quality objectives at functions, levels and processes that are relevant to conformity of product and the enhancement of customer satisfaction. There will need to be evidence that the established quality objectives add value to the relevant functions, levels and processes within the organization. Organizations are now required to determine what resources will be required to achieve quality objectives, who will be responsible for them, what will be done and when, as well as how achievement of the objectives will be evaluated. In many cases, this will require organizations to undertake more detailed monitoring of objectives and targets than they currently do. Auditors should ensure that organizations are able to evidence that they are complying with these new requirements.
6.3
Planning of changes
Where the organization determines the need for change to the quality management system (4.4), are changes carried out in a planned and systematic manner? Does the organization consider:
F103-12-QMS-2015 – Issue date: 08-OCT-2015
Does the organizationhave the management change process?
ISO 9001:2015 Checklist/ Guidance Document Clause #
Requirements
Yes
N o
Objective evidence/ Remarks
a) the purpose of the change and any of its potential consequences (both positive & negative)?
The change identified include all potential risks and related actions;
b) the integrity of the quality management system may be compromised (or indeed improved)?
How does the organizationmaintain the integrity of the QMS while changes carried out within the organization?
c) the availability of resources to effect the change?
What resources the organization has put in place to control the changes?
d) any changes required in responsibilities and authorities to drive the change through? Notes: Clause 6.3 is an enhancement of ISO 9001:2008 clause 5.4.2b. When the organization determines there is a need to change the quality management system, clause 6.3 of ISO 9001:2015 requires such changes to be carried out in a controlled manner by planning first and then logically enacted. Auditors should ensure that the organization is able to evidence that it has taken into account the considerations of ISO 9001:2015 Clause 6.3, when planning and implementing changes to its quality management system.
Clause # 7 7.1 7.1.1
Requirements
Yes
No
Objective evidence/ Remarks
Support Resources General a) Has the organization determined and provided the resources necessary to establish, implement, maintain and continual improve its quality management system?
Δ
b) Has the organization considered both the capabilities and constraints on its existing internal resources and what need to be obtained from
F103-12-QMS-2015 – Issue date: 08-OCT-2015
What process the organization used to determine the internal resources as well as external resources needed?
ISO 9001:2015 Checklist/ Guidance Document Clause #
Requirements external providers?
Yes
No
Objective evidence/ Remarks
Notes: Organizations need to demonstrate that they have considered both internal and external resource requirements and capabilities e.g. training, software, appropriate work instructions, competency skills, contract requirements, supply chain etc. Auditors must now evidence that organizations have considered their need for external resources inaddition to their need for internal ones.
7.1.2
People To ensure that the organization can consistently meet customer and applicable statutory and regulatory requirements, has the organization provided the persons necessary for the effective operation of the quality management system, including the processes needed?
Δ
What the process used to ensure that there is sufficient manpower?
Notes: Essentially the same requirements as in ISO 9001: 2008, though the obligation to meet statutory and regulatory requirements is now explicit.
No change in the audit approach required here.
7.1.3
Infrastructure Has the organization determined, provided and maintained the infrastructure for the operation of its processes to achieve conformity of products and services?
What infrastructure determined by the organization? During the onsite audit ensure that how the infrastructure been maintained?
Notes: Essentially the same requirements as in ISO 9001: 2008, but it is made clear that ‘Infrastructure’ can include:buildings and associated utilities;equipment including hardware and software;transportation; and information and communication technology. No change in the audit approach required here.
7.1.4
Δ
Environment for the operation of processes Has the organization determined, provided and maintained the environment necessary for the operation of its processes and to achieve conformity of products and services?
F103-12-QMS-2015 – Issue date: 08-OCT-2015
During the site tour, ensure that the environment determined by the organization based on the product and service provided is verified.
ISO 9001:2015 Checklist/ Guidance Document Clause #
Requirements
Yes
No
Objective evidence/ Remarks
Notes: The key change here is that “work environment” now becomes “environment” necessary for the operation of processes reflecting an increased focus throughout the standard on a process-based approach. Organizations to not only to determine what is a work environment suitable to ensure conformity of products and services, but also to ‘provide and maintain’ it. ‘Environment for the operation of processes’ can include physical, social, psychological, environmental and other factors (such as temperature, humidity, ergonomics and cleanliness). Organizations will need to demonstrate that it is applying this updated requirement to the processes it has determined are necessary for the effective operation of its QMS. Auditors will need to audit the organization’s process environment, not its work environment. As wellas physical factors, this now includes social and psychological factors too.
7.1.5 7.1.5.1
Δ
Δ
7.1.5.2
Monitoring and measuring resources a) Where an organization uses monitoring or measuring to demonstrate that its products and services conform to requirements, has the organization provided the necessary resources to ensure that monitoring and measuring results are valid?
Upgrade audit: The delta would be to determine resources to ensure measuring results are valid.
b) Does the organization ensure that the resources provided are suitable to the type of monitoring or measurement being undertaken and maintained in order to ensure they remain fit for purpose?
Upgrade audit: The delta would be that does the organization have expertise to the type of monitoring & measurement being undertaken.
c) Does the organization retain appropriate documented information that the monitoring and measurement resources are fit for purpose?
No change from ISO 9001:2008 version.
In instances, where measurement traceability is a statutory or regulatory requirement; a customer or relevant interested party expectation; or considered by the organization to be an essential part of providing
F103-12-QMS-2015 – Issue date: 08-OCT-2015
Initial audit: The complete requirements from the point a) to c) to be established;
Initial audit: The complete requirements from the point b) to be established;
No change from ISO 9001:2008 version
ISO 9001:2015 Checklist/ Guidance Document Clause #
Requirements confidence in the validity of measurement results.Are the measuring equipment;
Yes
No
Objective evidence/ Remarks
a) verified or calibrated against international or national measurement standards at specific intervals or prior to their use. If no such standards exist, is the basis used for calibration or verification retained as documented information? b) identified in such a way that their calibration status can be determined? They must also be protected to prevent them being adjusted, damaged or subjected to deterioration. c) found to be defective during its planned verification or calibration, or during its use, previous results need to be revisited and anynecessary corrective action implemented.
