English Version

Quality Management Systems Training
for SMEs
Leonardo da Vinci Project
GUIDELINES FOR THE IMPLEMENTATION OF

A QUALITY MANAGEMENT SYSTEM (QMS),
ACCORDING TO THE ISO 9001:2008 STANDARD, TO
SMES.
This book was produced in the framework of Leonardo da Vinci project

Small Business Quality Management Systems. This project was carried
out with the support of the Commission of the European Community.
The content of this book does not necessarily reflect the position of the
European Community or the National Agency, nor does it invoke any
responsibility on their part.
TITLE:
ISO 9001:2008 APPLICATION GUIDE
CHAPTER 1. INTRODUCTION...............................................................................................................7
1.1. CONTEXT...............................................................................................................................................7
CHAPTER 2. GENERAL............................................................................................................................9
2.1. THE SENSE OF THE WORD QUALITY..........................................................................................9
2.2. THE DEVELOPMENT PHASES OF QUALITY: CULTURE, PRINCIPLES AND METHODS............10
2.3. QUALITY MANAGEMENT SYSTEM..................................................................................................13
2.4. WHY THE IMPLEMENTATION OF A QUALITY MANAGEMENT SYSTEM?.................................14
2.5. THE ISO 9000:2008 STANDARD................................................................................................14
CHAPTER 3. APPLICATION OF THE STANDARD ISO 9001 IN SMES............................16
3.1. SME.....................................................................................................................................................16
3.1.1.EU DEFINITION..................................................................................................................................16
3.1.2.THE HIDDEN GIANTS.........................................................................................................................17
3.2. IMPLEMENTING THE ISO STANDARD............................................................................................20
3.2.1.WHAT SHOULD ISO (NOT) BE ABOUT.........................................................................................20
3.2.2.MANAGEMENT PRINCIPLES..............................................................................................................21
3.2.3.ISO IN SMES - SOME CHARACTERISTICS HAVING IMPACT.....................................................24
3.2.4.REALIZATION OF ISO REQUIREMENTS AND DIFFERENCES BETWEEN SMES AND LARGE
ENTERPRISES...................................................................................................................................................26
CHAPTER 4. THE STANDARD ISO 9001:2008..........................................................................37
4.1. INTRODUCTION...................................................................................................................................37
4.2. CHARACTERISTICS AND CONTENTS OF ISO 9001:2008 STANDARD.................................37
4.3. OTHER RELATED STANDARDS.........................................................................................................39
4.4. QUALITY MANAGEMENT SYSTEM (CLAUSE 4)...........................................................................39
4.4.1.GENERAL REQUIREMENTS (CLAUSE 4.1)....................................................................................40
4.4.2. DOCUMENTATION REQUIREMENTS (CLAUSE 4.2)...................................................................44
4.5. MANAGEMENT RESPONSIBILITY (CLAUSE 5).............................................................................50
4.5.1. MANAGEMENT COMMITMENT (CLAUSE 5.1).............................................................................50
4.5.2. CUSTOMER FOCUS (CLAUSE 5.2)................................................................................................51
4.5.3. QUALITY POLICY (CLAUSE 5.3)...................................................................................................52
4.5.4. PLANNING (CLAUSE 5.4)...............................................................................................................52
4.5.5. RESPONSIBILITY, AUTHORITY AND COMMUNICATION (CLAUSE 5.5).................................52
4.5.6. MANAGEMENT REVIEW (CLAUSE 5.6)........................................................................................53
4.6. RESOURCE MANAGEMENT (CLAUSE 6)........................................................................................54
4.7. PRODUCT REALISATION (CLAUSE 7)............................................................................................55
4.7.1. PLANNING OF PRODUCT REALIZATION (CLAUSE 7.1)............................................................57
4.7.2. CUSTOMER-RELATED PROCESSES (CLAUSE 7.2).....................................................................58
4.7.3. DESIGN AND DEVELOPMENT (CLAUSE 7.3)..............................................................................59
4.7.4. PURCHASING (CLAUSE 7.4)..........................................................................................................60
4.7.5. PRODUCTION AND SERVICE PROVISION (CLAUSE 7.5).........................................................61
4.7.6. CONTROL OF MONITORING AND MEASURING DEVICES (CLAUSE 7.6)..............................63
4.8. MEASUREMENT, ANALYSIS AND IMPROVEMENT (CLAUSE 8).................................................64
4.9. MINIMUM REQUIREMENTS ACCORDING TO ISO.......................................................................68
4.10. PERMISSIBLE EXCLUSIONS..............................................................................................................68
CHAPTER 5. STEPS TO IMPLEMENT A QMS.............................................................................69
5.1. STEPS TO DECIDE..............................................................................................................................69
5.1.1.DECISION TO IMPLEMENT A QMS................................................................................................69
5.1.2.FIRST PLANNING OF RESOURCES..................................................................................................70
5.1.3.EXTERNAL CONSULTANTS................................................................................................................70
5.2. FIRST SELF ASSESSMENT.................................................................................................................71
5.3. DETAILED IMPLEMENTATION PLAN................................................................................................74
5.4 DEVELOPMENT OF QM HANDBOOK..................................................................................................75
5.5 DESIGN OR CHECK UP OF PROCESSES..............................................................................................76
5.6 FINAL IMPLEMENTATION QMS KICK OFF......................................................................................79
5.6.1.TRAINING.............................................................................................................................................79
5.7 INTERNAL AUDIT....................................................................................................................................80
5.8 EXTERNAL AUDIT....................................................................................................................................82
5.8.1.CERTIFICATION BODY.......................................................................................................................82
5.8.2.THE CERTIFICATION PROCESS.........................................................................................................82
5.9 CONTINUAL IMPROVEMENT..................................................................................................................84
CHAPTER 6. ADDITIONAL REQUIREMENTS..............................................................................86
6.1. MANAGEMENT SYSTEM STANDARDS.............................................................................................86
4
6.2. EUROPEAN DIRECTIVES AND TECHNICAL STANDARDS............................................................88

CHAPTER 7. GLOSSARY........................................................................................................................90
BIBLIOGRAPHY..........................................................................................................................................94
INDEX OF TABLES
Table 3.1Recent development in SME perception in EU
Table 3.2
16
The ISO-related differences between SMEs and large
enterprises in a nutshell
27
Table 4.1
43
Records required by ISO 9001:2008
Table
4.2
Audit list (abridged and artificial version)
56
INDEX OF FIGURES
Figure 3.1
European enterprises by size
16
Figure 3.2
Issued ISO 9000 certificates, world total
17
Figure 3.3
Distribution of issued certificates among world regions (2007)
17
Figure 3.4
Share of certificates of conformity to ISO 9001:2008 on
ISO 9000 total
18
Figure 3.5
processes according to the eight ISO 9000 principles
21
Figure 4.1
Process map of a construction company (artificial)
37
Figure 4.2
Artificial example of process flow
chart
38
Figure 4.3
Some of the 7 quality tools
39
Figure 4.4
Typical QMS Processes
Figure
49
5.1
Example of a first assessment checklist
62
Figure
5.2
Example of a strengths and weaknesses analysis
63
Figure
5.3
Force Field Analysis
Figure
63
5.4
Example of an implementation plan with milestones
64
Figure 5.5
QM
Handbook Hierarchies
66
Figure 5.6
SIPOC method
67
Figure 5.7 Example of a process map

68
CHAPTER 1.
1.1.
INTRODUCTION
Context
During the last decades enterprises made an effort to achieve

quality as a measure to increase their competitiveness. This
quality goal was usually achieved by trial and error, costing, to
enterprises, a great deal in terms of time and money, not to
mention the effect on clients, in the cases of error. To organise
the procedure of obtaining and maintaining quality, a series of
international standards were created in the form of ISO model.
This way the improvement of quality could be obtained through
standard procedures already tried and tested in many other
enterprises. The whole procedure very often includes reengineering of the company and, in every case, training of the
personnel. The revision of the standard in 2008 version imposes
more obligations.
The
achievement
of quality
The power of
SMEs in
Yet SMEs, which represent an important percentage of the total Europe
enterprises power in Europe, have complained that implementing

the ISO 9000 was expensive, as it required additional staff and
paperwork. They also complained that its demands were
irrelevant to SMEs operational dimensions.
Companies are facing new challenges due to the more dynamic

economic situation. Markets appear and vanish within short periods
of time and customers show growing expectations about the quality
of delivered goods and services. Responding to these facts, many
industrial sectors, principally the automotive industry, have decided
to implement generally accepted quality management tools which
lead, finally, to the establishment of quality management systems
(QMS) after e.g. ISO, VDA or QS standards. An undoubted advantage
of such a procedure is not only a support function for the systematic
way of managing quality relevant issues within their own
organisation but also the knowledge that a supplier who fulfils the
criteria of such an accepted QMS i.e. the organisation is certified to
such a standard - stands for high quality products and services. The
supplier selection process was massively supported by the emerging
certification activities and in some areas it has even become a
minimum criterion for it.
Large companies, especially, began to get certified to ISO 9000
standards whereas more and more small and medium sized
enterprises have decided to choose this way within the last few
years.
Therefore a lot of enterprises require from their suppliers and
their subcontractors certification at ISO-9001 and application of
quality processes, while in certain sectors the certification is
imposed by the national legislation. Furthermore clients are
becoming active participants in requiring certified products and
providers.
The lack of
educational
material and
tools for SMEs
Consideration
of branche
specific
situations /
Internal and
external
reasons for
implementing
a QMS
Criteria, if for implementing a QMS, can be subdivided mainly into

two different groups: internal aspects e.g. internal quality
improvements like reduction of rework or cost savings and
external aspects e.g. lower reclamation rate, better image,
differentiation via long term quality strategy.
Another reason for implementing a QMS is that it can be required
by the customer (but it must not be the only reason!).
Educational programs and educational materials are then
necessary. The majority of them address large enterprises and
there is a lack of educational material and tools specially
designed for small enterprises with practical guidelines that can
help on the implementation of ISO-9000 without bureaucratic
procedures. Moreover, even if the requirements of ISO-9001 are
single, their way of application varies between the enterprises
with different objectives, sectors and methods of operation.
Some professional organizations have already proposed
guidelines to explain how to adapt the general requirements of
ISO-9001 to their own case; but, in general, those tools do not
address the specific needs of small enterprises.
CHAPTER 2.
2.1.
GENERAL
The sense of the word Quality
The word "Quality", being an abstract concept, can have many

different definitions, such as "essential and distinguishable
attribute of someone or something " or "feature defining the
individual nature of something"; these are just some of the many
definitions of the entry "Quality" that one can find in the
dictionary.
The many
different
definitions of
word
quality
A traditional meaning - but nowadays quite old fashioned - is

"conformity to specific requirements". This acceptation matches Quality as
the concept of quality directly to the features of the feature
product/service itself (Quality as feature), emphasizing its
fulfilment. In this sense, the quality implies that the requirements
of the production process are clearly specified and entirely
respected, without any guarantee that these requirements will
respond to customer expectations, who is not necessarily taken
into consideration.
On the contrary, the current concept of quality of any Quality as
product/service implies the skills to understand the users need, value
and through the precise determination of the requirements, its
fulfilment. This acceptation underlining the adequacy to usage
(Quality as value) focuses on users needs.
With the acceptation of Quality as value, many definitions of
the word quality have been elaborated, and two of these are
particularly important:
Quality means
higher costs
1. Quality intended as the features of the products meeting

customer needs and determining his satisfaction. In this
sense, the meaning of quality is oriented to profit. The goal
of a better quality is to enhance customer satisfaction, and
finally, to increase the profit. As increasing or improving
quality involves money investments, we have also an
increase on costs. In this sense, Quality means higher Quality means
lower costs
costs.
2. Quality intended as absence of flaws and errors which
require repairing activities which usually bring to market The ISO
shares loss, customer discontent and so on. In this sense 9000:2000
the word quality is oriented to costs and better quality definition
means lower costs.
Finally, ISO 9000:2008 defines the word quality as: "degree to
which a set of inherent characteristics fulfils requirements.
It must be specified that (explanatory notes in the regulations):
- "the term quality can be used with adjectives such as poor,
good or excellent; while the term inherent means existing in
something, especially as a permanent characteristic.
2.2.
The development phases of Quality: culture,

principles and methods
The origin of the problems related to Quality can be

associated to the beginning of trade activities. It is a
very old concept, strictly related to the establishment of the
market itself with its main characters: the buyer-user and the
seller-producer. In time, the meaning of quality has undergone
different relevant evolutions, which have often changed its
common meaning.
Let us concentrate on the main acceptations of quality
developed during the 20th century.
After the First

World War
In the years preceding the First World War there was a

strong difference between quantity and quality, the former
considered as belonging to production, the latter to the product
final testing. Quantity is the main goal while quality is
considered as one of many possible factors for success.
Sometimes the buyer himself follows the production process and Between 1935
and 1945
performs the final tests.
Between 1935 and 1945 the so-called Quality Control

activities (QC) are generated. They are the set of actions
which permits to point out and measure the product features,
comparing them to formerly specified parameters. In these
years the perspective changes, but the idea to intervene in
the production process in order to guarantee the conformity of
the product to the project itself, remains unchanged; actually,
the production is deeply analysed and checking phases are
included to guarantee the quality of the final product. In the 50s
Servicing companies are still not included in this Quality
management method, because the service is not considered
a measurable and valuable result.
In the 50s the approach to Quality is greatly modified and

gradually the idea is spread that no business activity can be
totally separated from the other ones. Consequentially,
successful results can be obtained only thanks to the integration
and coordination of the many different company departments. In In the 60s
these years the Total Quality (TQM) approach is born in the USA.
The QC is still bound to each single activity and it doesnt
control the entire structure yet: however, the trend extends
Quality control concepts to the organization and planning
phases.
In the 60s the concept of Quality is newly modified and

systematically operates on both production process and
10
product itself, the so-called Quality Guarantee (QG). QG is a

management system which considers the integration of
several activities, whose strong connections contribute to
determine the quality of the product itself. Activities such as
action planning, staff training, records filing and management,
adjustment actions, etc.
The most relevant innovations of the QG method, compared to
the older approaches, are:
-
integrated approach to Quality management, considered

as part of the system, controlled by the entire organization,
and most of all by the management;
immediate applicability to services;
attention to planning and activity recording;
widening of planning and testing concepts, from production

to designing.
The difference between Quality Guarantee and Quality Total

Management systems is basically on their different
approaches: the former is static, the latter is dynamic.
The Total Quality system puts Quality at the very first place
among the business values and its goal is to improve its In the 70-80s
relationship with its customers.
The active orientation to Quality implies the introduction of
innovative attitudes and differs from traditional approaches in
three points:
1. improvement of quality as a continuing process;
2. improvement through fixed policies and goals;
3. education of the whole organization to Quality as a rule.
In the 70-80s the concept of Quality is also extended to

servicing companies. In Quality in Services we can
distinguish two different approaches. The traditional approach
is based on the identification of customer needs and
expectations and the subsequent product design, the
activation of Quality process (in terms of mistake reductions),
control planning and its improvement.
The other approach - the so-called staff-oriented approach asserts that a quality program should be based on a change of
culture, values, attitudes of the whole personnel; its most
important points are basically staff management and customer
feedback.
The starting point is the identification of the product offered
by the servicing company and its features -in comparison with
11
any manufactured product - such as:

