43 0 11MB
TVE INTERNATIONAL ACADEMY PVT. LTD.
LEAD AUDITOR TRAINING QUALITY MANAGEMENT SYSTEM (ISO 9001:2015)
IRCA REGISTERED COURSE 17980
DELEGATE MANUAL
TVE International Academy Pvt. Ltd. 21/26B, Kamarajar Street, K.K. Nagar, Trichy – 620 021. Contact No: 0431 – 4051364 Email: [email protected] (www.tvecert.org)
Quality Management Systems Auditor / Lead Auditor Training Course
This manual, any documentation related thereto (with the exception of any national or international standards referred to herein) and the information disclosed therein, is confidential and proprietary to TVE. This information
may
not be
used by
or
disclosed to others for any purpose except as specifically authorized in writing by TVE The recipient, by accepting this document agrees that neither the document, the information disclosed therein nor any part thereof shall be reproduced or transferred to other documents nor used or disclosed to others for any other purpose except as specifically authorized in writing by TVE.
(Copyright) 2015 an unpublished work by TVE – All rights reserved.
Quality Management Systems Auditor / Lead Auditor Training Course Delegate Manual (17980)
TVE CERT
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
COURSE INTRODUCTION
We TVE CERT is very glad to introduce this 5 days Lead Auditor Training course. TVE CERT is one of the leading & fast growing Certification & Training bodies in India. TVE CERT operates as a Certification and Training body, organized according to international standard ISO/IEC 17021:2011 in India and across the globe.
All our course presenters are highly qualified and experienced in Quality Management System Design, implementation, and have good experiences of QMS Certification Assessment and Trainings. All sessions are made interesting and interactive by encouraging the delegate participation. Delivery will include Presentations by lectures, Practical workshops, Role plays, Mock Audits etc., leaded by highly experienced and Qualified Tutors.
The course containing each day is divided into four sessions with a lunch break. The morning session is again divided into two sessions with one tea break. Then following the lunch break the afternoon session is again divided into two sessions with one tea break.
The course material is divided into number of Chapters and Exercises. Each chapter will provide enough information based on the learning objectives of that chapter. Also there are practical exercises pertaining to the chapters (wherever relevant). The outputs of the exercises are a part of the formal continuous assessment and will therefore be marked. Although the exercises are group exercises individual score to the delegate will be based on their overall
TVE CERT
8
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
participation, involvement in the relevant chapter presentation and in the exercise. A mock audit – Role play will be conducted on Days 4 & 5 of the Training for the delegates to demonstrate the skills learned and understood during the course. All sessions are interactive and delegate participation is encouraged.
Attendance for the full duration of the course is mandatory and poor time keeping must be avoided. Delegates are not encouraged for taking leave or permissions during the 5 days of the training Course.
Expected Prior Knowledge Requirements
Prior knowledge Before starting this course, you must inform students that they are expected to have the following prior knowledge:
a) Management systems
The Plan, Do, Check, Act (PDCA) cycle
The core elements of a management system and
the
interrelationship
management objectives,
between
responsibility, planning,
top
policy,
implementation,
measurement, review and continuous improvement.
b) Quality management
The fundamental concepts and the seven quality management principles (see ISO 9000):
TVE CERT
9
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
Customer focus Leadership Engagement of people Process approach Improvement Evidence-based decision making Relationship management.
The relationship between quality management and customer satisfaction.
c) ISO 9001
Knowledge of the requirements of ISO 9001 and the commonly used quality management terms and definitions, as given in ISO 9000, which may be gained by completing an IRCA Certified QMS Foundation Training course or equivalent.
LEARNING OBJECTIVES
2.1 Briefly describe what students will know and be able to do by the end of the course.
On completion successful students will have the knowledge and skills to: Knowledge
2.1.1 Explain the purpose of a quality management system, of quality management systems standards, of
management
system
audit,
of
third
party
certification and the business benefits of improved performance of the quality management system (see 3.1).
TVE CERT
10
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
2.1.2 Explain the role and responsibilities of an auditor to plan, conduct, report and follow-up a quality management system audit in accordance with ISO 19011, and ISO/IEC 17021, as applicable (see 3.2).
Skills
2.1.3 Plan, conduct, report and follow-up an audit of a quality management system to establish conformity (or otherwise) with ISO 9001 and in accordance with ISO 19011, and ISO/IEC 17021, as applicable (see 3.3).
Course Assessment
The outputs of the exercises are a part of the formal continuous assessment and will therefore be marked. In order to pass the course a delegate must pass the continual assessment and the written examination as well.
Continual Assessment
Delegates will be assessed throughout the course. The outputs of the exercises are a part of the formal continual assessment and will therefore be marked. Although the exercises are group exercises individual score to the delegate will be based on their overall participation, involvement in the relevant chapter presentation and in the exercise.
Delegates who are late at unavoidable circumstances may at the tutor's decision receive additional one to one instruction. However this should be considered during the breaks and aft this time. Poor timekeeping, irrespective of cause, will be reflected in the appropriate the full days session & care should be taken that this may not disturb the routine class timings. Still repetitive poor timekeeping will result in failure.
TVE CERT
11
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
The overall pass mark for the continual assessment is 60% and should score minimum 50% in individual exercises also. Delegates who fail in the individual exercises are required to resubmit the exercises.
Final Examination
Delegates will have to write the closed book written examination on Day 5 of the course. A total of 2 hours will be available for the Examination.
There are 4 sections to the exam:
Section 1 (10 marks) Section 2 (20 marks) Section 3 (30 marks) Section 4 (30 marks)
The pass mark is 70% and delegates are expected to achieve at least 50% in each section.
Delegates who fail the written exam (but have otherwise successfully completed the course) shall be allowed to retake (an exam) within 12 months of the initial exam. The delegates will be provided with ―Certificate of Successful Completion‖ on successful completion of the course which will be valid for 3 years for registration in IRCA from the end of the course. The delegates will be provided with ―Certificate of Attendance‖ if not been successful in the exam or the continual assessment but have satisfied the course TVE CERT
12
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
attendance requirements. These certificates shall not be accepted by IRCA for Auditor registration.
Auditor Registration as per IRCA Scheme
IRCA provide a Quality Management Systems Auditor Certification Scheme (the QMS Scheme) to provide confidence to accredited certification bodies and to business and industry that auditors certified to this scheme are competent.
The scheme is intended for:
Quality auditors, e.g. those employed by third party certification bodies / registrars, or by purchasing organizations
Quality practitioners, e.g. quality consultants, quality managers and other quality personnel
Employees conducting quality management system audits within their own organization i.e. Internal Standards
The QMS 2015 Scheme has six grades of certification:
QMS 2015 Provisional Internal Auditor
QMS 2015 Internal Auditor
QMS 2015 Provisional Auditor
QMS 2015 Auditor
QMS 2015 Lead Auditor
QMS 2015 Principal Auditor
TVE CERT
13
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
The certification is based on considering the following criteria
A. Education B. Work experience C. Auditor Training D. Auditing Experience
For information concerning the process for certification with IRCA as a Lead Auditor, visit the IRCA Website at http://www.irca.org.
Complaints and Appeals
All delegates have the right to make a complaint or an appeal. The delegates will be provided with the process for the same upon request.
QMS Standard
The delegates will be provided with the copies of ISO 9001:2015 standard for reference during the course.
Delegates Introduction
The course introduction is next followed by Delegate introduction .The delegates are expected to introduce themselves about their Academic Background, Technical Knowledge / Career experiences.
Note: This will help the tutor on identifying right teams in forming Groups/Teams for Practical Exercises.
TVE CERT
14
Issue Date: SEP 2015
Welcome to your CQI and IRCA Certified Quality Management System Auditor/Lead Auditor Training Course TVE International Academy Pvt. Ltd. has been independently assessed and approved by the CQI and IRCA. This means they have the processes and systems in place to deliver certified courses to the highest standard.
About the CQI and IRCA The CQI is the only chartered professional body dedicated entirely to quality. IRCA is its specialist division dedicated to management system auditors. Find out more about the CQI and IRCA at www.quality.org We hope you enjoy your course
www.quality.org/training
Quality Management Systems Auditor / Lead Auditor Training Course
PURPOSE, BENEFITS & PRINCIPLES OF QMS
1. Quality Management System A Quality Management System (QMS) is a set of policies, processes and procedures required for planning and execution (production / development / service) in the core business area of an organization. (i.e. areas that can impact
the organization's
ability to meet
customer
requirements.)ISO 9001:2015 is an example of a Quality Management System.
A QMS integrates the various internal processes within the organization and intends to provide a
process approach for project execution. A Process
Based QMS enables the organizations to identify measure, control and improve the various core business processes that will ultimately lead to improved business performance.
2. Evolution of ISO - Evolution of Standards
MILSTANDARDS - 1960s
ISO 9001 – 1stEdition - 1987 ISO 9001 – 2ndEdition - 1994 ISO 9001 - 3rdEdition - 2000
BS 5755 - 1960s
ISO 9001 - 4th Edition 2008 ISO 9001 - 5th Edition – 2015
ISO 9001 - 1980s
TVE CERT
16
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
3. Purpose of Quality Management System Quality management systems can assist organizations in enhancing customer satisfaction. Customers require products with characteristics that satisfy their needs and expectations. These needs and expectations are expressed in product specifications and collectively referred to as customer requirements Customer requirements may be specified contractually by the customer or may be determined by the organization itself. In either case, the customer ultimately determines the acceptability of the product. Because customer needs and expectations are changing, and because of competitive pressures and technical advances, organizations are driven to improve continually their products and processes. The quality management system approach encourages organizations to analyse customer requirements, define the processes that contribute to the achievement of a product which is acceptable to the customer, and keep these processes under control. A quality management system can provide the framework for continual improvement to increase the probability of enhancing customer satisfaction and the satisfaction of other interested parties. It provides confidence to the organization and its customers that it is able to provide products that consistently fulfill requirements
4. Benefits of Quality Management System:
Assess the overall context of the organization to define who is affected by their work and what the customers expect from the organisation. This will enable to clearly state the organisations objectives and identify new business opportunities.
TVE CERT
17
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
Put the customers first, making sure the organization consistently meet their needs and enhance their satisfaction. This can lead to repeat custom, new clients and increased business for your organization.
Work in a more efficient way as all the processes will be aligned and understood by everyone in the business or organization. This increases productivity and efficiency, bringing internal costs down.
Meet the necessary statutory and regulatory requirements.
Expand into new markets, as some sectors and clients require ISO 9001 before doing business.
Identify and address the risks associated with the organization..
TVE CERT
18
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
INTRODUCTION TO AUDITING 1. What is Audit? Systematic, Independent and documented process for obtaining ―audit evidence‖ and evaluating it objectively to determine the extent to which ―audit criteria‖ are fulfilled.
Note: Independent does not necessarily mean external to the organization in many cases particularly in smaller organizations. Independence can be demonstrated by the freedom from responsibility for the activity being audited.
Also Audit can be defined as an official inspection of an organization's Management system, Management processes, and product or in terms of financial aspects and evaluating it to find to what extent the objectives are met.
The audit criteria used may be set of policies, procedures or requirement of any ISO standards.
Type of Audits
2. Internal or First Party Audit
First party audits, or internal audits, are used by companies to evaluate the effectiveness of their own quality performance that is to identify deficiencies and inaccuracies within the system.
TVE CERT
19
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
3. External or Second Party Audit
The second party audit is generally known as the vendor quality assurance audit. The purpose of such an audit is to determine whether a vendor conforms to some specified contractual procedures imposed by a customer.
The objectives are: 1. Qualification and assessment of vendors 2. Customer‗s requirement that the organization shall audit their vendors 3. Ensure that vendors continue to maintain and improve their quality system 4. Resolve quality problems / issues.
4. External Third Party Audit
Third party audits are conducted by an independent body (certification body) and can either be voluntary, as in the case of a certification audit, or compulsory, as required by laws and regulations. Unlike an internal audit, the third party audit focuses
on
conformance
with
the
standard
and
implementation.
5. Stage 1 Audit
The purpose of the stage 1 audit is to evaluate the quality system is in compliance with a standard. a. Document review to be completed in off-site, but in most cases they are combined with an Initial Visit.
TVE CERT
20
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
6. Stage 2 Audit The purpose of the stage 2 audit is to evaluate the implementation,
including
effectiveness,
of
the
client's
management system. The stage 2 audit shall take place at the site(s) of the client.
7. Follow-up Audit
Any Major Non conformities require a follow up audit to verify the effectiveness of the corrective action taken.
8. Re-Certification Audit
The Re-Certification audit includes an onsite audit that requires the following
Verify the Full management system
Demonstrated
commitment
to
maintain
the
effectiveness and improvement of the management system
Enhance overall performance
Verify the achievement of the organization‘s policy and objectives
9. Additional Audits
The client shall be informed if an additional full audit, an additional limited audit, or documented evidence (to be confirmed during future surveillance audits) will be needed to verify effective correction and corrective actions.
TVE CERT
21
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
10. Surveillance Audit
Surveillance audits are on-site audits, but are not necessarily full system audits, and shall be planned together with the other surveillance activities so that the certification body can maintain confidence that the certified management system continues to fulfill requirements between recertification audits. The surveillance audit programme shall include, at least
11. Extensions to Scope
The certification body shall, in response to an application for extension to the scope of a certification already granted, undertake a review of the application and determine any audit activities necessary to decide whether or not the extension may be granted. This may be conducted in conjunction with a surveillance audit.
12. Short-notice Audits
It may be necessary for the certification body to conduct audits of certified clients at short notice to investigate complaints, or in response to changes, or as follow up on suspended clients. In such cases
a. the certification body shall describe and make known in advance to the certified clients the conditions under which these short notice visits are to be conducted, and
b. the certification body shall exercise additional care in the assignment of the audit team because of the lack of opportunity for the client to object to audit team members.
TVE CERT
22
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
13. Multi-site Audit
Where multi-site sampling is utilized for the audit of a client's management system covering the same activity in various locations, the certification body shall develop a sampling programme to ensure proper audit of the management system. The rationale for the sampling plan shall be documented for each client.
14. Audit Trails
An audit trail is the sequence of paperwork that validates or invalidates the whole process of an organization. Also it is an indicator of good internal controls instituted by a firm, and forms the basis of objectivity.
Audit carried on step by step with sequential process from beginning to the end
Reviewing again by various cross –references procedures/Documents
Audit Trail can be carried out either in forward and backward direction of process sequence.
Audit follows a trail (e.g. estimate, contract, work ticket, form, checklist, material and product) through the business from origination to completion.
15. Auditing statutory and regulatory requirements
ISO 9001 requires an organization to identify and control the statutory and regulatory requirements applicable to its products (including services). It is up to the organization how to do this within its QMS.
TVE CERT
23
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
The organization should demonstrate that the statutory and regulatory requirements applicable to its products / services have been properly identified, are available and easily retrievable.
Auditors need to be aware of the general and specific statutory and regulatory requirements applicable to the products/ services included within the scope of the QMS. During the audit preparation phase, auditors should obtain relevant information from internal or external sources with respect to these statutory and regulatory requirements. This will allow them to make a judgment on the suitability of the QMS to address such requirements. These requirements need to be identified and integrated in the resource management and product realization activities of the organization.
During the audit phase, auditors should
ensure that the organization has a methodology in place for identifying, maintaining and updating all applicable statutory and regulatory requirements
ensure that these statutory and regulatory requirements are utilized as ‗process inputs‘ while monitoring ‗process outputs‘ for compliance with requirements
ensure that any claimed compliance to standards, statutory and regulatory
requirements
etc.
are
properly
demonstrated
by
the
organization
if evidence is found, during the audit, that specific information regarding statutory and regulatory requirements has not been taken into account, the auditors should issue a nonconformity
auditors should also issue a nonconformity if a non compliance with such requirements is directly identified
TVE CERT
24
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
Auditors should avoid making statements about what statutory or regulatory requirements are applicable to the products / services of the organization, or about methods of compliance, because of the possibility of liability.
Nonconformities should be issued only in situations where identification has been made of system deficiencies or of direct violations in respect of statutory and regulatory requirements applying to the products/ services of the organization.
However, if non conformance with other kinds of statutory requirements (e.g. health and safety, environment, etc.) is co-incidentally, detected during the audit, this fact cannot be ignored by the audits. It should be reported without delay to the auditee and, if required, to the audit client.
If auditors become aware of any deliberate legal non-compliance that could affect the image and credibility of the QMS before, during, or after the audit (including, for example, breach of antitrust law, labour law, health and safety or environmental regulations) then this should be taken into consideration and investigated further, as appropriate. Apart from the regulatory authority‘s action, it is for the auditors to assess the effectiveness of the QMS in meeting customer requirements
(stated
or
generally
implied)
and
report
this
to
the
certification/registration body management to take appropriate actions.
TVE CERT
25
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
CERTIFICATION AND ACCREDITATION This chapter explains the organization and role of the Accreditation Body and the Certification Body.
1. Accreditation Body- Definition
Third-party attestation related to a conformity assessment body conveying formal demonstration of its competence to carry out specific conformity assessment tasks.
2. Accreditation Process
Accreditation is a formal, third party recognition of competence to perform specific tasks. It provides a means to identify a proven, competent evaluator so that the selection of a laboratory, inspection or certification body is an informed choice. Accreditation means the evaluator can demonstrate to its customer that it has been successful at meeting the requirements of international accreditation standards.
Usually the reason for getting something independently evaluated is to confirm it meets specific requirements in order to reduce risks. Obvious examples are product failure, health risks, company reputation or to meet legal or customer requirements. Anything or anyone can be evaluated - products, equipment, people, management systems or organizations.
Accreditation body means the evaluators: testing and calibration laboratories, inspection and certification bodies have been assessed against internationally recognized standards to demonstrate their competence, impartiality and performance capability.
TVE CERT
26
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
3. Certification Body – Definition
The certification body has been assessed against internationally recognized standards to demonstrate its competence, impartiality and performance; capability. The certification body will make its services accessible to all applicants based on their requirements.
4. Certification Process
There are three steps to complete a Certification process
Application
Document review& Contract agreements
Audit and certification.
a. Application
Applicant need to submit the application form for requesting certification the point of registration
b. Document Review & Contract Agreements
The auditor conducts the Document Review using the audit form and the management system documentation. During the process, the auditor will contact you to discuss the document review and/or for clarification or to request additional information
If applicable, the applicant needs to supply the necessary information enabling the auditor to finish the review.
TVE CERT
27
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
The applicant application is reviewed for the scope of accreditation by the certification body and then final offer with contract agreements were made with the applicant.
c. Audit & Certification
Once the Certification Body verifies that all documentation has been submitted, an independent auditor performs a content review of the documentation followed by a project site visit. Following the site visit, the auditor compiles a final report. The certification body then reviews the auditor report, notifies the team of the audit results and certifies the project accordingly. Certification Process – Flow Diagram
TVE CERT
28
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
5. Certification Body – Examples
These are the few examples of Certification Bodies.
TVE Certification Services Pvt. Ltd.,
Bureau Veritas Certification (India) Pvt. Ltd.
DNV
TUV SUD South Asia Pvt. Ltd.
6. Benefits of Third - Party Accredited Certification:
There are many reasons why you should use the services of an accredited certification body:
To win the new business opportunities in both the public and private sector;
To access into overseas markets as the certificates issued by bodies that are accredited by an IAFMLA signatory are recognized and accepted throughout the world;
Help to identify best practice since the certification body is required to have appropriate knowledge of your business sector;
Reduction in the need for central and local government to employ their own specialist assessment personnel.
Reduction in bureaucracy and lighter touch regulation.
Public trust
Control costs with the help of knowledge transfer since accredited certification bodies can be a good source of impartial advice;
Offer market differentiation and leadership by showing to others credible evidence of good practice;
To reduce the risk faced by the procurement department by taking the guesswork out of choosing a certification body that it closely meets your requirements;
TVE CERT
29
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
Demonstrate due diligence in the event of legal action;
Accreditation provides the assurance for Government to rely on commercial providers of evaluation and inspection services.
Enhancing business efficiency by reducing the necessity to re-audit the business & reduces paper work QMS – Sample Certificate
TVE CERT
30
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
QUALITY MANAGEMENT PRINCIPLES, PROCESS APPROACH 1. Introduction One of the definitions of a ―principle‖ is that it is a basic belief, theory or rule that has a major influence on the way in which something is done. ―Quality management principles‖ are a set of fundamental beliefs, norms, rules and values that are accepted as true and can be used as a basis for quality management. The QMPs can be used as a foundation to guide an organization‘s performance improvement. They were developed and updated by international experts of ISO/TC 176, which is responsible for developing and maintaining ISO‘s quality management standards.
This document provides for each QMP
Statement : Description of the principle
Rationale : Explanation of why the principle is important for the organization
Key benefits : Examples of benefits associated with the principle
Typical actions : Examples of typical actions to improve the organization‘s performance when applying the principle
The seven quality management principles are QMP 1 - Customer focus QMP 2 - Leadership QMP 3 - Engagement of people QMP 4 - Process approach QMP 5 - Improvement QMP 6 - Evidence-based decision making
TVE CERT
31
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
QMP 7 - Relationship management
These principles are not listed in priority order. The relative importance of each principle will vary from organization to organization and can be expected to change over time.
QMP 1 - Customer focus
Statement
The primary focus of quality management is to meet customer requirements and to strive to exceed customer expectations.
Rationale
Sustained success is achieved when an organization attracts and retains the confidence of customers and other interested parties. Every aspect of customer interaction provides an opportunity to create more value for the customer. Understanding current and future needs of customers and other interested parties contributes to sustained success of the organization.
Key benefits
Increased customer value
Increased customer satisfaction
Improved customer loyalty
Enhanced repeat business
Enhanced reputation of the organization
Expanded customer base
Increased revenue and market share
TVE CERT
32
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
Typical Actions
Recognize direct and indirect customers as those who receive value from the organization.
Understand customers‘ current and future needs and expectations.
Link the organization‘s objectives to customer needs and expectations.
Communicate
customer
needs
and
expectations
throughout
the
organization.
Plan, design, develop, produce, deliver and support goods and services to meet customer needs and expectations.
Measure and monitor customer satisfaction and take appropriate actions.
Determine and take actions on interested parties‘ needs and expectations that can affect customer satisfaction.
Actively manage relationships with customers to achieve sustained success.
QMP 2 – Leadership
Statement
Leaders at all levels establish unity of purpose and direction and create conditions in which people are engaged in achieving the organization‘s quality objectives.
Rationale
Creation of unity of purpose and direction and engagement of people enable an organization to align its strategies, policies, processes and resources to achieve its objectives.
TVE CERT
33
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
Key benefits
Increased effectiveness and efficiency in meeting the organization‘s quality objectives
Better coordination of the organization‘s processes
Improved communication between levels and functions of the organization
Development and improvement of the capability of the organization and its people to deliver desired results
Typical Actions
Communicate the organization‘s mission, vision, strategy, policies and processes throughout the organization.
Create and sustain shared values, fairness and ethical models for behaviour at all levels of the organization.
Establish a culture of trust and integrity.
Encourage an organization-wide commitment to quality.
Ensure that leaders at all levels are positive examples to people in the organization.
Provide people with the required resources, training and authority to act with accountability.
Inspire, encourage and recognize people‘s contribution.
QMP 3 - Engagement of people
Statement
Competent, empowered and engaged people at all levels throughout the organization are essential to enhance its capability to create and deliver value.
TVE CERT
34
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
Rationale
To manage an organization effectively and efficiently, it is important to involve all people at all levels and to respect them as individuals. Recognition, empowerment and enhancement of competence facilitate the engagement of people in achieving the organization‘s quality objectives.
Key benefits Improved understanding of the organization‘s quality objectives by people in the organization and increased motivation to achieve them Enhanced involvement of people in improvement activities Enhanced personal development, initiatives and creativity Enhanced people satisfaction Enhanced trust and collaboration throughout the organization Increased attention to shared values and culture throughout the organization
Typical Actions Communicate with people to promote understanding of the importance of their individual contribution. Promote collaboration throughout the organization. Facilitate open discussion and sharing of knowledge and experience. Empower people to determine constraints to performance and to take initiatives without fear. Recognize
and
acknowledge
people‘s
contribution,
learning
and
improvement. Enable self-evaluation of performance against personal objectives. Conduct surveys to assess people‘s satisfaction, communicate the results, and take appropriate actions. TVE CERT
35
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
QMP 4 - Process approach
Statement
Consistent and predictable results are achieved more effectively and efficiently when activities are understood and managed as interrelated processes that function as a coherent system.
Rationale
The
quality
management
system
consists
of
interrelated
processes.
Understanding how results are produced by this system enables an organization to optimize the system and its performance.
Key benefits Enhanced ability to focus effort on key processes and opportunities for improvement Consistent and predictable outcomes through a system of aligned processes Optimized performance through effective process management, efficient use of resources, and reduced cross-functional barriers Enabling the organization to provide confidence to interested parties as to its consistency, effectiveness and efficiency
Typical Actions Define objectives of the system and processes necessary to achieve them. Establish
authority,
responsibility
and
accountability
for
managing
processes.
TVE CERT
36
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
Understand the organization‘s capabilities and determine resource constraints prior to action. Determine
process
interdependencies
and
analyse
the
effect
of
modifications to individual processes on the system as a whole. Manage processes and their interrelations as a system to achieve the organization‘s quality objectives effectively and efficiently. Ensure the necessary information is available to operate and improve the processes and to monitor, analyse and evaluate the performance of the overall system. Manage risks that can affect outputs of the processes and overall outcomes of the quality management system. QMP 5 – Improvement
Statement
Successful organizations have an ongoing focus on improvement.
Rationale
Improvement is essential for an organization to maintain current levels of performance, to react to changes in its internal and external conditions and to create new opportunities.
Key benefits Improved process performance, organizational capabilities and customer satisfaction Enhanced focus on root-cause investigation and determination, followed by prevention and corrective actions
TVE CERT
37
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
Enhanced ability to anticipate and react to internal and external risks and opportunities Enhanced
consideration
of
both
incremental
and
breakthrough
improvement Improved use of learning for improvement Enhanced drive for innovation
Typical Actions
Promote establishment of improvement objectives at all levels of the organization.