Notes: Organizations will need to demonstrate that they retain documented information to evidence that not just monitoring and measuring equipment is fit for purpose, but that all monitoring and measuring ‘resources’ are. Auditors should note that where measurement traceability is required, measuring equipments are subject to additional controls. If measurement traceability is not required then auditors must satisfy themselves that themonitoring and measuring resources an organization has employed are suitable and fit for purpose,and that arrangements are in place to ensure their continued fitness for purpose. Auditors should also ensure that documented information is being maintained by the organization todemonstrate that monitoring and measuring resources are fit for purpose in these instances.
7.1.6
Organizational knowledge
Does the organization take steps to capture and preserve the knowledge necessary for the effective operation of its processes and for ensuring the conformity of products and services?
F103-12-QMS-2015 – Issue date: 08-OCT-2015
What processes does the organization used to determine the knowledge necessary for ensuring conformity to products & services?
ISO 9001:2015 Checklist/ Guidance Document Clause #
Requirements Is this knowledge maintained and made available to the extent necessary? Does the organization consider its current knowledge and determine how to acquire or access the necessary additional knowledge, when addressing changing needs and trends?
Yes
No
Objective evidence/ Remarks How the knowledge is preserved? When changes occur at the organization, what processes do they use to determine the necessary additional knowledge?
Notes: ‘Organizational knowledge’ addresses the need to determine and maintain the knowledge obtained by the organization, including by its personnel, to ensure that it can achieve conformity of products and services. The process for considering and controlling past, existing and additional knowledge needs to take account of the organization’s context, including its size and complexity, the risks and opportunities it needs to address, and the need for accessibility of knowledge. The balance between knowledge held by competent people and knowledge made available by other means is at the discretion of the organization, provided that conformity of products and services can be achieved. Organizational knowledge can include information such as intellectual property and lessons learned. To obtain the knowledge required, the organization can consider: a) internal sources (e.g. learning from failures and successful projects, capturing undocumented knowledge and experience of topical experts within the organization); b) external sources (e.g. standards, academia, conferences, gathering knowledge with customers or providers). Organizations need to demonstrate that, if they are planning to make changes to their QMS, they re-assess the extent of their current organizational knowledge and take steps to improve it if it is determined to be insufficient to accommodate the planned changes.
7.2
Competence Has the organization;
What process does the organization used to determine competence?
a) determined the necessary competence of those people working under its control that affects its quality performance? b) ensured that those people possesses the necessary competence either on the basis of appropriate education, training, or experience? c) taken actions, where applicable, to acquire the necessary competence, and evaluated the effectiveness of the actions taken?
What actions are taken to address competency gaps?
d) retained appropriate documented information to evidence of the competence of its people?
Notes: ‘Competence’ is defined as the ability to apply knowledge and skills to achieve intended results
F103-12-QMS-2015 – Issue date: 08-OCT-2015
ISO 9001:2015 Checklist/ Guidance Document Clause #
Requirements
Yes
No
Objective evidence/ Remarks
Organizations are still required to take action to address any competency issues and subsequentlyto check that this action has been effective. Additionally, organizations are still required to maintainevidence to demonstrate that people doing work under its control are competent. This evidenceneeds to be maintained as documented information. For example, a clean driving license can be evidence of competence for a driver) As these requirements apply to personnel ‘under its control’ this will include any sub-contract/agency personnel, as well as anyone undertaking outsourced processes and functions – see reference to the need to communicate competence requirements to external providers in ISO 9001:2015 clause 8.4.3 (c).
7.3
Awareness
Δ
Are persons doing work under the organization’s control aware of: the organization’s quality policy, any quality objectives that are relevant to them, how they are contributing to the effectiveness of the QMS and what the implications are of them not conforming to QMS requirements?
What processes have been established by the organization to make people, working on behalf of organization, aware of the stated requirements?
Notes: The important factor here is the addition of requirement to make people aware both of the organization’s quality objectives as well as the consequences of non-conformance with its QMS requirements. Auditors should note that additional information as set out above must be communicated to these individuals both (internal and external).
7.4
Communication
Δ
Has the organization determined those QMS related matters on which it wishes to communicate internally and externally including; a) on what it will communicate, when it will communicate, withwhom it will communicate and how it will communicate?
Has communication strategy been developed and implemented?
Notes: ISO 9001:2015 now makes communication with persons outside the organization a specific requirement. Auditors should ensure that organizations are identifying external communications as well as internal communications that need to take place in respect of the operation of its quality management system. They should also ensure that the organization has determined what it needs to communicate, when it will communicate, with whom it will communicate and how it will communicate.
7.5 7.5.1
Documented Information General
F103-12-QMS-2015 – Issue date: 08-OCT-2015
ISO 9001:2015 Checklist/ Guidance Document Clause #
7.5.2
Δ
7.5.3 7.5.3.1
Δ 7.5.3.2
Requirements Does the organization’s quality management system include:both documented information identified as required in standard and documented information identified by the organization as necessary for the effective operation of its quality management system.
Yes
No
Objective evidence/ Remarks No change from ISO 9001:2008 version.
Creating and updating a) When creating and updating documented information, does the organization ensure that it is appropriately identified and described (e.g. title, date, author, reference number), in an appropriate format (e.g. language, software version, graphics) and on appropriate media (e.g. paper, electronic)?