-
the product does not exist before purchasing;
the product cannot be stocked;
production and consumption happens in the same time;
the customer is involved in the production phase;
the product cannot be touched;
mobility of the service supply system.
The attention paid to services helps to change the perspective

when facing problems regarding quality: the organization starts
considering not only the product, but also all management and
technical activities implied in the product, that is the business
process.
The process includes all the activities oriented to a final result,
performed by different business units. Each of them adds a new
value to the product, directly proportional to its integration skills
and ability to work for targets.
Managing for processes means highly supervising all the
connections among different activities, identifying customer
needs aiming to his satisfaction, and exploiting business outputs
as the common target.
Whoever is responsible for Quality starts investing in the
Quality System concept, i.e. running the business aiming
for Quality. The structure of a Quality system can be
summarized as:
1. definition of the business and its goals
2. assignment of tasks and responsibilities
3. identification of means and staff
4. implementation and management of operative modalities
through monitoring and checking
According to Quality policy, the business is more and more
oriented towards customer satisfaction and his needs become
the organization target, at the lower organizational costs.
Creating Quality means providing internal quality and
external
quality.
External quality refers to the customer relationship
modalities, and above all, the awareness of his needs,
12
attitudes, expectations, how carefully his request is considered,

how much care is given to the communication process
(welcome, service and farewell), problem solving skills, and
easiness in anticipating if needed his needs and wishes,
offering services not explicitly requested. External quality
also means the establishment of good relationships with
suppliers, media, etc. as the corporate image contributes, in
large measure, to the perception and determination of
external quality.
Internal quality refers to all that is related to workers
satisfaction and parameters such as: shifts, information
circulation, time management, accomplished tasks feedback,
and so on. Therefore, quality can be defined as conformity of
the service to internal and external customer satisfaction.
The 1990-2009 period is characterized by the increasing The 1990demand of social quality aiming to consumers, citizens and 2009 period
users satisfaction. The main goal is now the improvement of life
quality, and all companies develop more integrated systems to
manage quality, environment and safety. In this contest is set the
SA 8000 standard (Social Accountability). The origin and
development of this first standard on social responsibility is a
world-wide recognized reference point. Its main goal is to
eliminate unfair and cruel work conditions in all kind of business.
2.3.
Quality Management System
The quality management system is a wide concept and it can Definition

be defined as a systemic set of management procedures
used to monitor, check and improve the organization
operative and financial performances, aiming to offer the
best product/service at lower costs.
The
management procedures
constituting
the
quality
management system include some activity subsets, respectively
indicated as: Quality assurance, Quality control and Quality
improvement.
Quality
assurance
Quality assurance (QA) activities aim to guarantee that all

changes in the process are clearly identified and valuated. It also
guarantees that all product/service specifications - necessary to
satisfy
both
customer
and
product/service
producers Quality
requirements - are clearly fixed.
control
Quality control (QC) is a process also known as quality

statistical control which permits to valuate the performance of
the current organization processes, individuating and performing
the actions necessary to eliminate undesired performances.
Thanks to this process QI standards can be fully respected. The
activities to correct irregular products can be or not be included Quality
improvement
in QC environment.
13
Quality improvement is a systematic and continuing activity,

which involves all business processes, aiming at high
performances.
Anyway, a quality management system must be based on
policies aiming to reach high quality goals. Actually, all business
actions reflect the management policy on fields such as finance,
product/service typology, social problems, personnel safety and
so on.
Finally, a quality management system must be accompanied by
a good quality technology system: technologies able to obtain,
monitor, control and improve the quality of the product/service
itself.
2.4.
Why the implementation of a Quality Management

System?
The creation of a quality management system can help the

organization to enhance customer satisfaction as well as of the other
interested parties. Moreover, a well implemented quality
management system provides the business with the structure to
activate continual improvement actions.
Customer
The increasing of customer satisfaction (CS) - as well as of satisfaction

the other interested parties involved in production - and the and Continual
activation of continual improvement (CI) are strictly linked to improvement
each other. Actually, considering the continuously changing customer
needs and expectations, as well as competition and technical
progress, the continual improvement of products and processes is an
essential condition to remain in the market.
The increasing of peoples satisfaction and the activation of continual
improvement can be obtained only if the organization considers
some important principles, such as:
Principle
Principle
Principle
Principle
Principle
Principle
Principle
Principle
2.5.
1
2
3
4
5
6
7
8
Customer focus
Leadership
Involvement of people
Process approach
System approach to management
Continual improvement
Factual approach to decision making
Mutually beneficial supplier approach
The principles
of CS and CI
The ISO 9000:2008 standard
ISO 9000 is a set of international standards published for the first The origin of
time in 1987 by Geneva International Organization for the ISO 9000
Standardization (ISO). Firms can use these standards to
individuate requirements necessary to maintain an efficient
quality management system.
For example, the standards indicate the requirements needed for
14
the right calibration of measurement and testing equipment (e.g.

of scales and weights) or to maintain an adequate registration
system.
The ISO 9000 standards are the result of an international
agreement of good management practice, in order to
guarantee products/services in line with customer quality
expectations, through processes, management and control.
ISO 9000 standards is a set of guidelines and requirements to
implement and maintain a quality management system, The ISO 9000
series
applicable to any kind of public or private organization,
regardless of its activity and size.
The ISO 9000 includes three main documents:
ISO 9000:2005, Quality management

Fundamentals and vocabulary.
systems
ISO 9001:2008,
Requirements.
systems
ISO 9004:2000- under revision, Quality management

systems Guidelines for performance improvements.
Quality
management
As the set of ISO 9000 - 2000 edition and up- includes only one
model for quality management system (ISO 9001), the
organization intending to implement a quality management
system should determine which items of the standard they want
to use for management actions and should develop its own
system with those requirements. The organization can get an
exclusion from the implementation of some clauses of the 7th The current
paragraph of the standard, if not applicable due to the nature of ISO 9000
the company. Design and development must be controlled and edition (2008)
documented if applied by the company.
The current ISO 9001:2008 edition being active from February
2009 on and the undergoing revision of ISO 9004 introduce minor
only changes to the previous edition. The main ones have to do
with:
Rephrasing to improve consistency between the ISO 9000

series standards and those of ISO 22000 and ISO 14000.
Adding the concept of business environment and risk
Better definition of the control over outsourced processes
Upgrading statutory and regulatory requirements
Including the goal of managing the work environment

needed to achieve conformity to requirements, this
meaning physical, environmental and other factors
15
Definition of personal data as a key example of type of

customer property that have to be protected.
Information systems as a key example of the type of

support services that may impact conformity to product
requirements, as an example of calibration (verification
and configuration))
Making explicit reference to post delivery activities such as

warranty
provisions,
maintenance
services
and
supplementary services such as recycling of final disposal
A third independent part, the certification body certifies the

conformity of the quality management system according to ISO
9001 standards. The certification will show the business
processes area, which the certification has been requested for, as
well as any other management actions foreseen in ISO 9001
regulations not considered by the organization under
certification.
CHAPTER 3.
APPLICATION OF THE STANDARD ISO
9001 IN SMES
Objective of
The aim of this chapter is firstly to introduce briefly the SME chapter 3
phenomenon and its specifics and secondly to outline how these
specifics affect the implementation of quality management
system in a SME
3.1.
SME
Micro, small and medium-sized enterprises (SMEs) are socially

and economically important, they represent 99 % of all
enterprises in the EU and provide around 65 1 million jobs. Besides
that, they are an essential source for entrepreneurial spirit and
innovation.
Since SMEs play a key role in the economies, the term SME is a
frequently used one. However, there is not one single definition
used by all, on the contrary: the criteria for a small and mediumsized enterprise can vary not only between different European
countries, but even within one country, depending for example
on the field of activity of the enterprise. Selective approach to
SMEs (different criteria for being considered a SME depending on
field of activity) can for example be applied as one of criteria for
obtaining entrepreneurship support in various aid programs.
Compare (http://europa.eu.int/comm/enterprise/enterprise_policy/sme_definition/index_en.htm)
16
3.1.1. EU definition
To introduce one definition, we have chosen the SME definition of The
EU, used apart from statistical purposes also to handle this EU definition
economic phenomenon with respect to support schemes
(especially state aid, Structural Funds and the Research and
Development Framework Programme). In addition, the European
definition gives us the opportunity to demonstrate, that the
content of the term SME also undergoes changes in time.
Since 1996 the following European description of a SME was used
based on Recommendation 96/280/EC:
to the group of SMEs count all enterprises with less than 250
employees, with the balance sum lower than 27 mil. EUR/year or
the turnover per year max. 40 mil. EUR. At the same time the
independency requirement has to be fulfilled (not 25% or more of
capital or votes may be owned by one enterprise or a group of
enterprises, not matching with the SME definition).
Since the economic development has been considered as
relevant for the position of SMEs, the criteria have been revised
and a new definition published by Recommendation 2003/361/EC
in May 2003. It will be applied as of 1 January 2005. 2 While the
headcount requirement remains the same, there are changes
regarding the turnover an balance sheet sums:
Table 3.1
Recent development in SME perception in EU
Enterprise category
Mediumsized
enterprise
Small
enterprise
Micro
enterprise
96-04
05-
96-0
4
05-
96-0
4
05-
< 250
< 250
< 50
< 50
< 10
< 10
Turnover max. (mil. EUR)
40
50
10
Balance sheet total (mil.

EUR)
27
43
10
Headcount
According to EC, the main aim of the increase of the financial

ceilings is to avoid penalizing enterprises that invest. While the
increase is significant in percentage terms, it should not affect
the number of SMEs on the market. From an economic point of
view, it is neutral since it takes account of subsequent price and
productivity increases while maintaining the staff ceilings.
2
On 6 May 2003 the Commission adopted a new Recommendation 2003/361/EC regarding its SME
definition (replacing Recommendation 96/280/EC). For more information please see:
http://europa.eu.int/comm/enterprise/enterprise_policy/sme_definition/index_en.htm.
17
3.1.2. The hidden giants

As stated in the introduction to this chapter, SMEs play a key role SMEs
in our economy. Sometimes they are even called the hidden hidden
giants or the real giants of the European economy, since large giants
enterprises form only 1 % of the total number of enterprises.
More than that, 93 % of all enterprises are micro enterprises (0-9
employees)3.
medium-sized
0,8%
small
6,0%
large
0,2%
micro
93,0%
Figure 3.1 European enterprises by size

(Source: SMEs in focus. Observatory of European SMEs 2002; EC, 2002)
Two thirds of all jobs (private non-primary sector) are in SMEs,

split up roughly equally between micro enterprises, small and
medium sized. The size-class distribution of employment,
however, differs, between countries. Very important is also, that
SMEs create - unlike large enterprises - a net increase of job
opportunities.
The strong position of SMEs, especially micro enterprises can be
considered specific for Europe: an average European enterprise
employs 6 people, while a Japanese 10 and an American 19
people. Therefore SMEs account only for 33 % of employment in
Japan and 46 % in USA whereas in EU for 66 %.4
ISO
certification
Europes private sector jobs are in:

Employment by firm size
3
4
SMEs in focus. Observatory of European SMEs 2002, European Communities, 2002

idem
18
When linking the important market position of SMEs in Europe to

the importance of ISO implementation three figures might be
interesting:
world total of ISO 9000 certificates which shows a
constant increase,
Figure 3.2 Issued ISO 9000 certificates, world total

(Source: http://www.iso.org/iso/survey2007.pdf)
distribution of issued certificates among world

regions, which proves the strong emphasis laid on ISO
certification in European countries,
19
Figure 3.3 Distribution of issued certificates among world regions

(2007)
(Source: http://www.iso.org/iso/survey2007.pdf)
number of certificates issued to the revised standard

ISO 9001:2000 (which replaces the 1994 versions of ISO
9001, ISO 9002 and ISO 9003), which more than tripled in
2002 in comparison to 2001 and represented nearly 30 % of
the overall ISO 9000 total at the end of 2002
ISO 9001:2000
167 210
29,8%
ISO 9000
(1994 +
2000versions)
561 747
70,2%
Figure 3.4 Share of certificates of conformity to ISO 9001:2000 on

ISO 9000 total (2002)
(Source:
http://www.iso.ch/iso/en/iso900014000/pdf/survey12thcycle.pdf)
Even if the extent of this manual does not allow us to go deeper

20
in on the issue, the high share of Europe in issued ISO certificates

together with the overwhelming majority of European enterprises
being SMEs and the high acceptance of the new standard let us
expect a high potential of QMS implementation according to ISO
9001:2000 in SMEs in Europe.
3.2. Implementing the ISO standard

3.2.1. What should ISO (not) be about
Depending on the size of the enterprise, the implemented
quality management system should not draw up something, that
would be totally different from how the organization conducted
its business until now. Please notice, that all enterprises already
have a form of management system and possibly already fulfill
some of the standards requirements, even if they have not, as
yet, necessarily defined and documented how they do it. The
aim of the ISO standard is definitely not to impose a totally new
management system or to force the owner to change existing
management activities.
The sense
of QMS
implementatio
n
in a SMEs
On the contrary, implementing a quality management system

according to ISO 9000+ should be understood as a strategic
mean to control the business, monitor what is going on and
which areas should be focused on. All requirements of the
standard should be applied with insight and commitment. The
quality management system should, to a maximal extent,
implement modes already existing in the enterprise and in
addition proved, known and used by employees. Only then can
the enterprise fully benefit from implementation of the quality
management system it can improve internal processes and
serve as a tool for excellent market performance.
3.2.2. Management principles
In an SME as well as in a large enterprise the company
management consists of several mutually dependant factors, such
as management of human resources, supplier - purchaser
relationship, financial management, marketing, production/services
management, safety management, environmental management
etc.
The eight
The ISO 9001:2008 standard covers in different clauses the whole management
management diversity outlined above. Before implementing the principles of
ISO 9001:2008
standard even in small and medium-sized enterprises the top
management should first of all get acquainted with the eight
management principles, the standard builds on, namely:
Principle 1 Customer focus
Principle 2 Leadership
Principle 3 Involvement of people
Principle 4 Process approach
Principle 5 System approach to management
Principle 6 Continual improvement
Principle 7 Factual approach to decision making
21
Principle 8
Despite the fact, that these eight principles are not explicit
mentioned in the ISO 9001:2008 standard, they provide a
framework for implementation of good management practice. To
make you aware of that we have linked the principles with
different fields of management activities, discussed in individual
clauses of the standard. It regards e.g.:
ensuring resources for human resources development,

development and maintenance of infrastructure and
improvement of the work environment, effective
involvement of employees in processes (principle 2 and
3),
ensuring credible information, so that top management
can define the basic long-term orientation of the company
quality policy,
setting concrete short-term measurable tasks annual
quality objectives for lower management (coming out of
principles 1, 2 and 3),
concluding commercially and technically clear contracts
for products/services (principles 1 and 4),
ensuring economically convenient, high-quality inputs for
the main activity (principle 8),
controlling own activity concerning main processes of
production or providing services the ISO 9001
methodology ensures an adequate level of documentation
of relevant production and control procedures and
instructions, compliance with operational practice, proper
way to handle controlled documentation, identification
and retrospective traceability (principle 4),
ensuring outputs of main processes, thus products or
services of such a quality, that meet customers
requirements (principle 1); the level of customers
satisfaction is proved by gathering and evaluating
information and by implementing measures, resulting
from the evaluation (principles 4 a 7),
development of continual improvement program, being at
the same time an effective management tool and a means
to activate employees; it includes internal quality controls
and transparent, consequent corrective and preventive
actions (principle 6).
The two main
The principles of process and system approach (4 and 5) management

illustrate two aspects: firstly the importance of links between areas
single processes and secondly the importance of links between
processes,
resources
(financial,
qualified
employees,
infrastructure, work environment, information) and conditions
(framework outlined through requirements of interested parties).
At the same time active participation of the organization is
required while executing changes and improving the knowledge
level of employees, both being pre-requisites for continual
improvement (principle 6). Decisions are based on facts results
of tests and analyses (principle 7). Other key factors - attitudes,
motivation and competence of employees are more or less
22
included in all eight principles.