Educate and train people at all levels on how to apply basic tools and methodologies to achieve improvement objectives.
Ensure people are competent to successfully promote and complete improvement projects.
Develop and deploy processes to implement improvement projects throughout the organization.
Track, review and audit the planning, implementation, completion and results of improvement projects.
Integrate improvement considerations into the development of new or modified goods, services and processes.
Recognize and acknowledge improvement.
QMP 6 - Evidence-based decision making
Statement
Decisions based on the analysis and evaluation of data and information are more likely to produce desired results.
TVE CERT
38
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
Rationale
Decision making can be a complex process, and it always involves some uncertainty. It often involves multiple types and sources of inputs, as well as their interpretation, which can be subjective. It is important to understand cause-andeffect relationships and potential unintended consequences. Facts, evidence and data analysis lead to greater objectivity and confidence in decision making.
Key benefits Improved decision-making processes Improved assessment of process performance and ability to achieve objectives Improved operational effectiveness and efficiency Increased ability to review, challenge and change opinions and decisions Increased ability to demonstrate the effectiveness of past decisions
Typical Actions Determine, measure and monitor key indicators to demonstrate the organization‘s performance. Make all data needed available to the relevant people. Ensure that data and information are sufficiently accurate, reliable and secure. Analyse and evaluate data and information using suitable methods. Ensure people are competent to analyse and evaluate data as needed. Make decisions and take actions based on evidence, balanced with experience and intuition.
TVE CERT
39
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
QMP 7 - Relationship management
Statement
For sustained success, an organization manages its relationships with interested parties, such as suppliers.
Rationale
Interested parties influence the performance of an organization. Sustained success is more likely to be achieved when the organization manages relationships with all of its interested parties to optimize their impact on its performance. Relationship management with its supplier and partner networks is of particular importance.
Key benefit Enhanced performance of the organization and its interested parties through responding to the opportunities and constraints related to each interested party Common understanding of goals and values among interested parties Increased capability to create value for interested parties by sharing resources and competence and managing quality-related risks A well-managed supply chain that provides a stable flow of goods and services
Typical Actions Determine relevant interested parties (such as suppliers, partners, customers, investors, employees, and society as a whole) and their relationship with the organization.
TVE CERT
40
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
Determine and prioritize interested party relationships that need to be managed. Establish relationships that balance short-term gains with long-term considerations. Pool and share information, expertise and resources with relevant interested parties. Measure performance and provide performance feedback to interested parties, as appropriate, to enhance improvement initiatives. Establish collaborative development and improvement activities with suppliers, partners and other interested parties. Encourage and recognize improvements and achievements by suppliers and partners.
2. Process approach a. General
The process approach involves the systematic definition and management of processes,
and
their interactions, so as to achieve the intended results in
accordance with the quality policy and strategic direction of the organization.
Management of the processes and the system as a whole can be achieved using the PDCA cycle with an overall focus on risk-based thinking aimed at taking advantage of opportunities and preventing undesirable results.
The application of the process approach in a QMS enables:
understanding and consistency in meeting requirements
the consideration of processes in terms of added value
the achievement of effective process performance
improvement of processes based on evaluation of data and information
TVE CERT
41
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
Figure 1 gives a schematic representation of any process and shows the interaction of its elements.
The monitoring and measuring checkpoints, which are necessary for control, are specific to each process and will vary depending on the related risks.
Starting Point
End Point
Activities
Sources of inputs
Inputs
Predecessor Processes
Matter, Energy, Information, e.g. in the form of materials, resources, requirements
Outputs
Matter, Energy, Information, e.g. in the form of product, service, decision
Receivers of Outputs
Subsequent Processes
Possible controls and check points to monitor and measure Performance
Figure 1 — Schematic representation of the elements of a single process
TVE CERT
42
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
b. What is the process approach?
All organizations use processes to achieve their objectives. A process:
set of interrelated or interacting activities that use inputs to deliver an intended result
NOTE: Inputs and outputs may be tangible (e.g. materials, components or equipment) or intangible (e.g. data, information or knowledge) The process approach includes establishing the organization‘s processes to operate as an integrated and complete system. The management system integrates processes and measures to meet objectives Processes define interrelated activities and checks, to deliver intended outputs Detailed planning and controls can be defined and documented as needed, depending on the organization‘s context.
TVE CERT
43
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
c. Risk‐based thinking, PDCA and the process approach
Figure 2 — Representation of the structure of this International Standard in the PDCA cycle
These three concepts together form an integral part of the ISO 9001:2015 standard. Risks that may impact on objectives and results must be addressed by the management system. Risk‐based thinking is used throughout the process approach to:
TVE CERT
44
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
Decide how risk (positive or negative) is addressed in establishing the processes to improve process outputs and prevent undesirable results Define the extent of process planning and controls needed (based on risk) improve the effectiveness of the quality management system maintain and manage a system that inherently addresses risk and meets objectives
PDCA is a tool that can be used to manage processes and systems. PDCA stands for: P Plan: set the objectives of the system and processes to deliver results (―What to do‖ and ―how to do it‖) D Do: implement and control what was planned C Check: monitor and measure processes and results against policies, objectives and requirements and report results A Act: take actions to improve the performance of processes
PDCA operates as a cycle of continual improvement, with risk‐based thinking at each stage.
d. What are the possible benefits? A focus on the more important (―high‐risk‖) processes and their outputs improved understanding, definition and integration of interdependent processes systematic
management
of
planning,
implementation,
checks
and
improvement of processes and the management system as a whole. better use of resources and increased accountability more consistent achievement of the policies and objectives, intended results and overall performance
TVE CERT
45
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
process approach can facilitate the implementation of any management system enhanced customer satisfaction by meeting customer requirements enhanced confidence in the organization.
The practical steps in using a process approach in ISO 9001:2015 are explained below in table.
e. The process approach in ISO 9001:2015
In accordance with the requirements of ISO 9001 the following sequence of actions provides examples of how an organization may choose to build and control the processes of its quality management system. Performance can be managed and improved by applying the Plan‐Do‐Check‐Act (PDCA) cycle. This applies equally to the system as a whole, to individual processes and to operational activities.
Steps in the process approach
What to do?
Guidance
PLAN Define the context of the organization
The organization should identify its responsibilities, the relevant interested parties and their relevant requirements, needs and expectations to define the organization‘s intended purpose.
Gather, analyze and determine external and internal responsibilities of the organization to satisfy the relevant requirements, needs and expectations of the relevant interested parties. Monitor or communicate frequently with these interested parties to ensure continual understanding of their requirements, needs and expectations.
Define the scope, objectives and policies of the organization
Based on the analysis of the requirements, needs and Expectations establish the scope, objectives and policies that are relevant for the organization‘s quality
The organization shall determine the scope, boundaries and applicability of its management system taking into consideration the internal and external context and interested party requirements. Decide which markets
TVE CERT
46
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
management system.
Determine the processes in the organization
Determine the sequence of the processes
the organization should address. Top management should then establish objectives and policies for the desired outcomes.
Determine the processes needed to meet the objectives and policies and to produce the intended outputs.
Management shall determine the processes needed for achieving the intended outputs. These processes include management, resources, operations, measurement, analysis and improvement. Determine how the processes Define and describe the network of flow in sequence and processes and their interaction. interaction. Consider the following: The inputs and outputs of each process (which may be internal or external). Process interaction and interfaces on which processes depend or enable. Optimum effectiveness and efficiency of the sequence. Risks to the effectiveness of process interaction. Note: As an example, realization processes (such as those needed to provide the products or services delivered to a customer) will interact with other processes (such as the management, measurement, procurement in the provision of resources). Process sequences and their interactions may be developed using tools such as modeling, diagrams, matrices and flowcharts.
Define people or remits who take process ownership and accountability
TVE CERT
Assign responsibility authority for each process.
47
and Top Management should organize and define ownership, accountability, individual roles, responsibilities, working groups, remits, authority and ensure the competence needed for the effective definition, implementation, maintenance and improvement of each process and its interactions. Such individuals or remits are usually referred to as the Process Owners.
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
To manage process interactions it may be useful to also establish a management system team that has a system overview across all the processes and may include representatives from the interacting processes and functions. Define the need for documented information
Determine those processes that Processes exist within the need to be formally defined and organization. They may be formal or how they are to be documented. informal. There is no catalogue or list of processes that have to be formally defined. The organization should determine which processes need to be documented on the basis of risk‐ based thinking, including, for example: The size of the organization and its type of activities. The complexity of its processes and their interactions. The criticality of the processes. The need for formally accountability of performance. Processes can be formally documented using a number of methods such as graphical representations, user stories, written instructions, checklists, flow charts, visual media or electronic methods including graphics and systemization. However, the method or the technology chosen are not the goals. They can be used to describe processes, which are the means to achieve the goals. Effective and organized processes can then deliver consistent and accountable operations and the desired objectives and results which can then be improved. Note: For more guidance see the ISO 9000 Introduction and Support Package module Guidance on the Documented Information Requirements of ISO 9001:2015
TVE CERT
48
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
Define the interfaces, risks and activities within the process
Determine the activities needed to achieve the intended outputs of the process and risks of unintended outputs.
Define the required outputs and inputs of the process. Determine the risks to conformity of products, services and customer satisfaction if unintended outputs are delivered. Determine the activities, measures and inherent controls required to transform the inputs into the desired outputs. Determine and define the sequence and interaction of the activities within the process. Determine how each activity will be performed. Ensure that the management system as a whole takes account of all material risks to the organization and users. Note:In some cases the customer may specify requirements not only for the outputs but also for the realization of a process.
Define the monitoring and measurement requirements
Determine where and how monitoring and measuring should be applied. This should be both for control and improvement of the processes and the intended process outputs. Determine the need for recording results.
Identify the validation necessary to assure effectiveness and efficiency of the processes and system. Take into account such factors as: Monitoring and measuring criteria. Reviews of performance Interested parties‘ satisfaction. Supplier performance. On time delivery and lead times. Failure rates and waste. Process costs. Incident frequency. Other measures of conformity with requirements.
DO Implement
TVE CERT
Implement actions necessary to The organization should perform achieve planned activities and activities, monitoring, measures results. and controls of defined processes and procedures (which may be automated), outsourcing and other methods necessary to achieve planned results.
49
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
Define the resources needed
Determine the resources needed Examples of resources include: for the effective operation of each • Human resources. process. • Infrastructure. • Environment. • Information. • Natural resources (including knowledge). • Materials. • Financial resources. CHECK
Verify the process against its planned objectives
Confirm that the process is effective and that the characteristics of the processes are consistent with the purpose of the organization.
The organization should compare outputs against objectives to verify that all the requirements are satisfied. Processes are needed to gather data. Examples include measurement, monitoring, reviews, audits and performance analysis.
ACT Improvement
Change the processes to ensure Act on the findings to ensure that they continue to deliver the improvement of process intended outputs effectiveness. (NOTE: Organizations may also wish to improve process efficiency, though it is not a requirement of ISO 9001 to do so). Corrective action as a result of process failure should include the identification and elimination of the root causes of the problems. ‗System Thinking‘ recognizes that an event in one process may have a cause or effect in a dependent process. Causes and the effects may not be within the same process. Problem solving and improvement typically follows the essential steps of: define
TVE CERT
50
the
problems
Issue Date: SEP 2015
or
Quality Management Systems Auditor / Lead Auditor Training Course
objectives collect and analyze the data on the problem and relevant processes select and implement the preferred solutions evaluate the effectiveness of the solutions. incorporate the solutions into the routine Even when planned process outputs are being achieved and requirements fulfilled, the organization should still seek to improve process performance, customer satisfaction and reputation. This can be achieved, for example, by small‐step continual improvement (―Kaizen‖), breakthrough improvements and/or by innovation.
TVE CERT
51
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
TVE CERT
52
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
ISO 9001 Terminologies For the purposes of this document, the following terms and definitions apply.
3.01 organization
Person or group of people that has its own functions (3.25)
with
responsibilities,
authorities
and
relationships to achieve its objectives (3.08)
3.02 Interested party
person or organization (3.01) that can affect, be affected by, or perceive themselves to be affected by a decision or activity
EXAMPLE Customers (3.26), owners, people in an organization (3.01), suppliers (3.27), bankers, unions, partners or society that may include competitors or opposing pressure groups.
3.03 requirement
Need or expectation that is stated, generally implied or obligatory
3.04 management system set of interrelated or interacting elements of an organization (3.01) to establish policies (3.07) and objectives (3.08) and processes (3.12) to achieve those objectives
TVE CERT
53
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
3.05 top management person or group of people who directs and controls an organization (3.01) at the highest level
3.06 effectiveness extent to which planned activities are realized and planned results achieved
3.07 policy intentions and direction of an organization (3.01), as formally expressed by its top management (3.05)
3.08 objective result to be achieved
3.09 risk effect of uncertainty on an expected result
3.10 competence ability to apply knowledge (3.53) and skills to achieve intended results
3.11 documented information information (3.50) required to be controlled and maintained by an organization (3.01) and the medium on which it is contained
TVE CERT
54
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
3.12 process set of interrelated or interacting activities which transforms inputs into outputs (3.46)
3.13 performance measurable result
3.14 outsource (verb) make an arrangement where an external organization (3.01) performs part of an organization‘s function (3.25) or process (3.12)
3.15 monitoring determining (3.67) the status of a system (3.31), a process (3.12) or an activity
3.16 measurement process (3.12) to determine (3.67) a value 3.17 audit systematic and independent process (3.12) for obtaining objective evidence (3.61) and evaluating it objectively to determine the extent to which the audit criteria (3.60) are fulfilled
3.18 conformity fulfillment of a requirement (3.03)
TVE CERT
55
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
3.19 nonconformity non-fulfillment of a requirement (3.03)
3.20 corrective action action to eliminate the cause of a nonconformity (3.19) and to prevent recurrence
3.21 continual improvement recurring activity to enhance performance (3.13) 3.22 correction action to eliminate a detected nonconformity (3.19)
3.23 involvement engagement in, and contribution to, shared objectives (3.08)
3.24 context of the organization business environment combination of internal and external factors and conditions that can have an effect on an organization's (3.01) approach to its products (3.47), services (3.48) and investments and interested parties (3.02) Note 1 to entry: The concept of context of the organization is equally applicable to not-for-profit or public service (3.48) organizations (3.01) as it is to those seeking profits. Note 2 to entry: In English this concept is often referred to by other phrases such as business environment, organizational environment or ecosystem of an organization (3.01).
TVE CERT
56
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
3.25 function role to be carried out by a designated unit of the organization (3.01) 3.26 customer person or organization (3.01) that could or does not receive a product (3.47) or a service (3.48) is intended for or required by this person or organization
3.27 supplier provider person or organization (3.01) that provides a product (3.47) or a service (3.48)
EXAMPLE Producer, distributor, retailer or vendor of a product (3.47) or a service (3.48) or information (350). 3.28 improvement activity to enhance performance (3.13) 3.29 management coordinated
activities
to
direct
and
control
an
organization (3.01) 3.30 quality management management (3.29) with regard to quality (3.37) 3.31 system set of interrelated or interacting elements
TVE CERT
57
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
3.32 infrastructure system (3.31) of facilities, equipment and services (3.48) needed for the operation of an organization (3.01)
3.33 quality management system management system (3.04) with regard to quality (3.5.2) 3.34 quality policy policy (3.07) related to quality (3.37) 3.35 strategy planned activities to achieve an objective (3.08). 3.36 object entity anything perceivable or conceivable EXAMPLES Product (3.47), service (3.48), process (3.12), person, organization (3.01), system (3.31), resource. 3.37 quality degree to which a set of inherent characteristics (3.65) of an object (3.36) fulfills requirements (3.03) 3.38 statutory requirement obligatory requirement (3.03) specified by a legislative body 3.39 regulatory requirement obligatory requirement (3.03) specified by an authority mandated by a legislative body
TVE CERT
58
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
3.40 defect nonconformity (3.19) related to an intended or specified use 3.41 traceability ability to trace the history, application or location of an object (3.36)
3.42 innovation process (3.12) resulting in a new or substantially changed object (3.36) 3.43 contract binding agreement 3.44 design and development set of processes (3.12) that transforms requirements (3.03) for an object (3.36) into more detailed requirements 3.45 quality objective objective (3.08) related to quality (3.37)
3.46 output result of a process (312)
TVE CERT
59
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
3.47 product output (3.46) that is a result of activities where none of them necessarily is performed at the interface between the provider (3.27) and the customer (3.26) 3.48 service intangible output (3.46) that is the result of at least one activity necessarily performed at the interface between the provider and the customer 3.49 data facts about an object (3.36) 3.50 information meaningful data (3.49)
3.51objective evidence data (3.49) supporting the existence or verity of something
3.52 information system network
of
communication
channels
used
within
an
organization (3.01)
3.53 knowledge available collection of information (3.50) being a justified belief and having a high certainty to be true
TVE CERT
60
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
3.54 verification confirmation, through the provision of objective evidence (3.51), that specified requirements (3.03) have been fulfilled
3.55 validation confirmation, through the provision of objective evidence, that the requirements (3.03) for a specific intended use or application have been fulfilled 3.56 feedback opinions, comments and expressions of interest in a product, a service or a complaints-handling process
3.57 customer satisfaction customer‘s (3.26) perception of the degree to which the customer‘s expectations have been fulfilled
3.58 complaint expression of dissatisfaction made to an organization (3.01), related to its product (3.47) or service (3.48), or the complaints-handling process (3.12) itself, where a response or resolution is explicitly or implicitly expected 3.59 audit programme set of one or more audits (3.17) planned for a specific time frame and directed towards a specific purpose
TVE CERT
61
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
3.60 audit criteria set of policies (3.07), documented information (3.11) or requirements (3.03) used as a reference against which audit evidence (3.61) is compared 3.61 objective / audit evidence records, statements of fact or other information (3.50), which are relevant to the audit criteria (3.60) and verifiable
3.62 audit findings results of the evaluation of the collected audit evidence (3.61) against audit criteria (3.60)
3.63 concession permission to use or release (3.64) a product (3.47) or service (3.48) that does not conform to specified requirements (3.03)
3.64 release permission to proceed to the next stage of a process (3.12)
3.65 characteristic distinguishing feature Note 1 to entry: A characteristic can be inherent or assigned. Note 2 to entry: A characteristic can be qualitative or quantitative. Note 3 to entry: There are various classes of characteristic, such as the following:
a) physical
(e.g.
mechanical,
electrical,
chemical
or
biological
characteristics); b) sensory (e.g. related to smell, touch, taste, sight, hearing);
TVE CERT
62
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
c) behavioural (e.g. courtesy, honesty, veracity); d) temporal (e.g. punctuality, reliability, availability). e) ergonomic (e.g. physiological characteristic, or related to human safety); f)
functional (e.g. maximum speed of an aircraft)
3.66 performance indicator performance
metric
characteristic
(3.65)
having
significant impact on realization of the output (3.46) and customer satisfaction (3.57) EXAMPLES Nonconformities (3.19) per million opportunities, first time capability, nonconformities per unit.
3.67 determination activity to find out one or more characteristics (3.65) and their characteristic values
3.68 review determination (3.67) of the suitability, adequacy or effectiveness (3.06) of an object (3.36) to achieve established objectives (3.08)
3.69 measuring equipment measuring
instrument,
software,
measurement
standard, reference material or auxiliary apparatus or combination thereof necessary to realize a measurement (3.16) process (3.12).
TVE CERT
63
Issue Date: SEP 2015
64
Quality Management Systems Auditor / Lead Auditor Training Course
CONTEXT OF THE ORGANIZATION This chapter deals about the clause requirement Context of the Organisastion
1. Understanding the organization and its context
The organization shall
determine external and internal issues that are relevant to its purpose and its strategic direction and that affect its ability to achieve the intended result(s) of its QMS.
monitor and review information about these external and internal issues.
2. Auditing Guidance - Context of the Organisastion
Issues can include positive and negative factors or conditions for consideration.
External context includes legal,
technological,
competitive,
market,
cultural,
social
and
economic environments, whether international, national, regional or local. relationships with and perceptions/values of external stakeholders
Internal context includes policies, objectives and strategies corporate culture governance, objectives and strategies resources (people, capital, time, processes, system technologies) information
systems,
information
flows
and
decision-making
processes (both formal and informal)
TVE CERT
65
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
3. Understanding the needs and expectations of interested parties Due to their effect or potential effect on the organization‘s
ability
to
consistently
provide
products and services that meet customer and applicable statutory and regulatory requirements,
The organization shall:
determine the interested parties that are relevant to the QMS
determine the requirements of these interested parties that are relevant to the QMS
Monitor and review information about these interested parties and their relevant requirements.
4. Auditing Guidance - Understanding the needs and expectations of interested parties
Sub clause 4.2 specifies requirements for the organization to determine the interested parties that are relevant to the QMS and the requirements of those interested parties.
However, 4.2 does not imply extension of QMS requirements beyond the scope of this International Standard. As stated in the scope, this International Standard is applicable where an organization needs to demonstrate its ability to consistently provide products and services that meet customer and applicable statutory and regulatory requirements, and aims to enhance customer satisfaction.
There is no requirement in this International Standard for the organization to consider interested parties where it has decided that those parties are not
TVE CERT
66
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
relevant to its QMS.
It is for the organization to decide if a particular requirement of a relevant interested party is relevant to its QMS.
5. Determining the scope of the quality management system
The organization shall determine the boundaries and applicability of the QMS to establish its scope.
When determining this scope, the organization shall consider:
the external and internal issues referred to in 4.1; the requirements of relevant interested parties referred to in 4.2; the products and services of the organization.
The organization shall apply all the requirements of this International Standard if they are applicable within the determined scope of its QMS.
The scope of the organization‘s QMS shall be available and be maintained as documented information. shall state the types of products and services covered, and provide justification for any requirement of this International Standard that the organization determines is not applicable to the scope of its QMS.
Conformity to this International Standard may only be claimed if the requirements determined as not being applicable do not affect the organization‘s ability or responsibility to ensure the conformity of its products and services and the enhancement of customer satisfaction.
TVE CERT
67
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
6. Auditing Guidance – Determining the scope of the quality management system
This International Standard does not refer to ―exclusions‖ in relation to the applicability of its requirements to the organization‘s quality management system.
However, an organization can review the applicability of requirements due to the size or complexity of the organization, the management model it adopts, the range of the organization‘s activities and the nature of the risks and opportunities it encounters.
The requirements for applicability are addressed in 4.3, which defines conditions under which an organization can decide that a requirement cannot be applied to any of the processes within the scope of its QMS.
The organization can only decide that a requirement is not applicable if its decision will not result in failure to achieve conformity of products and services.
7. Quality management system and its processes
a. The organization shall establish, implement, maintain and continually improve a Q M S , including the processes needed and their interactions, in accordance with the requirements of this International Standard.
The organization shall determine the processes needed for the QMS and their application throughout the organization and shall determine
the inputs required and the outputs expected from these processes
the sequence and interaction of these processes
TVE CERT
68
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
apply the criteria and methods (including monitoring, measurements and related performance indicators) needed to ensure the effective operation and control of these processes
resources needed for these processes and ensure their availability
The organization shall
assign the responsibilities and authorities for these processes;
address the risks and opportunities as determined in accordance with the requirements of 6.1
evaluate these processes and implement any changes needed to ensure that these processes achieve their intended results
improve the processes and the QMS.
b. To the extent necessary, the organization shall:
maintain documented information to support the operation of its processes
retain documented information to have confidence that the processes are being carried out as planned.
8. Summary
1.
Has the organization determined external and internal issues?
2.
Has the organization determined the interested parties relevant to the QMS?
3.
Has the organization determined the requirements of the interested parties are relevant to the QMS?
4.
Has the organization monitored and reviewed the information about the interested parties are relevant requirements?
TVE CERT
69
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
5.
Has the organization determined the boundaries and applicability of the QMS to establish its scope?
6.
Has the organization considered the external and internal issues when determining the scope?
7.
Has the organization considered the relevant interested parties needs and expectations?
8.
Has the organization considered the organization‘s units, functions and physical boundaries when determining the scope?
9.
Has the organization considered its products and services when determining the scope?
10.
Has the organization considered the authority and ability to exercise control and influence when determining the scope?
11.
Has the organization maintained the documented information?
12.
Has the organization determined the inputs required and the outputs expected from these processes?
13.
Has the organization determined the sequence and interaction of these processes?
14.
Has the organization determined and apply the criteria and methods needed to ensure the effective operation and control of these processes?
15.
Has the organization determined the resources needed for the theses processes?
16.
Has the organization assigned the responsibilities and authorities of these processes?
17.
Has the organization addressed the risks and opportunities as determined in accordance with the requirements of 6.1?
18.
Has the organization evaluate these processes and implement any changes needed to ensure that these process achieve their intended results?
19.
TVE CERT
Has the organization improve the processes and the QMS?
70
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
20.
Has the organization maintained documented information to support the operation of its processes?
21.
Has the organization retained documented information to have confidence that the processes are being carried out as planned?
TVE CERT
71
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
LEADERSHIP This chapter deals about the clause requirement - Leadership 1. Leadership and commitment
Top management shall demonstrate leadership and commitment with respect to the Q M S by:
taking accountability for the effectiveness of the QMS
ensuring that the quality policy and quality objectives are established for the QMS and are compatible with the context and strategic direction of the organization
ensuring the integration of the QMS requirements into the organization‘s business processes
promoting the use of the process approach and risk-based thinking
ensuring that the resources needed for the QMS are available
communicating the importance of effective QM and of conforming to the QMS requirements
ensuring that the QMS achieves its intended results
engaging, directing and supporting persons to contribute to the effectiveness of the QMS
promoting improvement
supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility.
NOTE Reference to ―business‖ in this International Standard can be interpreted broadly to mean those activities that are core to the purposes of the organization‘s existence, whether the organization is public, private, for profit or not for profit.
TVE CERT
72
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
2. Auditing Guidance - Top Management
Following are the methods of the evaluating top management commitment The auditor can ask relevant questions during the interview with the top management that
Seek to obtain evidence of top management‘s awareness of and commitment to quality and its relevance to the organization's overall objectives and management system,
Establish evidence of conformity to the ISO 9001 requirements for management responsibility.