Requirements are more explicit, but changes are insignificant.
b) Does the documented information reviewed and approved for suitability and adequacy?
Upgrade audit: No changes
Control of documented information a) Is the documented information controlled in order to ensure that it is available where needed and that it is suitable for use?
Upgrade audit: No changes
b) Is it adequately protected against improperuse, loss of integrity and loss of confidentiality?
What processes established by the organization to comply with point b) requirements?
For the control of documented information, has the organization addressed the following activities, as applicable: a) how it will distribute, access, retrieve and use documentedinformation? b) how it will store and preserve documented information, and how it will controlany changes to the documented information?
F103-12-QMS-2015 – Issue date: 08-OCT-2015
No change from ISO 9001:2008 version
ISO 9001:2015 Checklist/ Guidance Document Clause #
Requirements
Yes
No
Objective evidence/ Remarks
c) its retention and disposalarrangements?
d) Has the organization identified any documented information of external origin that it considers necessary for the planning and operation of the organizations’ qualitymanagement system
Notes: The terms ‘documented procedure’ and ‘record’ used in ISO 9001: 2008 have both been replaced throughout ISO 9001:2015 by the term ‘documented information’, which is defined as information required to be controlled and maintained by an organization, as well as the medium on which it is contained. Documented information can be in any format and media and from any source. There is no longer a requirement to establish and maintain a Quality Manual (2008 clause 4.2.2) or for mandatory documented QMS procedures. The extent of documented information required for a quality management system can differ from one organization to another. This can be due to: a)
the size of organization and its type of activities, processes, products and services; b) the complexity of processes and their interactions; or c) the competence of persons. The organization needs to determine the level of documented information necessary to control its QMS. ‘Access’ can imply a decision regarding the permission to view the documented information only, or the permission and authority to view and change the documented information. Examples: Operational procedures, work instructions, flow charts, process maps, etc. are all examples of ‘documented information’. Organizations do not have to remove their current Quality Manual or documented procedures. If an organization wishes to retain these then they can do so.
8
Operation
8.1
Operational planning and control
Δ
Does the organization plan, implement and control those processes that it has previously identified (clause 4.4) as necessary in order for it to meet product or service requirements and to implements the actions determined in 6.1 by;
Is the organizational process identified for Production or service in control and where not, are appropriate action taken for those identified risks and opportunities?
a) determining the product and services requirements;
This should include organizational internal requirements and external customer requirements.
b) establishing criteria for the processes and for the acceptance of products and services?
What criteria established for controlling the processes and the resulting output?
F103-12-QMS-2015 – Issue date: 08-OCT-2015
ISO 9001:2015 Checklist/ Guidance Document Clause #
Requirements c) determining resources needed to support each process and implementing control of the processes in accordance with the criteria? d) retaining documented information to the extent necessary to ensure that its processes are being carried out as planned, and that the products and services that are being produced conform to the identified requirements and acceptance criteria? Is the output of operational planning and control suitable for the organization's operations?
Yes
No
Objective evidence/ Remarks Objective evidences for control of processes to demonstrate adequate resources; Objective evidence to demonstrate that processes are carried out as planned and the output meets the requirements of acceptance criteria.
Objective evidence that KPIs/ measuring of the processes have been met and/ or the action taken if they are not.
Does the organization control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary? Does the organization ensure that outsourced processes are controlled in accordance with clause 8.4?
Have the organization identified the controls to be applied to outsourced processes?
Notes: The term “product realization” has been withdrawn and replaced by “operation”, and the requirement for “Planning of product realization” has been replaced by “Operational planning and control”. The new control-focused requirements centre on ensuring that processes are implemented as planned, including actions to address risks and opportunities. This needs to be evidenced by means of documented information. ISO 9001:2015 introduces a requirement to establish the ‘criteria for the processes’ and to implement controls ‘in accordance with the criteria’. The emphasis is on controlling the processes and organizations need to demonstrate that they have planned and implemented the appropriate process criteria:
-
inputs, outputs, resources, controls, criteria, process measurement indicators, etc., plus
-
any actions required to address identified risks and opportunities.
Additional requirements are included in ISO 9001:2015 relating to the control and review of changes to process controls (including unintended changes). Auditors should also gather and evaluate evidence related to it.
F103-12-QMS-2015 – Issue date: 08-OCT-2015
ISO 9001:2015 Checklist/ Guidance Document Clause # 8.2 8.2.1
Requirements Yes Determination of requirements for products and services
No
Objective evidence/ Remarks
Customer communication Has the organization established the processes for communicating with customers on matter related to;
Δ
a) its products and services, enquiries, contracts or order handling (including amendments?
b) obtaining customer views and perceptions, including customer complaints? c) the handling or treatment of customer property? d) specific requirements for contingency actions, when customer requirements are not met? Notes: These requirements are essentially the same as for ISO 9001:2008 sub-clause 7.2.3 “Customer communication”, but with the addition of new requirements to communicate in respect of the handling or treatment of customer property and specific requirements for contingency actions where relevant. The requirement to obtain “customer feedback” has been amended to obtain “customer views and perceptions”.
8.2.2
Determination of requirements related to products and services Has the organization put in place a process to ensure that requirements for the products and services it intends to offer to customers have been defined? This includesany applicable statutory and regulatory requirements (and those considered necessary by the organisation).
Δ
No changes from the ISO 9001:2008 version.
Does the organization ensure that it has the ability to meet the defined requirements and substantiate the claims for the products and services it intends to supply?