Summarizing, the eight principles for quality management
outlined above can be divided into two main management areas:
1. process management - applying process and system
principles, implementing tools and attitudes of companys
management (principle 4 and 5, further 1, 6, 7 and 8),
2. human resources management implementing tools in
order to form attitudes systematically, to increase work ability
and to create an environment supporting effective and
efficient functioning of human factor (principle 2 and 3, but
also 1, 6 and 7).
While providing management in both these fields, the new ISO
9000:2008 standard stresses evidential care for compliance with
superior laws and standards, related to the main product.
23
CUSTOMER
1
S
U
P
P
L
I
E
R
R
E
L
A
T
I
O
N
S
E
N
V
I
R
O
N
M
E
N
T
S
A
F
E
T
Y
R
I
S
K
S
M
A
R
K
E
T
I
N
G
F
I
N
A
N
C
E
H
U
M
A
N
R
E
S
O
U
R
C
E
S
4
2
processes-resourcesconditions
2-3
leadership and
management
1-8
commitment
attitudes
ability of
managers,
employees
1-8
CHANGES
MANAGEMENT
KNOWLEDGE
MANAGEMENT
CONTINUAL IMPROVEMENT
of
system, processes, resources
USING FACTS
information, data, knowledge
Figure 3.5 QM processes according to the eight ISO 9000 principles: 1 Customer focus, 2
Leadership, 3 Involvement of people, 4 Process approach, 5 System approach to
management, 6 Continual improvement, 7 Factual approach to decision making, 8
24
3.2.3. ISO in SMEs - some characteristics having impact

Even if there is a single ISO 9001:2008 standard and so is the set
of requirements on quality management system, there are some
differences in the character of SMEs and large enterprises having
influence on the implementation. Some of the differences bring
about an easier start for SMEs, generally they ask for special
attention. Within the group of SMEs micro and small enterprises
have an even more specific position. Therefore the two groups
will be dealt with separately.
Medium-sized enterprises (50 to 250 employees)
When implementing a QMS each member of the company must
be aware of the importance of this step and must be motivated to
contribute. Because of their smaller size, it is less difficult for the
quality manager of a medium-sized enterprise to involve
everyone than it is in large enterprises.
The specifics
of medium
sized
enterprises
related to ISO
implementatio
n
Furthermore, compared to large enterprises medium-sized

enterprises may have a more plain organizational structure, run a
lower number of processes liable to QMS and can manage with
more simple communication tools. This might lead to a significant
reduction of system documentation. On the other hand, the
number of employees and the level of complexity of the
enterprise usually result (different than in micro and small
enterprises) in an - at least partly - documented system of
conducting business, so that there is a certain base to build on
when working out the quality documentation.
Another specific resulting from the companys character is a
usually emphasized customer focus. Since market potential of
medium sized enterprises is limited compared to the possibilities
of large enterprises or chains, they can be considered rather
dependent on certain customers (big, important, regionally
present), but in some aspects also strong supplier-dependent.
The specifics
Therefore these enterprises mostly care for good supplier of micro and
purchaser relationship.
small
enterprises
related to ISO
implementatio
The obvious advantage of micro and small enterprises is that n
Micro and small enterprises (up to 50 employees)
they are quite often family-related businesses with a director at

the head, who usually is the owner as well. Consequently, he/she
is directly motivated to lead the company towards prosperity, to
satisfy old and to attract new customers. The customer focus is in
general additionally strengthened since micro and small
enterprises operate usually in regional markets and are in contact
with an often limited number of customers and suppliers. A
consequent care for good supplier purchaser relationship is thus
a precondition to survive.
The informality of the management brings a further advantage:
the director/owner gives oral indications on who does what and
25
how and thus gives constant guidance, checks and controls the
quality of the product/service, the others follow the instructions.
The small size and informal management make it easier to
motivate everybody within the company for the QMS.
In general, all enterprises have an established way or system of
conducting business. As explained above, in micro and small
enterprises informality is quite effective, however, it is rarely
documented. In connection with lack of documented procedures
and processes the quality documentation usually has to be
worked out from scratch.
Micro and small enterprises have a very plain organizational
structure and can manage with few, simple communication tools.
This results in a significant reduction of system documentation.
On the other hand, the unavoidable accumulation of functions
requires multi skilled employees together with a well-advised
definition of authorities and responsibilities, not forgetting a focus
on communication, its content and the way of documenting it.
Another difference between micro and small enterprises on one
hand and medium sized enterprises and on the other can consist
(but not necessarily) in the number of management processes,
where all management effectiveness requirements are
consequently applied, including stated measurable indicators
helping to follow the effectiveness trends.
26
3.2.4. Realization of ISO requirements and differences

between SMEs and Large Enterprises
In the previous chapter some characteristic aspects have been
appointed, having impact on ISO implementation in SMEs. Please
find here an overview of areas which are considered specific,
enriched by the findings resulting from the Correspondence
table, enclosed further on in this chapter.
SMEs vs. large
First of all some specifics of the ISO implementation result enterprises

directly from the very nature of SMEs, such as the character of:
management - informal, directly motivated, plain

organizational structure, requires good definition of
responsibilities/authorities
personnel - few, multi skilled, cumulated functions, not

responsible exclusively for QMS
documentation - lack of documented procedures
communication - simple form and tools
supplier-purchaser relations, customer focus - more

depending on certain subjects, regionally limited
processes lower number, structure rather simple
Further, from the correspondence table some additional trends

emerge as significant for the implementation of individual
clauses and specific requirements in SMEs. To summarize the
Group vs.
most obvious ones:
individual
Group vs. individual

Where in a large enterprise a management meeting and group
decision is needed, in an SME the responsibility often lies with
the owner/managing director - clauses 5.1 Management
responsibility and 5.6 Management review mirror clearly this
aspect.
Long-term vs. short-term
Dealing clauses 5.4 Planning, 6.1 Provision of resources, 6.3 Long-term vs.
Infrastructure, 7.1 Planning and product realization etc. there has short-term
been stated a strong emphasis on short-term planning by SMEs
respecting the cash-flow development. This can be partly
explained by the dependence on individual orders.
Shifting outside
Shifting
While in a large enterprise some activities and inputs are outside

provided internally, in the case of a SME they are substituted by
activities/inputs delivered from outside. Consider e.g. clause 7.4
Purchasing where input control tests are often replaced by
output control results and certificates from supplier. Similar by
7.3 Design and development carried out by customer or 7.5
27
Production and service provision often based on customers

documentation. Last but not least, sometimes 8.2.2 internal
audits cannot be provided by trained employees internal
auditors, because of their low number and thus possible conflict
of interests.
Cumulated responsibilities
Cumulated
responsibilitie
s
Where in a large enterprise selected employees are appointed

and trained to carry responsibility for a certain activity, in SMEs
this task has often to be executed by somebody with other
cumulated functions consider e.g. 5.5 Responsibility, authority,
communication with no quality manager being a member of top
management such as in large enterprises but with the managing
director being usually responsible for the implementation or 7.6.
Control of monitoring and measuring devices with responsibility
for compliance of the devices with laws on metrology
automatically lying with the managing director when there is no
other management member appointed. (It must be added; that
the extent of the accumulation depends on the sector the
company is operating in and by production companies even on
the type of production and quality controls required.)
Flexible
extent
Flexible extent
Another new thing about ISO 9001:2008 standard is, that it
enables the enterprise to fulfill a requirement in an adequate
way (to a certain extent), which was not possible by e.g.
standards in automotive industry. This approach means that e.g.
by 4.2 Documentation requirements the complexity of quality
documentation will be lower in SMEs as well as its quantity, that
extent and amount of information gathered in the frame 8.2.1
Customers satisfaction will differ in SMEs and large enterprises
or that in the frame of 8.5 Improvement there might not be a
separate Continual improvement program but concrete tasks
resulting from periodic evaluation based on quality objectives.
Alternatively, it has to be stressed that the ISO 9001:2008
standard will not forgive the SME anything simply because it
is small. Exceptions in the sense of letting out are possible only
by requirements, discussed in clause 7. Product realization. And
even then possible exceptions are available to all kinds of
enterprises (not depending on size), the eligibility of every
exception has, however, to be justified. Hereby a simple rule can
be applied: no requirements affecting quality of the
product/service may be excluded.
Correspondence table
The requirements of the ISO 9001:2008 standard are defined in
clauses 4 till 8. In this chapter and in the previous one (3.2.3 ISO
in SMEs - some characteristics having impact) we have outlined
some differences between SMEs and large enterprises, which can
affect the implementation of the quality management system.
The table below links these differences together with the
requirements of the standard (clauses 4-8) and gives you an
28
The
differences
between SMEs
and large
enterprises
related to the
ISO
requirements
easy to use overview of those requirements, which may require a

particular approach when implementing the standard in a SME.
The correspondence table is drawn up according to clauses and
requirements of the ISO 9001:2008 standard.
29
Table 3.2 The ISO related differences between SMEs and large enterprises in a nutshell
ISO 9001:2008 standard Correspondence table
Clause
Large enterprise
SME
4.
4.1

General
Quality management system has to be established, documented,
requirement implemented, maintained and continually improved in accordance with
s
requirements of ISO 9001:2000.
4.2
Documentati
on
requirement
s
5.
5.1
Management
Managemen
t
commitment
30
Comments
If an organization will claim or imply

conformity to ISO 9001:2008, then it
may not exclude from its QMS
requirements that do not meet the
criteria stated in clause 1.2 Application
of the standard.
Documented statements of quality
Documented statements of quality
Quality policy is the basic unifying
policy and quality objectives. Threepolicy and quality objectives
document declaring the needs of the
level documentation (quality manual, Two-level documentation (Quality
enterprise and its customers; it should
regulations, work instructions).
include a long-term vision
manual and work instructions).
High number of users = high number Obligatory regulations broadly
Quality objectives have to set up
of copies, partial documentation
discussed in the Quality manual
concrete milestones on the way to fulfill
centres, voluminous system
the vision
Low number of users = low number of
documentation, usually electronic
copies,
one
documentation
centre.
Quality manual by SMEs the most
version (intranet), hypertext links,
way to describe the interaction
links to related documents, forms etc. Form more simple, e.g. Quality manual suitable
between processes of the QMS may be
in
form
of
one
file
folder
with
all
related
Documents and records have to be
the graphical one; in some cases process
documents including example forms
controlled.
cards or hyperlinks in electronic
used for records etc.
documents may be advised
Documents and records have to be
controlled.
The ISO 9001:2008 edition previews that
a single document may include the
requirements for one or more
procedures.
responsibility
Management usually consists of
Owners as managing directors directly By SMEs this field is quite often left out.
several responsible employees
control the company. A specific case is But even in their case, the management
(managing director, directors
a one-owner-company, where the
has to specify its vision and long-term
specialists). The companys owner
management is executed directly by
intentions related to the business
may stay outside QMS (stock
the owner, who does not need a
subject, own optimal product and its
corporation).
management meeting to make
presentation on the market. The
strategic decisions.
intention of a SME can be e.g. to become
partner of a certain client (supplier of an
automotive industry or electroengineering subject), in the case of
commerce or services e.g. to be
authorized partner (dealer or service
provider) etc.
The management shows personal
involvement and activity while improving
the QMS and stimulating continual
improvement through internal message
about the importance of meeting
customers requirements and
requirements imposed by related
5.2
Customer
focus
Usually, information source for the

companys orientation is own
marketing. Customers needs are to
be understood as market potential
having identified it prevents wrong
decisions regarding future orientation.
Information for companys future

orientation mostly won due to
membership in associations, internet
etc.
Own marketing limited, possibly due to
relative high costs.
5.3
Quality
policy
Basic unifying document declaring the results desired by the enterprise. It

should be appropriate to the purpose of the organization and include a longterm vision. It should include the commitment to comply with requirements
and continually improve the QMS. The quality policy provides a framework for
establishing and reviewing quality objectives.
All employees should be aware of the declared quality policy of the
organization.
5.4
Planning
5.5
Responsibili
ty,
authority,
communicat
ion
5.6
Managemen
t review
superior laws and standards.

Both managers and employees of SMEs
usually are more directly motivated to
lead the company towards prosperity
and thus to satisfy old and to attract new
customers.
Even in the case of SMEs, the

management has to specify its vision
and long-term intentions related to the
business subject, own optimal product
and its presentation on the market. The
intention of a SME can be e.g. to become
partner of a certain client (supplier of an
automotive industry or electroengineering subject), in the case of
commerce or services e.g. to be
authorized partner (dealer or service
provider) etc.
Detailed financial plan and exact
Annual plan in financial indicators,
Planning is an integral part of any
calculation of development expenses. cash-flow depending on development
enterprise management. In the case of
expenses, main activity often
SMEs, however, some of the plans (e. g.
Factual production plan
controlled by operative plan.
investment plan, training plan etc.)
might be understood only as a
Establishing measurable quality
Establishing
measurable
quality
framework and may be controlled
objectives consistent with quality
objectives
consistent
with
quality
operatively according to actual cash-flow
policy.
policy.
development.
Branched organizational structure,
Simple organizational structure, often
Appointing a member of management
easier defining of authorities and
cumulated functions. When distributing responsible for the QMS is essential. It
responsibilities, executive and control responsibilities and authorities,
has to be a strong leader provided with
functions.
specifics of the SME and characteristics authority to coordinate the whole
individual managers have to be
system. While there is usually a new
Management representative is usually of
taken into account.
position established in large enterprises,
a member of top management, can
in micro enterprises the task is often
be helped in QMS administrative tasks Management representative for QMS
over by one of the managing
by an employee.
usually has other cumulated functions. taken
directors or by the owner himself.
Sophisticated means of
Elementary communication means
communication (e.g. intranet)
(e.g. joint management and production
meetings)
Complex report on given period as Complex report on given period as
Management review means a
input for management review.
input for management review.
recapitulation of the whole QMS in
periods (annual, biannual). Unlike
Review during a management
Documented owners standpoint to the regular
other system requirements, applied by
meeting, documented in minutes,
report (by companies, where the
SMEs already before the implementation
formulated remarks and actions
influence of management meeting
of QMS, it is not common in SMEs to
resulting from the evaluation.
members on the owner is only
execute management review in an
advisory),
including
specification
of
extent requested by the standard. In the
New challenges for Quality objectives actions if necessary.
context of strategic management such a
or continual improvement program.
standstill and recapitulation is very
Review of quality objectives.
useful. The standard requires decisions
to be made based on facts, not opinions.
In the context of management review
original intentions, objectives and
resulting tasks can be modified.
31
6.
6.1
6.2
6.3
6.4
7.
7.1
32
Resource management
Provision of Detailed financial plan and exact
resources
calculation of development expenses.
Planned resources respecting the cashflow oscillation in the course of the year.
Even an SME should determine resources