The auditor/audit team should be constantly looking for opportunities to collect and verify the answers received from top management
This includes
The availability and relevance of policies and objectives
The establishment of linkage between the policies and objectives and are effective and understood throughout the organization
Confirming if the policies and objectives are appropriate for continual improvement of the quality management system and for the achievement of customer satisfaction.
Confirming if top management are involved in management reviews.
3. Customer focus Top
management
shall
demonstrate
leadership
and
commitment with respect to customer focus by ensuring
TVE CERT
73
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
that:
customer and applicable statutory and regulatory requirements are determined, understood and consistently met
the risks and opportunities that can affect conformity of products and services and the ability to enhance customer satisfaction are determined and addressed
the focus on enhancing customer satisfaction is maintained.
4. Policy a. Developing the quality policy Top management shall establish, implement and maintain a quality policy that:
is appropriate to the purpose and context of the organization and supports its strategic direction
provides a framework for setting quality objectives
includes a commitment to
satisfy applicable requirements
continual improvement of the QMS.
b. Communicating the quality policy The quality policy shall:
be available and be maintained as documented information
be communicated, understood and applied within the organization
be available to relevant interested parties, as appropriate.
TVE CERT
74
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
5. Auditing Guidance – Quality Policy
The quality policy and its effective deployment can only be truly assessed based on the overall results of the audit.
Audit methods should include: •
Interviewing Top Management to understand their approach and commitment to quality
•
Evaluating, through the records of management review, the commitment and
involvement
of
Top
Management
in
the
establishment,
implementation, monitoring and updating of the quality policy •
Assessing
whether Management
has
effectively ―translated‖ the
quality policy into the local languages •
Conducting interviews with personnel to verify if they have the required awareness, understanding and knowledge of the way the organization‘s quality policy relates to their own activity
•
Seeking evidence of effective distribution of the quality policy by appropriate communication.
6. Organizational roles, responsibilities and authorities
Top management shall ensure that the responsibilities and authorities for relevant roles are assigned, communicated and understood within the organization.
Top management shall assign the responsibility and authority for: a) ensuring
QMS conforms to the requirements of this International Standard
processes are delivering their intended outputs
TVE CERT
75
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
promotion of customer focus throughout the organization;
integrity of the QMS is maintained when changes to the QMS are planned and implemented.
b) reporting on the performance of the QMS and on opportunities for improvement (see 10.1), in particular to top management; NOTE: The term Management representative removed
7. Summary
1.
Does the top management demonstrate leadership & commitment with respect to the QMS policy?
2.
Is the top management ensured accountability for the effectiveness of the QMS?
3.
Does the top management ensure that the quality policy and quality objectives are compatible with the strategic direction and the context of the organization?
4.
Does the top management promotes the use of the process approach and risk-based thinking?
5.
Has the top management ensured that the resources needed for the QMS are available?
6.
Has the top management communicated the importance of effective quality management and of conforming to the quality management system requirements?
7.
Has the top management ensured that the quality management system achieves its intended results?
8.
Does the top management engage in directing and supporting person to contribute to the effectiveness of the QMS?
9.
TVE CERT
How the top management promotes improvement?
76
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
10.
Does the top management support other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility?
11.
Does the top management demonstrate leadership and commitment with respect to customer focus by ensuing customer and applicable statutory and regulatory are determined?
12.
Does the top management demonstrate leadership and commitment with respect to customer focus ?
13.
Does the top management demonstrate leadership and commitment with respect to customer focus by ensuing the risks and opportunities that can affect conformity of products and services?
14.
Does the top management demonstrate leadership and commitment with respect to customer focus by ensuring the ability to enhance customer satisfaction are determined and addressed?
15.
Has the top management established, implemented and maintained a quality policy?
16.
Is the Quality policy appropriate to the purpose and context of the organization?
17.
Does the quality policy support its strategic direction?
18.
Does the quality policy provide a framework for setting quality objectives?
19.
Does the quality policy include a commitment to satisfy applicable requirements?
20.
Does the quality policy include a commitment to continual improvement of the QMS?
21.
Is the quality policy communicated, understood and applied within the organization?
22.
Is the quality policy available and maintained as documented information?
23.
Is the quality policy available to relevant interested parties as appropriate?
TVE CERT
77
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
24.
Has the top management ensured the responsibilities and authorities for relevant roles are assigned?
25.
Has the top management ensured the responsibilities and authorities for relevant roles are communicated and understood within organization?
26.
Has the top management assigned the responsibility and authority thereby ensuring the QMS conforms to the requirements of ISO 9001:2015?
27.
Has the top management assigned the responsibility and authority for ensuring the processes are delivering their intended outputs?
28.
Has the top management assigned the responsibility and authority for reporting on the performance of the QMS and on opportunities for improvement in particular to top management?
29.
Has the top management assigned the responsibility and authority for ensuring the promotion of customer focus throughout the organization?
30.
Has the top management assigned the responsibility and authority for ensuring that the integrity of the QMS is maintained when changes to the QMS are planned and implemented?
TVE CERT
78
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
RISK BASED THINKING & PLANNING This chapter deals about the requirements of Risk Based Thinking & the clause requirement Planning
1. Risk-based thinking ISO 9001:2015 is to establishes a systematic approach to considering risk, rather than treating ―prevention‖ as a separate component of a quality management system. Risk is inherent in all aspects of a quality management system. There are risks in all systems, processes and functions. Risk-based thinking ensures these risks are identified, considered and controlled throughout the design and use of the quality management system. In previous editions of ISO 9001, a clause on preventive action was separated from the whole. By using risk-based thinking the consideration of risk is integral. It becomes proactive rather than reactive in preventing or reducing undesired effects through early identification and action. Preventive action is built-in when a management system is risk-based. Risk-based thinking is something we all do automatically in everyday life. Example: If I wish to cross a road I look for traffic before I begin. I will not step in front of a moving car. Risk-based thinking has always been in ISO 9001 – this ISO 9001:2015 builds it into the whole management system. In ISO 9001:2015 risk-based thinking needs to be considered from the beginning and throughout the system, making preventive action inherent to planning, operation, analysis and evaluation activities.
TVE CERT
79
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
Risk-based thinking is already part of the process approach. Not all the processes of a quality management system represent the same level of risk in terms of the organization‘s ability to meet its objectives. Some need more careful and formal planning and controls than others. Example: To cross the road I may go directly or I may use a nearby footbridge. Which process I choose will be determined by considering the risks. Risk is commonly understood to have only negative consequences; however the effects of risk can be either negative or positive. In ISO 9001:2015 risks and opportunities are often cited together. Opportunity is not the positive side of risk. An opportunity is a set of circumstances which makes it possible to do something. Taking or not taking an opportunity then presents different levels of risk. Example: Crossing the road directly gives me an opportunity to reach the other side quickly, but if I take that opportunity there is an increased risk of injury from moving cars. Risk-based thinking considers both the current situation and the possibilities for change. Analysis of this situation shows opportunities for improvement: • a subway leading directly under the road • pedestrian traffic lights, or • diverting the road so that the area has no traffic
TVE CERT
80
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
2. Where is risk addressed in ISO 9001:2015? The concept of risk-based thinking is explained in the introduction of ISO 9001:2015 as an integral part of the process approach. ISO 9001:2015 uses risk-based thinking in the following way: Introduction - the concept of risk-based thinking is explained Clause 4 – the organization is required to determine its QMS processes and to address its risks and opportunities Clause 5 – top management is required to Promote awareness of risk-based thinking Determine and address risks and opportunities that can affect product /service conformity Clause 6 – the organization is required to identify risks and opportunities related to QMS performance and take appropriate actions to address them Clause 7 – the organization is required to determine and provide necessary resources (risk is implicit whenever ―suitable‖ or ―appropriate‖ is mentioned) Clause 8 – the organization is required to manage its operational processes (risk is implicit whenever ―suitable‖ or ―appropriate‖ is mentioned) Clause 9 – the organization is required to monitor, measure, analyse and evaluate effectiveness of actions taken to address the risks and opportunities Clause 10 – the organization is required to correct, prevent or reduce undesired effects and improve the QMS and update risks and opportunities
TVE CERT
81
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
3. Why use risk-based thinking? By considering risk throughout the system and all processes the likelihood of achieving stated objectives is improved, output is more consistent and customers can be confident that they will receive the expected product or service. Risk-based thinking: •
improves governance
•
establishes a proactive culture of improvement
•
assists with statutory and regulatory compliance
•
assures consistency of quality of products and services
•
improves customer confidence and satisfaction
Successful companies intuitively incorporate risk-based thinking.
4. A Risk Assessment - QMS a. Introduction With the release of the new ISO 9001:2015 standard, QMS in all kind of organizations are going to face several changes. This presentation intends to assess in one methodology in order to accomplish with the new ISO requirements.
b. ISO 9001:2015 Requirements Determine external and internal issues that affect its ability to achieve the intended result(s) of its QMS.
TVE CERT
82
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
Identify the processes needed and their interactions Processes identification needs: Inputs and Outputs Sequence and interactions Measuring methods Resources Responsibilities and authorities Risk and opportunities Methods of monitoring Opportunities of improvement
Risk and opportunities in Processes Identify the Risk and opportunities in process Plan actions to address them Implement the actions
Identification of Risk related to the QMS
Give assurance that the QMS can achieve the intended result
Prevent or Reduce, undesired effects (Non conformities)
Achieve continual improvement
Planning actions to address risk integrate and implement the actions into its QMS processes evaluate the effectiveness of these actions. This actions shall be proportionate to the potential impact on the conformity of products and services
TVE CERT
83
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
c. Process Management
A process consists of a set of activities that are performed in coordination.
They are set in an organizational and technical environment.
Each process can stand by itself but they can interact each other
Starting Point
End Point
Activities
Sources of inputs
Inputs
Predecessor Processes
Matter, Energy, Information, e.g. in the form of materials, resources, requirements
Outputs
Matter, Energy, Information, e.g. in the form of product, service, decision
Receivers of Outputs
Subsequent Processes
Possible controls and check points to monitor and measure Performance
Figure 1 — Schematic representation of the elements of a single process
TVE CERT
84
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
d. Risk Management
Risk: The combination of the probability of an event and its consequence
Consequences can be positive or negative
Risk management: systematic process of understanding, evaluating and addressing these risks to maximize the chances of objectives being achieved
Likelihood
Very likely
Likely
Unlikely
Acceptable risk Medium 2 Acceptable risk Low 1 Acceptable risk Low 1
What is the chance it will Minor happen?
Unacceptable risk High 3 Acceptable risk Medium 2 Acceptable risk Low 1
Unacceptable risk Extreme 5 Unacceptable risk High 2 Acceptable risk Medium 2
Moderate
Major
Impact TVE CERT
85
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
e. Integrating Risk into Process Management
Identify in each process (input / output) the hazards and the harms
Assess the consequence and the probability
Define an acceptance criteria
Define the acceptance or the mitigation
Identify the cost of mitigation and control
Monitor new harms for the process
f. Examples of Risk in process
Effectiveness Productivity
Risk
Employees are doing more tasks Reducing Throughput
Time
time
Efficiency Effectiveness
TVE CERT
Things are done right
86
Employees are doing tasks Reducing transaction cost
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
g. Turtle Diagram Methodology
Several methodologies are used to implement, audit and report potential Risk into the organization QMS process
Outputs
Inputs
Measure(s)
Customer
Supplier
Process
Materials / Equipment
Process Support
Competence / Skills Training
Advantages Quick identification of process inputs / outputs, controls and resources. High level of detail Ease identification of interactions between process Accomplish with the new ISO 9001:2015 standard
TVE CERT
87
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
h. Identification of major risk in process
Key process Inputs Key Process Outputs Key Process Activities
Major Risk
Key Personnel involved Process effectiveness measurement Process Objectives
i. Process Risk Assessment
Identify the activity, the potential Hazard and the undesired Outcome
Asses the risk (Likelihood and impact)
Set a control measure
Set a responsible
Define a due date
TVE CERT
88
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
j. Process Risk Assessment Matrix:
Process Risk Assessment Activity
TVE CERT
Hazard
Undesired
Risk Assessment
Control
Identified
Outcome
Likelihood
Measure
Impact
89Issue Date: SEP 2015
Responsible
Due Date
Quality Management Systems Auditor / Lead Auditor Training Course
k. Risk Management Plan Once the organization has set the Process Risk Management it should develop a risk management plan for those potential risk that can affect its QMS intended results 1 Select the Intended QMS outcome (Conformity)
2 Define the hazard and the potential non desired outcome (Non Conformity)
3 Define other areas to be affected
4 Assess the risk
5 Define the risk treatment actions in place
6 Identify the residual risk
7 Identify the potential residual non desired outcomes
8 Define additional actions to be taken
9 Identify the resources required to assess the risk
10 Define the risk owner
TVE CERT
90
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
l. Risk Management Matrix:
RISK MANAGEMENT Risk Assessment Desired
Hazard
Undesired
Outcome
Identified
Outcome
Primary Action
Likelihood
Impact
Plan
Potential Residual
Undesired
Additional
Risk
Residual
actions
Outcome
m. Benefits of Risk Assessment Helps to set the strategic and business planning Makes the use of resources effective Reduces the undesired outcomes Can improve the possibility of find new opportunities in the QMS Enhance communication between process Holds Stakeholders Helps focus internal audit programme
TVE CERT
91Issue Date: SEP 2015
Resources
Risk Owner
Quality Management Systems Auditor / Lead Auditor Training Course
n. Challenges Challenges to be faced are Actual
QMS
are
based
in
―heavy‖
documentation Few organizations knows the risk assessment methodology Fewer organizations are prepared to change their actual QMS Identify the degree of ―depth‖ of the risk assessment New changes in the ISO 9001:2015 final standard
5. Planning Actions to address risks and opportunities When planning for the QMS, the organization shall consider the issues referred to in 4 . 1 and the requirements referred to in 4 . 2 and determine the risks and opportunities that need to be addressed to:
give assurance that the QMS can achieve its intended result(s)
enhance desirable effects
prevent, or reduce, undesired effects
achieve improvement.
The organization shall plan:
actions to address these risks and opportunities
how to integrate and implement the actions into its QMS processes (see 4.4) evaluate the effectiveness of these actions.
Actions taken to address risks and opportunities shall be proportionate to the potential impact on the conformity of products and services.
TVE CERT
92
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
NOTE Options to address risks can include avoiding risk taking risk in order to pursue an opportunity eliminating the risk source changing the likelihood or consequences sharing the risk, or retaining risk by informed decision. Opportunities can lead to the adoption of new practices launching new products opening new markets addressing new clients building partnerships using new technology and other
desirable
and
viable
possibilities
to
address
the
organization‘s or its customers‘ needs
6. Quality objectives and planning to achieve them
The organization shall establish quality objectives at relevant functions, levels and processes needed for the QMS.
The quality objectives shall:
be consistent with the quality policy
be measurable
take into account applicable requirements
be relevant to conformity of products and services and to enhancement of customer satisfaction
TVE CERT
be monitored and communicated
be updated as appropriate.
93
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
The organization shall maintain documented information on the quality objectives.
6.2.2 When planning how to achieve its quality objectives, the organization shall determine:
what will be done
what resources will be required
who will be responsible
when it will be completed
how the results will be evaluated.
7. Auditing Guidance - Quality Objectives
Auditors need to verify that the organization‘s overall quality objectives have been defined, that they reflect the quality policy, are substantially coherent, aligned and compatible with the overall business objectives, including customer expectations. If this is not the case, the auditors should further evaluate Top Management commitment to quality.
The fulfilment of quality objectives needs to be measurable and documented.
The auditors should obtain evidence of the way
the
cascaded
quality
objectives
throughout
the
are
suitably
organization‘s
structure and processes, linking the general strategic objectives to management objectives and down to specific operational activities.
It is recommended that the documented quality objectives should be examined at the documentation review stage of the audit.
TVE CERT
94
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
Evidence of that the organization has assigned responsibility to the personnel the resources needed to meet their objectives should be obtained at all levels of the organization.
Auditors should verify that the overall performance of the organization reflects the aims of the quality policy and reasonably meets the quality objectives and aims for continual improvement. Auditors should ensure the fulfilment of objectives can be measured in a quantitative or qualitative manner. They should also remember that there is a clear link between the dynamic aspects of revising the quality policy and the quality objectives and the commitment of the organization to continual improvement.
8. Planning of changes
When the organization determines the need for changes to the QMS, the changes shall be carried out in a planned manner (see 4.4). The organization shall consider the:
purpose of the changes and their potential consequences
integrity of the QMS
availability of resources
allocation or reallocation of responsibilities and authorities
9. Summary 1. Has the top management considered the issues refereed (4.1) understanding the organization and its context? 2. Has the top management considered the issues refereed (4.2) understanding the needs and expectations of interested parties? 3. Has the organization determined the risks and opportunities giving assurance that the QMS can achieve its intended results? 4. Has the organization determined the risks and opportunities to enhance desirable effects?
TVE CERT
95
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
5. Has the organization determined the risks and opportunities prevent, or reduce, undesired effects? 6. Has the organization determined the risks and opportunities to achieve improvements? 7. Has the organization planned actions to address these risks and opportunities? 8. Has the organization planned how to integrate and implement the actions into its QMS system processes? 9. Has the organization planned to evaluate the effectiveness of these actions? 10.
Is the action taken to address risks and opportunities proportionate to the potential impact on the conformity of products and services?
11. Does this action taken includes eliminating the risk source, changing the likelihood or consequences, sharing the risk or retaining risk by informed decision? 12.
Do the opportunities lead to the adoption of new practices, launching new products, opening new markets?
13. Does the opportunities lead to addressing new clients, building partnerships, using new technology, and other desirable and viable possibilities? 14. Has the organization established quality objectives at relevant functions, levels and processes needed for the QMS? 15. Are the quality objectives consistent with quality policy? 16. Are the quality objectives measurable? 17. Does
the
quality
objectives
take
in
to
account
applicable
requirements? 18. Are the quality objectives relevant to conformity of products and services and the enhancement of customer satisfaction? 19. Are the quality objectives monitored, communicated and updated as appropriate? 20. Does the organization maintain documented information? 21. Has the organization planned how to achieve its quality objectives?
TVE CERT
96
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
22. Has the organization determined what will be done? 23.
Has the organization determined what resources are required?
24. Has the organization determined who are all responsibility? 25. Has the organization determined how the results are evaluated? 26. Has the organization determined the need for changes to the QMS & the changes are carried out in a planned manner? 27. Has the organization considered the purpose of the changes and their potential consequences? 28. Has the organization considered the integrity of the QMS? 29. Has the organization considered the availability of resources? 30. Has the organization considered the allocation or reallocation of responsibilities and authorities?
TVE CERT
97
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
SUPPORT This chapter deals about the clause requirement - Support
1. Resources The organization shall determine and provide the resources needed for the establishment, implementation,
maintenance
and
continual
improvement of the QMS.
The organization shall consider: the capabilities of, and constraints on, existing internal resources what needs to be obtained from external providers 2. People
The organization shall determine and provide the persons necessary for the effective implementation of its QMS and for the operation and control of its processes.
3. Infrastructure
The organization shall determine, provide and maintain
the
infrastructure
necessary
for
the
operation of its processes and to achieve conformity of products and services. NOTE Infrastructure can include:
TVE CERT
buildings and associated utilities
equipment, including hardware and software
transportation resources
information and communication technology
98
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
4. Environment for the operation of processes The organization shall determine, provide and maintain the environment necessary for the operation of its processes and to achieve conformity of products and services. NOTE A suitable environment can be a combination of human and physical factors, such as:
social (e.g. non-discriminatory, calm, non-confrontational)
psychological
(e.g.
stress-reducing,
burnout
prevention,
emotionally
protective)
physical (e.g. temperature, heat, humidity, light, airf low, hygiene, noise)
These factors can differ substantially depending on the products and services provided.
5. Monitoring and measuring resources a. General
The organization shall determine and provide the resources needed to ensure valid and reliable results when monitoring or measuring is used to verify the conformity of products and services to requirements.
The organization shall ensure that the resources provided:
are suitable for the specific type of monitoring and measurement activities being undertaken
are maintained to ensure their continuing fitness for their purpose
The organization shall retain appropriate documented information as evidence of fitness for purpose of the monitoring and measurement resources.
TVE CERT
99
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
b. Measurement Traceability
When measurement traceability is a requirement, or is considered by the organization to be an essential part of providing confidence in the validity of measurement results, measuring equipment shall be:
calibrated or verified, or both, at specified intervals, or prior to use, against measurement standards traceable to international or national measurement standards; when no such standards exist, the basis used for calibration or verification shall be retained as documented information
identified in order to determine their status
safeguarded from adjustments, damage or deterioration that would invalidate the calibration status and subsequent measurement results.
The organization shall determine if the validity of previous measurement results has been adversely affected when measuring equipment is found to be unfit for its intended purpose, and shall take appropriate action as necessary. 6. Auditing Guidance – Monitoring and Measuring Resources
The following information is provided as guidance for auditing the processes associated with control of monitoring and measuring equipment, and to assist in the evaluation of justifications for the exclusion of clause 7.1.5.2 from the scope of an organization‘s quality management system.
In the auditing of monitoring and measuring processes, it is important for auditors to understand the difference between ―monitoring‖ and ―measuring‖:
Monitoring implies observing, supervising, keeping under review (using
TVE CERT
100
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
monitoring equipment); it can involve measuring or testing at intervals, especially for the purpose of regulation or control.
Measuring considers the determination of a physical quantity, magnitude or dimension (using measuring equipment). The auditors should evaluate the following
How the organization validates that ―the monitoring and measuring equipment‖ is consistent with the monitoring and measurement requirements.
How the organization assures the information validity and the consistency of the results.
The competence of those responsible for using ―the monitoring and measuring equipment‖
From the description above, the organization should be able to decide whether or not all or part of the requirements of clause 7.1.5.2 may be excluded. It is stressed that just because an organization does not have measuring equipment that needs to be calibrated does not mean that it can automatically exclude compliance with the whole of clause 7.1.5.2 to do so would require that it also does not do any monitoring or measurement and that it does not use any monitoring or measuring equipment.
7. Organizational Knowledge
In 7.1.6, this International Standard addresses the need to determine and manage the knowledge maintained by the organization, to ensure that it can achieve conformity of products and services.
Requirements regarding organizational knowledge were introduced for the purpose of:
TVE CERT
101
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
a) safeguarding the organization from loss of knowledge, e.g.
through staff turnover
failure to capture and share information
b) encouraging the organization to acquire knowledge, e.g. learning from experience
mentoring
benchmarking
The organization shall determine the knowledge necessary for the operation of its processes and to achieve conformity of products and services.
This knowledge shall be maintained and be made available to the extent necessary.
When addressing changing needs and trends, the organization shall consider its current knowledge and determine how to acquire or access any necessary additional knowledge and required updates.
NOTE 1. Organizational knowledge is knowledge specific to the organization. It is gained by experience. It is information that is used and shared to achieve the organization‘s objectives. 2. Organizational knowledge can be based on: a) internal sources Examples intellectual property knowledge gained from experience lessons learned from failures and successful projects capturing
and
sharing
undocumented
knowledge
and
experience
TVE CERT
102
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
the results of improvements in processes, products and services
b) external sources Examples standards academia conferences gathering knowledge from customers or external providers
8. Competence
The organization shall:
determine
the
necessary
competence
of
person(s) doing work under its control that affects the performance and effectiveness of the QMS
ensure that these persons are competent on the basis of appropriate education, training, or experience
where
applicable,
take
actions
to
acquire
the
necessary
competence, and evaluate the effectiveness of the actions taken
retain
appropriate
documented
information
as
evidence
of
competence. NOTE Applicable actions can include, for example, the provision of training to, the mentoring of, or the re- assignment of currently employed persons; or the hiring or contracting of competent persons.
TVE CERT
103
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
9. Awareness The organization shall ensure that persons doing work under the organization‘s control are aware of
the quality policy
relevant quality objectives
their contribution to the effectiveness of the QMS, including the benefits of improved performance
the implications of not conforming with the QMS requirements.
10. Auditing Guidance – Resource Management
Auditors should verify that the resources needed to implement, maintain and improve the
quality
adequately
management managed.
This
system
are
means
that
appropriate resources are to be identified, planned, made available, used, monitored and changed as necessary by the organization.
It is recommended that the management of resources is not audited in isolation. Irrespective of the way the organization is structured and identifies its processes, auditors should be able to verify the adequacy and effective management of the re- sources to achieve planned results. It is important for auditors to verify whether the organization has evaluated past and present performance (e.g. using cost-benefit analysis, risk assessment) when deciding what resources are to be allocated.
Management of resources can be evaluated by interviews with top management and other responsible personnel to check that suitable processes are in place. This needs however to be supported by objective
TVE CERT
104
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
evidence collected throughout the audit. Evidence can be obtained at different stages of the audit – reviewing inputs, process performance and outputs. This has to be carried out when auditing all the processes and related system and process documentation, such as •
management commitment and responsibilities
•
management review process
•
product realization processes including the control of nonconforming products, corrective and preventive actions and continual improvement.
Auditors should verify that the human resources, infrastructure (energy, water, facilities and equipment maintenance, communications, information technology, etc.), and the work environment (temperature, lighting, vibration, noise, etc.) have been provided and maintained in a way consistent with the quality policy and objectives as well as contributing to conformity to product requirements. If it is found that effective management of resources has not been taken into consideration by the organization which may result in not satisfying product related requirements, this should be treated as a nonconformity, the magnitude of which should be related to the associated risk.
11. Communication
The
organization
shall
determine
the
internal
and
external
communications relevant to the Q M S , including:
TVE CERT
on what it will communicate
when to communicate
with whom to communicate
how to communicate
who communicates.
105
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
12. Auditing Guidance –Communication
The auditor should observe the following communicating information within the organization
Management led communication in work areas
Team briefings and other meetings such as those for recognition of achievement
Notice boards
E-mail, intranet and web sites
Company or in house magazine/newsletter
Staff meetings
Individual notices or letters
The auditor may ensure the effectiveness of the organization‘s internal communication processes by:
Interviewing employees
Evaluating the causes of nonconformities and the organization‘s corrective action processes.