Notes:
ISO 9001:2015 starts from the position that the organization has already determined the products and services it intends to offer to customers, taking into account customer
F103-12-QMS-2015 – Issue date: 08-OCT-2015
ISO 9001:2015 Checklist/ Guidance Document Clause #
Requirements
Yes
No
Objective evidence/ Remarks
requirements. Auditors should also evidence that the organization is able to substantiate any claims it is making for the products and services it offers e.g. Claims for mileage per litre of petrol by the Car manufacturer, an ISO 9001 certified company catalogue/ website or in media claiming certification for full range of products against a limited scope of certification etc.
8.2.3 8.2.3.1
Review of requirements related to products and services Does the organization review, as applicable: a) requirements relating to its products and services, consideration of requirements set by the customer, including ones relating to delivery and post-delivery b) consideration of any requirements not expressly stated by the customer but that are known to be necessary for the product or service to be suitable for thecustomer’s intended use? c) consideration of any statutory or regulatory requirements relating to the product or service, and any new or changed requirements that differ from those previouslydetermined? d) Is this review conducted prior to the organization’s commitment to supply products and services to the customer and does it ensure that contract or order requirements differing from those previously defined are resolved? e) Where the customer does not provide a documented statement of their requirements, are the customer requirements shall be confirmed by the organization before acceptance?
8.2.3.2
Is documented information retained which describes the results of the review, including any new or changed
F103-12-QMS-2015 – Issue date: 08-OCT-2015
No changes from the ISO 9001:2008 version.
ISO 9001:2015 Checklist/ Guidance Document Clause #
8.2.4
Requirements requirements for the products and services?
Yes
No
Objective evidence/ Remarks
Where requirements for products and services are changed, does the organization ensure that relevant documented information is amended and that relevant personnel are made aware of the changed requirements?
Notes: There is no substantive change to content, though there is recognition that when reviewing requirements relating to products or services, these requirements could now include those arising from relevant interested parties – not just from customers. Auditors should ensure that requirements from relevant interested parties are considered as part of an organization’s product and service requirement review process.
8.3
Design and development of products and services
8.3.1
General
Has the organization established, implemented and maintained a design and development process that it is adequate for subsequent production or service provision?
Notes: ISO 9001:2015 now makes clear the circumstances when ‘design and development’ is required; there is also a specific requirement for a design and development process to be in place:
where the organisation has not established detailed requirements for products or services, or
where these have not been defined by the customer or other interested parties
Increased knowledge of the products and services, and methods of arriving at them, will be required by auditors in order to be able to verify whether the organization’s QMS should or should not include design and development.
8.3.2
Δ
Design and development planning When determining the stages and controls to be applied to its design and development process, does the organization considered:
F103-12-QMS-2015 – Issue date: 08-OCT-2015
Does the organization’s design process include the stages and evidences of a) through h) as below? Note: The organization’s current product or service in the design phase should be the objective evidence.
ISO 9001:2015 Checklist/ Guidance Document Clause #
Requirements a) the nature, duration and complexity of the design and development activities?
Yes
No
Objective evidence/ Remarks
b) anyrequirements that specify particular process stages must be included, for example design and development reviews, verification & validation? c) the responsibilities and authorities of those involved in the design and development process? d) the internal and external resource needed for the design and development of products and services? e) the need to ensure that interfaces between individuals and parties involved in the design and development process are controlled? f)
the need for involvement and control expected by the customer and user groups in the design and development process?
g) the requirements for subsequent provision of products and services?
h) the necessary documented information to confirm that design and development requirements have been met?
Notes: ISO 9001: 2015 is more explicit in terms of the elements that must be considered as part of the design planning process. Auditors should ensure that organizations are able to evidence that they have taken into consideration the explicitly referenced considerations relating to the design and development process set out above. They should also ensure that the organization has retained documented information to confirm that its identified design and development requirements have been met.
8.3.3
Design and development inputs
Δ
Does the organization determine:
F103-12-QMS-2015 – Issue date: 08-OCT-2015
Does the organization’s design process include the stages and evidences of a) through h)
ISO 9001:2015 Checklist/ Guidance Document Clause #
Requirements
Yes No as below?
Objective evidence/ Remarks
Note: The organization’s current product or service in the design phase should be the objective evidence. a) requirements essential for the specific type of products and services being designed and developed, including, as applicable, functional and performance requirements? b) applicable statutory and regulatory requirements? c) anystandards or codes of practice that the organization has committed to implement? d) any resources needed, whether internal and external for the design and development of products and services? e) the potential consequences of failure due to the nature of the products and services? f)
Are inputs adequate for design and development purposes, complete and unambiguous?
g) Are conflicts on design & development inputs resolved?
h) Are the documented information maintained for the design and development input?
Notes: Auditors need to verify that the organization has addressed the specific new requirements set out in ISO 9001:2015, sub-clause: 8.3.3 – specifically, those relating to ‘resource requirement and the consequences of design or development failure’.
8.3.4
Δ
Design and development controls Has the organization applied controls to its design and
F103-12-QMS-2015 – Issue date: 08-OCT-2015
Does the Organization’s design process include the stages and evidences of a) through d)
ISO 9001:2015 Checklist/ Guidance Document Clause #
Requirements development process to ensure that:
Yes No as below?
Objective evidence/ Remarks
Note: The Organization’s current product or service in the design phase should be the objective evidence. a) the results from undertaking the design and development process are clearly defined? b) design and development reviews takes place as per planned arrangements? c) design and development outputs meets the input requirements (verification)? d) the resulting products and services are fit for their intended use and specified application, where known to the organization (Validation)? Notes: This is a new clause introduced by ISO9001:2015, which is basically a combination of the requirements in ISO 9001: 2008 relating to design review, verification and validation. There is no change in the audit approach required. However, the requirement in ISO 9001: 2008 that, where practicable, validation should be completed prior to the delivery or implementation of the product/service has been removed.