needed to implement and maintain the
QMS and to meet quality objectives and
should specify how the resources will be
provided. In the case of SME, distribution
of resources during the year might be
controlled operatively according to
cash-flow development.
Good personnel work can be done even in
Human
Human resources department/section
Cumulated personnel work and training
an SME. It is necessary to evaluate the
resources
with divided personnel and educational management.
performance and reserves of every
activities.
employee and to plan the use of it in a
Map
of
companys
qualification
structure,
broader context, in new fields or at least
Map of companys qualification
specification
of
work
positions.
by conserving the actual state. Employees,
structure, specification of work
however, have to feel that they are
positions, personal development plans.
followed and evaluated and that the
company counts on them. The most
Evaluation of employees through
suitable form of applying the requirement
interview. Annual training plan.
is a simple evaluation of ability and
Annual training plan.
planning personal development of every
Evaluation of training quality and
single employee (regular detecting of
effectiveness.
Training evaluation.
training needs, training plans, evaluation).
Use of experience and ability of employees
is typical for SMEs-service providers,
where the quality of the service often
depends on experience of single
employees.
SMEs often develop their infrastructure
Infrastructur Demanding, large infrastructure.
Rather simple infrastructure.
more dynamically than large enterprises.
e
Continual detecting of the means needed
Infrastructure development planning Infrastructure development realized
based on long-term strategic plans, under conditions of more simple decision to ensure conformity of the products
involves technology, measuring devices,
making use of different investment making processes (owner makes shortinformation system, car park,
studies and scenarios.
term decisions based on actual
communication technologies, work tools
resources).
for employees. It is to be recommended to
Annual maintenance plan.
Annual maintenance plan.
improve the infrastructure development
plan in relation to quality objectives.
Work
The organization determines and
The organization determines and
As an SME: do not forget to fulfill
environment manages the work environment
manages the work environment needed requirements of related laws and
needed to achieve conformity to
to achieve conformity to product
standards, as well as obligatory revision of
product requirements.
requirements.
state authorities!
Besides control of compliance to
obligatory requirements of related laws
The ISO9001:2008 edition pays special
and standards (according to sector and
attention to the management of the work
field of activity) additional surveys are
environment needed in order to achieve
carried out on the impact of work
conformity to sales requirements.
environment on the quality of the
product (especially in production
companies).
Product realization
Planning and Main activity (production) usually
If the production cannot be long-term
Even in an SME it is useful to set
product
planned in an annual or quarterly
factual planned (company satisfies
requirements for the product.
realization
detailed factual plan. Planning
direct demand of individual customers), Consequently, there should be records
quality, detecting risks.
than a planning in e.g. financial
providing evidence that the realization
indicators is necessary.
Products as well as production
Products as well as production
processes have to meet requirements processes have to meet requirements
defined by laws and superior
defined by laws and superior
standards.
standards.
7.2
Customerrelated
processes
Review of order acceptance has always Records on order acceptance review

to be documented (at least simplified), make part of controlled documentation.
even if the owner decides.
By SMEs the development of the product

often happens by the customer, which
can be qualified as not fulfilling of the
requirement and may be even reason for
exclusion.
7.4
Purchasing
List of suppliers for a limited period

derives by running companies from
repeated evaluation. Members of
production and technical control
department should be involved in the
evaluation.
The company has an own test room,
where input control of purchased
material is executed and its release
into production approved.
It is used to execute customer audits
by supplier.
Cases appear, that companies ensure

development mainly utilizing cooperating experts. This demands
proper documentation reflecting
requirements of clause 7.3. of the
standard.
Evaluation of suppliers for a limited
period and documenting of the list of
approved suppliers has to be done
even if a strong accumulation of
information and responsibilities exists.
Acquiring output control results and
certificates from the supplier can
replace the input control tests.
7.5
Production
and service
provision
Production or providing services is

usually operated according to own
documentation and procedures.
Processes being verified.
All material in production is properly
signed, marking enables backward
tracing of all relevant information.
Procedures for providing service of
own products exist, service
realization documented.
Production or providing services often

carried out according to documentation
or procedures delivered by the
customer. Documentation verified and
released before use. Processes verified.
Procedures for providing service of own
products doe not always exist.
If there is no service for own products

provided and there is a co-operation with
a service provider assigned instead. This
co-operation has to be exactly specified
(especially quality requirements).
7.6
Control of
monitoring
and
measuring
devices
In the frame of QMS laws on

metrology usually count as superior
standard. Member of metrology
department participates in
management.
Calibration of measuring devices
often provided internally. If the
company uses to do calibration of
If there is no management member

appointed as responsible for
compliance with laws on metrology,
than this responsibility lies
automatically on the managing director
of the company.
Calibration of measuring devices is
usually provided by an external
Even if calibration of measuring devices

is carried out externally, in the company
there has to be kept documentation that
meets requirements of clause. 7.6 of the
standard.
7.3
During the decision process regarding

order acceptance all managers
influencing the order have to make
their comments. The standpoint has
to be documented (recommended in information system).
Negotiations with customer
specifying the contract are
documented.
Design and
The company usually disposes of own
development capacity for product/processes
development.
process and the product meet set

requirements.
Even by SMEs evaluation of suppliers

forms an important input for preventive
actions and negotiations with partners.
In the organization a permanent drive for
evaluation has to be evident.
33
measuring devices itself, calibration

procedures have to be defined.
34
competent center.
8.
8.1.
Measurement, analysis and improvement

General
The organization shall plan and
implement processes needed to
demonstrate conformity of the
product, ensure conformity of the
QMS and its continually
improvement.
Used methods should be defined,
including statistical methods (if
applied).
8.2
8.2.1
Monitoring and measurement

Customer
Besides top management also
Relevant information on customers
satisfaction
members of other departments have satisfaction can usually be collected
the possibility to obtain information
only by top management members or
on customers satisfaction directly
by the owner. Structure of the
from customers, e.g. members of the information needed (checklist) and
marketing or service department.
strategy of its acquisition have to be
Collected information is processed,
worked out beforehand. Obtained
selected, and based on evaluation
information is evaluated, necessary
necessary actions are defined.
actions defined.
Internal
Internal audit plan guarantees that all External auditors can be accepted for
audit
departments and all clauses of the
carrying out internal audits only if standard will be checked up in the
because of a low number of employees
course of current year.
- own auditors cannot ensure internal
without facing conflict of
There is a team of own auditors audits
ensuring the realization of internal interests.
audits. Members of this team are Audit plan for one year worked out in
regularly
retrained,
their
work advance, compliance with
evaluated.
requirements of the standard as well as
extent and content of audits are
Summary of through internal audits
monitored thoroughly.
acquired information forms an
essential part of the management
Audit findings have to be reflected and
review report.
if necessary the QMS improved.
Monitoring
All management and production activities are, to an adequate extent,
and
monitored and evaluated. By specific production processes (e.g. welding,
measuremen surface treatment) may the data, acquired as a result of control, be further
t of
used in the system of product monitoring and measuring.
processes
Monitoring
Control between individual operations Control between individual operations
and
as well as output control is carried
and sometimes also output control
measuremen out by professional inspectors,
carried out by production workers in
t of product members of independent technical
form of self-test. In that case, workers
control department. All types of
are extra trained for control activity
controls are specified in controlling
and based on training they are
and testing procedures.
entrusted with control.
Control documents archived as
Evidence of conformity/authorization of
8.2.2
8.2.3
8.2.4
In SMEs the use of analyses and

statistical methods is
rather restricted.
However, also in SMEs
there are certain
monitoring, measurement
and improvement outputs
and processes such as
management review
report (owners
documented standpoint),
records of nonconformity,
corrective and preventive
actions records etc., which
should be analyzed and
used for improvement.
Even in SMEs the collected information
on customers satisfaction should be
documented in written form even in case
of a strong accumulation of information
by one person.
Even if the audit is ensured by external

auditors, the audit procedure has to be
described and documented According to
requirements of clause 8.2.2 of the
standard.
By SMEs the number of processes liable

to monitoring and measurement will be
considerably lower than by large
enterprises.
Thanks to the controls nonconformities
can be detected.
35
quality records.
36
release should be documented.
8.3
Control of
nonconformi
ng product
Nonconforming (half-finished) product must be separated and protected from

(even unintended) use, assessed and handled in one of the by the standard
accepted ways.
8.4
Analysis of
data
Adequate analyses are a non-excludable instrument for decision making and

management.
8.5
Improvemen
t
The company usually has a separate

document to deal with improvement,
the Continual improvement program.
It expands on declared quality
objectives specifying minor important
tasks.
8.5.2
Corrective
action
8.5.3
Preventive
action
Annual quality objectives include

usually also minor concrete tasks
ensuring development of the
enterprise. Thanks to a frequent
actualization and completion in the
course of the year an up-to-date state
and effectiveness is guaranteed.
The corrective action control system guarantees in both, a large enterprise as
well as a SME, that suggestions for preventing insufficiencies will be evaluated,
a procedure for a corrective action will be established and executed and result
of the action controlled.
The preventive action control system guarantees in both, a large enterprise as
well as a SME, that suggestions for preventing insufficiencies will be evaluated,
a procedure for a preventive action will be established and executed and result
of the action controlled.
Even by SMEs, monitoring and analysis

of nonconformities is one of the inputs to
be considered for decision on a
corrective/preventive action.
The standard requires decisions to be
made based on facts, not opinions.
Monitoring of processes/products and
analysis of acquired data is thus
unavoidable even by SMEs (in
appropriate extent).
Overview of actions undertaken to
improve the QMS forms a part of the
complex report on given period (being
input for management review).
Every corrective action has to be
proportional to consequences of
nonconformity stated.
Every preventive action has to be
proportional to consequences of possible
nonconformity.
37
CHAPTER 4. THE STANDARD ISO 9001:2008

4.1.
Introduction
The objective of the chapter 4 of these guidelines is to present the Objective of

requirements as stated in ISO 9001:2008 international standard, the chapter
in an easy to understand way and to give examples of their 4
fulfilment.
A new requirement of the 2000 version standard is the Outsourced
documentation of the control methods of potential outsourced processes
processes of the company (TC 176, ISO 9000 Introduction and
Support Package: Guidance on "Outsourced processes"). This
element refers only to outsourced processes that may affect
product conformity with specific requirements. For example, if an
apparel industry outsources the clothes sewing or processing, the
control methods over the external supplier must be documented,
as well as their results.
Structure of
the chapter
Chapters 4.2 presents the main characteristics of ISO 9001:2008 4

standard that differentiates it from the version ISO 9001:1994
Chapter 4.3 presents the standards ISO 9000 and ISO 9004 that
are related to ISO 9001.
Chapters 4.4-4.8 include the respective clauses 4-8 of the
standard and their interpretation. In this way it is easy for the
beginner as well as for the advanced reader to study this
guidelines in relation to the standard, so as to understand it better
and fulfil the requirements.
4.2.
Characteristics and contents of ISO 9001:2008

standard
ISO 9001:2008 is a quality management system international

Introduction
standard, issued by ISO. It was first issued in 1987, based on the to ISO
British standard BS 5750. It was first time revised in 1994 (series 9001:2008
ISO 9000:1994), second time in 2000 (series ISO 9000:2000) and
the last revision is that of 2008.
This new version contains no new requirements. It contains only a
few changes and clarifications in Notes. The points of
clarification focus on outsourcing, documentation, management
representative, employee competence, design verification and
validation, process monitoring, control of nonconforming product
and corrective and preventive action.
Main
characterist
ics of the
current
version of
ISO 9000
The international standard ISO 9001:2008 maintains the process Process

approach of the previous version. As process is defined any approach
activity that receives inputs and converts them to outputs. The
processes of the company are linked together and outputs from
one process can be input to another.
The systematic identification and management of the processes
employed within an organization and the interactions between
38
such processes may be referred to as the process approach.

The company has to identify and analyse its processes and their
interactions and document them in the extent that it is needed to
ensure their good performance.
The standard categorises company processes in 4 categories:
Management
Resources management
Product realisation
Measurement, analysis and improvement
ISO 9001:2008 pays special attention to the fulfilment of customer Customer

needs and expectations. One of the main responsibilities of top oriented
management is to ensure that customer needs and expectations
are determined, converted into requirements and fulfilled with the
aim of achieving customer satisfaction as stated in paragraph 5.2.
Chapter 7.2 of the standard describes in detail the way, with which
management shall identify and review customer requirements.
According to paragraph 7.2.1 regulatory and legal requirements
should also be taken into consideration.
In addition paragraph 8.2.1 states that the company shall establish a
way to monitor and measure customer satisfaction.
0 Introduction
0.1
General
0.2
Process approach
0.3
Relationship with ISO 9004
0.4
Compatibility with other management systems
Contents of
the
standard
1 Scope
1.1 General
1.2 Application
2 Normative reference
3 Terms and definitions
4 Quality management system
4.1 General requirements
4.2 Documentation requirements
5 Management responsibility
5.1 Management commitment
5.2 Customer focus
5.3 Quality policy
5.4 Planning
5.5 Responsibility, authority and communication
5.6 Management review
6 Resource management
6.1 Provision of resources
6.2 Human resources
6.3 Infrastructure
6.4 Work environment
39
7 Product realization
7.1 Planning of product realization
7.2 Customer-related processes
7.3 Design and development
7.4 Purchasing
7.5 Production and service provision
7.6 Control of monitoring and measuring devices
8 Measurement, analysis and improvement
8.1 General
8.2 Monitoring and measurement
8.3 Control of nonconforming product
8.4 Analysis of data
8.5 Improvement
4.3.
Other related standards
Directly related to ISO 9001:2008 are the standards ISO

9000:2000 and ISO 9004:2000. These two standards do not have
a certification value.
ISO 9000:2000 Quality management systems - Fundamentals and ISO
vocabulary has double scope. At first it provides the fundamental 9000:2000
concepts for quality management systems in an informative way.
Secondly it provides the terminology used in the ISO 9001
international standard. This second part has a normative character.
ISO 9004:2000 Quality management system Guidelines for ISO
performance improvement is an independent standard that may be 9004:2000
used in relation to ISO 9001:2000 standard. ISO 9004 has similar
structure with ISO 9001, so that the two standards can be easily
used together. ISO 9004 is wider in scope than ISO 9001, focusing on
companys overall performance improvement. ISO 9004:2000 are
not guidelines for implementing ISO 9001:2000 and is not intended
for certification or contractual use. The two International Standards
are designed to be used together, but can also be used
independently.
4.4.
Quality Management System (clause 4)
This chapter follows the structure and content of ISO 9001:2008

standard in order to facilitate its interpretation. When appropriate,
there are citations of the ISO 9000:2000 and ISO 9001:2008
standards and applications of standard requirements in practice.
40
Words or sentences marked with apostrophe and italic

(italic) are direct citations from ISO 9000:2000 and ISO
9001:2000 standards.
Reference of each chapter to the ISO 9001:2000 standard

is presented after titles (e.g. clause 4.1).
Documented procedures and records required by ISO