Evaluating
the
relevance
and
significant
dates
of
displayed
information.
Examining the feedback mechanisms within the organization, e.g. one-to- one interviews or reviews, employee surveys etc.
Evaluating training and induction programs within the organization.
Viewing
minutes
of
meetings
containing
items
of
internal
communication.
TVE CERT
106
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
13. Documented information a. General
The
organization‘s
QMS
shall
include
documented information:
required by this International Standard
determined by the organization as being necessary for the effectiveness of the QMS.
NOTE
The extent of documented information for a QMS can differ from one organization to another due to the:
size of organization and its type of activities, processes, products and services;
complexity of processes and their interactions;
competence of persons.
b. Creating and updating When creating and updating documented information, the organization shall ensure appropriate:
identification and description (e.g. a title, date, author, or reference number)
format (e.g. language, software version, graphics) and media (e.g. paper, electronic)
review and approval for suitability and adequacy
TVE CERT
107
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
c. Control of documented information
Documented information required by the QMS and by this International Standard shall be controlled to ensure it is :
available and suitable for use, where and when it is needed
adequately protected (e.g. from loss of confidentiality, improper use,
or loss of integrity).
For the control of documented information, the organization shall address the following activities, as applicable:
distribution, access, retrieval and use
storage and preservation, including preservation of legibility
control of changes (e.g. version control)
retention and disposition.
Documented information
of external origin determined by the organization to be necessary for the planning and operation of the QMS shall be identified as appropriate, and be controlled.
retained as evidence of conformity shall be protected from unintended alterations.
NOTE Access can imply a decision regarding the permission to view the documented information only, or the permission and authority to view and change the documented information.
TVE CERT
108
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
14. Auditing Guidance – Requirements of Documented Information of ISO 9001:2015
a. Introduction Two of the most important objectives in the revision of the ISO 9000 series of standards have been: a) to develop a simplified set of standards that will be equally applicable to small as well as medium and large organizations, and b) for the amount and detail of documentation required to be more relevant to the desired results of the organization‘s process activities. ISO 9001:2015 Quality management systems – Requirements has achieved these objectives, and the purpose of this additional guidance is to explain the intent of the new standard with specific regard to documented information. ISO 9001:2015 allows an organization flexibility in the way it chooses to document its quality management system (QMS). This enables each individual organization to determine the correct amount of documented information needed in order to demonstrate the effective planning, operation and control of its processes and the implementation and continual improvement of the effectiveness of its QMS.
It is stressed that ISO 9001 requires (and always has required) a ―Documented quality management system‖, and not a ―system of documents‖. b. What is documented information? ‐ Definitions and references
The term Documented information was introduced as part of the common High Level Structure (HLS) and common terms for Management System Standards (MSS).
The definition of documented information can be found in ISO 9000 clause 3.8.
TVE CERT
109
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
Documented information can be used to communicate a message, provide evidence of what was planned has actually been done, or knowledge sharing. The following are some of the main objectives of an organization‘s documented information a) Communication of Information - As a tool for information transmission and communication. The type and extent of the documented information will depend on the nature of the organization‘s products and processes, the degree of formality of communication systems and the level of communication skills within the organization, and the organizational culture.
b) Evidence of conformity - Provision of evidence that what was planned has actually been done. c) Knowledge sharing d) To disseminate and preserve the organization‘s experiences. A typical example would be a technical specification, which can be used as a base for design and development of a new product or service.
It must be stressed that, according to ISO 9001:2015 clause 7.5.3 Control of documented information requirements, documents may be in any form or type of medium, and the definition of ―document‖ in ISO 9000:2015 clause 3.8.5 gives the following examples: − paper − magnetic − electronic or optical computer disc − photograph − master sample
TVE CERT
110
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
c. ISO 9001:2015 Documentation Requirements ISO 9001:2015 clause 4.4 Quality management systems and its processes requires an organization to “maintain documented information to the extent necessary to support the operation of processes and retain documented information to the extent necessary to have confident that the processes are being carried out as planned.”
Clause 7.5.1 General explains that the quality management system documentation shall include:
a) documented information required by this International standard b) documented information determined by the organization as being necessary for the effectiveness of the quality management system
The note after this Clause make it clear that the extent of the QMS documented information can differ from one organization to another due to the: a) size of organization and its type of activities, processes, products and services b) complexity of processes and their interactions c) competence of persons All the documented information that forms part of the QMS has to be controlled in accordance with clause 7.5 Documented information.
d. Guidance on Clause 7.5 of ISO 9001:2015 The following comments are intended to assist users of ISO 9001:2015 in understanding the intent of the general documented information requirements of the International Standard. Documented information can refer to:
TVE CERT
111
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
a) Documented information needed to be maintained by the organization for the purposes of establishing a QMS (high level transversal documents). These include:
The scope of the quality management system (clause 4.3)
Documented information necessary to support the operation of processes (clause 4.4)
The quality policy (clause 5.)
The quality objectives (clause 6.2)
This documented information is subject to the requirements of clause 7.5
b) Documented information maintained by the organization for the purpose of communicating the information necessary for the organization to operate (low level, specific documents). See 4.4. Although ISO 9001:2015 does not specifically requires any of them, examples of documents that can add value to a QMS may include:
Organization charts
Process maps, process flow charts and/or process descriptions
Procedures
Work and/or test instructions
Specifications
Documents containing internal communications
Production schedules
Approved supplier lists
Test and inspection plans
Quality plans
Quality manuals
Strategic plans
Forms
Where it exists, all such documented information, is also subject to the requirements clause 7.5. TVE CERT
112
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
c) Documented information needed to be retained by the organization for the purpose of providing evidence of result achieved (records). These include:
Documented
information
to the extent necessary to
have
confidence that the processes are being carried out as planned (clause 4.4)
Evidence of fitness for purpose of monitoring and measuring resources (clause 7.1.5.1)
Evidence of the basis used for calibration of the monitoring and measurement
resources (when no international or national
standards exist) (clause 7.1.5.2)
Evidence of competence of person(s) doing work under the control of the organization that affects the performance and effectiveness of the QMS (clause 7.2)
Results of the review and new requirements for the products and services (clause 8.2.3)
Records needed to demonstrate that design and development requirements have been met (clause 8.3.2)
Records on design and development inputs (clause 8.3.3)
Records of the activities of design and development controls (clause 8.3.4)
Records of design and development outputs (clause 8.3.5)
Design and development changes, including the results of the review and the authorization of the changes and necessary actions (clause 8.3.6)
Records of the evaluation, selection, monitoring of performance and re‐evaluation of external providers and any and actions arising from these activities (clause 8.4.1)
Evidence of the unique identification of the outputs when traceability is a requirement (clause 8.5.2)
TVE CERT
113
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
Records of property of the customer or external provider that is lost, damaged or otherwise found to be unsuitable for use and of its communication to the owner (clause 8.5.3)
Results of the review of changes for production or service provision, the persons authorizing the change, and necessary actions taken (clause 8.5.6)
Records of the authorized release of products and services for delivery to the customer including acceptance criteria and traceability to the authorizing person(s) (clause 8.6)
Records of nonconformities, the actions taken, concessions obtained and the identification of the authority deciding the action in respect of the nonconformity (clause 8.7)
Results of the evaluation of the performance and the effectiveness of the QMS (clause 911)
Evidence of the implementation of the audit programme and the audit results (clause 9.2.2)
Evidence of the results of management reviews (clause 9.3.3)
Evidence of the nature of the nonconformities and any subsequent actions taken (clause 10.2.2)
Results of any corrective action (clause 10.2.2)
Organizations are free to develop other records that may be needed to demonstrate conformity of their processes, products and services and quality management system. Where they exists, all such records are also subject to the requirements clause 7.5.
TVE CERT
114
Issue Date: SEP 2015
115
116
Quality Management Systems Auditor / Lead Auditor Training Course
15. Summary
1. Has the organization determined and provided the resources needed for the establishment, implementation, maintenance and continual improvement? 2. Has the organization considered the capabilities of, and constraints on, existing internal resources? 3. Has the organization considered what needs obtained from external providers? 4. Has the organization determined and provided the persons necessary for the effective implementation of its QMS and for the operation and control of its processes? 5. Has the organization determined, provided and maintained the infrastructure necessary for the operation of its processes and to achieve conformity of products and services? 6. Has the organization included buildings and associated utilities? 7. Has the organization included equipments? 8. Has the organization included hardware and software? 9. Has the organization included transportation resources? 10. Has the organization included information and communication technology? 11. Has the organization determined, provided and maintain the environment necessary for the operation of its processes and to achieve conformity of products and services? 12. Has the organization considered suitable environment such as human and physical factors? 13. Has the organization considered social, psychological and physical factors? 14. Has the organization determined and provided the resources needed to ensure valid and reliable results when monitoring or measuring is used to verify the conformity of products and services to requirements?
TVE CERT
117
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
15. Has the organization ensured the suitable resources provided suitable for the specific type of monitoring and measurement activities being undertaken? 16. Has the organization ensured the resources provided maintained to ensure their continuing fitness for their purpose. 17. Has the organization retained appropriate documented information as evidence of fitness for purpose of the monitoring and measurement resources? 18. Has the organization‘s measurement traceability is a requirement, or is considered by the organization to be an essential part of providing confidence in the validity of measurement results? 19. Has the organization measuring equipments are calibrated or verified? 20. Has the organization measuring equipments calibrated or verified at specified intervals, or prior to use, against measurement standards traceable to international or national measurement standards? 21. Has the organization retained the documented information of calibrated or verified equipments? 22. Are the equipments safeguarded from adjustments, damage or deterioration that would invalidate the calibration status and subsequent measurement results? 23. How the organization, considered any changes need and trends from current knowledge? 24. How the organisation determined to acquire or access any necessary additional knowledge and required updates? 25. Has the organization considered organizational knowledge from experience and any specific knowledge to the organization? 26. Is the organization knowledge considered from internal sources? 27. Is the organization knowledge considered from external sources? 28. Has the organization determined the necessary competence of persons doing work under its control that affects the performance and effectiveness of the QMS? 29. Has the organization ensured that these persons are competent on the
TVE CERT
118
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
basis of appropriate education, training, or experience? 30. How the organization taken actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken? 31. Has the organization retained appropriate documented information as evidence of competence? 32. Does the Applicable action include the provision of training to, the mentoring of, or the re- assignment of currently employed persons; or the hiring or contracting of competent persons? 33. Has the organization ensured that persons doing work under the organization‘s control are aware of the quality policy and relevant quality objectives? 34. Has the organization ensured that persons doing work under the organization‘s control are aware of their contribution to the effectiveness of the QMS, including the benefits of improved performance? 35. Has the organization ensured that persons doing work under the organization‘s control are aware of the implications of not conforming with the quality management system requirements? 3 6 . Has the
organization
determined
the
internal
and
external
internal
and
external
internal
and
external
communications relevant to the Q M S ? 37. Does the
organization
determine
the
communication on what it will communicate? 38. Does the
organization
communication
when
determine to
the
communicate
and
with
whom
to
communicate? 39. Has the organization included documented information required by international standard? 40. Has the organization included documented information determined by the organization for the effectiveness of the QMS? 41. Has
the
organization
ensured
appropriate
identification
and
description when creating and updating documented information?
TVE CERT
119
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
42. Has the organization ensured appropriate format and media when creating and updating documented information? 43. Has the organization ensured appropriate review and approval for suitability and adequacy when creating and updating documented information? 44. Has the organization ensured the documented information is available and suitable for use? 45. Has the organization ensured the documented information is adequately protected? 46. Has the organization addressed the distribution, access, retrieval and use of documented information? 47. Has the organization addressed the storage, preservation and legibility? 48. Has the organization addressed the control of changes, retention and disposition? 49.
Are the external origin documented informations (QMS) identified and controlled?
TVE CERT
120
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
OPERATION This chapter deals about the clause requirement - Operation
1. Operational planning and control The organization shall plan, implement and control the processes (see 4.4) needed to meet the requirements for the provision of products and services, and to implement the actions determined in Clause 6, by
determining the requirements for the products and services
establishing criteria for the processes the acceptance of products and services
determining the resources needed to achieve conformity to the product and service requirements
implementing control of the processes in accordance with the criteria
determining and keeping documented information to the extent necessary: 1) to have confidence that the processes have been carried out as planned 2) to demonstrate the conformity of products and services to their requirements
NOTE ―Keeping‖ implies both the maintaining and the retaining of documented information. The output of this planning shall be suitable for the organization‘s operations.
The organization shall
control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary
TVE CERT
ensure that outsourced processes are controlled (see 8.4)
121
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
2. Requirements for products and services a. Customer communication Communication with customers shall include:
providing information relating to products and services
handling
enquiries,
contracts
or
orders,
including changes
obtaining customer feedback relating to products and services, including customer complaints
handling or controlling customer property
establishing specific requirements for contingency actions, when relevant
b. Determining the requirements related to products and services When determining the requirements for the products and
services
to
be
offered
to
customers,
the
organization shall ensure that the:
requirements for the products and services are defined, including: any applicable statutory and regulatory requirements those considered necessary by the organization
organization can meet the claims for the products and services it offers.
TVE CERT
122
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
c. Review of requirements related to products and services The organization shall ensure that it has the ability to meet the requirements for products and services to be offered to customers. The organization shall conduct a review before committing to supply products and services to a customer, to include:
requirements specified by the customer, including the requirements for delivery and post- delivery activities
requirements not stated by the customer, but necessary for the specified or intended use, when known
requirements specified by the organization
statutory and regulatory requirements applicable to the products and services
contract or order requirements differing from those previously expressed
The organization shall ensure that contract or order requirements differing from those previously defined are resolved.
The customer‘s requirements shall be confirmed by the organization before acceptance, when the customer does not provide a documented statement of their requirements. NOTE - In some situations, such as internet sales, a formal review is impractical for each order. Instead, the review can cover relevant product information, such as catalogues or advertising material.
The organization shall retain documented information, as applicable on:
TVE CERT
the results of the review
any new requirements for the products and services
123
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
d. Changes to requirements for products and services
The organization shall ensure that relevant documented information is amended, and that relevant persons are made aware of the changed requirements, when the requirements for products and services are changed. 3. Auditing Guidance – Customer communication
Customer feedback is a process. It needs to be audited as a process, not as a ―clause of the standard‖.
An
evaluation
also
needs
to
be
performed on the way in which the process is managed (see ISO 9001 clause 4.1.c), and its ability to provide meaningful information with which to judge the overall effectiveness of the QMS. The way in which the organization obtains this feedback (―the method‖) is up to the organization to define.
The auditor should therefore be aware of the many factors that can affect the organization‘s approach, and should recognize that there is no fixed ―recipe‖.
Due consideration should be given to factors such as:
organization size and complexity
degree of sophistication of products and customers
risks associated with the product
diversity of customer base
The auditor needs to be aware of the specific characteristics of the organization‘s products that are likely to impact customer satisfaction. Throughout the audit the auditor should be alert for indications that may suggest customer satisfaction or dissatisfaction which could serve as input into the audit of the customer feedback process. Good sources of such
TVE CERT
124
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
information may include, for example:
Goods returned by the customer
Warranty claims
Revised invoices
Credit notes
Articles in the media
Consumer websites
Direct observation of, or communication with, the customer (for example in a service organization)
4. Design and Development of Products and Services
a. Design and Development Planning
To effectively plan the design and development process, the organization must:
Clearly define the stages involved in the design and development process.
Identify how the review and verification of the design will take place.
Describe
clear
responsibility
and
authority for the people doing this work.
See that design information flows effectively among the various groups having a role in designing, selling, managing, manufacturing, and servicing the products.
Keep design and development plans up to date.
b. Design and Development Inputs
Determine the product requirements, including:
TVE CERT
what it does and how well it must perform,
legal and regulatory requirements,
125
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
pertinent information from similar designs,
other pertinent requirements.
c. Design and Development controls
The controls applied to the Design and Development process shall ensure the reviews verification and validation. Design and Development review
Review the design and development work products to:
determine if the design meets the design input requirements
identify and problems with the design
propose solutions to identified design problems
Include representatives from each function concerned with the design and development stage being reviewed. Keep records of the reviews. Design and Development Verification
Verify, according to your plan, that the design output meets design input requirements. Record the results of these verification activities. Design and Development Validation
Validate the operation of the resulting product under actual operating conditions. If the product has multiple uses, validate operation for each intended use. The methods for validation defined in the design output
TVE CERT
126
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
should be followed. Whenever possible, the validation of a product or service should be performed prior to delivery to the customer. Record the results of these validation activities.
d. Design and Development Outputs The output of design and development must include sufficient information to verify that design output meets design input requirements. In addition, it must:
include the information need to purchase component materials, manufacture the product, and service the product.
specify how to determine if the product has acceptable performance,
highlight safety and usage considerations.
e. Control of Design and Development Changes
The Organisation needs to Identify, document, review, and approve all design changes before carrying them out. Evaluate the impact of the changes on the present design of the product. Also should keep records of the review.
5. Auditing Guidance - Design and Development The objective of auditing the design and development process is to determine whether it is managed and controlled to enable products to meet their intended use and specified requirements. It is necessary to note that for service organizations, the approach to design and
development may
be
different
from
―traditional‖ manufacturing
organizations. Before discussing in detail the way in which the design and development process should be audited it is vital for the auditor to understand what is meant by the phrase ―Design and development‖. By misunderstanding this
TVE CERT
127
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
concept, many organizations have wrongly excluded this process from their quality management system. ISO 9001clause 7.3 refers only to design and development of products and services. In some organizations it can be beneficial, but not required, to apply the same methodology to design and development of processes. Product design and development is the set of processes for transforming requirements
for
the
product
(for
example
specifications,
statutory
requirements and specific or implied customer requirements) into specified product characteristics (―distinguishing features of the product‖). ISO 9000 Clause 3.5.1 gives the following examples of product characteristics.
physical
(e.g.
mechanical,
electrical,
chemical
or
biological
characteristics)
sensory (e.g. related to smell, touch, taste, sight, hearing)
behavioral (e.g. courtesy, honesty, veracity)
temporal (e.g. punctuality, reliability, availability)
ergonomic (e.g. physiological characteristic, or related to human safety)
functional (e.g. maximum speed of an aircraft)
In order for the auditor to determine if the organization is in fact involved in design and development, auditors need to establish who is responsible for defining the characteristics of the product or service together with how and when this is carried out. Note - This may apply to original design or ongoing design changes Generally, the design and development process consists of the stages shown in Figure below. Each stage has specific deliverables that cover both the commercial and technical aspects of design and development of a product. In some cases, organisations might be able to justify the exclusion of certain subclauses or individual requirements from their QMS, without necessarily excluding the entire clause. For an organisation with a long established and
TVE CERT
128
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
well validated product design, for example, the organisation might only need to ensure that design changes are managed in accordance with the requirements of clause 7.3. Auditors should verify that any exclusions are valid.
D E S I G N
Need for products and processes identified 8.3.1
Design and development planning ISO 9001 8.3.2
Design and development changes 8.3.6
C O N T R O L S
Design and development inputs ISO 9001 8.3.3
Design and development process
Design and development outputs ISO 9001 8.3.5
Completed design or development
Outline of the Design and Development Process
Auditors should establish what design and development projects have been, and are currently being, undertaken. Auditors should select a sufficient number of projects to be able to audit all stages of the design process.
Guidance for auditing the various stages of the design and development
TVE CERT
129
Issue Date: SEP 2015
8 . 3 . 4
Quality Management Systems Auditor / Lead Auditor Training Course
process is given below but it should be noted that it might not be possible to audit all stages for all the projects selected.
a. Auditing the need for design and development
The need for design and development is generated from a number of sources including
the organization‘s strategic planning
market intelligence and research
service reports
customer feedback and demand
new or changed statutory and regulatory requirements
process changes
new technology
suppliers
Auditors should evaluate whether organizations have in place, and perform, activities for the review of such needs. Whilst it is not a requirement of the standard it is useful to review how the decision to proceed with design and development is taken, i.e. have risks and cost implications been considered and have all relevant functions (internal or external) been consulted.
b. Auditing design and development planning
The following issues should be considered when auditing the planning function
TVE CERT
what is the overall flow of the design planning process?
how is it described?
what resources and competencies are required?
130
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
what part of the design will be outsourced?
who is responsible and are the authorities defined?
how are (internal and external) interfaces between various groups identified and managed?
are the required verification, validation and review points defined?
are the main milestones and timelines identified?
is the implementation and effectiveness of the plan monitored?
is the plan updated and communicated to all relevant functions as necessary?
c. Auditing design and development inputs
When auditing the design and development inputs, auditors should develop an understanding of how the organization identifies its own inputs based on
the organization‘s products and processes
financial, environmental, health and safety issues
organizational risks and impacts
customer‘s requirements and expectations
statutory and regulatory requirements applicable to the product
Auditors should evaluate the risks, the possible implications for customer satisfaction and issues that the organization may encounter if some relevant inputs are not considered.
d. Auditing the design and development controls
The controls applied to the Design and Development process shall ensure the reviews verification and validation.
TVE CERT
131
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
Auditing the design and development process and design reviews
Auditors should verify that the overall design and development process is controlled in accordance with
the
organization‘s
original
plan
being
reviewed and that the design and development reviews take place at appropriate planned stages. The following issues should be considered by auditors when examining the review process
do reviews occur at planned stages throughout the design process?
are
the
reviews
carried
out
in
a
systematic
way
involving
representatives of the functions concerned with the stage(s) being reviewed?
have all original and any new inputs been considered ?
are the original outputs still relevant or have revised outputs been identified?
have revised inputs and outputs been reviewed and approved by those with the relevant responsibility and authority (including the customer where appropriate)?
does the output demonstrate the suitability, adequacy and effectiveness of the designed product?
are the relevant design objectives being achieved?
are there adequate records of reviews?
Auditing design and development verification
Design and development verification is aimed at providing assurance that the outputs of a design and development activity have met the input requirements for this activity.
TVE CERT
132
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
Verification can comprise activities such as
performing alternative calculations
comparing a new design specification with a similar proven design specification
undertaking demonstrations including prototypes, simulations or tests and
reviewing documents prior to issue
Auditors should determine that the design and development verification activities should provide confidence that
required verifications are planned and that verification is performed as appropriate during the design and development process
the completed design or development is acceptable and the results are consistent with and traceable to the initial requirements
the completed design or development is the result of implementation of a proper sequence of events, inputs, outputs, interfaces, logic flow, allocation of timing, etc
the design or development provides safety, security, and compliance with other requirements and design inputs
evidence is available to demonstrate that the verification results and any further actions have been recorded and confirmed when actions are completed.
Auditors should determine that only verified design and development outputs have been submitted to the next stage, as appropriate. Auditing design and development validation
Design and development validation is the confirmation by examination, and the provision of evidence, that the
TVE CERT
133
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
particular requirements for specific intended use are fulfilled. In other words, is the validation process capable of checking that the final product and/or service will meet, or does meet, the customer‘s needs when it is in use?
Validation methods should be specified as part of the design and development planning process, although these could be modified during the realization of design and development.
For many products and/or services, validation is relatively simple process. An example could be a new design of office furniture, which could be validated by the testing of prototypes, followed by testing of initial samples of the finished product.
Auditors should ensure that
there are records to confirm that the validations have been carried out
the validation was carried out in accordance with the planned arrangements for validation
the validation indicates that the resulting product is capable of meeting the requirements of the specification
wherever practical, the validation has been carried out prior to delivery or implementation; and that
there are records of any actions necessary to correct non-compliance with the design and development inputs and the reasons for these deviations.
Where validation cannot be carried out prior to delivery or implementation, auditors should ensure that these activities are carried out at the earliest opportunity, such as when commissioning a complex plant or factory, and that this is communicated to the client. Auditors should determine that only validated design and development outputs have been submitted for customer use.
TVE CERT
134
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
e. Auditing design and development outputs
The design and development outputs should comply with the identified needs in order to ensure that the resulting product can fulfil its intended use. Outputs can include information relevant to the following
marketing, sales and purchasing
production
quality assurance
information for service provision and maintenance of the product after delivery
and, should be provided in a form that enables verification and validation activities to be performed.
Auditors should obtain evidence from the projects selected to confirm that
information regarding the completion of design and development stages is available
the design and development process has been completed for the stage under review
design and development outputs have been confirmed
h. Auditing design and development changes
Design and development changes made during the design process need to be controlled. Auditors should consider the following
are the sources and requests for changes properly identified and communicated?
TVE CERT
is the impact of any change evaluated?
135
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
is any additional design proving or testing undertaken where appropriate?
are the effects of the changes on constituent parts and product already delivered evaluated?
has appropriate approval been given before a change is implemented (this could include statutory or regulatory approval or approval by the client)?
are the changes fully documented and do records include information regarding any necessary additional actions?
6. Control of externally provided processes, products and services a. General The
organization
shall
ensure
that
externally
provided processes, products and services conform to requirements.
The organization shall determine the controls to be applied to externally provided processes, products and services when:
products and services from external providers are intended for incorporation into the organization‘s own products and services
products and services are provided directly to the customer(s) by external providers on behalf of the organization
a process, or part of a process, is provided by an external provider as a result of a decision by the organization.
The organization shall determine and apply criteria for the evaluation selection
TVE CERT
136
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
monitoring of performance and re-evaluation of external providers
based on their ability to provide processes or products and services in accordance with requirements. The organization shall retain documented information of these activities and any necessary actions arising from the evaluations.
b. Type and extent of control
The organization shall ensure that externally provided processes, products and services do not adversely affect the organization‘s ability to consistently deliver conforming products and services to its customers. The organization shall:
ensure that externally provided processes remain within the control of its QMS
define both the controls that it intends to apply to an external provider and those it intends to apply to the resulting output
take into consideration: the potential impact of the externally provided processes, products
and
services
on
the
organization‘s
ability
to
consistently meet customer and applicable statutory and regulatory requirements the effectiveness of the controls applied by the external provider
determine the verification, or other activities, necessary to ensure that the externally provided processes, products and services meet requirements.