8.3.5
Design and development outputs Does the organization ensure that design and development outputs:
Does the organization’s design process include the stages and evidences of a) through h) as below? Note: The organization’s current product or service in the design phase should be the objective evidence.
a) meet the input requirements for design and development and suitable for use in subsequent processes? b) As applicable, includes or reference any related monitoring and measuring requirements, and acceptance criteria?
F103-12-QMS-2015 – Issue date: 08-OCT-2015
ISO 9001:2015 Checklist/ Guidance Document Clause #
Requirements c) Finally, does the organization ensure that the products that are to be produced or the services that are to be delivered are fit for their intended purpose and are safe to use?
Yes
No
Objective evidence/ Remarks
d) Does the organization retain the documented information resulting from the design and development process?
Notes: The requirements are essentially unchanged, except that the requirement to “include or reference monitoring and measuring requirements, where appropriate” has been added. Auditors should note the additional requirement for documented information in respect of sub-clause 8.3.5. They should also note the need for design outputs to reference monitoring and measuring requirements, as applicable.
8.3.6
Design and development changes
Does the organization’s design process include the stages and evidences of a) through h) as below? Note: The organization’s current product or service in the design phase should be the objective evidence.
a) Does the organization review, control and identify changes made to design inputs and design outputs during the design and development of products and services or subsequently, to the extent that there is no adverse impact on conformity to requirements?
b) Is documented information on design and development changes retained?
Notes: The ISO 9001:2015 requirements are essentially the same, though there is no longer any reference for design and development changes having to be ‘verified’, ‘validated and approved before implementation’ (ISO 9001: 2008 clause 7.3.7). No change in the audit approach would require.
8.4 8.4.1
Control of externally provided processes, products and services General
F103-12-QMS-2015 – Issue date: 08-OCT-2015
ISO 9001:2015 Checklist/ Guidance Document Clause #
Requirements
Does the organization ensure that externally provided processes, products and services meet the organization’s specified requirements? Does the organization apply the specified requirements for the control of externally provided products and services when:
Yes
No
Objective evidence/ Remarks
Has the organization identified risks and actions for the products and services provided by the external providers?
Has the organization determined the requirements to demonstrate adequate controls over external providers for a) through c) as below?
a) products and services from the external providers for incorporation into the organization’s own products and services? b) products and services to be provided directly to the customer by external providers on the organization’s behalf? c) outsourced processes or part of a process from an external provider?
Has the organization established and applied criteria that allows it to evaluate and select external providers and, that allows it to subsequently monitor their performance? Criteria relating to the re-evaluation of external providers also need to be established and implemented.
No change from ISO 9001:2008 version.
Does the organization retain appropriate documented information for the results of external provider’s evaluation, re-evaluation and monitoring of their performance?
Does the organization’s process include monitoring the performance of external providers?
Notes: The organization is required to take a risk-based approach to determine the type and extent of controls appropriate to particular external providers and externally provided products and services. Auditors should note the new requirement for the organization to establish criteria to allow it additionally to monitor the performance of external providers. This must be maintained as documented information. They should also note the requirement for organization to provide a record of the results of their monitoring of the external provider’s performance as documented information.
F103-12-QMS-2015 – Issue date: 08-OCT-2015
ISO 9001:2015 Checklist/ Guidance Document Clause # 8.4.2
Δ
Requirements Type and extent of control
Yes
No
Objective evidence/ Remarks
In determining the type and extent of controls to be applied to the external provision of processes, products and services, does the organisation take into consideration:
What processes are established by the organization to demonstrate control over processes, products and services provided by the external provider for the points a) through e) as below?
a) the externally provided processes are part of its Quality management system? b) the controls it intends to apply to both the external provider and the resulting output? c) the potential impact that the externally provided processes, products or services could have on its ability to supply conforming products and services to its customers and meeting statutory and regulatory requirements? d) how effective it considers the controls that are being applied by the provider are? e) verification or other activities necessary to ensure the externally provided processes, products and services conforms to its customer requirements? Notes: ISO 9001:2015 now requires the organizations to control both, “the external providers and the potential impact of the externally provided processes, products or services on the organization’s ability consistently to meet customer and applicable statutory and regulatory requirements”. There is a greater emphasis on the organization’s need to satisfy itself that the controls applied by its external providers (to ensure that it meets the organization’s requirements) are adequate.
8.4.3
Information for external providers Does the organization ensure that the requirements it intends to communicate to the external provider are reviewed for adequacy prior to their being communicated?
F103-12-QMS-2015 – Issue date: 08-OCT-2015
ISO 9001:2015 Checklist/ Guidance Document Clause #
Δ
Requirements Does the organization communicate to external providers applicable requirements for the following:
Yes
No
Objective evidence/ Remarks
a) products or services to be provided or the processes to beperformed by the external provider on behalf of the organization? b) approval or release of products and services, methods, processes or equipment? c) competence of personnel, including necessary qualification they must possess? d) their appropriate interactions with the organization's quality management system? e) details as to how the external provider’s performance will be monitored and controlled by theorganisation? f)
New requirement as covered in section 8.4.1.
details of any verification or validation activities that the organisation (or its customer) intends to perform atthe external provider’s premises?
Notes: Essentially, these requirements are unchanged. However few requirements are expanded such as; there is an acknowledgement that organizations may need to communicate not just the products or services they wish to receive, but also any processes they want the external provider to undertake on their behalf. The requirement for the organization to communicate, as applicable, the necessary qualification of personnel to cover the competency and qualification of personnel. - The requirement for the organization to communicate any “quality management system requirements”, as applicable, to “their (ie the external provider’s) interactions with the organization’s quality management system”.