9001:2000 are marked with a picture of book.
4.4.1.General Requirements (clause 4.1)
The organization shall establish, document, implement and

maintain a quality management system and continually improve
its effectiveness in accordance with the requirements of this
International Standard.
Managemen
Establish, document, implement and maintain` should not be t system
interpreted as separate words. Instead, it is expected to see a

functioning management system to direct and control an
organization with regard to quality, e.g. encouraging organizations
to analyse customer requirements and defining the processes that
contribute to the achievement of a product 5.
The focus should be on continually improving the systems ability
to produce conforming6 products in an effective and efficient
manner. Improvement refers to the actions taken to enhance
the features and characteristics of products and/or to increase the
effectiveness and efficiency of processes. The term continual
recognises that improvements may be made in a step-like
manner and not necessarily as a smooth, joined-together flowing
process.
The only part that ISO 9001:2008 standard requires to be
documented
concerns
here
the
chapter
4.4.2.
Documentation Requirements. Otherwise organizations can by
themselves determine the necessary level of documentation. Also,
it is completely within their rights to manipulate order of the
standard to suit own needs, e.g. by rearranging the standards
clauses into a more practical sequences. Although documentation
requirement concerns only one chapter, our recommendation is to
document also the processes (discussed below), because by
documenting them many of the standard requirements will be
5
Product: result of a process i.e. result of a set of interrelated or interacting activities which
transforms inputs into outputs (process: set of interrelated or interacting activities which
transforms inputs into outputs)
6
Conformity: fulfilment of a requirement. Requirement: need or expectation that is stated,
generally implied or obligatory. Nonconformity: non-fulfilment of a requirement.
41
rather easily met, such as control methods, which as a separate

matter are otherwise difficult to prove to the auditor.
ISO 9001:2008 states that the top management in an organization
shall ensure the planning of the Quality Management System,
including following six (af) clauses:
a) Identify the processes and their application:
Identification of processes means that all essential activities that

are needed to produce the products or supply the services (or
both) should be identified, including management activities,
provision of resources and measurement. Processes are discussed
in detail in chapter 4.7.
Identification of processes and their application can be

documented (e.g. process map), but also an obvious knowledge
base shared by all practitioners might suffice. Although
documentation is not specifically required, it is recommended
since it is an illustrative and useful communication tool about
organizations mission.
Process
map
b) Determine the sequence and interaction of processes:
This is a follow-up to a) above. A useful and demonstrative tool

showing sequence of processes and linkages between them is a
process map. Since it presents all essential activities, it actually
clarifies the whole meaning of an organization, a reason for its
existence (mission). Usually a process map is a one-page
illustration showing the sequence and interaction of top-level
processes and including indicators for lower level processes and
additional information.
Process map is not a requirement of ISO 9001:2008, and

sometimes a text-only description might be more suitable in some
organizations. Example of a process map is presented in the
figure below. The map is an artificial example of the process map
Measurement
of processes
Information
management
C
O
R
E
P
R
O
C
E
S
S
E
S
Management
Order entry
- Shipment
-Production
Design and Development
CUSTOMER
Finance
ADP
Cleaning
andSecurity
Figure 4.1 Process map of a construction company

(artificial)
in a construction company:
42
CUSTOMER
Technical support an Maintenance
In this process map there are three core processes which serve
Process
the external customers and bring money to the company (the
flow chart
outputs of core processes are those that a customer buys from
the company; that is why the customer is presented in the map).
At the top there are three boxes including management,
information management and measurement of processes. There
are activities applied to all processes in the company e.g. where
management includes strategic decision, quality policy,
management reviews etc. Below the core processes there are
supporting activities finance, ADP and cleaning and securing
to support the performance of core processes. When seeing this
one page map, it easily presents the purpose of the company i.e.
what products and services it sells to customers and what
activities and resources are needed to produce them and to
support them.
In addition to a process map, many organization use second-level

models displaying one box of the process map in a more detailed
way. The most popular model is a process flow chart (see figure 6
as an example of a process flow chart). They identify inputs,
resources, process owner, control methods, outputs, records and
other necessary information concerning the process. The thirdlevel models are usually too detailed to be displayed in a model,
and thus they are usually defined in work instructions.
43
Name of the process: Order entry-Production-Shipment

Owner: General manager/production manager
Objectives: To process orders from order entry to a finished
product in less than five days
IN
- Customers order
- Drawings etc.
Review
-Do we have enough
or raw material?
-Are we able to
produce in
time?
Order entry to computenzed system

-Instructions and drawings to
production
-Acknowledgement to customer
Packaging
Transport
arrangements
Paperwork
Shipment to customer
Production or take out
from inventory
END
NO
Inspection
OK
Figure 4.2 Artificial example of process flow chart
According to Oxebridge Quality Resources, Inc. (2003) graphical

process models provide a number of benefits, including:
-
providing employees with an understanding of how the

processes they perform affect subsequent processes,
departments and employees
providing a means for employees to understand what their

internal customers (the subsequent processes shown on the
diagrams) need from them
providing a quick and easy snapshot of a process that can

link to subsequent, and more detailed, instructions or
documents
providing a single place to summarize all important aspects of

a process, including its objectives and owners.
c) Determine criteria and methods needed to ensure that both

the operation and control of processes are effective:
This involves a set of policies, procedures, requirements and
methods, that are needed to ensure a smooth operation of
processes. Usually they are self-evident matters such as
44
Statistical
tools (e.g. 7
quality
tools)
previews if all necessary information is included, procedures

completed and parameters met, and other practical things to
be checked out about activity in question.
This clause addresses the use of statistical tools in the control
of processes. The tools and methodology of Statistical Process
Control (SPC) and Six Sigma can be too difficult for small
enterprises, but some of them e.g. histogram, scatter diagram,
fishbone chart and control chart, which all belong to Seven
Quality Tools, are rather easy-to-use tools. The use of statistical
tools is recommended by ISO 9001:2008, but they are not
compulsory.
To summarize data from a process

that has been collected over time,
and
graphically
present
its
frequency distribution in bar form
(Brassard & Ritter 1994).
To study and identify the possible

relationship between the changes
observed in two different sets of
variables (Brassard & Ritter
1994).
To identify, explore, and graphically

display, in increasing detail, all of the
possible causes related to a problem
or condition to discover its root causes
To monitor, control, and improve

process performance over time by
studying variation and its source
Figure 4.3
Some of the 7 quality tools
d) Ensure the availability of resources and information

necessary to support the operation and monitoring of
processes:
Resources include human resources, infrastructure and work
environment. They are discussed in chapter 4.6.
e) Monitor, measure and analyse processes:
Usually monitoring and measuring are done as an integral

part of the operation. It means that the performance of
processes should be evaluated and rated somehow, in
order to analyze whether they perform well and produce
expected results. Many times the terms inspection and test
45
are used synonymously with monitoring and measurement.
Example of a metric in order processing-productionshipment process (a process starting from order entry, then
proceeding to production, shipment to the customer and
finally ending to the point when customer receives the
delivery) is the number of shipments delivered in time. Its
sub-processes, e.g. production, might have their own
metrics such as raw material consumption and machining
time. Some of the metrics equal to quality objectives, which
are discussed in chapter 4.4.2.
f) Implement actions necessary to achieve planned results

and continual improvement of processes:
This is a claim that the processes must perform as indicated in
clauses a)e) and continually improve their ability to do so. It is up
to every organisation whether it chooses to document these
clauses or not.
4.4.2. Documentation Requirements (clause 4.2)
ISO 9000:2008 defines document as information and its Document

supporting medium7. It can be a record8, specification9,
procedure document, drawing, report or standard.
Documentation shall include:
a) Statements
objectives:
of
quality
policy
and
quality
Quality
Quality policy: Overall intentions and direction of an policy
organization related to quality as formally expressed by top

management.
There is no specific description of the structure and the contents
of quality policy, but there are some principles to follow: Firstly, it
is the uppermost document to address the commitment of top
management to continually improve systems ability to comply
with requirements (incl. description of what is meant by continual
improvement). Furthermore, it has to be aligned with any other
7
Medium: paper, magnetic, electronic or optical computer disc, photograph or master sample, or a
combination thereof.
8
Record: document stating results achieved or providing evidence of activities performed
9
Specification: document stating requirements, e.g. procedure document, process specification
and test specification, product specification, performance specification and drawing
46
policy and aims of the organization, be communicated,

understood and found meaningful, and be used as a framework
for setting various objectives. It is important to show dedication to
improve competence and empower personnel, and to meet
statutory and regulatory requirements and interests of
stakeholders.
Usually quality policy is a one page statement signed by the top
manager. It doesnt need to be contained in the quality manual,
nor to be signed. Since quality policy is a formal part of the QMS,
it is usually included to the manual and signed by top
management to show evidence of its endorsement.
Example of quality policy (abridged and artificial version):
Our mission is to be a leading supplier of high quality products (name of
the products) in Scandinavia and Northern Europe. This vision will be met
by:
-
Providing goods which consistently exceed the expectations of our

external customers.
Involving all our employees and partners in an effort to continually

improve the value of our products, services and processes.
Ensuring that when complaints are received, they will be responded
in a timely manner with a view to eliminate the root cause and Quality
prevent recurrence.
objectives
In order to achieve these objectives, it is important that all our employees

understand this quality policy and associated quality objectives. We will
continuously make an effort to comply with the requirements of ISO
9001:2008 and improve the effectiveness of our Quality Management
System.
Quality objectives: Something sought, or aimed

for, related to quality...Top management shall ensure that
quality objectives, including those needed to meet
requirements for product, are established at relevant
functions and levels within the organization. The quality
objectives shall be measurable and consistent with the
quality policy.
Quality objectives are realistic objectives converted from the
quality policy and focused on all critical activities in the
organization. It is advisable to link objectives to quality policy,
because it makes the policy more understandable and concrete,
and it is easier for personnel to see what is their contribution to
achieve objectives and finally, how the objectives support
intentions of quality policy. Of course, not all the objectives and
associated metrics have a visible link to quality policy, but at least
they align with the general direction.
According to ISO 9001:2008, the objectives shall be measurable,
47
which usually means a comparison with some fixed unit of a

known size and capacity. An example of converting objectives and
metrics from the quality policy is presented below. Not all
objectives are measurable, and for them there should be some
other measuring system to suit particular purposes of the
organization.
Example:
See the previous chapter of quality policy: ... Ensuring that when
complaints are received, they will be responded in a timely manner..
OBJECTIVE: a quick response time to customer complaints
METRIC: database of complaints (If a written form is used for processing
of customer complaints, it is easy to see how many complaints have
been responded to and at what response time)
Same sentence continues with:

...with a view to eliminate the root cause and prevent recurrence.
OBJECTIVE: Elimination of causes and prevention of recurrence
METRIC: Number of corrective and preventive actions
Quality
manual
Objectives can even be expanded to each process, because every

process has an objective and it exists to accomplish something,
whether it is known and written down or not. As presented earlier,
a metric of order processing-production-shipment process could
be the number of shipments delivered in time to the customer.
Management can keep specific numeric goals for objectives (e.g.
90 % of complaints responded within one day; 0 % corrective
action rate). Usually it is advisable to keep them separate at
management use only, because updating of numeric figures would
require too frequent revision of quality policy, and also less than
100 % figures may be offensive to the customer.
b) A quality manual
A quality manual is a must, it must exist. It can be a printed or
electronic document, but it can vary in detail and format to suit
best the purpose of an organization. Quality manual specifies the
Quality Management System of an organization and proves that
all ISO 9001:2008 requirements are met.
If some requirements cannot be applied due to the nature of an
organization and its product, they can be excluded. However, the
exclusions are limited to requirements within clause 7 (chapter 4.7
here). Such exclusions shall not affect the organizations ability, or
responsibility, to provide product that meets customer and
applicable regulatory requirements. The fact that a specific
process (e.g. manufacturing, design & development) is outsourced
is not a justification for the exclusion. Instead, the organization
Documente
must be able to demonstrate that it has sufficient control to d
ensure such processes. Possible exclusions can be for example
procedures
48
Design and development; where the organization has no (mandatory
responsibility for the design and development of the products

it provides.
-
Identification and traceability; applicable where there is no

specific traceability requirement for the organizations
products.
Customer property; where an organization doesnt use

customer property in its product or product realization
processes. However, if the customer provides a proprietary
design for the product, it cannot be excluded.
Control of monitoring and measuring devices; where the

organization doesnt need monitoring or measuring devices to
provide evidence of conformity of its product (e.g. in service
organizations).
c) Documented procedures required by ISO 9000

The mandatory documented procedures include
-
control of documents; There shall be a documented

procedure in the quality manual about how to approve and
update documents, how to store and protect them (e.g. back
up of files, safe deposits for documents, retention time), how
to control and update external documents like industry
standards and customer drawings and how to prevent
unintended use of obsolete documents. At some point it is Other
advisable to name an authorized person to carry out these documents
activities.
control of quality records; The same procedure as above,

applying to records presented in section e).
internal audit; Documented procedure about how to

conduct internal auditing: how often, what activities and areas
of the system to include, who will report etc. See chapter 4.8
for more information.
control of nonconforming product; Documented procedure

about how to control nonconforming product. See chapter 4.8
for more information.
corrective action; Documented procedure about how to

review nonconformities, determine their causes, implement
action needed, document results and review corrective action
taken. See chapter 4.8 for more information.
preventive action; Documented procedure to detect root

causes for nonconformities in order to prevent nonconformities
to occur in the first place. See chapter 4.8 for more
information.
d) Documents needed to ensure the effective
planning, operation and control of processes
Mandatory
49
records
There are several requirements of ISO 9001:2000 where an

organization could add value to its Quality Management System
and demonstrate conformity by the preparation of other
documents, even though the standard does not specifically
require them. Examples may be:
-
process maps, process models/flow charts
organization charts
specifications
work and/or test instructions
documents containing internal communications
production schedules
approved supplier lists
test and inspection plans
quality plans. (ISO/TC 176/SC 2: 4).
These documents are not mandatory, but by using them many of

the standard requirements will be quite easily met. They act as a
documented proof to auditors about meeting the requirements, at
the same time communicating them effectively to own
employees.
e) records required by ISO 9000
These are the records specifically required by ISO 9001:2008.
Examples of each record are presented too.
50
Table 4.1
Records required by ISO 9001:2008
Clause
Record
require
d
5.6.1
Records from management reviews

Example: Table of minutes, memo or equivalent document presenting
the results and actions made in a management review.
6.2.2
(e)
Records of education, training skills and experience

Example: An Excel-table including information of employees
education and work history, training during current employment,
specific skills etc. => All in one database; easier to predict future
training needs. Alternative records are copies of curriculum vitae,
certificates and attendance sheets from training.
7.1 (d)
Evidence that the realization processes and resulting product fulfil

requirements
Example: Usually these are normal delivery documents, such as work
orders or equivalent documents.
7.2.2
Results of the review of requirements related to the product and

actions arising from the review
Example: The record of the review can be e.g. a signature on a quotation
or an order-entry into a computerized system. The idea is to check if all
customer requirements can be met by checking e.g. raw material
availability and delivery time.
7.3.2
Design and development (inputs for R & D, review and verification of

results against the input requirements, validation prior to delivery or
implementation)
Example: A memo, drawing or equivalent document to present all
needed information, including product parameters, possible
amendments, accomplished results and authorized validation of the
product prior to delivery or implementation. The use of planning tools
or organizations own models of conducting design and development
is advisable.
7.4.1
Results of supplier evaluations and any necessary actions arising from

the evaluations
Example: This can be discussed during internal auditing and be
reported in the table of minutes.
7.5.2
(d)
Demonstration of the validation of processes where the resulting

output cannot be verified by subsequent monitoring or measurement
Example: A document showing acceptance of tolerances
parameters.
7.5.3
and
Record of the identification of the product, where traceability is a

requirement
Example: Usually a work order includes information for traceability.
7.5.4
Reports on customer property that is lost, damaged or otherwise

found to be unsuitable for use. ISO 9001:2008 previews that
customer data are also considered as customer property and have to
51
be protected.
Example: The use of internal complaint form.
7.6 a)
Records on calibration and verification (basis for calibration or

verification of measuring equipment where no international or national
measurement standards exist; results)
Example: Memo of calibration.
8.2.2
Internal audit results and follow-up actions