TVE CERT
137
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
c. Information for external providers
The organization shall ensure the adequacy of requirements prior to their communication to the external provider.
The organization shall communicate to external providers its requirements for:
the processes, products and services to be provided;
the approval of products and services methods, processes and equipment the release of products and services
competence, including any required qualification of persons
the external providers‘ interactions with the organization
control and monitoring of the external providers‘ performance to be applied by the organization
verification or validation activities that the organization, or its customer, intends to perform at the external providers‘ premises.
7. Auditing Guidance - Control of externally provided processes, products and services All forms of externally provided processes, products and services are addressed in 8.4, e.g. whether through:
TVE CERT
purchasing from a supplier
an arrangement with an associate company
outsourcing processes to an external provider
138
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
Outsourcing always has the essential characteristic of a service, since it will have at least one activity necessarily performed at the interface between the provider and the organization. The controls required for external provision can vary widely depending on the nature of the processes products and services. The organization can apply risk-based thinking to determine the type and extent of controls appropriate to particular external providers and externally provided processes products and services
When developing a management system, many organizations will have put in place systems to control the purchasing of products and the verification of purchased products in a way in which they consider satisfies the requirements of Clause 8.4 of ISO 9001. Similarly, Auditors may consider it sufficient to confirm compliance by checking that an approved external providers list is upto-date, that orders have been placed only with approved suppliers and activities necessary for ensuring that meeting specified purchase requirements have been carried out.
In many instances, however, that may not be sufficient to ensure that purchased products simply meet original specifications in all respects. In such instances, it would be preferable to review the wider processes for procurement management and the supply chain.
In auditing the process for the management of procurement, the following should be considered:-
TVE CERT
139
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
Procurement starts during the design and development of a product when a specification is prepared
Inter-departmental discussions take place to ensure that potential external providers can provide a product that meets the design specification at the required cost
The
organization
should
ensure
that
the
specified
purchase
requirements are correct prior to their communication to the supplier;
Statutory & regulatory requirements have been included in the purchase requirements; and
The degree of risk associated with a component product and the controls required to ensure that it meets the design specification have been assessed
Practical suggestions of ways in which to confirm that the above points have been considered are:-
Confirm that the specification quoted in a purchase order is the same as the specification contained in the design (or the specification received from the customer)
Identify whether or not there were discussions between the organization and potential external providers regarding the design specification of critical components during the design process or prior to an order being placed
Was there some form of ―approval‖ of the specification before the final specification/order was confirmed to the external providers?
Does the purchase order contain or refer to any statutory or regulatory requirements?
In many cases, audits of the evaluation and selection of external providers simply consists of a review of the organization‘s approved supplier list and whether this list has been reviewed at regular intervals. In many cases this
TVE CERT
140
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
may not be sufficient to ensure that the organization has effective control of all of those suppliers within its supply chain.
8. Production and service provision a. Control of production and service provision The organization shall implement production and service provision under controlled conditions. Controlled conditions shall include, as applicable:
the availability of documented information that defines: the characteristics of the products to be produced, the services to be provided, or the activities to be performed the results to be achieved
the availability and use of suitable monitoring and measuring resources
the implementation of monitoring and measurement activities at appropriate stages to verify that criteria for control of processes or outputs, and acceptance criteria for products and services, have been met
the use of suitable infrastructure and environment for the operation of processes the appointment of competent persons, including any required qualification the validation, and periodic revalidation, of the ability to achieve planned results of the processes for production and service provision, where the resulting output cannot be verified by subsequent monitoring or measurement
TVE CERT
the implementation of actions to prevent human error
the implementation of release, delivery and post-delivery activities.
141
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
b. Identification and traceability The organization shall use
suitable means to identify outputs when it is necessary to ensure the conformity of products and services.
identify the status of outputs with respect to monitoring and measurement requirements throughout production and service provision.
control the unique identification of the outputs when traceability is a requirement,
and
shall
retain
the
documented
information
necessary to enable traceability.
c. Property belonging to customers or external providers The organization shall exercise care with property belonging to customers or external providers while it is under the organization‘s control or being used by the organization.
The organization shall identify, verify, protect and safeguard customers‘ or external providers‘ property provided for use or incorporation into the products and services.
When the property of a customer or external provider is lost, damaged or otherwise found to be unsuitable for use, the organization shall report this to the customer or external provider and retain documented information on what has occurred. NOTE A customer‘s or external provider‘s property can include
TVE CERT
material,
components,
tools and equipment,
142
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
premises,
intellectual property and
personal data.
d. Preservation
The organization shall preserve the outputs during production and service provision, to the extent necessary to ensure conformity to requirements. NOTE
Preservation can include
identification
handling
contamination
control
packaging
storage
transmission or transportation, and
protection
e. Post-delivery activities
The organization shall meet requirements for postdelivery activities associated with the products and services.
In determining the extent of post-delivery activities that are required, the organization shall consider:
statutory and regulatory requirements
the potential undesired consequences associated with its products and services
TVE CERT
the nature, use and intended lifetime of its products and services
143
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
customer requirements
customer feedback
NOTE Post-delivery activities can include
actions under warranty provisions,
contractual obligations such as maintenance services, and
supplementary services such as recycling or final disposal.
f. Control of changes The organization shall
review and control changes for production or service provision, to the extent necessary to ensure continuing conformity with requirements.
retain documented information describing the results of the review of changes, the person(s) authorizing the change, and any necessary actions arising from the review.
9. Release of products and services
The organization shall implement planned arrangements, at appropriate stages, to verify that the product and service requirements have been met.
The release of products and services to the customer shall not proceed until the planned arrangements have been satisfactorily completed, unless otherwise approved by a relevant authority and, as applicable, by the customer.
The organization shall retain documented information on the release of products and services. The documented information shall include:
TVE CERT
evidence of conformity with the acceptance criteria
traceability to the person(s) authorizing the release. 144
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
10. Control of nonconforming outputs
The organization shall
ensure that outputs that do not conform to their requirements are identified and controlled to prevent their unintended use or delivery.
take appropriate action based on the nature of the nonconformity and its effect on the conformity of products and services. This shall also apply to nonconforming products and services detected after delivery of products, during or after the provision of services.
deal with nonconforming outputs in one or more of the following ways: correction segregation, containment, return or suspension of provision of products and services informing the customer obtaining authorization for acceptance under concession.
Conformity to the requirements shall be verified when nonconforming outputs are corrected. The organization shall retain documented information that:
describes the nonconformity
describes the actions taken
describes any concessions obtained
identifies the authority deciding the action in respect of the nonconformity.
TVE CERT
145
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
Summary 1. Has the organization planned, implemented and controlled the processes needed to meet the requirements for the provision of products and services? 2. Has the organization implemented the actions determined in Clause 6 (planning)? 3. Has the organization determined the requirements for the products and services? 4. Has the organization established criteria for the processes and the acceptance of products and services? 5. Does the organization determine the resources needed to achieve conformity to the product and service requirements? 6. Does the organization implement control of the processes in accordance with the criteria? 7. Does the organization determine and keeping documented information to the extent necessary? 8. Does the organization have confidence that the processes have been carried out as planned? 9. Does the organization demonstrate the conformity of products and services to their requirements? 10. Does the organization maintain and the retaining of documented information? 11. Is the output of this planning suitable for the organization‘s operations? 12. Does the organization control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary? 13. Has the organization ensured that outsourced processes are controlled? 14. Does the organization communication with customers include providing information relating to products and services? 15. Does the organization communication with customers include
TVE CERT
146
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
handling enquiries, contracts or orders, including changes? 16. Does the organization communication with customers include obtaining customer feedback relating to products and services, including customer complaints? 17. Does the organization communication with customers include handling or controlling customer property? 18. Does the organization communication with customers include specific requirements for contingency actions, when relevant? 19. Does the organization ensures the requirements for the products and services are defined? 20. Does the organization ensure any applicable statutory and regulatory requirements? 21. Does the organization meet the claims for the products and services it offers? 22. Does the organization ensure that it has the ability to meet the requirements for products and services, offered to customers? 23. Does the organization conduct a review before committing to supply products and services to a customer? 24. Does the organization ensure requirements customer, including
the
requirements
for
specified delivery
by and
the post-
delivery activities? 25. Does the organization ensure requirements not stated by the customer, but necessary for the specified or intended use, when known? 26. Does the organization ensure requirements specified by the organization? 27. Does the organization ensure statutory and regulatory requirements applicable to the products and services? 28. Does the organization ensure contract or order requirements differing from those previously expressed? 29. Does the organization ensure that contract or order requirements differing from those previously defined are resolved? 30. Does the organization confirm the customer‘s requirements before
TVE CERT
147
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
acceptance, when the customer does not provide a documented statement of their requirements? 31. Does the organization provide internet sales review, that cover relevant product information like catalogues or advertising materials? 32. Does the organization retain documented information on the results of the review? 33. Does the organization retain documented information on any new requirements for the products and services? 34. Does the organization ensure that relevant documented information is amended, and that relevant persons are made aware of the changed requirements, when the requirements for products and services are changed? 35. Has the organization ensured that externally provided processes, products and services conform to requirements? 36. Has the organization determined the controls to be applied to externally provided processes, products and services? 37. Has the organization determined the controls for products and services from external providers are intended for incorporation into the organization‘s own products and services? 38. Has the organization determined the controls for products and services are provided directly to the customer(s) by external providers on behalf of the organization? 39. Has the organization determined the controls a process, or part of a process, is provided by an external provider as a result of a decision by the organization? 40. Has the organization determined and applied criteria for the evaluation, selection, monitoring of performance, and re-evaluation of external providers, based on their ability to provide processes or products and services in accordance with requirements? 41. Does the organization retain documented information of these activities and any necessary actions arising from the evaluations? 42. Does the organization ensure that externally provided processes,
TVE CERT
148
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
products and services do not adversely affect the organization‘s ability to consistently deliver conforming products and services to its customers? 43. Does the organization ensure that externally provided processes remain within the control of its QMS? 44. Does the organization define both the controls that it intends to apply to an external provider and those it intends to apply to the resulting output? 45. Does the organization take into consideration the potential impact of the externally provided processes, products and services on the organization‘s ability to consistently meet customer and applicable statutory and regulatory requirements? 46. Does the organization take into consideration the effectiveness of the controls applied by the external provider? 47. Does the organization determine the verification, or other activities, necessary to ensure that the externally provided processes, products and services meet requirements? 48. Does the organization ensure the adequacy of requirements prior to their communication to the external provider? 49. Does the organization communicate to external providers its requirements for the processes, products and services to be provided? 50. Does the organization communicate to external providers its requirements for the approval of products and services? 51. Does the organization communicate to external providers its requirements for approval of methods, processes and equipment? 52. Does the organization communicate to external providers its requirements for the approval of the release of products and services? 53. Does the organization communicate to external providers its requirements competence, including any required qualification of persons?
TVE CERT
149
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
54. Does the organization communicate to external providers its requirements,
the
external
providers‘
interactions
with
the
organization? 55. Does the organization communicate to external providers its requirements, control and monitoring of the external providers‘ performance to be applied by the organization? 56. Does the organization communicate to external providers its requirements, verification or validation activities that the organization, or its customer, intends to perform at the external providers‘ premises. 57. Has the organization implemented production and service provision under controlled conditions? 58. Has the organization controlled conditions included the availability of documented information that defined the characteristics of the products to be produced, the services to be provided, or the activities to be performed? 59. Has the organization controlled conditions included the availability of documented information that defined the results to be achieved? 60. Has the organization controlled conditions included the availability and use of suitable monitoring and measuring resources? 61. Has
the
organization
controlled
conditions
included
the
implementation of monitoring and measurement activities at appropriate stages to verify that criteria for control of processes or outputs, and acceptance criteria for products and services, have been met? 62. Has the organization controlled conditions included the use of suitable infrastructure and environment for the operation of processes? 63. Has the organization controlled conditions included the appointment of competent persons, including any required qualification? 64. Has the organization controlled conditions included the validation, and periodic revalidation, of the ability to achieve planned results of the processes for production and service provision, where the
TVE CERT
150
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
resulting output cannot be verified by subsequent monitoring or measurement? 65. Has
the
organization
controlled
conditions
included
the
included
the
implementation of actions to prevent human error? 66. Has
the
organization
controlled
conditions
implementation of release, delivery and post-delivery activities? 67. Does the organization use suitable means to identify outputs when it is necessary to ensure the conformity of products and services? 68. Does the organization identify the status of outputs with respect to monitoring and measurement requirements throughout production and service provision? 69. Does the organization control the unique identification of the outputs when traceability is a requirement? 70. Does the organization retain the documented information necessary to enable traceability?. 71. Does the organization exercise care with property belonging to customers or external providers while it is under the organization‘s control or being used by the organization? 72. Does the organization identify, verify, protect and safeguard customers‘ property provided for use or incorporation into the products and services? 73. Does the organization identify, verify, protect and safeguard external providers‘ property provided for use or incorporation into the products and services? 74. Does the organization retain documented information on what has occurred, When the property of a customer or external provider is lost, damaged or otherwise found to be unsuitable for use, the organization shall report this to the customer or external provider? 75. Does the customer‘s or external provider‘s property include material, components, tools and equipment, premises, intellectual property and personal data?
TVE CERT
151
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
76. Does the organization preserve the outputs during production and service provision, to the extent necessary to ensure conformity to requirements? 77. Does the Preservation include identification, handling, contamination control, packaging, storage, transmission or transportation, and protection? 78. Does
the
organization
meet
requirements
for
post-delivery
activities associated with the products and services? 79. Does
the
organization
consider
organization
consider
statutory
and
regulatory
potential
undesired
requirements? 80. Does
the
the
consequences associated with its products and services? 81. Does the organization consider the nature, use and intended lifetime of its products and services? 82. Does the organization consider customer requirements? 83. Does the organization consider customer feedback? 84. Does the Post-delivery activity include actions under warranty provisions? 85. Does the Post-delivery activity include contractual obligations such as maintenance services? 86. Does the Post-delivery activity include supplementary services such as recycling or final disposal? 87. Does the organization review and control changes for production or service provision, to the extent necessary to ensure continuing conformity with requirements? 88. Does the organization retain documented information describing the results of the review of changes, the person(s) authorizing the change, and any necessary actions arising from the review? 89. Has the organization implemented planned arrangements, at appropriate
stages,
to
verify
that
the product and service
requirements have been met? 90. How the organization ensured the release of products and services
TVE CERT
152
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
to the customer shall not proceed until the planned arrangements have been satisfactorily completed, unless otherwise approved by a relevant authority and, as applicable, by the customer? 91. Does the organization retain documented information on the release of products and services? 92. Does the documented information include
evidence of conformity
with the acceptance criteria? 93. Does the documented information include traceability to the person(s) authorizing the release? 94. Does the organization ensure that outputs that do not conform to their requirements are identified and controlled to prevent their unintended use or delivery? 95. Does the organization take appropriate action based on the nature of the nonconformity and its effect on the conformity of products and services? 96. Does the organization deal with nonconforming outputs by correction? 97. Does the organization deal with nonconforming outputs by segregation, containment, return or suspension of provision of products and services? 98. Does the organization deal with nonconforming outputs by informing the customer? 99. Does the organization deal with nonconforming outputs by obtaining authorization for acceptance under concession? 100. How the Conformity to the requirements is verified? 101. Does the organization retain documented information that describes the nonconformity? 102. Does the organization retain documented information that describes the actions taken? 103. Does the organization retain documented information that describes any concessions obtained? 104. Does the organization retain documented information that identifies the authority deciding the action in respect of the nonconformity?
TVE CERT
153
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
PERFORMANCE EVALUATION & IMPROVEMENT This chapter deals about the clause requirement – Performance Evaluation & Improvement 1. Monitoring, measurement, analysis and evaluation a. General
The organization shall determine:
what needs to be monitored and measured
the methods for monitoring, measurement, analysis and evaluation needed to ensure valid results
when the monitoring and measuring shall be performed
when the results from monitoring and measurement shall be analysed and evaluated.
The organization shall
evaluate the performance and the effectiveness of the QMS.
retain appropriate documented information as evidence of the results.
b. Customer satisfaction
The organization shall
monitor customers‘ perceptions of the degree to which their needs and expectations have been fulfilled.
determine the methods for obtaining, monitoring and reviewing this information.
TVE CERT
154
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
NOTE Examples of monitoring customer perceptions can include:
customer surveys
customer feedback on delivered products and services
meetings with customers
market-share analysis
compliments
warranty claims and
dealer reports
c. Analysis and evaluation
The organization shall analyse and evaluate appropriate data and information arising from monitoring and measurement.
The results of analysis shall be used to evaluate:
conformity of products and services
the degree of customer satisfaction
the performance and effectiveness of the QMS
if planning has been implemented effectively
the effectiveness of actions taken to address risks and opportunities
the performance of external providers
the need for improvements to the QMS.
NOTE Methods to analyse data can include statistical techniques.
2. Internal audit
The organization shall conduct internal audits at planned intervals to provide information on whether the QMS:
TVE CERT
155
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
conforms to the: organization‘s own requirements for its QMS requirements of this International Standard
is effectively implemented and maintained.
The organization shall:
plan, establish, implement and maintain an audit programme(s) including the frequency methods responsibilities planning requirements and reporting
which shall take into consideration the importance of the processes concerned, changes affecting the organization, and the results of previous audits
define the audit criteria and scope for each audit
select auditors and conduct audits to ensure objectivity and the impartiality of the audit process
ensure that the results of the audits are reported to relevant management
take appropriate correction and corrective actions without undue delay
retain documented information as evidence of the implementation of the audit programme and the audit results.
NOTE See ISO 19011 for guidance.
TVE CERT
156
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
3. Management review
a. General
Top
management
organization‘s intervals,
to
shall
QMS, ensure
review at
its
the
planned continuing
suitability, adequacy, effectiveness and alignment with the strategic direction of the organization.
b. Management review inputs
The management review shall be planned and carried out taking into consideration:
the status of actions from previous management reviews
changes in external and internal issues that are relevant to the QMS
information on the performance and effectiveness of the Q M S , including trends in: customer satisfaction and feedback from relevant interested parties the extent to which quality objectives have been met process performance and conformity of products and services nonconformities and corrective actions monitoring and measurement results audit results the performance of external providers
TVE CERT
157
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
the adequacy of resources
the effectiveness of actions taken to address risks and opportunities (see 6.1)
opportunities for improvement.
c. Management review outputs
The outputs of the management review shall include decisions and actions related to:
opportunities for improvement
any need for changes to the QMS
resource needs.
The organization shall retain documented information as evidence of the results of management reviews.
Auditing Guidance - Management Review
ISO
9001
review
requires the
top
management
organization's
to
quality
management system, at planned intervals, to ensure its continuing suitability, adequacy and effectiveness. The review could be carried out at a separate meeting but this is not a requirement of the standard. There are many
ways
management generated
by
in
which
system
top
such
management as
the management
receiving
can and
representative
review
the
quality
a
report
reviewing or
other
personnel,
electronic communication or as part of regular management meetings where issues such as budgets and targets are also discussed.
TVE CERT
158
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
The management review is a process that should be conducted and audited utilizing the process approach.
The management review process should not be an exercise carried out solely to satisfy the requirements of the standard and the auditors; it should be an integral part of the organization‘s business management process. The overall management review is complex process carried out at various levels in the organization. It is always a two-way process, generated by top management with inputs from all levels in the organization. These activities could vary from daily, weekly, monthly, organizational unit meetings to simple discussions or reports.
Auditors should look for evidence that the inputs and outputs of the management review process are relevant to the organization‘s size and complexity and that they are used to improve the business. Auditors should also consider how the organization‘s management is structured and how the management review process is used within this structure.
4. Improvement a. General The organization shall determine and select opportunities for improvement and implement any necessary actions to meet customer requirements and enhance customer satisfaction.
These shall include:
improving products and services to meet requirements as well as to address future needs and expectations
TVE CERT
correcting, preventing or reducing undesired effects
improving the performance and effectiveness of the QMS.
159
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
NOTE Examples of improvement can include:
correction
corrective action
continual improvement
breakthrough change
innovation and
re-organization
5 . Non conformity and corrective action When a nonconformity occurs, including any arising from complaints, the organization shall:
react to the nonconformity and, as applicable: take action to control and correct it deal with the consequences
evaluate the need for action to eliminate the cause(s) of the nonconformity, in order that it does not recur or occur elsewhere, by: 1) reviewing and analysing the nonconformity 2) determining the causes of the nonconformity 3) determining if similar nonconformities exist, or could potentially occur
implement any action needed
review the effectiveness of any corrective action taken
update risks and opportunities determined during planning, if necessary
make changes to the QMS, if necessary.
Corrective
actions
shall
be
appropriate
to
the
effects
of
the
nonconformities encountered.
TVE CERT
160
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
The organization shall retain documented information as evidence of:
the nature of the nonconformities and any subsequent actions taken;
the results of any corrective action.
6. Continual improvement
The organization shall
continually improve the suitability, adequacy and effectiveness of the Q MS .
consider the results of analysis and evaluation, and the outputs from management review, to determine if there are needs or opportunities that shall be addressed as part of continual improvement.
7. Auditing Guidance – Continual Improvement
The auditor should seek to determine if the auditee has attempted to set objectives that establish the correlation between the three factors of corporate objectives, customer needs, and market expectations. Thereafter, it is up to the organization to balance the need for improving internal efficiency and the need to progress with external performance (although the two are very often closely related). No one in isolation can ever be considered as being ―enough‖ or ―not enough‖.
It is important to understand that continual improvement doesn‘t necessarily just mean continual improvement of product or process, but can and should also apply to the quality management system itself. An auditor should remember that it would be unrealistic to expect an organization to make progress on all potential improvements simultaneously.
TVE CERT
161
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
Continual improvement should be interpreted as a recurring (step by step) activity. What it means is when opportunities for improvement are identified and when such improvements are justified, an organization needs to decide how they are to be implemented, based on the available resources.
Each improvement will require the commitment of resources, which may need prioritisation by top management, especially where investments are needed. Instead, the auditor should seek to ensure that the improvement objectives are consistent overall, and are coherent with the trilogy of factors mentioned above. However, an organization that does not have a policy and objectives relating to continual improvement is clearly not complying with the standard. Similarly, the absence of any evidence of improvement on at least one of these aspects would have to be considered as indicating that an organization's quality policy is not in line with ISO 9001.
There is no requirement that the organization should set objectives for improvement of all its processes at any one time. As in the above example on reducing customer complaints, some processes may not be deemed by top management to contribute significantly to the reduction of delays, and it is only normal therefore, that the organization would not concentrate on these areas.
If the top management has set a (realistic) objective for a process, and there is no evidence of improvement, this information must be fed back into the management review so that top management can decide what type of action is appropriate - for example, re-adjusting the objective or providing other means to impact on the process.
TVE CERT
162
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
Summary 1. Has the organization determined what needs to be monitored and measured? 2. Has the organization determined the methods for monitoring, measurement, analysis and evaluation needed to ensure valid results? 3. Has the organization determined when the monitoring and measuring shall be performed? 4. Has the organization determined when the results from monitoring and measurement shall be analysed and evaluated? 5. Has the organization evaluated the performance and the effectiveness of the QMS? 6. Does the organization retain appropriate documented information as evidence of the results? 7. Does the organization monitor customers‘ perceptions of the degree to which their needs and expectations have been fulfilled? 8. Has the organization determined the methods for obtaining, monitoring and reviewing this information? 9. Does the organization monitoring customer perception can include customer surveys, customer feedback on delivered products and services? 10. Does the organization monitoring customer perception can include meetings with customers, market-share analysis, compliments, warranty claims and dealer reports? 11. Does the organization analyse and evaluate appropriate data and information arising from monitoring and measurement? 12. Are the result of analysis used to evaluate conformity of products and services? 13. Are the result of analysis used to evaluate the degree of customer satisfaction? 14. Are the result of analysis used to evaluate the performance and effectiveness of the QMS? 15. Are the result of analysis used to evaluate if planning has been
TVE CERT
163
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
implemented effectively? 16. Are the result of analysis used to evaluate the effectiveness of actions taken to address risks and opportunities? 17. Are the result of analysis used to evaluate the performance of external providers? 18. Are the result of analysis used to evaluate the need for improvements to the QMS? 19. What type of methods used to analyse of data? 20. Does the organization conform to the organization‘s requirements of QMS? 21. Does the organization conform to the requirements of this ISO 9001:2015 standard? 22. Does the organization plan, establish, implement and maintain an audit programme(s)? 23. Does
the
organization
include
the
frequency,
methods,
responsibilities, planning requirements and reporting, which shall take into consideration the importance of the processes concerned, changes affecting the organization, and the results of previous audits? 24. Does the organization define the audit criteria and scope for each audit? 25. Does the organization select auditors and conduct audits to ensure objectivity and the impartiality of the audit process? 26. Does the organization ensure that the results of the audits are reported to relevant management? 27. Does the organization take appropriate correction and corrective actions without undue delay? 28. Does the organization retain documented information as evidence of the implementation of the audit programme and the audit results? 29. Does the organization‘s Top management review the organization‘s QMS, at planned intervals? 30. Does the top management ensure its continuing suitability, adequacy, effectiveness and alignment with the strategic direction of the
TVE CERT
164
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
organization? 31. Is the management review, planned and carried out taking into consideration of the status of actions from previous management reviews? 32. Is the management review, planned and carried out taking into consideration of the changes in external and internal issues that are relevant to the QMS? 3 3 . Is the management review, planned and carried out taking into consideration of information on the performance and effectiveness of the Q M ? 34. Does the management review include trends in customer satisfaction and feedback from relevant interested parties? 35. Does the management review include trends in the extent to which quality objectives have been met? 36. Does the management review include trends in process performance and conformity of products and services? 37. Does the management review include trends in nonconformities and corrective actions? 38. Does the management review include trends in monitoring and measurement results? 39. Does the management review include trends in audit results? 40. Does the management review include trends in the performance of external providers? 41. Does the management review include trends in the adequacy of resources? 42. Does the management review include trends in the effectiveness of actions taken to address risks and opportunities? 43. Does the management review include trends in opportunities for improvement? 44. Does the output of the management review include decisions and actions related to opportunities for improvement? 45. Does the output of the management review include decisions and
TVE CERT
165
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
actions related to any need for changes to the QMS? 46. Does the output of the management review include decisions and actions related to resource needs? 47. Does the organization retain documented information as evidence of the results of management reviews? 48. Does the organization determine and select opportunities for improvement and implement any necessary actions to meet customer requirements and enhance customer satisfaction? 49. Has the organization included improving products and services to meet requirements as well as to address future needs and expectations? 50. Has the organization included improving the performance and effectiveness of the QMS? 51. Has the improvement continual
included
correction,
corrective
action,
improvement, breakthrough change, innovation and re-
organization? 52. How the organizations react when any nonconformity occurs? 53. How the organizations take action to control and correct the nonconformities? 54. Has organization evaluated the need for action to eliminate the causes of the nonconformities? 55. How
the
organization
monitor
the
reoccurrence
of
the
nonconformities? 56. Has the organization reviewed the nonconformities? 57. Has the organization determined the causes of the nonconformities? 58. How the organization determines the nonconformity is potential? 59. Has organization reviewed the effectiveness of any corrective action taken? 60. Is any change done in the QMS? 61. Has the organization retained documented information? 62. Has the organization have a plan for continual improvement of the QMS performance?