8.5 8.5.1
Production and service provision Control of production and service provision Has the organization implemented controlled conditions
F103-12-QMS-2015 – Issue date: 08-OCT-2015
ISO 9001:2015 Checklist/ Guidance Document Clause #
Requirements for production and service provision, including delivery and post-delivery activities?
Δ
Do those controlled conditions include, as applicable:
a) documented information that defines the characteristics of the products and services is available?
b) documented information that defines the activities to be performed and the results to be achieved is available?
Yes
No
c) suitable monitoring and measuring resources are made available? d) monitoring and measurement takes place at appropriate stages in the production process to ensure that both the processes themselves and the process outputs meet the organization’s acceptance criteria e) the process environment and infrastructure are suitable? f)
personnel are competent and, where necessary, appropriately qualified?
g) for processes where the results cannot be verified by subsequent monitoring or measurement, the process itself is initially validated and then periodically re-evaluated? h) products and services release, delivery and postdelivery activities are implemented? Notes: This clause is essentially the amalgamation of clause 7.5.1 and 7.5.2 of ISO 9001:2008 with few modifications as below;
F103-12-QMS-2015 – Issue date: 08-OCT-2015
Objective evidence/ Remarks
ISO 9001:2015 Checklist/ Guidance Document Clause #
Requirements
Yes
No
Objective evidence/ Remarks
The reference to “work instructions” has been replaced by a reference to “documented information that defines the activities to be performed and the results to be achieved”. “The results to be achieved” is an important addition. These may not appear in existing documentation describing the activities to be performed or in records generated from them. There is now an explicit requirement to ensure monitoring and measurement activities are undertaken at appropriate points. This is in order to verify processes are being controlled and that process outputs, products and services are meeting their acceptance criteria. Reference is made to monitoring and measuring “resources” as opposed to “monitoring and measuring equipment”, reflecting the fact that monitoring may be being carried out by humans. The “qualification of personnel” has modified to “the competency and, where applicable, required qualification of persons emphasizing competency over qualification”
8.5.2
Identification and traceability Where necessary to ensure conformity of products and services, does the organization use suitable means to identify process outputs? Does the organization able to identify the status of process outputs in respect of any monitoringand measurement requirements it has set, at all stages of production or service provision?
Where traceability is a requirement, does the organization control the unique identification of the process outputs and retain any documented information necessary to maintain traceability?
Notes: These requirements are essentially the same as ISO 9001: 2008 clause 7.5.3, but the emphasis now is on ‘process outputs’ rather than products. Process outputs are the results of any activities which are ready for delivery to the organization’s customer or to an internal customer (e.g. receiver of the inputs to the next process). They can include products, services, intermediate parts, components, etc.
8.5.3
Property belonging to customers or external providers Does the organization take care of property that has been supplied to it forincorporation into its products or services by customers or by external providers?
F103-12-QMS-2015 – Issue date: 08-OCT-2015
Objective evidence for the property belonging to customer or external providers;
ISO 9001:2015 Checklist/ Guidance Document Clause #
Requirements Does the organization ensure that any such property is identified, verified, protectedand safeguarded?
Yes
No
Objective evidence/ Remarks
If the property is lost or damaged, or found unsuitable for use, has the organization made ensure that this isreported back to the customer or external provider including retaining documented information?
Notes: These requirements are essentially the same as those in ISO 9001: 2008 (clause 7.5.4), but the definition of customer property has been widened to specify that it can include material, components, tools and equipment, customer premises, intellectual property and personal data. The evidence is required to confirm that the controls appearing in ISO 9001:2008 relating to customer property have been extended to cover property from external providers.
8.5.4
Preservation Does the organization ensure preservation of process outputs during production and service provision, to the extent necessary to maintain conformity to requirements?
Notes: These requirements are essentially the same as those in ISO 9001: 2008 (clause 7.5.5), but again the emphasis now is on ‘process outputs’ rather than product.
8.5.5
Post-delivery activities Does the organization fulfil requirements for post-delivery activities related to its products and services?
Δ
When making this decision, does the organisation consider: a) the risks associated with the particular product or service, the nature of the product or service, how the product or service will be used andwhat the product or service’s intended lifetime is. b) any post-delivery activities also needs to take into account customer feedback and any applicable
F103-12-QMS-2015 – Issue date: 08-OCT-2015
The processes established by the organization to address the post-delivery activities and associated risk identified based on the nature product or service;
ISO 9001:2015 Checklist/ Guidance Document Clause #
Requirements statutory or legal requirements?
Yes
No
Objective evidence/ Remarks
Notes: This clause expands the ISO 9001: 2008 requirement that post-delivery activities are carried out under ‘controlled conditions’ – clause 7.5.1 (f) – and now also requires the organization to consider a list of issues as above when determining what post-delivery activities are required. ‘Post-delivery activities’ can include actions under warranty provisions, contractual obligations such as maintenance services and supplementary services such as recycling or final disposal.
8.5.6
Control of changes
Does the organization control any unplanned changes that are considered essential in orderto ensure that products or services continue to meet their specified requirements?
The processes established to address any sudden changes and related objective evidence;
Does the organization retain documented information describing the results of thereview of the changes, the person(s) authorizing the changes and any necessary actions?
Notes: These are new specific requirements (though they are implicit in ISO 9001: 2008 clauses 7.5.1 & 2). Organizations need to demonstrate that where it has to make unplanned changes to its processes in order to ensure its products or services conform to specified requirements, these changes must be made in a controlled manner.