Example: Documented audit report.
8.2.4
Indication of the person(s) authorizing release of product

Example: Usually stated on a work order.
8.3
Nature of the product nonconformities and any subsequent actions

taken, including concessions obtained
Example: The use of internal complaint form.
8.5.2
Results of corrective action

Example: Nonconformities are documented using an internal
complaint form or a written complaint sent by the customer.
Nonconformities are discussed and corrective actions composed
(useful tools: fishbone, brainstorming). Results are documented on
table of minutes and relevant instructions and information distributed
to personnel.
8.5.3
Results of preventive action

Example: The use of different methods (such as Failure Mode and
Effect Analysis, FMEA) to detect root causes i.e. factors that can, at
some point in the future, cause conformities such as customer
complaints or deficiencies in products.
4.5.
Management Responsibility (clause 5)
4.5.1. Management Commitment (clause 5.1)
Top management10 shall provide evidence of its

commitment
to
the
development
and
10
52
implementation of the quality management system

and continually improving its effectiveness by
a) communicating to the organization the importance of
meeting customer as well as statutory and regulatory
requirements,
b) establishing the quality policy,
c) ensuring that quality objectives are established,
d) conducting management reviews, and
e) ensuring the availability of resources.
All the above mentioned 5 ways (ae) are mandatory options for
the top management to prove its consistent support to the
development, implementation and continual improvement of the
Quality Management System. Options be are discussed as own
subsequent chapters. Option a) is discussed in the next chapter
and chapter 4.7.2. In addition to customer requirements, the
management should also ensure that all statutory and regulatory
requirements are identified, communicated in the organization
and updated for the latest version. Statutory and regulatory
requirements can be in written or electronic form, since many of
the requirements are available within public databases on the
internet.
4.5.2. Customer Focus (clause 5.2)
Top management shall ensure that customer

requirements are determined and are met with the aim
of enhancing customer satisfaction.
This sentence is quite superfluous, because its requirements are
discussed in several references in the standard. For example,
during the management reviews customer requirements and
priorities and process performance can be discussed and
necessary actions taken.
The sentence itself emphasizes the obligation that top
management takes an active and leading role in ensuring all of
the customer requirements. Many times though this is achieved in
normal checking and other practical procedures accompanied with
good customer and internal communications. It is something that
53
every organization should know: what are those properties in our

products and operations (e.g. product properties, maintenance
availability, means of delivery, quick response time) that the
customer appreciates the most? By writing these down in the
quality manual many of the standard requirements will be met.
4.5.3. Quality Policy (clause 5.3)
Quality policy is the premier document to address the

commitment of top management to continually improve systems
ability to comply with requirements. It is strongly emphasized in
the standard that quality policy must be issued by the top
management. Quality policy was earlier discussed in detail in
chapter 4.4.2. a).
4.5.4. Planning (clause 5.4)
Planning includes the establishment of quality objectives and

planning of the Quality Management System, both being
responsibilities of top management. The establishment of quality
objectives was earlier discussed in chapter 4.4.2 a). Likewise, the
planning of QMS was discussed in chapter 4.4.1 a)f).
When there are changes to QMS (e.g. because of corrective and
preventive actions or because of adaptations to specific market,
customer preferences or to statutory/regulatory requirements),
their effect on present procedures and conflicts with the system
has to be considered.
54
4.5.5. Responsibility, Authority and Communication (clause

5.5)
Top management shall ensure that responsibilities

and authorities are defined and communicated
within the organization.
Each person in charge of some critical activity must have a
precise conception of their assignments. Typically the
responsibilities and authorities appear as part of several
documents, such as assignment contracts, organisational charts
and process maps. When responsibilities and authorities are not
documented, they have to be communicated otherwise, for
Management
example during classroom training.
ISO 9001:2008 also requires that top management has to appoint
a management representative to look after QMS affairs and to
report about them to the top management. Usually the
representative organizes internal audits, reports on performance
to management, monitors customer complaints and effects of
corrective and preventive actions etc. It is intended that the
representative is a regular member of the management team. His
authority and responsibility has to be defined and communicated
as any other assignment.
representativ
e
Internal communication within the organization must be effective

to ensure, that correct information is transmitted from one
function, process or individual to another.
4.5.6. Management Review (clause 5.6)
Top management shall review the organizations

quality management system, at planned intervals, to
ensure its continuing suitability, adequacy and
effectiveness. This review shall include assessing
opportunities for improvement and the need for
55
changes to the quality management system,

including the quality policy and quality objectives.
The idea of the reviews is that the top management review of the
performance of the system at certain intervals laid out
beforehand. There is no maximum interval specified in the
standard, but a common practice is to have them once per year or
more frequently if needed.
The idea of the reviews is to analyse the information of audit
findings (including corrective and preventive actions), customer
complaints, process capabilities, performance indicators, product
conformance, improvement activities, needs for a change and any
other relevant issues in order to see where we are now and how
we have operated, and where we want to go. A common practice
is that the management representative collects the information
from relevant persons and forwards the report for a management
review. Decisions from previous management reviews should also
be included, which could be a separate page attached to a
minutes of the review.
The results of the review can lead to updates of QMS, policies and
objectives, actions to increase customer satisfaction or overall
effectiveness, allocation of necessary resources and to some other
actions needed to improve the performance of QMS.
The ISO 9001:2008 standard specifically requires a documented
record from management reviews.
The format of the record is informal, it can be e.g. a
conventional minutes of meeting.
The way of conducting reviews is up to an organisation to decide:
they can be dedicated reviews or combined with any other
relevant management activity.
4.6.
Resource Management (clause 6)
The standard ISO 9001:2008 requires that the organization should

identify the resources needed to support and improve the quality
systems processes, and to achieve customer satisfaction. Resources
include human resources, infrastructure and work environment.
Concerning human resources, the standard requires that before
56
organizations assign personnel to an activity they will first have to

define a minimum competence requirement for the activity in terms
of education, training, skills and experience. This may be handled by
e.g. job descriptions, although specific documentation requirement
doesnt exist. Furthermore, the standard requires that if there are
competence gaps, the organization has to provide training or take
other actions to fill the gap. It is stated in the standard that the
personnel has to be aware of the relevance and importance of their
activities and how they contribute to the achievement of quality
objectives. High priority is given to knowing the customer needs.
Training and meetings are some possible ways to ensure this
awareness. The effectiveness of actions taken has to be evaluated
somehow, e.g. by monitoring the process performance.
There is one documentation requirement concerning
human resources management: the organization has to
maintain appropriate records of the individuals education, training,
skills and experience. Some examples of records are curriculum
vitae, copies of certificates and attendance sheets from training.
Alternatively, some organizations may choose to fill in a separate
form for each employee, including their education, work and training
history and extension studies during current employment.
Concerning infrastructure, the organization has to identify facility
needs, provide needed facilities and maintain them, and perform
these actions on two levels: as a part of top managements
consideration and on a individual contract basis. The ISO 9000:2008
standard defines infrastructure as a system of facilities, equipment
and services needed for the operation of an organization.
Infrastructure includes, as applicable, buildings, workspace and
associated utilities, process equipment (hardware and software) and
supporting services such as transport and communication.
Correspondingly, the same standard defines work environment as
a set of conditions under which work is performed (conditions
include physical, social, psychological and environmental factors;
physical conditions including factors such as temperature, humidity,
vibration, air quality, lighting and cleanliness). The organization has
to determine what effect the human and physical factors have on
quality and ensure that the right conditions exist.
4.7.
Product Realisation (clause 7)
This chapter of product realisation includes planning of product

realization, customer-related processes, design and development,
purchasing, production and service provision, and control of
monitoring and measuring devices (chapters 4.7.14.7.6). Usually all
these activities are part of the processes, i.e. jobs and activities within
57
an organization with an effort to produce something for the internal or

external customers, and therefore, will be naturally handled when
identifying the processes. When the standard presents them Typical QMS
processes
separately, they seem a little bit illogical.
In order to better understand product realization and the Quality
Management Systems as a whole, we present here the typical
processes that constitute the QMS. In figure 7 there are four
typical process groups: 1) management processes including
strategic decisions, determination of quality policy and quality
objectives and other management tasks, 2) product realization
processes which describe the sector which the organization is in,
including the activities that are needed to produce the products
and services to internal and external customers, 3) processes of
resource management including determination and allocation
of human resources, infrastructure and work environment, and 4)
measurement, analysis and improvement processes which
ensure that the product and QMS meet the requirements and the
system is continually improved.
Management processes
- establishing the quality policy and quality objectives
- conducting management reviews
- communicating customer, statutory and other
requirements within the organization
- ensuring the availability of resources, etc
Measurement, analysis and
improvement processes
Resource management
Determination and allocation of
- human resources
- infrastructure
- work environment
QMS
processes
- to demonstrate conformity
of the product and QMS
- to continually improve the
effectiveness of QMS
Product realization processes

- planning of product realization
- customer-related processes
- design and development
- purchasing, and production and service provision
- control of monitoring and measuring devices
Figure 4.4 Typical QMS Processes
Management processes are specifically required by ISO 9001:2008

standard, all used by the top management and applied to the
entire company. Resource management is put in separate in the
figure, but it can also be understood to be part of management
processes, since ensuring the resources is one of the duties of top
management.
Product realization processes are different for every company,
although some processes generally exist in any company: for
production operations they typically involve activities like order
entry, purchasing and production, and for service companies
58
service provision e.g. customer greeting and events coordination.

Note that this chapter is the only part where exclusions
can be made. This refers to ISO 9001:2008 clause: Where any
requirement(s)...cannot be applied due to the nature of an
organization and its product, this can be considered for
exclusion...unless such exclusions do not affect the organizations
ability, or responsibility, to provide product that meets customer
and applicable regulatory requirements. Sometimes an
organization might decide to exclude design and development
activities or outsourced processes, if they are not an integral part
of organizations core business and do not affect product
conformity. For example some raw material can be so critical that
its purchase from suppliers and delivery at a right time is essential
to their own production and delivery processes and thus, it should
be controlled and included to the QMS.
Measurement, analysis and improvement processes include

activities such as control and inspection during production,
criteria of nonconforming product and metrics to measure
process performance (e.g. raw material consumption, amount
of customer complaints, in-time deliveries). These activities are
typically done as a part of processes, so in this respect they
are more like the tools and methods rather than processes.
They are used as tools to improve process performance and
assure their smooth operations.
4.7.1. Planning of Product Realization (clause 7.1)
Planning of product realization means that the organization

should plan and develop processes for the realization of the
product. To clarify this, it means that the organization should
prove that it has the correct operations, documents and
resources in order to produce the required product, starting
with the enquiry process and leading through to the delivery
process. In its simplest form the proof of this is nothing more
than the processes of the QMS. When at least the most
important and critical processes and procedures (e.g. quality
plan, project) are documented in written or graphically (e.g.
process flow chart), they easily prove to the auditor both the
existence of product realization plans and many control and
acceptance criteria required by the standard.
The outset for planning product realization are quality

objectives, including customer and statutory requirements.
They determine what the product should be. Next step is to
ensure that all activities (i.e. processes), documents and
Right
operations,
documents,
controls,
inspections
and
resources
59
resources needed for a product realization are available. This is

particularly relevant when a new product is to be introduced.
Furthermore, the standard requires that there are adequate
acceptance methods and criteria on both the product and the
processes.
There is one documentation requirement here: identification of

what records are to be generated by the processes and
required to provide evidence of product conformance. Usually
these are normal delivery documents, such as work order or an
equivalent document (which will be naturally presented when
describing the performance of processes).
4.7.2. Customer-related Processes (clause 7.2)
Concerning the requirements related to the product, the ISO

9001:2008 standard states that the organization shall determine
-
requirements specified by the customer, including

requirements for delivery and post-delivery activities
the
requirements not stated by the customer but necessary for

specified or intended use, where known,
statutory and regulatory requirements related to the product,

and
any additional requirements determined by the organization.
Customer
needs
The first clause means that the organization has to know what recognized
customer requirements in terms of product characteristics and and silent
delivery and post-delivery activities such as after-sales service and needs
technical support, it should comply with. Usually these requirements

are mentioned in purchasing document. Equally important is to
identify hidden and silent needs of the customer, the needs that
even the customer itself is not conscious of. By deeply analyzing
customer satisfaction questionnaires some of these needs can be
detected, but it requires much more than just summarizing the
findings a deep speculation and retrieving of ground reasons and
root causes is needed. Other means to get insight of customer
requirements are interviewing them, participating in joint
development projects with customers, etc.
The second clause includes the requirements that are not known by
the customer but are necessary for the intended use of the product.
Examples of these might be some regulatory rules and standards.
The third clause of statutory and regulatory requirements is quite
60
unambiguous: statutory and regulatory requirements have to be

addressed during the design, manufacture, delivery and servicing of
the product. The information needed should be available to every
relevant person in the organization.
The last clause of additional requirements refers to the product
properties which are developed as a response to the customers
unstated expectations. These are the expectations that are hidden
and not mentioned by the customer, but based on the idea of the
organization of what the customer appreciates.
The ISO 9001:2008 further requires that the review of requirements
related to the product should be made before committing to supply
the product. This review should involve all relevant activities affected
by an order, for example before quotation and upon receipt of a
contract or order. For example when receiving an order, the raw
material availability, delivery time, possible amendments compared
to previous quotation and other things have to be checked in order
to meet the defined requirements. The standard specifically requires
that there should be a documented record of the review, which can
be a signature on a quotation or an order-entry into a computerized
system.
Customer-related processes also include customer communication,
which has to provide the customer with correct product information
(using e.g. brochures and datasheets), and effective handling of
enquiries, orders, customer complaints and other feedback.
All the requirements of this clause 4.7.2 are naturally included in the
normal order handling process. Again, we recommend here the
documentation of the process to prove its existence.
4.7.3. Design and Development (clause 7.3)
The ISO 9001:2008 standard states that the organization shall A systematic
and
determine
-
identified
process of
design and
the review, verification and validation that are appropriate to development
the design and development stages,
each design and development stage, and