TVE CERT
166
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
63. Has the organization identified, where the continual improvement required in the QMS 64. Has the organization consider the results of analysis and evaluation, and the outputs from management review, to determine if there are needs or opportunities that shall be addressed as part of continual improvement?
TVE CERT
167
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
MANAGEMENT OF AUDIT PROGRAMME An organization needing to conduct audits should establish an audit programme that contributes to the determination of the effectiveness of the auditee‘s management system. The audit programme can include audits considering one or more management system standards, conducted either separately or in combination.
The top management should ensure that the audit programme objectives are established and assign one or more competent persons to manage the audit programme. The extent of an audit programme should be based on the size and nature of the organization being audited, as well as on the nature, functionality, complexity and the level of maturity of the management system to be audited.
Priority should be given to allocating the audit programme resources to audit those matters of significance within the management system. These may include the key characteristics of product quality or hazards related to health and safety, or significant environmental aspects and their control.
1. Establishing the Audit Programme Objectives
a. Audit Objectives
The audit objectives shall be determined by the certification body. The audit scope and criteria including any changes, shall be established by the certification body after discussion with the client
The audit objectives shall describe what is to be accomplished by the audit and shall include the following: a. Determination of the conformity of the client‘s Management system, or parts of it, with audit criteria. b. Evaluation of the ability of the management system, to ensure the
TVE CERT
168
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
client organization meets applicable statutory, regulatory and contractual requirements. c. Note: a management system certification audit is not a legal compliance audit d. Evaluation of the effectiveness of the management system to ensure the
client organization is continually meeting its specified
objectives. e. As applicable, identification of areas, for potential improvement of the management system
b. Audit Scope
The audit scope should be consistent with the audit programme and audit objectives. It includes such factors as physical locations, organizational units, activities and processes to be audited, as well as the time period covered by the audit.
c. Audit Criteria
The audit criteria are used as a reference against which conformity is determined and may include applicable policies, procedures, standards, legal requirements, management system requirements, contractual requirements, sector codes of conduct or other planned arrangements.
In the event of any changes to the audit objectives, scope or criteria, the audit programme should be modified if necessary.
When two or more management systems of different disciplines are audited together (a combined audit), it is important that the audit objectives, scope and criteria are consistent with the objectives of the relevant audit programmes
TVE CERT
169
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
2. Establishment of the Audit Programme a. Roles and responsibilities of the person managing the audit programme The person managing the audit programme should:
establish the extent of the audit programme.
identify and evaluate the risks for the audit programme.
establish audit responsibilities.
establish procedures for audit programmes.
determine necessary resources.
ensure the implementation of the audit programme, including the establishment of audit objectives, scope and criteria of the individual audits, determining audit methods and selecting the audit team and evaluating auditors.
ensure that appropriate audit programme records are managed and maintained.
monitor, review and improve the audit programme.
The person managing an audit programme should inform the top management of the contents of the audit programme and, where necessary, request its approval. b. Competence of the person managing the audit programme The person managing the audit programme should have the necessary competence to manage the programme and its associated risks effectively and efficiently, as well as knowledge and skills in the following areas:
TVE CERT
audit principles, procedures and methods.
management system standards and reference documents.
activities, products and processes of the auditee.
applicable legal and other requirements relevant to the activities and 170
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
products of the auditee.
customers, suppliers and other interested parties of the auditee, where applicable.
The person managing the audit programme should engage in appropriate continual professional development activities to maintain the necessary knowledge and skills to manage the audit programme.
3. Extent of the Audit Programme
The extent of the audit programme may vary depending on the size and nature of the auditee, as well as on the nature, functionality, complexity and the level of maturity of, and matters of significance to, the management system to be audited.
Other factors impacting the extent of an audit programme include the following:
the objective, scope and duration of each audit and the number of audits to be conducted, including audit follow up, if applicable.
the number, importance, complexity, similarity and locations of the activities to be audited.
those factors influencing the effectiveness of the management system.
applicable audit criteria
conclusions of previous internal or external audits.
results of a previous audit programme review.
language, cultural and social issues.
the concerns of interested parties, such as customer complaints or non compliance with legal requirements.
significant changes to the auditee or its operations.
availability of information and communication technologies to support audit
TVE CERT
activities, in particular the use of remote audit methods.
the occurrence of internal and external events, such as product
171
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
failures, information security leaks, health and safety incidents, criminal acts or environmental incidents.
4. Audit Programme Risks
There are many different risks associated with audit Programme .These risks may be associated with the following:
planning
resources
selection of the audit team
implementation
records and their controls
monitoring, reviewing and improving the audit programme
5. Procedures for the audit programme A procedure for the audit programme should be established which includes
planning and scheduling audits considering audit programme risks.
ensuring information security and confidentiality.
assuring the competence of auditors and audit team leaders.
selecting appropriate audit teams and assigning their roles and responsibilities.
conducting audits, including the use of appropriate sampling methods.
conducting audit follow up, if applicable.
reporting to the top management on the overall achievements of the audit programme.
maintaining audit programme records.
monitoring
and reviewing the
performance
and
risks,
and
improving the effectiveness of the audit programme.
TVE CERT
172
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
6. Audit Programme Resources
The following resources to be identified for the audit programme.
the financial resources necessary to develop, implement, manage and improve audit activities.
audit methods.
the availability of auditors and technical experts having competence appropriate to the particular audit programme objectives.
the extent of the audit programme and audit programme risks.
travelling time and cost, accommodation and other auditing needs.
the availability of information and communication technologies
7. Applying Audit Methods An audit can be performed using a range of audit methods. An explanation of commonly used audit methods can be found in this annex. The audit methods chosen for an audit depend on the defined audit objectives, scope and criteria, as well as duration and location. Available auditor competence and any uncertainty arising from the application of audit methods should also be considered. Applying a variety and combination of different audit methods can optimize the efficiency and effectiveness of the audit process and its outcome.
Performance of an audit involves an interaction among individuals with the management system being audited and the technology used to conduct the audit. Table B.1 provides examples of audit methods that can be used, singly or in combination, in order to achieve the audit objectives. If an audit involves the use of an audit team with multiple members, both on-site and remote methods may be used simultaneously. NOTE
TVE CERT
Additional information about on-site visits is given in Clause B.6.
173
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
Table B.1 — Applicable audit methods Extent of involvement between the auditor and the auditee Human interaction
Location of the auditor On-site Conducting interviews. Completing checklists and questionnaires with auditee participation. Conducting document review with auditee participation. Sampling.
No human interaction
Conducting document review (e.g. records, data analysis). Observation of work performed. Conducting on-site visit. Completing checklists. Sampling (e.g. products).
Remote Via interactive communication means: — conducting interviews; —
completing checklists and questionnaires;
Conducting document review (e.g. records, data analysis). Observing work — conducting performed via document surveillance means, review with considering social and legal auditee requirements. participation. Analyzing data.
On-site audit activities are performed at the location of the auditee. Remote audit activities are performed at any place other than the location of the auditee, regardless of the distance. Interactive audit activities involve interaction between the auditee‘s personnel and the audit team. Non-interactive audit activities involve no human interaction with persons representing the auditee but do involve interaction with equipment, facilities and documentation.
The responsibility of the effective application of audit methods for any given audit in the planning stage remains with either the person managing the audit programme or the audit team leader. The audit team leader has this responsibility for conducting the audit activities.
The feasibility of remote audit activities can depend on the level of confidence between auditor and auditee‘s personnel.
On the level of the audit programme, it should be ensured that the use of remote and on-site application of audit methods is suitable and balanced, in order to ensure satisfactory achievement of audit programme objectives.
TVE CERT
174
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
8. Selection of the audit methods
The person managing the audit programme should select and determine the methods for effectively conducting an audit, depending on the defined audit objectives, scope and criteria.
Where two or more auditing organizations conduct a joint audit of the same auditee, the persons managing the different audit programmes should agree on the audit method and consider implications for resourcing and planning the audit. If an auditee operates two or more management systems of different disciplines, combined audits may be included in the audit programme.
9. Selection of the audit team members The audit team performing any audit should include the team leader and any technical experts needed for the specific audit. An audit team is selected, taking into account the competence needed to achieve the objectives of the individual audit within the defined scope. If there is only one auditor, the auditor performs all applicable duties of an audit team leader. In deciding the size and composition of the audit team for the specific audit, consideration is given to the following:
a. the overall competence of the audit team needed to achieve audit objectives, taking into account audit scope and criteria. b. complexity of the audit and if the audit is a combined or joint audit. c. the audit methods that have been selected. d. legal and contractual requirements and other requirements to which the organization is committed. e. the need to ensure the independence of the audit team members from the activities to be audited and to avoid any conflict of interest.
TVE CERT
175
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
f. the ability of the audit team members to interact effectively with the representatives of the auditee and to work together. g. the language of the audit, and the auditee‘s social and cultural characteristics.
These issues may be addressed either by the auditor‘s own skills or through the support of a technical expert.
If the necessary competence is not covered by the auditors in the audit team, technical experts with additional competence should be included in the team. Technical experts should operate under the direction of an auditor, but should not act as auditors.
Auditors in training may be included in the audit team, but should participate under the direction and guidance of an auditor.
Adjustments to the size and composition of the audit team may be necessary during the audit, i.e. if a conflict of interest or competence issue arises. If such a situation arises, it should be discussed with the appropriate parties (e.g. audit team leader, the person managing the audit programme, audit client or auditee) before any adjustments are made.
10. Audit Programme Records
TVE CERT
Audit Plan
Audit Schedule
Audit Cheklist
Working Paper
Audit Report
Non- Conformity Reports
Corrective & Preventive Action Reports
Reports of Audit Programme Review
Auditor Personnel Record
176
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
Auditor Competence
Auditor Performance Evaluation
Maintenance & Improvement of Competence.
11. Monitoring the Audit Programme
The
person
managing
the
audit
programme
should
monitor
its
implementation considering the need to:
a. evaluate conformity with audit programmes, schedules and audit objectives. b. evaluate the performance of the audit team members. c. evaluate the ability of the audit teams to implement the audit plan. d. evaluate feedback from top management, auditees, auditors and other interested parties. Some factors may determine the need to modify the audit programme, such as the following:
audit finding.
demonstrated level of management system effectiveness.
changes to the client‘s or the auditee‘s management system.
changes to standards, legal and contractual requirements and other requirements to which the organization is committed.
change of supplier.
12. Reviewing and improving the audit programme The audit programme is reviewed to assess whether its objectives have been achieved. Lessons learned from the audit programme review should be used as inputs for the continual improvement process for the programme.
TVE CERT
177
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
The audit programme review should consider the following:
a. results and trends from audit programme monitoring. b. conformity with audit programme procedures. c. evolving needs and expectations of interested parties. d. audit programme records. e. alternative or new auditing methods. f. effectiveness of the measures to address the risks associated with the audit programme. g. confidentiality and information security issues relating to the audit programme.
The person managing the audit programme should review the overall implementation of the audit programme, identify areas of improvement, amend the programme if necessary, and should also:
review the continual professional development of auditors, in accordance
report the results of the audit programme review to the top management.
TVE CERT
178
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
5.2 Establishing the audit programme objectives
Plan
5.3 Establishing the audit programme 5.3.1 Roles and responsibilities of the person managing the audit programme 5.3.2 Competence of the person managing the audit programme 5.3.3 Establishing the extent of the audit programme 5.3.4 Identifying and evaluating audit programme risks 5.3.5 Establishing procedures for the audit programme 5.3.6 Identifying audit programme resources
5.4 Implementing the audit programme 5.4.1 General Competence and evaluation of auditors (Clause 7)
5.4.2 Defining the objectives, scope and criteria for an individual audit
Do
5.4.3 Selecting the audit methods 5.4.4 Selecting the audit team members 5.4.5 Assigning responsibility for an individual audit
Performing an audit
to the audit team leader
(clause 6)
5.4.6 Managing the audit programme outcome 5.4.7 Managing and maintaining audit programme records
Check
5.5 Monitoring the audit programme
Act
5.6 Reviewing and Improving the audit programme
NOTE 1-This figure illustrates the application of the Plan-Do-Check-Act cycle in this International Standard. NOTE 2-Clause/sub clause numbering refers to the relevant clauses/sub clauses of this International Standard.
Figure 1 — Process flow for the management of an audit programme
TVE CERT
179
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
Audit Related Forms
TVE CERT
180
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
Audit Plan Organization Name
Ref. No.
Audit Criteria / Standard / Reference documents ISO 9001:2015 Audit Objective (s) Stage -1
Stage -2
Recertification
Surveillance [No. ]
Head Office Site(s)
Scope of Certification Exclusions (if any)
IAF / NACE
Mobile No.
Contact Person Audit Date(s)
Total Man days
Role
Name
ARN1
Remarks
Team Leader Audit Team Auditor(s) Technical Area / Sector Expert Remarks Sign: Date:
TVE CERT
181
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
Audit Plan (Schedule)
Organization
Ref. No.
Location
Standard
Date
Time
o o o
TVE CERT
Stage 1 √ Stage 2 Surveillance [ ] Recertification
Assessment Areas [Auditor / Lead Auditor]
[Auditor / Member]
[/ TE]
Audit Schedule for stage 2 should be prepared during stage 1 audit and may be changed, if required, during the opening meeting of stage 2. Audit schedule should be prepared for each site separately. Each man-day is equivalent to 8 working hours excluding lunch and travel
182
Issue Date: SEP 2015
Quality Management Systems Auditor / Lead Auditor Training Course
AUDIT CHECK LIST
Checklist process: QMS Clause No.
TVE CERT
Page
of
Date of Preparation REQUIREMENT/QUESTION
ACTIVITY COMPLIANCE Y/N
Issue Date: 183SEP 2015
COMMENTS / REMARKS
Quality Management Systems Auditor / Lead Auditor Training Course
Working Paper
Auditor Name: S. No
QMS Clause Ref.
Date: Audit Notes
TVE CERT
Comments / Remarks
Issue Date: SEP 2015
184
Quality Management Systems Auditor / Lead Auditor Training Course
An
Audit Report Submitted to
M/s_______________________________________________ Address---------------------------------------------------------------------
Ref No.
Disclaimer: - The Auditing is based on a sampling process of the available information and consequently there is an element of uncertainty which may be reflected in the Audit findings. Those relying or acting upon the Audit results and conclusions to be aware of this uncertainty. The Audit recommendations are subject to an independent review, prior to decision.
TVE Certification Services Pvt. Ltd. 21/26B, Kamarajar Street, K.K. Nagar, Trichy-620 021 Ph: 0431-2352288, Mob: 9361444418, 9360728434 Email: [email protected] Website: www.tvecert.org
TVE CERT
Issue Date: SEP 2015
185
Quality Management Systems Auditor / Lead Auditor Training Course
Audit Report
STAGE 2
Management Representative Exclusion
Audit Criteria [Standard] [ISO 9001:2015/ ISO 14001:2015/ OHSAS 18001:2007]
Audit Objectives
[ISO 9001]
Determination of the conformity of the client’s management system, or parts of it, w ith audit criteria; Evaluation of the ability of the management system to ensure that the client organiz ation meets applicable statutory, regulatory and contractual requirements; Evaluation of the effectiveness of the management system to ensure that the client organization is continually meeting its specified objectives; Identification of areas for potential improvement of the management system.
Audit Scope [confirmed] Audit Site[s] Date[s] of audit
[Dates of Stage 2 only]
Technical Code
[IAF-NACE]
Team Leader Audit Team
Auditor[s] Technical Expert
Brief Profile of the organization Including main products/ services and customers
Positive features
TVE CERT
Issue Date: SEP 2015
186
Quality Management Systems Auditor / Lead Auditor Training Course
Evaluation of Internal Audits
[Kindly provide comments related to audit plan, internal auditors, areas covered, any impartiality, non conformities raised, periodicity etc.]
Evaluation of Management Review
[Kindly provide comments on the periodicity, agenda, review output, participants etc.]
Non Conformities
[Kindly provide comments on the types of nonconformities and status]
Observations/ areas for potential Improvement
Overall Comment on the compliance of the system, to the requirements of the standard for meeting organization policies and objectives.
TVE CERT
Issue Date: SEP 2015
187
Quality Management Systems Auditor / Lead Auditor Training Course
Conclusion and Recommendation Based on the information and audit evidences gathered audit team concluded to:
Recommend for grant of certification Certification will be recommended subject to acceptance of corrective actions evidence Recommend for follow up assessment Recommend for full assessment again
Remarks:-
I pledge that the report and records will remain confidential and will not be shared with any other person or organization and abide with the confidentiality and no conflict of interest agreement signed.
(Signature) Team Leader
To Audit Manager, TVE Certification Services Pvt. Ltd. Attachments (Kindly tick)
✓ Audit team Allocation Plan ✓ Audit schedule ✓ Certification Assessment Plan ✓ Scope of Certification
Non Conformity Reports ✓ Attendance Sheet ✓ Assessment Checklist ✓ Ongoing Surveillance Plan
Note: Auditors may use blank sheets for putting any supplementary/ additional information.
TVE CERT
Issue Date: SEP 2015
188
Quality Management Systems Auditor / Lead Auditor Training Course
ISO 9001:2015 AUDIT - NONCONFORMITY REPORT Name of the Company:
Non Conformity No.:______
Area Under Review: ___________________________.
Category : Major / Minor
ISO 9001:2015 Clause No.:________
√ (tick ) Most Appropriate
Description of the nonconformity (Max 3 marks): _____________________________________________________________________________ _____________________________________________________________________________ _____________________________________________________________________________ Relevant evidence (Max 3 Marks): ____________________________________________________________________________ _____________________________________________________________________________
ISO 9001:2015 clause and requirement (Max 1 Mark): _______________________________________________________________________________ _______________________________________________________________________________
Auditor :
TVE CERT
Issue Date: SEP 2015
189
Quality Management Systems Auditor / Lead Auditor Training Course
PERFORMING AN AUDIT – PRE AUDIT ACTIVITIESPLANNING THE AUDIT –PART- I This Chapter gives guidance on preparing and conducting audit activities as part of an audit programme Figure provides an overview of typical audit activities. The extent to which the provisions of this clause are applicable depends on the objectives and scope of the specific audit. 6.2 Initiating the audit 6.2.1 General 6.2.2 Establishing initial contact with the auditee 6.2.3 Determining the feasibility of the audit
6.3 Preparing audit activities 6.3.1 Performing document review in preparation for the audit 6.3.2 Preparing the audit plan 6.3.3 Assigning work to the audit team 6.3.4 Preparing work documents
6.4 Conducting the audit activities 6.4.1 General 6.4.2 Conducting the opening meeting 6.4.3 Performing document review while conducting the audit 6.4.4 Communicating during the audit 6.4.5 Assigning roles and responsibilities of guides and observers 6.4.6 Collecting and verifying information 6.4.7 Generating audit findings 6.4.8 Preparing audit conclusions 6.4.9 Conducting the closing meeting
6.5 Preparing and distributing the audit report 6.5.1 Preparing the audit report 6.5.2 Distributing the audit report
6.6 Completing the audit
6.7 conducting audit follow up (if Specified in the audit plan) NOTE
Sub clause numbering refers to the relevant sub clauses of this International Standard.
Figure2 — Typical audit activities
TVE CERT
Issue Date: SEP 2015
190
Quality Management Systems Auditor / Lead Auditor Training Course
Typical audit activities may be divided into three phases. 1. Pre-audit Activities 2. On-site Audit Activities 3. Post Audit activities
PRE-AUDIT ACTIVITIES
1. Initial contact with the Auditee
The initial contact with the auditee for the performance of the audit can be informal or formal and should be made by the audit team leader. The purposes of the initial contact are the following
establish communications with the auditee‘s representatives
confirm the authority to conduct the audit
provide information on the audit objectives, scope, methods and audit team composition, including technical experts
request access to relevant documents and records for planning purposes
determine applicable legal and contractual requirements and other requirements relevant to the activities and products of the auditee
confirm the agreement with the auditee regarding the extent of the disclosure and the treatment of confidential information
make arrangements for the audit including scheduling the dates
determine any location-specific requirements for access, security, health and safety or other
agree on the attendance of observers and the need for guides for the audit team
determine any areas of interest or concern to the auditee in relation to the specific audit.
TVE CERT
Issue Date: SEP 2015
191
Quality Management Systems Auditor / Lead Auditor Training Course
2. Feasibility of the audit
The feasibility of the audit should be determined to provide reasonable confidence that the audit objectives can be achieved.
The determination of feasibility should take into consideration such factors as the availability of the following:
sufficient and appropriate information for planning and conducting the audit
adequate cooperation from the auditee
adequate time and resources for conducting the audit.
Where the audit is not feasible, an alternative should be proposed to the audit client, in agreement with the auditee.
3. Document Review
The relevant management system documentation of the auditee should be reviewed in order to:
gather information to prepare audit activities and applicable work e.g. on processes, functions
Establish an overview of the extent of the system documentation to detect possible gaps.
a. Conducting the document review
The auditors should consider if:
the information in the documents provided is:
complete
correct
consistent
TVE CERT
Issue Date: SEP 2015
192
Quality Management Systems Auditor / Lead Auditor Training Course
current
the documents being reviewed cover the audit scope and provide sufficient information to support the audit objectives
the use of information and communication technologies, depending on the audit methods, promotes efficient conduct of the audit: specific care is needed for information security due to applicable regulations
on protection of data (in particular for information which lies outside the audit scope, but which is also contained in the document).
The documentation should include, as applicable, management system documents and records, as well as previous audit reports. The document review should take into account the size, nature and complexity of the auditee‘s management system and organization, and the audit objectives and scope.
4. Preparation of Audit Plan The audit team leader should prepare an audit plan based on the information contained in the audit programme and in the documentation provided by the auditee. The audit plan should consider the effect of the audit activities on the auditee‘s processes and provide the basis for the agreement among the audit client, audit team and the auditee regarding the conduct of the audit. The plan should facilitate the efficient scheduling and coordination of the audit activities in order to achieve the objectives effectively.
In preparing the Audit plan the following to be considered Sampling Techniques
the composition of the audit team and its collective competence.
the risks to the organization created by the audit.
For example, risks to the organization may result from the presence of the audit team members influencing health and safety, environment and quality, and their presence presenting threats to the auditee‘s products, services, personnel or infrastructure (e.g. contamination in clean room facilities). TVE CERT
Issue Date: SEP 2015
193
Quality Management Systems Auditor / Lead Auditor Training Course
For combined audits, particular attention should be given to the interactions between operational processes and the competing objectives and priorities of the different management systems.
The scale and content of the audit plan may differ, for example, between initial and subsequent audits, as well as between internal and external audits. The audit plan should be sufficiently flexible to permit changes which can become necessary as the audit activities progress. The audit plan should cover or reference the following: a. the audit objectives b. the audit scope, including identification of the organizational and functional units, as well as processes to be audited c. the audit criteria and any reference documents d. the locations, dates, expected time and duration of audit activities to be conducted, including meetings with the auditee‘s management e. the audit methods to be used, including the extent to which audit sampling is needed to obtain sufficient audit evidence and the design of the sampling plan, if applicable f. the roles and responsibilities of the audit team members, as well as guides and observers g. the allocation of appropriate resources to critical areas of the audit. h. identification of the auditee‘s representative for the audit i.
the working and reporting language of the audit where this is different from the
j.
language of the auditor or the auditee or both
the audit report topics
k. logistics
and
communications
arrangements,
including
specific
arrangements for the locations to be audited l.
any specific measures to be taken to address the effect of uncertainty on achieving the audit objectives
m. matters related to confidentiality and information security n. any follow-up actions from a previous audit o. any follow-up activities to the planned audit p. co-ordination with other audit activities, in case of a joint audit. TVE CERT
Issue Date: SEP 2015
194
Quality Management Systems Auditor / Lead Auditor Training Course
PERFORMING AN AUDIT – PRE AUDIT ACTIVITIESPLANNING THE AUDIT –PART- II This chapter deals about the pre audit activities like the preparation of the work documents like the audit checklist and the Sampling techniques.
1. Work Documents
The audit team members should collect and review the information relevant to their audit assignments and prepare work documents, as necessary, for reference and for recording audit evidence. Such work documents may include the following:
checklists
audit sampling plans
forms for recording information, such as supporting evidence, audit findings and records of meetings.
The use of checklists and forms should not restrict the extent of audit activities, which can change as a result of information collected during the audit. Preparing work documents
When preparing work documents, the audit team should consider the questions below for each document. a. Which audit record will be created by using this work document? b. Which audit activity is linked to this particular work document? c. Who will be the user of this work document? d. What information is needed to prepare this work document?
TVE CERT
Issue Date: SEP 2015
195
Quality Management Systems Auditor / Lead Auditor Training Course
For combined audits, work documents should be developed to avoid duplication of audit activities by:
clustering of similar requirements from different criteria
coordinating the content of related checklists and questionnaires.