8.6
Auditors should evidence that the organisation has controlled unplanned changes in accordance withthe requirements set out above Release of products and services a) Does the organization carry out predetermined verification at appropriate stages in the production/delivery process in order to verify that products and services meet agreed acceptance criteria? b) Does the release of Products or services not normally proceed to the customer until all of the planned tests and checks have been satisfactorily
F103-12-QMS-2015 – Issue date: 08-OCT-2015
ISO 9001:2015 Checklist/ Guidance Document Clause #
Requirements completed, unless otherwise approved by a relevant authority and where applicable, permission for early release must also be obtained from the customer?
Yes
No
Objective evidence/ Remarks
c) Does documented information retained provide evidence of conformity to acceptance criteria and traceability to the person(s) authorizing release of products and services for delivery to the customer?
Notes: These requirements are essentially the same as those in ISO 9001: 2008.
8.7 8.7.1
Control of nonconforming outputs Does the organization identified process outputs, products or services that do not conform to their intended requirements? Controls need to be established and implemented to ensure that these “nonconforming” process outputs, products or services are not delivered to the customer or used unintentionally. Where nonconforming process outputs, products or services are identified, does the organization take corrective action proportionate, reflecting both the nature of the nonconformity and its ability to impact the organization’s intended product or service? Is this also applied to nonconforming products and services detected after delivery of the products or during the provision of the service?
Δ
Does the organization deal with nonconforming process outputs, products or services in one or more of the following ways: by correcting the fault;
F103-12-QMS-2015 – Issue date: 08-OCT-2015
The processes established to deal with non-conforming product/ or service and clients notified, where appropriate;
ISO 9001:2015 Checklist/ Guidance Document Clause #
Requirements
Yes
No
Objective evidence/ Remarks
8.7.2
by segregation, containment, return or suspension of provision of product and services; by informing the customer; by obtaining authorization for acceptance under a concession. Does the organization retain documented information of on nonconforming description, actions taken, any concessions obtained and on the person or authority that made the decision regarding dealing with the nonconformity?
Notes: These requirements are essentially the same as those in ISO 9001: 2008 (clause 8.3), but once again, ‘process outputs’ are a key focus of the requirements, though the options available when non-conformities are identified are more explicitly detailed; in particular, the need to take ‘corrective’ action. Documented procedure is no longer required, but documented information relating to non-conformities now has to include details of the person(s), who authorized the action taken to deal with it.
9 9.1 9.1.1
Δ
Performance evaluation Monitoring, measurement, analysis and evaluation General Has the organization determined; a) what it needs to monitor andmeasure? b) the requirement for methods to ensurevalid results also extends to the organisation’s analysis and evaluation activities? c) when monitoring and measurement should be carried out and atwhat stage the results of monitoring and measurement should be analysed and evaluated?
F103-12-QMS-2015 – Issue date: 08-OCT-2015
Objective evidence of evaluating of the results of monitoring and measurement and analysis;
ISO 9001:2015 Checklist/ Guidance Document Clause #
Requirements Has the organizations subsequently ensured that monitoring and measurement takes placein accordance with the requirements the organization has set itself?
Yes
No
Objective evidence/ Remarks
Has the organization ensured that wheremonitoring and measurement takes place, documented information is retained to evidencethe results?
Notes: The auditors should confirm that the organization identify the ‘what’ ‘how’ and ‘when’ of the monitoring and measurement, along with when the results should be evaluated. Auditors should note the additional requirement for organizations to evidence evaluation of the results of monitoring and measurement, not just their analysis. They should also note a new requirement to monitor the performance and effectiveness of the organization’s quality management system.
9.1.2
Δ
Customer satisfaction Does the organization monitor the degree to which customers believe their requirements for products and services have been met? Have the methods for obtaining, monitoring and reviewing this information been determined?
What methods determined by the organization to monitor & review customer perception;
Notes: Organizations now need to demonstrate that they have sought out information relating to how customers view the organization itself as well as its products and services. They also must have a defined methodology identifying both how they will obtain, monitor and review this information. Information related to customer views can include customer satisfaction or opinion surveys, customer data on delivered products or services quality, market-share analysis, compliments, warranty claims and dealer reports, etc.
9.1.3
Δ
Analysis and evaluation Does the organization analyze and evaluate appropriate data and informationthat it has obtained either internally or externally for a variety of pre-defined purposes? Is the output of analysis and evaluation used to:
F103-12-QMS-2015 – Issue date: 08-OCT-2015
ISO 9001:2015 Checklist/ Guidance Document Clause #
Requirements
demonstrate that the organization’s products and services conform to requirements; to assess and enhance customer satisfaction; to ensure the performance and effectiveness of the quality management system; to demonstrate that planning has beensuccessfully implemented; the effectiveness of actions pertaining to risk and opportunities; assess the performance of external providers; improvements needed in the organization’s QMS.
Yes
No
Objective evidence/ Remarks Objective evidence of analysis of data carried out and the effectiveness of actions related to identified risk & opportunities;
Notes: Although these requirements are similar to those in ISO 9001: 2008 (clause 8.4) there are now explicit requirements relating to how the analysis and evaluation data must be used. Organizations now need to demonstrate evaluation as well as analysis of data (from measurement, monitoring or other sources); There has to be evidence of interpretation of the data analysis they carry out including effectiveness of actions pertaining to risk & opportunities identified. Auditors should note that organisations now need to evidence both analysis and evaluation of data and information. It is not sufficient just to carry out an analysis without interpreting the results. They should ensure that organisations are able to evidence through analysis and evaluation thatplanning has been effective.
9.2 9.2.1
Internal audit Does the organization carry out internal audits at planned intervals in order to determine whether the quality management system; a) conforms to both the organization’s own requirements and the requirements of ISO 9001? b) is being effectively implemented and maintained?
9.2.2
Δ
Does the organization: a) When planning, establishing and implementing an audit programme including frequency, methods, responsibilities, planning requirements and reporting, does the organization consider the importance of the processes concerned, changes within the organization, and the results of previous audits?