-
the responsibilities
development.
and
authorities
for
design
and
Following records are imposed by the standard in order

to ensure that design and development activities are
carried out systematically, including, that all relevant information
is available all the time and it is reviewed regularly:
61
Records of inputs relating to product requirements; including

functional and performance requirements, statutory and
regulatory requirements, information on previous similar
designs when applicable, and other essential requirements.
Example: a technical drawing accompanied with all necessary
details.
Records of the review of design and development; the idea is

to check design outputs (drawings, specifications, calculation
etc) against the specified inputs, assess how good the design
is, identify any problems and to propose necessary actions.
Example. Authorized signature on a drawing after review.
Records of verification; Verification means that theres

objective evidence that specified requirements have been
fulfilled. Example: authorized signature on a drawing.
Records of validation; Validation confirms that the actual

product performs as it should under specified conditions.
Validation should be completed, when applicable, prior to the
delivery or implementation of the product. Example:
prototypes.
Records of changes in design and development; the changes

should be reviewed, verified, validated and approved before
implementation. Example: authorized signature on a drawing.
When the design and development activities are rather simple, it

is convenient to combine for example review and verification into
a single activity. In small organizations the responsibility and
authority of design and development very often rest with only a
few people, perhaps only with the owner. Also, many time the new
ideas for design and development come from the customer, either
from the final end-user or from a subcontractor.
When design and development is a central part of organizations
business, it is advisable to document it as a graphical process.
This helps to establish a more logical and systematic way to
produce new products or applications.
4.7.4. Purchasing (clause 7.4)
According to ISO 9001:2008, the organization shall ensure that

purchased product conforms to specified purchase requirements.
The type and extent of control applied to the supplier and the
62
purchased product shall be dependent upon the effect of the

purchased product on subsequent product realization or the final
Control of
product.
purchased
All the purchased products and services are not critical to the items
achievement of quality of the final product and therefore may not

require same control as some other more critical item. Sometimes
it is enough to check the quantities and possible transit damages
of the dispatch, but when the purchased item is more critical, its
inspection at suppliers premises prior to the delivery might be
appropriate. Other ways to control the outsourced processes are
by carrying out periodic audits of the supplier, by close monitoring
customer satisfaction or by providing a full specification of the Evaluation
process parameters that have to be met (ISO/TC 176/SC 2: and approval
Guidance on Outsourced processes).
of suppliers
The standard requires that the organization should evaluate and
select suppliers in order to ensure that suppliers meet the
requirements. The criteria for selection and evaluation have to
exist. One criterion can be a good historical performance of the
supplier in the past or the existence of certified quality
management system by the supplier. Evaluation can be done by
reviewing the records of historical performance, visiting suppliers
premises, evaluating product samples or conducting a survey (a
written questionnaire with a few critical issues sent to suppliers).
The suppliers have to be re-evaluated in order to ensure that they
are constantly able to meet the requirements.
According to the standard, there should be records of
the results of evaluations and any necessary actions, like
records of historical performance of the suppliers, a list of
approved suppliers, etc.
Successful purchasing calls for a clear definition of the purchased
item (product characteristics, quantity, required delivery date,
possible testing or inspection, etc). If there are any requirements
for review, approval or other qualifications, they should be stated
clearly.
Verification of purchased product means that the products are
inspected or otherwise verified in order to ensure that they meet
specified purchase requirements. The standard does not say that
all incoming goods must be inspected. Instead, the organization
can freely decide methods of verification. Sometimes it can be a
review of purchase documents against delivery note or at the
other end, an extensive inspection of the goods before their
dispatch. Person responsible for purchases should possess
relevant knowledge and skills to make a complaint to supplier
when necessary, since this is the way to improve both their own
and the suppliers operation.
63
4.7.5. Production and Service Provision (clause 7.5)
The ISO 9001:2008 standard states that the organization shall

plan and carry out production and service provision under
controlled conditions.
This is a standard requirement to make sure that production and
servicing processes are effective and that the focus is on the
prevention of nonconformities rather than on inspection and
testing to detect them. Controlled conditions include, when
applicable, that there is adequate product information available
(specifications, drawings, work orders etc), suitable equipment
and preventive maintenance are used, products and processes are
monitored and measured with applicable devices, and that there
are suitable methods and procedures for a product release and
service delivery. These requirements may sound artificial, since in
practice many of them are already in use order processing surely
has adequate documentation, suitable production equipment,
exact product parameters to meet the qualification, and specific
procedures to be done before the dispatch or service delivery. The
language of standard sounds artificial, but it refers to practical
everyday procedures that have to be effective. Great emphasis is
on preventive actions: on preventive maintenance to ensure that
machines and equipment are working, on preventive identification
of root causes that might emerge in a form of nonconformities,
errors, lack of information, customer complaints etc.
If there are special processes where the resulting output

cannot be verified by monitoring and measuring and where
deficiencies become apparent only after the product is in use
or service has been delivered, it has to be proved that these
processes as themselves are qualified along with the
personnel. This is called a validation of processes. Examples
of these special processes are food preparation and air traffic
control services.
Referring to the previous chapter, there should be records

verifying that the special processes are qualified and able to
produce planned outputs. Example: a document showing
acceptance of tolerances and parameters or a memo of
calibration.
Concerning the product identification and traceability, the

ISO 9001:2008 standard states that where appropriate, the
organization shall identify the product by suitable means
throughout product realization. Identification means that
when the products cannot be identified inherently, they should
be marked, labelled and located in a way that connects the
64
Effective
processes
Prevention of
nonconformities
product to a particular batch, work order, raw material and any

other source of origin, and shows the status of the product
(e.g. tested, inspected or not).
If traceability is specifically required for example by the

customer, the organization shall control and record the unique
identification of the product. Example: Usually this information
is recorded on a work order. Sometimes even a work number
suffices to track each process step.
Furthermore, the ISO 9001:2008 states that the

organization shall identify, verify, protect and safeguard
customer property provided for use or incorporation into the
product. Customer property is any material or supplies
provided by the customer to the organization, e.g. material
and components, tooling, packaging material and drawings.
If any customer property is lost, damaged or otherwise found

to be unsuitable for use, this shall be reported to the customer
and records maintained. Example: an internal complaint form.
Generally, the organization should preserve the

products, materials and components from receipt through
processing to delivery in a way that damages and deterioration
wont occur. Preservation includes identification, handling,
packaging, storage and protection. Storage and handling are
especially important for time and moisture sensitive material
(e.g. foodstuffs), components that can deteriorate because of
electrostatic discharge and for other equivalent material.
4.7.6. Control of Monitoring and Measuring Devices

(clause 7.6)
This clause of monitoring and measuring devices concerns the

fact that the organization should, when necessary, measure the
product and monitor process performance with applicable devices
in order to be convinced that the product will meet all its
requirements. In order to understand this better, in practice
monitoring and measuring usually means inspection and test
during relevant points e.g. during production.
Monitoring and measuring device can be a measuring
instrument, software, measurement standard, reference material
or auxiliary apparatus or combination thereof necessary to realize
a measurement process (ISO 9000:2008).
65
When it is necessary to ensure valid results, measuring equipment

should be calibrated or otherwise verified, against measurement
standards traceable to international or national measurement
standards; where no such standards exist, the basis used for
calibration or verification shall be recorded (ISO 9001:2008).
There should be records of calibration and verification
results.
Example: The organization may wish to keep a list of devices to
be calibrated at certain time intervals. This can be a simple Exceltable. Results of each calibration can be attached to the list.
4.8.
Measurement, Analysis and Improvement (clause 8)
This clause includes four main chapters: monitoring and

measurement, control of nonconforming product, analysis of data
and continual improvement.
Monitoring and measurement
A system to
The clause of monitoring and measurement requires that the provide
organization has to show that it has established a system which information
produces information of 1) customer satisfaction, 2) internal

audits, 3) process performance and 4) product conformance, in
order to demonstrate conformity of the product, to ensure
conformity of the quality management system, and to continually
improve the effectiveness of the quality management system.
The idea is to prove that there is systematic way to monitor
processes and products (e.g. by inspection and test), analyse
customer-, product- and process-related information, and based
on this information take relevant improvement actions. When the
standard puts it as a requirement it might sound complicated and
difficult, but in practice they are usually normal information flows,
inspection and checking against tolerances during the production,
and other so called self-evident back-up things in everyday
operations. When processes are documented, it proves the
existence of all relevant requirements.
The
standard
emphasizes
the
meaning
of
customer
satisfaction. The ISO 9001:2008 standard states: As one of the
measurements of the performance of the quality management
system, the organization shall monitor information relating to
customer perception as to whether the organization has met
66
customer requirements. It is essential that everybody in the

organization know what is meant by customer satisfaction and
dissatisfaction. Information should be gathered on both. The ways
to get feedback from the customers are e.g. visits to customers
premises or vice versa, direct communication with them,
complaint handling, customer satisfaction questionnaires and
news in the media.
The ISO 9001:2008 standard requires that the organization shall
conduct internal audits at planned intervals... Internal audit is a
systematic evaluation performed within an organization to ensure
that the organization employs the principles of standard
requirements and the processes perform according to standard
and the organizations own requirements. Auditing should be done
at planned intervals, but at least annually during twelve months
and covering all the units of the organization.
At first, the management and/or management representative has
to plan an audit programme to decide what activities and areas of
the system are the most critical ones and therefore to be audited
at that time. The activities and areas of quality management
systems where problems, nonconformities and changes have been
more frequent are subject to be included. Also, the findings of
previous audits should be considered if they reveal the areas of
nonconformities. During the auditing all deficiencies should be
identified. In a following page theres an example of a simple audit
list including areas to be audited and their time schedule (Table
1). In this example, the matters that are checked and have no
deficiencies are marked with a cross. If deficiencies are noticed
they are written down under the list. The idea is to check matters
in any month during one year.
Table 4.2. Audit list (abridged and artificial version)
Area / activity to be audited
Jan
Feb
Marc
April
May
June
Acceptance criteria for the most

important suppliers are defined and in
use. There is a record of approved
suppliers.
The performance of suppliers is
monitored and evaluated regularly.
Feedback is given to suppliers.
Purchasing and sales orders include all
relevant information and there is no
possibility for false interpretation.
Methods to check incoming goods are

defined and in use.
There are predefined areas to be used
for the storage of goods.
X
X
67
Condition of goods in storage is

evaluated at relevant intervals. To
prevent the damage and deterioration a
proper storage is applied.
Means to identify products, parts,

components, raw material etc is used
(e.g. marking with a stamp, a part
number on a work order).
When traceability is required, all the
material and parts used can be
identified from a written document.
The criteria for nonconforming products
exist and are applied.
The ISO 9001:2008 standard requires a documented

procedure for internal audits: The responsibilities and
requirements for planning and conducting audits, and for reporting
results and maintaining records shall be defined in a documented
procedure. Documented procedure can be mentioned in a quality
manual, defining the scope, frequency, methods of auditing and
records (such as list presented here) to be generated.
The organization should have at least two internal auditors since the
one performing audit should not audit his own work. Usually auditors
are organizations own employees but when necessary, they can be
outside consultants too. In a small organization where there are only
few employees, the one auditor usually is the owner and another is
some manager or person with required knowledge of an audited
matter. The auditors report the results of auditing to the
management who is responsible to ensure that corrective actions
are taken without undue delay to eliminate detected
nonconformities and their causes. There should be some evidence
that corrective actions are taken and they are effective.
The ISO 9001:2008 standard clause of monitoring and
measurement of processes, the organization shall apply suitable
methods for monitoring and, where applicable, measurement of the
quality management system processes, means that once the
organization has determined suitable methods it should implement
them. This clause is actually a restatement for what has been
mentioned earlier about monitoring and measuring processes.
Similarly, the clause of monitoring and measurement of
product, the organization shall monitor and measure the
characteristics of the product to verify that product requirements
have been met, is a restatement to implement the methods.
Methods can be e.g. inspection and test by the person performing
the task, or taking of testing samples at certain time intervals.
Furthermore, evidence of conformity with the acceptance criteria
shall be maintained. Records shall indicate the person(s) authorizing
release of product. In practice this requirement is met as a
consequence of normal checking and inspection procedures and
68
using relevant documents. For example concerning the production

process, if the product has no deficiencies it proceeds to the next
stage e.g. to packaging and further to shipment. Examples of the
records that indicate acceptance criteria and authorized persons
usually are work orders or records in operations management
programme. They also track the order to the correct raw material,
components, machines and employees.
Control of nonconforming product
The ISO 9001:2008 standard states: The organization shall
ensure that product which does not conform to product Continual
requirements is identified and controlled to prevent its improvement
unintended use or delivery...
...The controls and related responsibilities and authorities for
dealing with nonconforming product shall be defined in a
documented procedureRecords of the nature of nonconformities
and any subsequent actions taken, including concessions
obtained, shall be maintained.
When nonconforming product is corrected, the standard requires
that it should be subject to re-verification by a relevant authority
or, where applicable, by the customer.
Analysis of data
This clause concerns the organizations requirement to determine,
collect and analyse appropriate data relating to customer
satisfaction, product conformity, characteristics and trends of
processes and products including opportunities for preventive
action, and suppliers, to demonstrate the suitability and
effectiveness of the quality management system and to evaluate
where continual improvement of the effectiveness of the quality
management system can be made.
Improvement
This clause is, by and large, a restatement of the above: The
organization shall continually improve the effectiveness of the
quality management system through the use of the quality policy,
quality objectives, audit results, analysis of data, corrective and
preventive actions and management review.
In order to simplify this circle of continual improvement it can be
described as follows: Quality policy and quality objectives (derived
from the quality policy) steer the organization towards the targets,
as they tell the employees where to aim at and what kind of
performance is needed from everyone in order to reach the
targets. Audits are conducted to find out whether processes
perform according to the principles of standard and targets set by
the organization. They also address the possible opportunities for
improvements. If any deficiencies are noticed, they are handled
69
during management reviews along with any other relevant

information relating to customers, suppliers, own products and
processes etc. As a result, corrective and preventive actions are
taken for the improvement. Naturally, improvement actions are
implemented when there is a need for them, not only as a result
of audits and management reviews. It is essential to empower and
commit personnel to make improvement actions in relation to
everyday operations.
The ISO 9001:2008 standard puts a great emphasis on the
elimination of root causes. It is not enough to solve the symptom
of the problem, but the root cause of it in order to prevent it
recurring. Typical root causes are lack of information and training.
The ISO 9000:2008 standard explains, that corrective action is
taken to prevent recurrence whereas preventive action is taken to
prevent occurrence. In other words, preventive actions try to
eliminate the root cause of the problem in order to prevent its
occurrence in the first place. When concerning corrective action,
the problem has already happened and actions are taken to
prevent its recurrence again in the future. It has to be noted that
corrective and preventive actions do not have to be implemented
for every nonconforming situations, but a cost-value consideration
has to be made to decide whether actions are worth for
implementation or not.
The standard requires that there should be a documented
procedure both to corrective action and preventive action,
including
-
4.9.
reviewing of nonconformities
preventive action)
(not
concerning
determining the causes of nonconformities
evaluating the need

recurrence/occurrence
for
action
to
determining and implementing action needed
records of the results of action taken
reviewing corrective/preventive action taken.
prevent
Minimum Requirements According to ISO
The only part what ISO 9001:2008 standard requires to be

documented
concerns
chapter
4.4.2
Documentation
Requirements. Otherwise organizations can by themselves
determine the necessary level of documentation.
In many parts documentation is advisable, although not
specifically required as a mandatory requirement by the standard.
At least the product realization processes are recommended, since
70
documentation proves the existence of meeting many standard

requirements rather easily. Also, it provides employees with an
understanding of how their performance affects other processes
and employees and how the process as a whole has to perform
smoothly in order to produce required products and services.
4.10. Permissible Exclusions
Permissible exclusions were discussed in chapter 4.7 Product
realization. To make a restatement, such exclusions shall not
affect the organizations ability, or responsibility, to provide
product that meets customer and applicable regulatory
requirements. The fact that a specific process (e.g. manufacturing,
design & development) is outsourced is not a justification for the
exclusion. Instead, the organization must be able to demonstrate
that it has sufficient control to ensure such processes. In chapter
4.4.2 b) there were some examples of possible exclusions.
71
72
CHAPTER 5.
5.1.
STEPS TO IMPLEMENT A QMS
Steps to decide
Every decision making process in a company is accompanied by a

more or less detailed research of data or at least discussion of
experience and personal opinion of business leaders.
Implementation of a quality management system, which could be
quite a challenging task especially for smaller sized companies,
also needs a certain amount of preparation and planning.
Some
preparation
work is
necessary
5.1.1. Decision to implement a QMS