The work documents should be adequate to address all those elements of the management system within the audit scope and may be provided in any media.
2. Sampling a. General
Audit sampling takes place when it is not practical or cost effective to examine all available information during an audit, e.g. records are too numerous or too dispersed geographically to justify the examination of every item in the population.
The objective of audit sampling is to provide information for the auditor to have confidence that the audit objectives can or will be achieved.
b. Sampling Risks
The risk associated with sampling is that the samples may be not representative of the population from which they are selected, and thus the auditor‘s conclusion may be biased and be different to that which would be reached if the whole population was examined.
C. Sampling Steps
establishing the objectives of the sampling plan
selecting the extent and composition of the population to be sampled
selecting a sampling method
determining the sample size to be taken
TVE CERT
Issue Date: SEP 2015
196
Quality Management Systems Auditor / Lead Auditor Training Course
conducting the sampling activity
compiling and evaluating, reporting and documenting results
d. Sampling Methods Judgement-Based Sampling
Judgement-based sampling relies on the knowledge, skills and experience of the audit team for judgement-based sampling, the following can be considered:
previous audit experience within the audit scope
complexity of requirements (including legal requirements) to achieve the objectives of the audit
complexity and interaction of the organization‘s processes and management system elements
degree of change in technology, human factor or management system
previously identified key risk areas and areas of improvement
output from monitoring of management systems.
A drawback to judgement-based sampling is that there can be no statistical estimate of the effect of uncertainty in the findings of the audit and the conclusions reached.
Statistical Sampling
Statistical sampling design uses a sample selection process based on probability theory. Attribute-based sampling is used when there are only two possible sample outcomes for each sample (e.g. correct/incorrect or pass/fail). Variable-based sampling is used when the sample outcomes occur in a continuous range.
The sampling plan should take into account whether the outcomes being examined are likely to be attribute-based or variable-based. For example, when evaluating conformance of completed forms to the requirements set out TVE CERT
Issue Date: SEP 2015
197
Quality Management Systems Auditor / Lead Auditor Training Course
in a procedure, an attribute-based approach could be used. When examining the occurrence of food safety incidents or the number of security breaches, a variable-based approach would likely be more appropriate.
e. Elements Affecting the Audit Sampling
The key elements that will affect the audit sampling plan are:
the size of the organization
the number of competent auditors
the frequency of audits during the year
the time of individual audit
any externally required confidence level
3. CHECKLISTS
a. Introduction This session covers the purpose, role and use of audit checklists to support the audit process for an on-site audit.
b. Purpose The purpose of auditor checklists is to provide a reference document for use during the audit process which helps the auditor keep to the prepared plan for the audit both in terms of time and content.
In preparing a checklist the auditor should
be familiar with the Safety Management System
relate the checklist to the department / area to be audited
relate the work to be done to the time available
The format of the checklist is at the auditor‘s discretion.
TVE CERT
Issue Date: SEP 2015
198
Quality Management Systems Auditor / Lead Auditor Training Course
c. Preparation of Checklists
Guidance points for the preparation of audit checklists are:
Before preparing the checklists, the auditor should become fully conversant with the objectives and scope of the audit and the documents specifying the Quality System requirements.
There should be a separate checklist for each department or work area to be visited. Sometimes it may be advantageous to have more than one checklist for a single area where there is more than one function applicable to that area, e.g. production and inspection.
Time allocated for an audit will depend on number of items on the checklist and their importance.
The amount of detail included in the checklist about the activities for examination should suit needs of the auditor. The auditor may write out a series of questions, or simply list headings.
The checklists should be a good servant but never be the ‗master‘ of the auditor. The auditor may come across information which, if followed up, may provide a valuable insight into the way the company manages quality. However, deviation from a pre-prepared checklist should only be permitted if time allows and the overall objective of the audit is not jeopardised. In general, if an audit has been well planned and the checklist carefully prepared, deviation from the checklist will not be necessary.
The following documents can be used / referred while preparing a check-list:
Legal/Statutory sector specific requirements/mandatory in law
Quality System standard e.g. ISO 9001
Customer requirements
Company‘s Quality system documentation
Personal experience (not personal bias)
In a situation, wherein there is no documentation for an activity, a checklist can still be prepared, based on the above points. TVE CERT
Issue Date: SEP 2015
199
Quality Management Systems Auditor / Lead Auditor Training Course
d. Advantages of checklists
Pre-planning the audit by preparing checklists is one of the techniques of effective auditing. The use of checklists:
Checklists if developed for a specific audit and used correctly: o Promote planning for the audit. o Ensure a consistent audit approach. o Act as a sampling plan and time manager. o Serve as a memory aid. o Provide a repository for notes collected during the audit process (audit field notes)
Audit checklists need to be developed to provide assistance to the audit process.
Auditors need to be trained in the use of a particular checklist and be shown how to use it to obtain maximum information by using good questioning techniques.
Checklists should assist an auditor to perform better during the audit process.
Checklists help to ensure that an audit is conducted in a systematic and
comprehensive manner and that adequate evidence is
obtained.
Checklists can provide structure and continuity to an audit and can ensure that the
Checklists can provide a means of communication and a place to record data for
audit scope is being followed.
use for future reference.
A completed checklist provides objective evidence that the audit was performed.
A checklist can provide a record that the QMS was examined.
Checklists can be used as an information base for planning future audits.
Checklists can be provided to the auditee ahead of the on-site audit.
TVE CERT
Issue Date: SEP 2015
200
Quality Management Systems Auditor / Lead Auditor Training Course
e. Disadvantages of Checklist
In contrast, when audit checklists are not available, or poorly prepared, the following issues/concerns are noted:
The checklist can be seen as intimidating to the auditee.
The focus of the checklist may be too narrow in scope to identify specific problem areas.
Checklists are a tool to aid the auditor, but will be restrictive if used as the auditor‘s only support mechanism.
Checklists should not be a substitute for audit planning.
An inexperienced auditor may not be able to clearly communicate what he/she is looking for, if they depend too heavily on a checklist to guide their questions.
Poorly prepared checklists can slow down an audit due to duplication and repetition.
Generic checklists, which do not reflect the specific organizational management system, may not add any value and may interfere with the audit.
Narrow
focused
checklists
minimize
unique
assessment
questions/approach
f. Essential features of a Process Based Checklist
The PDCA Approach
Process Performance Measures (Plan)
Expected results (Plan)
Process map (Plan)
Process owner (Plan)
Sequence of activities (Plan)
SOPs \ WIs (Plan)
TVE CERT
Issue Date: SEP 2015
201
Quality Management Systems Auditor / Lead Auditor Training Course
Implementation (Do)
Monitoring (Do/Check)
Reviewing process measures (Check)
Analysis of data (Check \ Act)
Improvements activities (Act)
g. Conclusion
There are advantages and disadvantages in using audit checklists. It depends on many factors, including customer needs, time and cost restraints, auditor experience and sector scheme requirements. Auditors should assess the value of the checklist as an aid in audit process and consider its use as a functional tool.
TVE CERT
Issue Date: SEP 2015
202
Quality Management Systems Auditor / Lead Auditor Training Course
ON-SITE AUDIT ACTIVITIES-CONDUCTING THE AUDIT-PART-I This chapter deals about the on-site audit activities like the opening meeting, the significance of stage1 audit and the document review done during the stage 1 audit.
The following are the steps in the on-site audit activities.
On-site Audit Activities: 1. Opening Meeting 2. Stage-1 Audit 3. Stage-2 Audit 4. Communication during the Audit 5. Collecting and verifying information 6. Audit conclusions 7. Audit conclusions & Closing meeting
1. Opening Meeting
The primary purpose of an audit opening meeting is
to
confirm
the
audit
plan
and
prior
arrangements. It is also an opportunity to introduce the audit team members and describe your audit approach.
The opening meeting is chaired by the Lead Auditor and held with management of the organization and the areas to be audited. The meeting should be conducted in a friendly manner and put the auditee at ease. You want to create a sense of trust and cooperation from the very start of the audit. If you will be assigned guides, or be accompanied by observers, the opening meeting can be used to carefully explain their roles to avoid possible disruptions during the audit. TVE CERT
Issue Date: SEP 2015
203
Quality Management Systems Auditor / Lead Auditor Training Course
Remember to allocate time in the opening meeting for the auditee to ask questions. The opening meeting can also give insights into the level of management commitment and support.
The detail covered in an opening meeting should be consistent with the familiarity of the auditee with the audit process. For internal audits in a small organization, the opening meeting may simply consist of communicating that an audit is being conducted and explaining the nature of the audit.
For other audit situations, particularly third-party audits, the opening meeting may be quite formal and even capture attendance records. The following agenda topics should be considered, as appropriate:
Agenda
Introduction of meeting participants
Roles of auditor auditee guide observer
Attendance list (names, titles, contact information)
Audit objective (purpose or reason for the audit)
Audit scope (coverage of areas processes clauses)
Audit criteria (applicable requirements)
Documentation status (changes since plan developed)
Agenda plan (agenda assignments meetings times)
Audit methods (procedure sampling forms)
Risk management (reduce risk from presence of audit team)
Communications (auditee to be kept well-informed)
Language (to be used during the audit)
Confirmation of resources and facilities
Confidentiality (results only to the auditee)
Safety, security, and emergency considerations
Reporting method (including severity grading, if any)
Closing meeting (date, time, and location)
Acknowledgments (who accepts nonconformities)
TVE CERT
Issue Date: SEP 2015
204
Quality Management Systems Auditor / Lead Auditor Training Course
Complaints or appeals (system for feedback)
Concerns or questions (ready to begin audit?)
Participants
Most of the companies adopt the policy of having their
management
strongly
represented
at
opening meetings to demonstrate to the auditors the company‘s commitment to their Quality System.
Few companies send managers also to opening meetings as a means of communicating the quality message and gaining commitment to the Quality System. However, it is a matter for the auditee company to decide who will be present.
The Lead Auditor should go into the opening meeting well prepared with a written agenda along with the opening meeting check list and should conduct the meeting in a business-like and professional manner.
The auditors may have questions of a general nature to ask about the Quality System of the company. It is sometimes appropriate to ask these during the opening meeting. However, if there are a large number of people attending the meeting, it is better to keep the questions for a subsequent discussion with the Management representatives to avoid keeping managers away from their work longer than is necessary. Also, if the auditor asks for information about the Quality System during the opening meeting there is a risk that lengthy explanations by the auditee‘s management will extend the meeting and upset the audit programme. The auditors should ask questions in less formal settings when they can, without discourtesy, interrupt if an explanation becomes unnecessarily long or irrelevant.
TVE CERT
Issue Date: SEP 2015
205
Quality Management Systems Auditor / Lead Auditor Training Course
The Lead Auditor should ensure that a record is kept of those attending and particular concerns raised.
The meeting should be in time and to the point. Presentations by the company – such as slide shows – should be politely declined as they would take time out of the audit programme.
2. Stage-1 Audit
The stage 1 audit shall be performed to
a. audit the client's management system documentation (review the client documentation) b. evaluate the client's location and site-specific conditions and to undertake discussions with the client's personnel to determine the preparedness for the stage 2 audit c. review the client's status and understanding regarding requirements of the standard, in particular with respect to the identification of key performance
or
significant
aspects,
processes,
objectives
and
operation of the management system d. collect necessary information regarding the scope of the management system, processes and location(s) of the client, and related statutory and regulatory aspects and compliance (e.g. quality, environmental, legal aspects of the client's operation, associated risks, etc.) e. review the allocation of resources for stage 2 audit and agree with the client on the details of the stage 2 audit f. provide a focus for planning the stage 2 audit by gaining a sufficient understanding of the client's management system and site operations in the context of possible significant aspects g. evaluate if the internal audits and management review are being planned and performed, and that the level of implementation of the management system substantiates that the client is ready for the stage 2 audit.
TVE CERT
Issue Date: SEP 2015
206
Quality Management Systems Auditor / Lead Auditor Training Course
For most management systems, it is recommended that at least part of the stage 1 audit be carried out at the client's premises in order to achieve the objectives stated above. Stage 1 audit findings shall be documented and communicated to the client, including identification of any areas of concern that could be classified as nonconformity during the stage 2 audit.
In determining the interval between stage 1 and stage 2 audits, consideration shall be given to the needs of the client to resolve areas of concern identified during the stage 1 audit. The certification body may also need to revise its arrangements for stage 2.
3. Documentation Review
The auditors should consider if: The information in the documents provided is:
complete (all expected content is contained in the document)
correct (the content conforms to other reliable sources such as standards and regulations)
consistent (the document is consistent in itself and with related documents)
current (the content is up to date)
the documents being reviewed cover the audit scope and provide sufficient information to support the audit objectives
the use of information and communication technologies, depending on the audit methods, promotes efficient conduct of the audit: specific care is needed for information security due to applicable regulations on protection of data (in particular for information which lies outside the audit scope, but which is also contained in the document).
TVE CERT
Issue Date: SEP 2015
207
Quality Management Systems Auditor / Lead Auditor Training Course
ON-SITE AUDIT ACTIVITIES-CONDUCTING THE AUDIT-PART-II This chapter deals about the stage 2 audit conducted onsite on the clients management system. Also it deals about the communication through interviews during the audit and the methods of verifying and collecting information during the audit
1. Stage 2 Audit
The stage 2 audit is the onsite audit activity that starts with the opening meeting with the Top management and the members of the organisation being audited.
The purpose of the stage 2 audit is to evaluate the implementation, including effectiveness, of the client's management system. The stage 2 audit shall take place at the site(s) of the client.
It shall include at least the following: a. information and evidence about conformity to all requirements of the applicable management system standard or other normative document b. performance monitoring, measuring, reporting and reviewing against key
performance objectives and targets (consistent with the
expectations in the applicable management system standard or other normative document) c. the client's management system and performance as regards legal compliance d. operational control of the client's processes e. internal auditing and management review f. management responsibility for the client's policies g. links between the normative requirements, policy, performance objectives and targets(consistent with the expectations applicable
management
system
TVE CERT
in
the
standard or other normative Issue Date: SEP 2015
208
Quality Management Systems Auditor / Lead Auditor Training Course
document),
any
applicable
legal
requirements,
responsibilities,
competence of personnel, operations, procedures, performance data and internal audit findings and conclusions.
2. Communication during the audit
During the audit, it may be necessary to make formal arrangements for communication within the audit team, as well as with the auditee, the audit client and potentially with external bodies (e.g. regulators), especially where legal requirements require the mandatory reporting of non-compliances.
The audit team should confer periodically to exchange information, assess audit progress, and reassign work between the audit team members, as needed.
During the audit, the audit team leader should periodically communicate the progress of the audit and any concerns to the auditee and audit client, as appropriate. Evidence collected during the audit that suggests an immediate and significant risk to the auditee should be reported without delay to the auditee and, as appropriate, to the audit client.
Any concern about an issue outside the audit scope should be noted and reported to the audit team leader, for possible communication to the audit client and auditee.
Where the available audit evidence indicates that the audit objectives are unattainable, the audit team leader should report the reasons to the audit client and the auditee to determine appropriate action. Such action may include reconfirmation or modification of the audit plan, changes to the audit objectives or audit scope, or termination of the audit.
Any need for changes to the audit plan which may become apparent as auditing activities progress should be reviewed and approved, as appropriate, by both the person managing the audit programme and the auditee. TVE CERT
Issue Date: SEP 2015
209
Quality Management Systems Auditor / Lead Auditor Training Course
3. Collecting & Verifying Information
During the audit, information relevant to the audit objectives, scope and criteria, including information relating to interfaces between functions, activities and processes,
should
be
collected
by means of
appropriate sampling and should be verified. Only information that is verifiable should be accepted as audit evidence.
Audit evidence leading to audit findings should be recorded. If, during the collection of evidence, the audit team becomes aware of any new or changed circumstances or risks, these should be addressed by the team accordingly.
Methods of collecting information include the following:
interviews with employees and other persons
observations of activities and the surrounding work environment and conditions
documents, such as policies, objectives, plans, procedures, standards, instructions, licenses and permits specifications, drawings, contracts and orders
records, such as inspection records, minutes of meetings, audit reports, records of monitoring programme and the results of measurements
data summaries, analyses and performance indicators
information on the auditee‘s sampling plans and on the procedures for the control of sampling and measurement processes
reports from other sources, e.g. customer feedback, external surveys and measurements, other relevant information from external parties and supplier ratings
databases and websites
simulation and modelling.
TVE CERT
Issue Date: SEP 2015
210
Quality Management Systems Auditor / Lead Auditor Training Course
4. Observation (on visiting the auditee’s location)
To minimize interference between audit activities and the auditee‘s work processes and to ensure the health and safety of the audit team during a visit, the following should be considered:
a. Planning the visit: ensure permission and access to those parts of the auditee‘s location, to be visited in accordance within the audit scope provide adequate information (e.g. briefing) to auditors on security, health (e.g. quarantine),
occupational health and safety matters and cultural norms for the visit including requested and recommended
vaccination and clearances, if applicable
confirm with the auditee that any required personal protective equipment (PPE) will be available for the audit team, if applicable
except for unscheduled ad hoc audits, ensure that personnel being visited will be informed about the audit objectives and scope
b. On-site activities:
avoid any unnecessary disturbance of the operational processes
ensure that the audit team is using PPE properly
ensure emergency procedures are communicated (e.g. emergency exits, assembly points)
schedule communication to minimize disruption
adapt size of the audit team and the number of guides and observers in accordance with the audit scope, in order to avoid interference with the operational processes as far as practicable
do not touch or manipulate any equipment, unless explicitly permitted, even
when competent or licensed
TVE CERT
Issue Date: SEP 2015
211
Quality Management Systems Auditor / Lead Auditor Training Course
if an incident occurs during the on-site visit, the audit team leader should review the situation with the auditee and, if necessary, with the audit client and reach agreement on whether the audit should be interrupted, rescheduled or continued
if taking photographs or video material, ask for authorization from management in advance and consider security and confidentiality matters and avoid taking photographs of individual persons without their permission if taking copies of documents of any kind, ask for permission in advance and consider confidentiality and security matters.
when taking notes, avoid collecting personal information unless required by the audit objectives or audit criteria.
5. Conducting Interviews
a. The Communication Process
Hearing, seeing, speaking and body language are all methods of direct communication whereas writing and reading would be considered as indirect. Many people are not, accomplished at communicating directly or indirectly. Let‘s look at some of the problems with which we are faced when it comes to ―straight forward communication:
Language is often open to varying interpretations
The average person only has a 25% efficiency rating when it comes to actual listening
About 90% of learning is achieved via our ears and eyes
Body language is a very efficient mode of communication, but difficult to evaluate and is often not taken into account at all when formalising reports etc. and can influence people in a positive or negative way quicker than any other form of communication
TVE CERT
Issue Date: SEP 2015
212
Quality Management Systems Auditor / Lead Auditor Training Course
Most people hear what they want to hear, and respond in a manner they believe you want to hear
With this in mind, we can appreciate the problems the auditor is faced with, so communication between the auditor and auditee must be good to achieve positive results, This can be influenced by either party during the health and safety audit, but essentially rests with how the auditor handles the communication process between himself and all other parties during the audit. Other ―tips‖ to polish communication skills include those non-verbal communications and body language observations that all give clues to the auditee‘s confidence with the activities being examined. These are:
Eye contact – can give a good indication of the attentiveness and interest being given during questioning. Eye contact is often difficult to maintain during the health and safety audit due to the need to constantly refer to checklists and reference documents, and selecting objective evidence
Facial expressions – often provide feedback from the auditee, the eyebrow being raised for example may be read as disbelief or surprise
Voice tone – may also provide a good indication of the level of knowledge of the auditee where the obvious slow deliberate tone may indicate lack of knowledge or understanding of a procedure; a quick voice response may indicate nervousness
Posture – can also provide positive evidence of boredom of confusion
Whichever signs are present it takes considerable practice before one becomes refined in identifying and correctly interpreting the ―vibes‖. Remembering that this type of feedback must be seen only as an indicator, wherever possible it should always be confirmed using other sources of feedback to ensure that the correct interpretations are being made.
TVE CERT
Issue Date: SEP 2015
213
Quality Management Systems Auditor / Lead Auditor Training Course
It should also be noted that when undertaking health and safety audits the auditee may have been a victim of an accident or incident under investigation or may have witnessed the same. It is now widely accepted that traumatic events often have long lasting psychological effects on those involved or witnessing such events. These may include flash backs, fear of reoccurrence in similar situations or emotional distress when asked to recall the event. It should be clear to all experienced auditors, that under such situations the auditee may respond to questioning regarding these events in an unpredictable manner. The auditor must be sympathetic to any apparent emotional stress being suffered by the auditee and remember that their statements and or recollection of the event may not be complete or wholly accurate. To experience how the auditee may feel or react when recalling a traumatic event, consider an event in your life which you consider traumatic, and answer the following questions:
did you recall all events clearly immediately after the incident?
has your perception of the incident changed with time?
what emotional feelings did you have immediately after the incident?
when you recall the incident now do you still have an emotional reaction?
has this reaction changed with time?
Now consider how you may get the best from an auditee who is clearly still deeply affected by a traumatic event. Use:
compassion
clear sympathetic questioning
patience, understanding approach and also
change the line of questioning if the auditee becomes overwhelmed
stop the interview
TVE CERT
Issue Date: SEP 2015
214
Quality Management Systems Auditor / Lead Auditor Training Course
b. Talking
This is essentially the art of asking questions. Various
questioning
employed
to
help
techniques the
can
auditor
be
gather
information from the auditees. When to use each technique depends very much on the situation, how the auditee is responding, e.g. guarded answers not giving away much information or open discussions adequately describing the activities under review.
Below are some common questioning techniques along with some of the benefits of each. There are of course disadvantages associated with these techniques and the auditor must select the most appropriate techniques to use depending on the prevailing situation.
Technique
Benefits
Open: How……Why….. When….. Where…. What..
Encourages open discussion Relaxes auditee Encourages auditee to describe
How do you carry out your risk
activities in details
assessments? Closed:
Allows definitive answers to be
Do….Can…
obtained
Do you always send a copy of the
Clarifies ambiguity
completed risk assessments to the
Avoids auditee evading questions
Corporate Health and Safety Team? Reflective: You said that….
Confirms information given previously
You said that completed risk
Allows the auditee to expand
assessments from contractors do not
Shows the auditee that the auditor is
always get sent to you. How do.. you
listening
handle those situations?
TVE CERT
Issue Date: SEP 2015
215
Quality Management Systems Auditor / Lead Auditor Training Course
Allows auditor to focus on specific
Comparative:
issues
Comparing…. How do risk assessments produced by teams on site compare with generic risk assessments?
Encourages the auditee to open up discussion Allows comparisons & similarities between activities to be discussed Allows auditor to ask specific questions
Hypothetical: Imagine… What if….
about situations which may not have
What if the risk assessments had been
occurred
reviewed by the manager and approved, but where not adequate for the job, what
Encourages auditee to think in a wider context
steps do you take? Leading: When…. You do this then….
Confirms understanding
When you receive the risk assessments from the contractors, you review them for adequacy, email the result to the purchasing manager and write a letter to the contractors, what happens then?
Prevents the auditee giving information already given
By careful pharsing of questions, guided by checklist the auditor can answer a multitude of paints by asking a single question e.g. ―How do you check all incoming post?‖ This invites the auditee to describe the system. During the answer supplementary questions can be interested such as, ―Why do you do that?‖ – ―When is this done?‖ – ―How do you report defects?‖ etc.
Such questions need to be kept within the bounds of reason and the sense of proportion mentioned earlier helps here. Do not be afraid to say ―I don‘t understand!‖ and ask for further information. Compare answers given, with answers to the same question given by a different source. Use the ―unasked‖ question. Silence can encourage the auditee to volunteer further information.
Know what the procedures or standards require so that you are clear in your own mind as to what constitutes and acceptable answer and what you will accept as a minimum as objective evidence of compliance.
TVE CERT
Issue Date: SEP 2015
216
Quality Management Systems Auditor / Lead Auditor Training Course
c. Listening
An audit is an activity involved in the gathering of information. If an auditor is talking, they are not gathering information. It should become second nature to listen.
Listen to what is going on around you
Listen intently and with interest to auditee responses
Encourage the auditee with signals that you are listening and that you are interested
as you listen, evaluate what you hear, make notes, identify new questions to follow on, sort the information from the conversation
d. Looking An important facet of an auditor‘s skill is the gathering of information by observation. Other than viewing the objective evidence provided by records, reports, documentation, products etc., much background information can be gathered by the vigilant auditor. Although the auditor should never reach conclusions based solely on subjective impressions, a good idea of the attitude of management can be gained by examination of the condition and housekeeping prevailing at the premises. A good auditor stores this information and uses it to pursue the audit. Take careful notes at each stage, few people can remember everything. The figure provides an overview of the process, from collecting information to reaching audit conclusions.
TVE CERT
Issue Date: SEP 2015
217
Quality Management Systems Auditor / Lead Auditor Training Course
source of information
Collecting by means of appropriate sampling
Audit Evidence
Evaluating against Audit Criteria Audit Findings
Reviewing Audit Conclusions
Figure 3 — Overview of the process of collecting and verifying information
TVE CERT
Issue Date: SEP 2015
218
Quality Management Systems Auditor / Lead Auditor Training Course
AUDIT FINDINGS Auditors evaluate audit evidence against audit criteria to determine audit findings. These audit findings can indicate conformity or nonconformity with the audit criteria.
Nonconformities and their supporting audit evidence
should
be
recorded.
Nonconformities may be graded in terms of severity, e.g. minor or major, for prioritizing corrective actions.
Review nonconformities with the audited area to obtain acknowledgement that the audit evidence is accurate and the nonconformities are understood. Attempt to resolve any diverging opinions concerning the audit evidence or findings, and record any unresolved issues.
In addition to nonconformities, audit findings should include conformity and good practices, along with their supporting evidence, as well as, opportunities for
improvement
and
recommendations.
Emphasize
that
any
recommendations are not binding.