F103-12-QMS-2015 – Issue date: 08-OCT-2015
ISO 9001:2015 Checklist/ Guidance Document Clause #
Requirements
Yes
No
Objective evidence/ Remarks
b) have a defined scope and its own audit criteria each audit? c) ensure audits and auditors be impartial and objective of the process audited? d) ensure that the findings from audits fed back to the relevant management with any required corrections or corrective actions being taken in a timely manner?
e) retain documented information to provide evidence that the audit programme has been implemented and the results of audits?
Notes: Organizations are not necessarily required to have a documented internal audit procedure, however auditors must be able to access documented information confirming the implementation of anaudit programme by the organization including evidences related to results of audits. While reviewing the internal audit programme of the organization, auditors should ensure thatconsiderations are given to the importance of the processes concerned,
changes within the organization, and the results of previous audits . 9.3
Management review
9.3.1
Does reviews of the quality management system undertaken by top management at planned intervals in order to ensure the quality management system’s continuing suitability, adequacy and effectiveness?
9.3.2
Is the management review planned and carried out taking into consideration; a) thereview of actions decided during previous management reviews? b) thechanges to context (internal/ external issues) of the organization that are relevant to its QMS?
Δ
c) information on the performance and QMS effectiveness, including trends and indicators for; feedback from Customer and relevant interested parties, achievements related to the Quality objectives,
F103-12-QMS-2015 – Issue date: 08-OCT-2015
ISO 9001:2015 Checklist/ Guidance Document Clause #
Requirements
Yes
No
Objective evidence/ Remarks
process performance and conformity of products and services, non-conformities and related corrective actions, results of monitoring and measurement, and external provider’s performance.
d) adequacy of resources required for maintaining an effective QMS? e) process performance and conformity of products and services? f)
9.3.3
reviewing the effectiveness of actions implemented to address risks and opportunities?
g) new potential opportunities for continual improvement? Does the outputs of the management review include decisions and actions related to: a) improvement opportunities? b) any need for changes to the quality management system, including resources needed? Does the organization retain documented information as evidence of the results of management reviews?
Note:
Organizations are now required to retain documented information as evidence of the results of the management reviews (rather than records of management review as stated in 9001:2008) Auditors should expect to evidence the same outputs from management reviews as at present. However, they should note that the results of management reviews can now be held in any format that the organization chooses.
10
Improvement
10.1
General
Does the organization decide and choose improvement opportunities and take necessary actions that will better
F103-12-QMS-2015 – Issue date: 08-OCT-2015
What processes are planned and implemented by the organization to improve
ISO 9001:2015 Checklist/ Guidance Document Clause #
Requirements enable the organization to meet customer requirements and enhance their customers’ satisfaction?
Yes
No
Objective evidence/ Remarks the Quality performance and effectiveness of QMS?
Does this include, as appropriate: a) improving process output to fulfill the requirements and to address future requirements? b) correction, prevention and reduction of unwanted results? c) improvement of performance and QMS effectiveness? Note:
This is a new section which emphasises the general need to improve processes, products and services, as well as the performance of QMS overall, in order to meet customer current and future requirements and enhance customer satisfaction. The associated note reminds that ‘Improvement’ can be effected reactively (e.g. corrective action), incrementally (e.g. continual improvement), by step change (e.g. breakthrough), creatively (e.g. innovation) or by re-organisation (e.g. transformation). Auditors should note that there is no longer a requirement to audit preventive action as a separate entity.
10.2 10.2.1
Δ
Nonconformity and corrective action When a nonconformity is identified including complaints, does the organization: a) take whatever action is necessary to control and correct the nonconformity, and to deal with any resultant consequences b) consider whether any further action is required to eliminate the causes of the nonconformities to avoid their re-occurrence or occurrence elsewhere, by review of nonconformity, cause analysis, and determine if similar nonconformity exist or may occur in future? c) implement any actions identified as needed, review theireffectiveness and make changes to the quality management system if required?
F103-12-QMS-2015 – Issue date: 08-OCT-2015
ISO 9001:2015 Checklist/ Guidance Document Clause #
Yes
No
Objective evidence/ Remarks
Does the evidences of nature of nonconformity and any subsequent action taken, and corrective action results are retained as documented information by the organization?
Note:
Requirements Are the corrective actions appropriate to the effects of the nonconformities encountered?
Auditors should evidence that, where nonconformities have been identified by an organization, an investigation has been conducted to determine whether other similar nonconformities actually do or potentially could exist.This covers some of the requirements previously included under Preventive Action. They should also evidence that where nonconformity has occurred, the organization has considered whether it needs to make changes to the wider quality management system to prevent a re-occurrence.
10.3
Continual Improvement Does the organization work continually to improve its quality management system in terms of suitability, adequacy and effectiveness? Does the organization consider the outputs of analysis and evaluation, and from management review, to confirm if there are areas of underperformance or opportunities that need to be addressed to ensure continual improvement?
Δ
Note:
Organizations now need to demonstrate that they are using the outputs from their analysis and evaluation processes to identify areas of unsatisfactory performance and opportunities for improvement. Auditors should evidence that organizations are using the outputs from their analysis, evaluation and management review processes to identify improvement opportunities and quality management system performance.
Legend: Symbol
F103-12-QMS-2015 – Issue date: 08-OCT-2015
Description
ISO 9001:2015 Checklist/ Guidance Document
Δ
Documented information to be either maintained (document) or retained (record) Delta for additional requirements with the existing once New clause/ requirements introduced in ISO 9001:2015 version
F103-12-QMS-2015 – Issue date: 08-OCT-2015
View more...
Comments