1. Determining Audit Findings When determining audit findings, consider:
Follow-up of previous audit records and conclusions
Requirements of the audit client (requestor of audit)
Findings exceeding normal practice, or opportunities for improvement
Sample size
Categorization (if any) of the audit findings
TVE CERT
Issue Date: SEP 2015
219
Quality Management Systems Auditor / Lead Auditor Training Course
2. Recording Findings For records of conformity, consider:
Identification of audit criteria against which conformity is shown
Audit evidence to support conformity
Declaration of conformity, if applicable
For records of nonconformity, consider:
Description of, or reference to, audit criteria
Nonconformity declaration
Audit evidence
Related audit findings, if applicable
3. Multiple Criteria
It is possible to identify findings related to multiple criteria. For a finding linked to one criterion on a combined audit, consider the possible impact on corresponding or similar criteria of the other management systems. Depending on arrangements with the audit client, you may:
Issue separate findings for each criterion, or
Raise a single finding with references to multiple criteria
Depending on the arrangements with the audit client, the auditor may guide the auditee on how to respond to those findings.
Conformity is the fulfillment of the requirements.
Non conformity is the nonfulfillment of a requirement. In other words, a specified requirement is not being met. This may be categorized as Major, Minor-Non Conformity
a. Minor Nonconformity Minor Nonconformity is a single observed lapse in the use of defined procedure or requirement.
TVE CERT
Issue Date: SEP 2015
220
Quality Management Systems Auditor / Lead Auditor Training Course
b. Major Nonconformity
Major Nonconformity is raised where 1. There is a total breakdown of a procedure or work instruction critical to product quality, or in the operation of the organisation‘s Quality System; 2. There is a total absence of a procedure required by the Quality System Standard in the organisation‘s Quality System; 3. There are a number of minor lapses in the procedure, which when added together, collectively, suggest a total or important breakdown in the procedure; 4. The non-conformance is likely to result in an immediate hazard to the quality of the product or service being offered. c. Areas of Concern – Opportunities for Improvement:
In some cases, a process may be found conforming, but still an area of concern. These observations may be written as Opportunities for Improvement. Since they are potential problem areas, the organization can consider taking preventive actions for these observations. Corrective actions are taken for the reported nonconformities. Many nonconformity reports are poorly written. Follow these 6 C‘s for improved statements: Complete (contains all the related facts)
why – unmet requirement
what – objective evidence
where – which work area
when – the date and shift
who – by title, if relevant
Correct (accurately conveys the facts) Concise (fully explained in brief terms) Clear (understood for prompt action)
TVE CERT
Issue Date: SEP 2015
221
Quality Management Systems Auditor / Lead Auditor Training Course
Categorized (minor or major, if used) Confirmable (traceable and verifiable)
An audit is only successful if it is the catalyst for prompt and effective corrective action for nonconformities and possible preventive action for opportunities for improvement. A complete and correct nonconformity report is essential. It must be clearly and concisely expressed to initiate the right action.
TVE CERT
Issue Date: SEP 2015
222
Quality Management Systems Auditor / Lead Auditor Training Course
AUDIT CONCLUSIONS AND CLOSING MEETING This chapter deals about the Audit conclusions arrived after the completion of the onsite audit and the presentation of these finding in the closing meeting.
1. Audit Conclusions
The audit team should confer prior to the closing meeting in order to:
Review the audit findings, and any other appropriate information collected during the audit, against the audit objectives
Agree on the audit conclusions, taking into account the uncertainty inherent in the audit process
Prepare recommendations, if specified by the audit plan
Discuss audit follow-up, as applicable.
Audit conclusions can address issues such as the following:
the extent of conformity with the audit criteria and robustness of the management system, including the effectiveness of the management system in meeting the stated objectives
the effective implementation, maintenance and improvement of the management system
the capability of the management review process to ensure the continuing suitability, adequacy, effectiveness and improvement of the management system
achievement of audit objectives, coverage of audit scope, and fulfilment of audit criteria
root causes of findings, if included in the audit plan
similar findings made in different areas that were audited for the purpose of identifying trends. If specified by the audit plan, audit conclusions can lead to recommendations for improvement, or future auditing activities.
TVE CERT
Issue Date: SEP 2015
223
Quality Management Systems Auditor / Lead Auditor Training Course
2. Closing Meeting
The primary purpose of an audit closing meeting is to present the audit findings and conclusions, ensure a clear understanding of the results, and agree on the timeframe for corrective actions.
The meeting is conducted by the lead auditor. The participants should include management of the auditee, as well as, managers of the areas that were audited.
The following agenda topics should be considered, as appropriate
Introductions (attendees not at opening meeting)
Attendance (if required for audit report)
Thanks (time and cooperation)
Scope (reminder of coverage)
Disclaimer (limited sample brief time)
Criteria (applicable requirements)
Conformity areas (strengths positives)
Summary of Nonconformities (by lead auditor)
Nonconformities (from auditors)
Conclusions (conformity, effectiveness, trends)
Diverging opinions (resolved or recorded)
Acknowledgments (signed forms)
Agreements (on proposed actions)
Report (expected date, if not provided)
Non-binding recommendations (if allowed)
Post-audit (actions, complaints, appeals)
Follow-up (verification of corrective actions)
Thanks (courtesy and hospitality)
TVE CERT
Issue Date: SEP 2015
224
Quality Management Systems Auditor / Lead Auditor Training Course
When conducting the closing meeting, speak with authority and listen with interest. Maintain good manners, watch your body language, and maintain control of the meeting.
Keep a record of any issues that are raised during the meeting. If new audit evidence is provided, delete nonconformities that were written in error. However, keep valid nonconformities in the report, even if they were corrected prior to the meeting.
If applicable, the lead auditor should advise the auditee of any situations encountered during the audit that may decrease the confidence that can be placed in the audit conclusions.
If defined in the management system, or by agreement with the audit client, the participants should agree on the time frame for an action plan to address any audit nonconformities.
The level of detail in the closing meeting should be consistent with the familiarity of the auditee with the audit process. For some audits, the meeting may be formal with minutes being kept. In other cases, the closing meeting may be less formal and just communicate the audit findings and audit conclusions.
Any audit team and auditee differences of opinion on the audit findings or conclusions should be discussed and resolved, if possible. If agreement cannot be reached, the auditee concerns should be recorded and the appeals process explained to them.
If recommendations for improvement are presented, you should emphasize that the recommendations are not binding. Finish the meeting with a clear outcome and explain the next steps, assignments, and due dates.
TVE CERT
Issue Date: SEP 2015
225
Quality Management Systems Auditor / Lead Auditor Training Course
POST AUDIT ACTIVITIES - REPORTING AND FOLLOW UP THE AUDIT This chapter deals about the post audit activities like preparation of the audit report, distribution of the audit report and conducting audit follow up if necessary.
1. Preparing the Audit Report
The audit team leader should report the audit results in accordance with the audit programme procedures. The audit report should provide a complete, accurate, concise and clear record of the audit, and should include or refer to the following:
the audit objectives
the audit scope, particularly identification of the organizational and functional units or processes audited
identification of the audit client
identification of audit team and auditee‘s participants in the audit
the dates and locations where the audit activities were conducted
the audit criteria
the audit findings and related evidence
the audit conclusions
a statement on the degree to which the audit criteria have been fulfilled.
2. Distributing the Audit Report
The audit report should be issued within an agreed period of time. If it is delayed, the reasons should be communicated to the auditee and the person managing the audit programme.
TVE CERT
Issue Date: SEP 2015
226
Quality Management Systems Auditor / Lead Auditor Training Course
The audit report should be dated, reviewed and approved, as appropriate, in accordance with audit programme procedures.
The audit report should then be distributed to the recipients as defined in the audit procedures or audit plan.
3. Completing the Audit
The audit is completed when all planned audit activities have been carried out, or as otherwise agreed with the audit client (e.g. there might be an unexpected situation that prevents the audit being completed according to the plan).
Documents pertaining to the audit should be retained or destroyed by agreement between the participating parties and in accordance with audit programme procedures and applicable requirements.
Unless required by law, the audit team and the person managing the audit programme should not disclose the contents of documents, any other information obtained during the audit, or the audit report, to any other party without the explicit approval of the audit client and, where appropriate, the approval of the auditee. If disclosure of the contents of an audit document is required, the audit client and auditee should be informed as soon as possible.
Lessons learned from the audit should be entered into the continual improvement
process
of
the
management
system
of
the
audited
organizations.
4. Conducting Audit Follow-up
The conclusions of the audit can, depending on the audit objectives, indicate the need for corrections, or
TVE CERT
Issue Date: SEP 2015
227
Quality Management Systems Auditor / Lead Auditor Training Course
for corrective, preventive or improvement actions. Such actions are usually decided and undertaken by the auditee within an agreed timeframe. As appropriate, the auditee should keep the person managing the audit programme and the audit team informed of the status of these actions.
The completion and effectiveness of these actions should be verified. This verification may be part of a subsequent audit.
TVE CERT
Issue Date: SEP 2015
228
Quality Management Systems Auditor / Lead Auditor Training Course
AUDITOR RESPONSIBILITIES This chapter deals about the roles and responsibilities of the auditor, lead auditor, auditee, observer and guide also the selection of audit team member, audit principles, auditor confidentiality and the IRCA code of conduct.
1. The Roles and Responsibility of the Lead Auditor
The Lead Auditor is responsible for all aspects of the audit. This responsibility includes:
Ensure the audit scope
Select the audit team
Direct the audit team members
Planning the audit & make effective use of resources
Represent the audit team
Manage the audit team
The preparation of the report
Lead the audit team to reach audit conclusions
Control of the opening and closing meetings
Submission of the report
Audit records
Review of the audit team‘s work
Prevent & resolve conflicts
At the same time, the Lead Auditor also carries out the duties of an auditor.
2. The Role of the Auditor
The auditor is responsible to the Lead Auditor for an allocated segment of the audit programme. This includes:
Communicating audit requirements to the auditee
Auditing in accordance with the relevant checklists
TVE CERT
Issue Date: SEP 2015
229
Quality Management Systems Auditor / Lead Auditor Training Course
Where time permits, examining discovered areas of concern
Documenting observations
Recording evidence
Verifying the effectiveness of the Quality System
Reporting results to the Lead Auditor
Co-operating with and assisting the Lead Auditor
Above all, the auditor exercises judgement on the compliance, implementation and effectiveness of the Quality System. The auditor‘s job is to assess the quality system and not to advise on how it may be improved, thus the auditor is not acting as a consultant. He should not offer opinions or suggest that there may be better ways of doing things. However if specified by audit objectives, audit conclusions can lead to recommendations regarding improvements. An auditor who has acted as a consultant to an organisation cannot be a member of the certification audit team assessing that organisation.
QMS auditor should additionally have knowledge on -
quality technology
-
quality management principles & their application
-
quality management tools & their application
3. The Role of the Auditee and Audit Client
Auditee:
Organization being audited
Audit Client: Organization requesting the audit.
a. Before the audit activity begins:
Select auditing agency, based on experience, accreditation in countries of interest and reputation.
TVE CERT
Issue Date: SEP 2015
230
Quality Management Systems Auditor / Lead Auditor Training Course
Liaise with auditing/certifying agency to provide required information (verbal and written)
Agree on scope for audit and the nominated team.
Agree on suitable dates for the audit activity and sites to be visited.
b. During the pre-audit visit or through other means of communication :
agree to provide guides and prepare them for that role
agree to provide logistic assistance during audit
provide any information required by the auditors, relevant to scope and the quality management system
agree on those who will attend the opening and closing meetings
agree to inform all staff regarding the audit
seek clarifications regarding audit procedures
provide logistic support during pre-audit visit
c. During the Audit
provide office facilities for opening and closing meetings, and also for liasion meetings of auditors amongst themselves
provide guides
witness any observations
seek clarifications, in case observations, attributions or explanations of the auditors are not clearly understood
ensure relevant people from management are punctual for all meetings
inform management of any major non-conformances observed by the auditors
Cooperate with the auditors
agree to non-conformances and commit to timely corrective actions
d. Post – Audit
propose time-bound corrective actions, and seek agreement of auditors (in case required)
TVE CERT
Issue Date: SEP 2015
231
Quality Management Systems Auditor / Lead Auditor Training Course
initiate and identify causes for the non-conformity
identify the counter-measure/corrective action on the causes of the non-conformity
implement the corrective action
verify the effectiveness of the actions, through Internal Audits
inform auditors about satisfactory completion of corrective actions
4. Roles & Responsibilities of Guides & Observers a. Observer: The presence and justification of observers during an audit activity shall be agreed to by the certification body and client prior to the conduct of the audit Note: observers can be members of the client‘s organization, consultants, witnessing accreditation body personnel, regulators or other justified persons.
b. Guide: Each audit shall be accompanied by a guide, unless otherwise agreed to by the audit team leader and the client. Guides are assigned to the audit team to facilitate the audit.
Establish contacts and interview timings
Arrange visits to the areas to be audited
Ensure that safety rules are followed by the audit team
Witness the audit on behalf of the auditee
Providing the clarification or assisting in collecting information.
Note: The audit team shall ensure that observers and guides do not influence or interfere in the audit process or outcome of the audit.
TVE CERT
Issue Date: SEP 2015
232
Quality Management Systems Auditor / Lead Auditor Training Course
5. Assigning responsibility for an individual audit to the audit team leader
The person managing the audit programme should assign the responsibility for conducting the individual audit to an audit team leader. The assignment should be made in sufficient time before the scheduled date of the audit, in order to ensure the effective planning of the audit.
To ensure effective conduct of the individual audits, the following information should be provided to the audit team leader:
audit objectives
audit criteria and any reference documents
audit scope, including identification of the organizational and functional units and processes to be audited
audit methods and procedures
composition of the audit team
contact details of the auditee, the locations, dates and duration of the audit activities to be conducted
allocation of appropriate resources to conduct the audit
information needed for evaluating and addressing identified risks to the achievement of the audit objectives. The assignment information should also cover the following, as appropriate:
working and reporting language of the audit where this is different from the language of the auditor or the auditee, or both
audit report contents and distribution required by the audit programme
matters related to confidentiality and information security, if required by the audit programme
any health and safety requirements for the auditors
any security and authorization requirements
any follow-up actions, e.g. from a previous audit, if applicable
co-ordination with other audit activities, in the case of a joint audit.
TVE CERT
Issue Date: SEP 2015
233
Quality Management Systems Auditor / Lead Auditor Training Course
6. Code of Conduct – Confidentiality
All auditors are expected to comply with a code of conduct which emphasises the need for professionalism, confidentiality and behaviour which will harm neither the auditor‘s company nor the IRCA‘s public image. Any breach of this should be reported by the auditee to the IRCA. The UKAS also monitors auditor performance and this includes compliance with the code of conduct. The Code of Conduct is given in Appendix III of IRCA 602 - reproduced in 6 below)
7. Audit Principles
Auditing is based on five principles. It is a prerequisite to adhere to these principles for providing audit conclusions that are relevant to the management policies & control, thus providing information upon which the organization can act to improve performance. The principles also help reaching similar conclusions under similar circumstances.
The 6 Principles are:
Integrity: Obligation to report truthfully and accurately
Fair Presentation: (Audit findings, audit conclusions & audit reports to be accurate & truthful. Unresolved diverging opinions & significant obstacles between audit team & auditee to be reported)
Due Professional care: Diligence & judgement in auditing
Confidentiality: Security of information
Auditors should exercise discretion in the use and protection of information acquired in the course of their duties. Audit information should not be used inappropriately for personal gain by the auditor or the audit client, or in a manner detrimental to the legitimate interests of the auditee. This concept includes the proper handling of sensitive or confidential information TVE CERT
Issue Date: SEP 2015
234
Quality Management Systems Auditor / Lead Auditor Training Course
Independence: The basis for impartiality & objectivity of audit conclusion
Evidence based Approach: The rational method when audit findings & conclusions are based on audit evidence (verifiable & based on appropriate sampling)
8. IRCA Code of Conduct It is a condition of certification that you agree to act in accordance with, and be bound by the following IRCA Code of Conduct:
1. To act in a strictly trustworthy and unbiased manner in relation to both the organisation to which you are employed, contracted or otherwise formally engaged (the audit organisation) and any other organisation involved in an audit performed by you or by personnel under your direct control. 2. To disclose to your employer any relationships you may have with the organisation to be audited before undertaking any audit function in respect of that organisation. 3. Not to accept any inducement, gift, commission, discount or any other profit from the organizations audited, from their representatives, or from any other interested person nor knowingly allow personnel for whom you are responsible to do so. 4. Not to disclose the findings, or any part of them, of the audit team for which you are responsible or of which you are part, or any other information gained in the course of the audit to any third party, unless authorised in writing by both the auditee and the audit organization to do so. 5. Not to act in any way prejudicial to the reputation or interest of the audit organisation. 6. Not to act in any way prejudicial to the reputation, interests or credibility of IRCA.
TVE CERT
Issue Date: SEP 2015
235
Quality Management Systems Auditor / Lead Auditor Training Course
7. In the event of any alleged breach of this code, to co-operate fully in any formal enquiry procedure.
TVE CERT
Issue Date: SEP 2015
236
Quality Management Systems Auditor / Lead Auditor Training Course
COMPETENCE & EVALUATION OF AUDITORS A competent Auditor is one who demonstrates personal attributes (as tested below) and the ability to apply the appropriate generic & specific knowledge & skill gained thorough education, work experience, auditor training & audit experience.
1.
Personal Behaviour
An auditor needs to possess the necessary quality to enable the performance of audit activities: a. ethical, i.e. fair, truthful, sincere, honest and discreet b. open-minded, i.e. willing to consider alternative ideas or points of view c. diplomatic, i.e. tactful in dealing with people d. observant, i.e. actively aware of physical surroundings and activities e. perceptive, i.e. instinctively aware of and able to understand situations f. versatile, i.e. adjusts readily to different situations g. tenacious, i.e. persistent and focused on achieving objectives h. decisive, i.e. reaches timely conclusions based on logical reasoning and analysis i.
self-reliant, i.e. acts and functions independently while interacting effectively with others
j.
acting with fortitude, i.e. able to act responsibly and ethically, even though these action may not always be popular and may sometimes result in disagreement or confrontation
k. open to improvement i.e. willing to learn from situations, and striving for better audit results l.
culturally sensitive, i.e. observant and respectful to the culture of the auditee
m. collaborative, i.e. effectively interacting with others, including audit team members and the auditee‘s personnel
TVE CERT
Issue Date: SEP 2015
237
Quality Management Systems Auditor / Lead Auditor Training Course
2. Generic Knowledge & Skills of Auditors Auditors should possess the knowledge and skills in the following areas:
a. Audit Principle, Procedures and Methods
apply audit principles, procedures, and methods
plan and organize the work effectively
conduct the audit within the agreed time schedule
prioritize and focus on matters of significance
collect information through effective interviewing, listening, observing and reviewing documents, records and data
understand and consider the experts‘ opinions
understand the appropriateness and consequences of using sampling techniques for auditing
verify the relevance and accuracy of collected information
confirm the sufficiency and appropriateness of audit evidence to support audit findings and conclusions
assess those factors that may affect the reliability of the audit findings and conclusions
use work documents to record audit activities
document audit findings and prepare appropriate audit reports
maintain the confidentiality and security of information, data, documents and records
communicate effectively, orally and in writing (either personally, or through the use of interpreters and translators)
understand the types of risks associated with auditing.
b. Comprehend the audit scope & apply Audit criteria.
management system standards or other documents used as audit criteria
the application of management system standards by the auditee and other organizations, as appropriate
TVE CERT
Issue Date: SEP 2015
238
Quality Management Systems Auditor / Lead Auditor Training Course
interaction between the components of the management system
recognizing the hierarchy of reference documents
application of the reference documents to different audit situations.
c. Organizational Context
Organizational types, governance, size, structure, functions
General business and management system concepts
Cultural and social aspects
d. Applicable Laws, Regulations & Other Requirements.
laws and regulations and their governing agencies
basic legal terminology
contracting and liability
3. Sector Specific Knowledge & Skills of QMS Auditors
Knowledge and skills related to the discipline and the application of disciplinespecific methods, techniques, processes and practices should be sufficient to enable the auditor to examine the management system and generate appropriate audit findings and conclusions.
Examples are as follows: terminology relating to quality, management, organization, process and product,
characteristics,
conformity,
documentation,
audit
and
monitoring
and
measurement processes customer
focus,
measuring of
customer-related
processes,
customer satisfaction, complaints handling, code of
conduct, dispute resolution leadership – role of top management, managing for the sustained success of an organization – the quality management approach, TVE CERT
Issue Date: SEP 2015
239
Quality Management Systems Auditor / Lead Auditor Training Course
realizing financial and economic benefits through management of quality, quality management systems and excellence models involvement of people, human factors, competence, training and awareness process approach, process analysis, capability and control techniques, risk treatment methods system approach to management (rationale of quality management systems, quality management systems and other management system focuses, quality management system documentation), types and value, projects, quality plans, configuration management continual improvement, innovation and learning factual approach to decision making, risk assessment techniques (risk
identification,
analysis
and evaluation), evaluation of quality
management (audit, review and self-assessment), measurement and monitoring techniques, requirements for measurement processes and measuring equipment, root cause analysis, statistical techniques characteristics of processes and products, including services mutually beneficial supplier relationships, quality management system requirements and requirements for products, particular requirements for quality management in different sectors
a. Generic Knowledge & Skills of Audit Team Leaders
Audit team Leaders in addition to the generic & specific knowledge & skills required by Auditors, Audit team Leader should be able to:
TVE CERT
Issue Date: SEP 2015
240
Quality Management Systems Auditor / Lead Auditor Training Course
a. balance the strengths and weaknesses of the individual Audit team members b. develop a harmonious working relationship among the audit team members c. manage the audit process, including
planning the audit and making effective use of resources during the audit
managing the uncertainty of achieving audit objectives
protecting the health and safety of the audit team members during the audit, including ensuring compliance of the auditors with the relevant health, safety and security requirements
organizing and directing the audit team members
providing direction and guidance to auditors-in-training
preventing and resolving conflicts, as necessary
d. represent the audit team in communications with the person managing the audit programme, audit client and auditee e. lead the audit team to reach the audit conclusions f. prepare and complete the audit report
b. Knowledge and skills for auditing management systems addressing multiple disciplines
Auditors who intend to participate as an audit team member in auditing management systems addressing multiple disciplines should have the competence necessary to audit at least one of the management system disciplines and an understanding of the interaction and synergy between the different management systems.
Audit team leaders conducting audits of management systems addressing multiple disciplines should understand the requirements of each of the management system standards and recognize the limits of their knowledge and skills in each of the disciplines.
TVE CERT
Issue Date: SEP 2015
241
Quality Management Systems Auditor / Lead Auditor Training Course
c. Education, Work Experience, Auditors Training & Audit Experience of Auditors.
Education to provide the generic & specific knowledge & skills
Work experience in a technical, managerial & / or professional position involving judgment, problem solving, communication.
This may be in the field of –
Quality Management System
Completion of Auditor Training
Audit experience as an Audit Team Member.
Additional Audit Experience required to be gained while acting in the role of an Audit Team Leader under the direction & guidance of another Auditor who is competent as an Audit Team Leader. Depending on the Audit programme higher or lower level trainings for Auditors & Lead Auditors may be appropriate.
d. Audit team leaders An audit team leader should have acquired additional audit experience to develop the knowledge and skills described in 7.2.3 (19011:2011). This additional experience should have been gained by working under the direction and guidance of a different audit team leader.
4. Auditors Competence Evaluation
The auditor evaluation is to be defined in the audit programme procedures. The evaluation process should identify training & others skills enhancement needs.
This Evaluation is done in different stages -
Initial evaluation
-
Evaluation as part of the audit team selection process
-
Continual evaluation & identification of training & skill
TVE CERT
Issue Date: SEP 2015
242
Quality Management Systems Auditor / Lead Auditor Training Course
Appendix 2: Evaluation Methods
Evaluation method
Objectives
Examples
Review of records
To verify the background of the auditor.
Analysis of records of education, training, employment and audit experience.
Feedback
To provide information about how the performance of the auditor is perceived.
Surveys, questionnaires, personal references, testimonials, complaints, performance evaluation, peer review.
Interview
To evaluate personal attributes and communication skills, to verify information and test knowledge and to acquire additional information.
Face-to-face and telephone interviews.
Observation
To evaluate personal attributes and the ability to apply knowledge and skills.
Role playing, witnessed audits, on the job performance.
Testing
To evaluate personal attributes and knowledge and skills and their application.
Oral and written exams, psychometric testing.
Post-audit review
To provide information where direct observation may not be possible or appropriate.
Review of the audit report and discussion with the audit client, auditee, and colleagues and with the auditor.
5. Conducting the evaluation
The information are collected about the person & compared against the criteria set. In case, a person does not meet the criteria, additional training, work & / or audit experience may be required following which there should be a re-evaluation.
6. Maintenance & Improvement of Auditor Competence
The auditor & audit team leaders should maintain them AC & CPD. The auditing competence is achieved through regular participation in Management TVE CERT
Issue Date: SEP 2015
243
Quality Management Systems Auditor / Lead Auditor Training Course
system audits & continual professional development. This may be achieved by additional work experience, training, private study, coaching, attendance at meetings, seminars & conferences or other relevant activities.
FOR REFERENCE:
Major differences in terminology between ISO 9001:2008 and ISO 9001:2015
ISO 9001:2008
ISO 9001:2015
Products
Products and services Not used
Exclusions
(See Clause A.5 for clarification of applicability) Not used
Management representative
(Similar responsibilities and authorities are assigned but no requirement for a single management representative)
Documentation, quality manual, documented procedures, records
Documented information
Work environment
Environment for the operation of processes
Monitoring and measuring equipment
Monitoring and measuring resources
Purchased product
Externally provided products and services
Supplier
External provider
TVE CERT
Issue Date: SEP 2015
244
We hope you enjoyed your course You will be contacted by the CQI and IRCA for feedback on the course and your Approved Training Partner. Completing this short survey will help to ensure the continuing high standards of these courses.
The CQI and IRCA offer a range of services to support you throughout your career. For more information, please visit www.quality.org
www.quality.org/training