If a company wants to decide if it should implement a QMS it has
to take a lot of different facts into consideration, which could be
worked out in an internal management meeting. Main players in
this meeting are the general manager who has to decide from a
more strategic viewpoint, and the existing quality representative
(quality manager) who should be aware of more QMS details
(necessary resources, costs, etc.) and its business impact. The
marketing/sales manager or a technical officer may support the
decision making process by daily business experience.
Definition of
quality
manager /
First
information to
the
management
level
Some companies start their own research but most of the time
the decision is made after a deep discussion of the topic with a
chances and risk analysis, which is strongly connected with the
later first planning of resources (5.1.3). In addition to that, a
person who will take the responsibility for the next steps has to
be named of course the quality manager (QM) is the bestqualified person. If there is no quality manager available who has
the necessary knowledge about this topic, it might be a
worthwhile investment to send the management representative
to an external training on QMS. Quality managers should be able
to build and improve the management system but also bring in as
well an excellent level of social competence.
Once the decision is made by the top management as another
early step the whole management level should be informed and
committed to the QMS because full management support is a
crucial factor for a successful implementation process. Lack of
information about what a QMS stands for and which changes will
occur might create misunderstandings and restrictions against
the implementation process. The top management has the task
to create a positive awareness for this new quality initiative by
providing the necessary information and participative leadership.
Another important decision the management has to take is the
level of outsourcing during the implementation process, which
means the scope of consultant involvement.
73
5.1.2. First planning of resources

Implementing a QMS could be quite a challenge for a company
because the elements of a QMS are interdependent with most of
the vital parts of the organisation. For this reason a first rough
projects plan with the most important milestones and the
corresponding resources should be sketched. Many QMS
implementations are divided into phases like:
Rough
projects plan
including
main phases
assessment phase: identification of actual strengths and and resources
for implemenweaknesses
tation
Start-up phase: collection of information about QMS,

decision making process, training on QM, support of
consultants, benchmarking
system building phase: management handbook, creation of

documents, identification and description of key processes
and quality relevant issues
training phase: training of staff in all areas of the

organisation
improvement phase: first review of the system (internal

audit) and improvement activities
auditing phase: external certification audit
Each of these phases should be roughly estimated concerning

time plus money and in addition to that clear responsibilities
should be defined. During the next step the self assessment
this plan should be reviewed and revised.
5.1.3. External consultants

Organisations choose different ways how to implement a QMS
regarding the scope of external involvement. The range runs from
a totally home made system to a complete outsourcing of all
implementation activities. An advantage of the first case is that
deep knowledge about the system is built up in the company
whereas the danger of creating only a sub optimal QMS is higher
because of the fact that a consultant will encompass high
implementation experience often in the same branch. The
decision which grade of outsourcing has to be taken is depended
on certain factors. Some of the most important are:
74
Level of internal knowledge: if there is already an expert in

the company, the planning and implementation can easily
be done in house. Perhaps external help could be
worthwhile during the internal audit phase. Furthermore
the role of consultants is to adjust the requirements of the
standard to each company, since the standard is quite
general and open, so an inexperienced person could omit
things.
Available internal human resources: some companies are

so lean in their organisational structures that it is not
Outsourcing
factors:
internal
knowledge,
available
internal
human
resources,
financial
resources
possible to transfer enough staff capacity to a new

implementation project and work for this reason
intensively with external consultants. Furthermore
external consultants can stimulate the staff in the
implementation of the quality process.
Financial resources: of course external consultants cost

money but in most cases the payback time of this
investment is very short because of an efficient project
management system and high knowledge about how to
design a QMS could save a lot of money in the longer run.
In addition to that many companies hire consultants with
high reputation and use this fact as a first marketing
instrument for their customers.
Either way the top management of the company has to take care
that the QMS is strictly result oriented, which means it has to be
aligned with the companys success factors and its strategy. QMS
that are focused only on achieving the certificate are not strictly
result oriented and are often perceived as red tape and a topic,
which is for the QM department or the quality manager himself
only.
For the two following phases, it is a great advantage to work with
an external consultant because he has a new and neutral look on
the enterprise and on its organization.
5.2.
First self assessment
The first self assessment or horizontal assessment (some or all

aspects of the ISO standard) has the goal to figure out which
actual level of QMS maturity the organisation has and where the
fields of highest potentials are as every organisation that is
seeking certification is required to:
Formalize the way things are done
Demonstrate assurance that things are done in the right

way
Monitor the effectiveness of what is done and
Improve
Check lists /
Strenghts and
weaknesses
analysis /
Force field
analysis
For this reason using some tools could be very helpful. Beside
some software products which are provided by many different
companies and are designed to help identifying unknown land
in the ISO world, check lists, strengths-weaknesses analysis
and forced field analysis are often used tools for the first
assessment. Normally the first self-assessment is a mixture of
analysis and workshops, respectively in small companies one
single assessment workshop. The output of all these methods
and tools is to measure and assess the actual state of the
75
organisation against the elements of the ISO standard.

Checklists are the most frequent tools, which are used in this
phase and can easily be found in ISO literature. In long lists
there are detailed questions about every single element of the
ISO but for smaller sized companies a certain amount of
simplification work is often necessary because in this case the
organisational structures and documentations are less complex.
The best way to conduct checklists is an individual interview
with key persons of the company.
Chapter 5:
Management
responsibility
Ye
s
Question:
N
o
Remarks
5.1.1
Does a quality policy

exist?
5.1.2
Do management
reviews exist and do
they include all essential
aspects?
There is no
systematic customer
satisfaction analysis
5.1.3
Figure 5.1 Example of a first assessment checklist.
In the workshop itself the concentrated results should be

presented and discussed. One of the most common supportive
tools is the so called strengths and weaknesses analysis,
whereby the areas of high ISO maturity are highlighted against
the areas of extraordinary low maturity in a kind of balance
sheet.
Input
Output
of
LeLevel
v
el of
m
aturity
Level
of maturity
maturity
Definition of ISO elements
In columns.
Assessment of maturity
levels of the elements.
Identification of critical
elements (low level).
Elements
of
Elem
ents of
ISO
Elements
of ISO
ISO
Processes
Processes
Processes
Continual
Improvement
Weak
Weak
Weak
Average
Average
Average
Strong
Strong
Strong
Visualization of
strengths and
weaknesses.
Definition of
improvement actions.
Continual
Continual Improvement
Improvement
Supplier
Development
Supplier
Supplier
Development
SupplierDevelopment
Development
..
Figure 5.2
Example of a strengths and weaknesses analysis
Beside this comparison of the organisational state in relation to

ISO elements, human aspects and the organisational change
process should be taken into consideration. A very simple
method to do this is the so called force field analysis (FFA). The
76
underlying model of the FFA states that during a change process

there will always be enforcing and constraining forces in an
organisation such as the mind set of specific employees (e.g.
members of works council), experience with former changes,
motivational aspects, incentive systems, etc. As well as in the
strength and weaknesses analysis both kinds of forces are listed
and discussed. As the major result enforcing aspects should be
supported by actions and constraining aspects should be
weakened or eliminated.
Input
Output
The goal has to be defined

(e.g. efficient
implementation process).
Visualization of project
forces
Which
Which forces
forces are
are effecting
effecting the
the goal?
goal?
Determination of
improvement activities
Identification of
reinforcing and
constraining forces
(brainstorming)
Results in form of a balance
sheet
Reinforcing
aspects
Constraining
aspects
Support reinforcing aspects

and eliminate constraining
aspects
Figure 5.3 Force Field Analysis
With the collected, discussed and committed knowledge of the

actual ISO maturity and change aspects, a more detailed
implementation plan can be developed.
5.3.
Detailed implementation plan
The implementation plan is strongly interrelated with all afore

mentioned contents and draws a general picture of what should be
done and when it should be done until the certification audit has
been successfully passed and encompasses the system building
phase, the training phase, the improvement phase and the audit
phase of the implementation project.
Project
organisation /
Goal
description /
Early planning
of trainings /
Definition of
Between each of these phases milestones should be defined which quality policy
are in most cases points for top management reports or workshops.

For example the milestone after the system building phase could be
a completed QM handbook plus ready designed and described
processes. After the training phase all learning and training activities
should be completed whereas the milestone for the improvement
phase could be a successfully passed internal audit with a timetable
for the elimination of minor and major nonconformities. And finally
the audit phase could be completed by the certification of the
company whereas the last phase (improvement) shouldnt find an
end at all.
77
Phase 1
Self Assessment
Start
09/03
Data analysis
Strenghts weaknesses
Phase 3
Phase 2
System Building
10/03
Completed
first
self
assessment
Force field analysis
Improvement
01/04
Completed
system
draft
Generation of Q M
Handbook
Identification of Processes
Definition of
Documentation
Design of records
Management Commitment
and responsibilities
.
Figure 5.4 Example of an implementation plan with milestones

details are shown in this graph)
(no
Besides phases and milestones the project organisation should be

clearly defined. Even in small companies it doesnt make sense that
one single person is in charge of every activity during the whole
implementation project. For this reason it is common to create a
multi layer project organisation. This means that different
employees of various departments are responsible for smaller
tasks; the quality manger or the external consultant does the
coordination and the main decisions and directives are given by a
steering group which consists of top management members. As
mentioned above, the steering group is only active in milestone
workshops or if there are exceptional decisions to make.
All subprojects and tasks have to have at least a very short form of
goal description:
What is to be done (if necessary in form of a detailed

description)?
Until when should it be done (check the correlation with the

master plan)?
Who should do it?
Which resources
infrastructure)?
are
available
(staff,
money
and
One of the core elements of systems engineering a widely used

philosophical approach on how to build a QMS states that it is
crucial to establish a model or system from the top perspective
and on this basis continue step by step towards more detailed
levels. This low to high detail dogma is as applicable in the
implementation plan: start with the master plan (phases) and
develop top down until the most detailed level is reached.
Feedback and results are reported bottom up and are collected
and condensed until the top level (steering group meeting) is
reached. Only under these conditions can a permanent flow of
78
information be guaranteed.
Of course many software solutions are available to support these
planning issues (e.g. MS Project) but for small enterprises, in
particular, where the knowledge of project management tools is
often not very well established it sometimes makes more sense
to sketch the plan simply on a flip chart and pin it on a wall.
The earlier training activities can be done the better for the QMS
because the more employees that are aware of the new system
and are involved in the implementation process, the easier the
information will flow. Especially in the first phases as it may be
necessary to train selected groups of employees in the basics of
ISO standards and in the tools they will have to use during the
following phases (process orientation, documentation of quality
relevant issues, etc.). Training and quality education of
employees is one of the most important and regarding the
duration of the corresponding activities, one of the most
underestimated aspects.
One of the first steps in the implementation plan is the
discussion and definition of the quality policy and quality
objectives wherein the top management draws a picture of
strategic quality issues. As a rule the quality policy describes
how the company is aiming at permanent improvement via the
QMS, the importance of quality for every single member of the
organisation and the relationship with customers and suppliers.
Of course it has to be aligned with the companys general
strategy, it should be known and understood by all employees
and should be much more than only a lip-service by the
companys leaders.
5.4 Development of QM Handbook
The Din ISO 9000:ff, also known as process-oriented standard,
requires a process-oriented composition within the company but
also of the QM system. The standards demand the development
and the introduction of a documented quality system, which can
consist of different elements. One of these elements is the QM
handbook, where the structure of the documentation is set down;
usually the content is oriented to the original structure of the DIN
ISO 9001:2000 (guidelines on creating the handbook ISO/DIS 100
13 "Guidelines for developing handbooks") using in most cases
the following chapters.
Management Responsibility
Resource Management
Product Realization Requirements
Remedial
Requirements-Measurement,
Analyses
Structure of
documentation /
Customer
benefit
and
79
Improvement
In addition, it must contain, or refer to, the instructions on
procedure that are an integral part of the QM system. By the
figure of the process architecture of the company using a
systemic process model, varying levels are visualised. These
levels correspond with the different documents within the QM
system. Typical examples are: in level 1 - statements of the
quality policy and quality objectives, in level 2 - process
instructions,
introduction
on
procedures
(describing
responsibilities, purviews, and relationships with the staff and
stating how different activities must be performed), in level 3 work instructions (descriptions of activities related to the
workplace) and other quality relevant documents.
Level 1
Black
Box
B
lack B
ox
Vision
QM Handbook
Level 2
Q-Policyand Objectives
Level 3
Process Instructions,
Work Flows
Process Model
Work procedures, Formularies, Functional

descriptions
Level 4
Figure 5.5 QM Handbook Hierarchies
From the customer's view, the QM handbook offers the possibility

to verify the supplier has adhered to the specifications and
guidelines of the customer and is making every effort to fulfil the
quality requirements. So the QM handbook documents the
operative installation and further development of the whole
Quality Management System.
5.5 Design or check up of processes
Processes are the core element of the new (2008) revision of
the ISO 9000 standard (available from the 1 st January 2004). In
almost every element there can be found one or more
statements how processes should be monitored, measured and
improved whereas a closer description of the way that processes
should be identified is not provided.
First of all it is necessary to define what is understood by
processes. In general a process is a logical and sequential flow of
activities which are repeatable and fulfil the following criteria:
80
Clear starting point and end (process boarders)
Well defined input factors (material, information, human
SIPOC method
/ Process
map / Levels
of processes /
Performance
indicators
resources, etc.) and a clear output (result)
Suppliers and customers
A tool, which encompasses theses elements, is the so called

SIPOC method. SIPOC stands for Supplier Input Process
Output Customer and helps to identify the main aspects of
processes. As the first step the process is sketched as a black
box (top down procedure) and the starting point and the end are
determined. Then continue to develop on the right side of the
process and proceed with the output and the customers. A
critical point is the correct identification of customers needs and
later the continuous improvement in fulfilling these needs. As a
last step the input is specified and the suppliers are named. It is
important to understand that suppliers are not only external
companies but also internal departments or processes (internal
supplier-customer relationships).
Output
Input
Name the process.
Define start and end.
Consistent understanding of
process.
Clear boundary of process.
Specify the output and the customers
of the process.
Start
End
Identify the necessary input factors.

Name the supplier of the process.
Supplier
Supplier
Input
Process
Process
Output
Customer
Customer
Figure 5.6 SIPOC method
As mentioned in the preceding chapter, in most companies

processes are seen in different levels. The highest level of
process visualisation is called a process map and shows the
interaction between the main processes of the organisation. In
these process maps, there can be found, as a rule, three different
types of processes:
Core or key processes: these are value adding processes

where the start is normally defined by a certain customer
need and the end is the delivered good or service this
means core processes are so called customer-to- customer
processes.
Support processes: core processes are normally not able to

work properly without a certain amount of support. For
example: a production process needs the support of a
maintenance process customers are not willing to pay for
the maintenance, but it is necessary for a continuous
81
performance of the value adding process.
Management processes: these processes are mainly

planning, steering and development activities, like
strategic planning or controlling. Again, customers do not
pay for them but they are necessary for the long term
survival of the company
Normally, the definition of a specific process map is the first step

in this project phase: main processes are identified, interactions
are visualised and process owners are named. The latter is one of
the most important functions in a process oriented organisation.
Process owners (PROs) are responsible for the detailed definition
and sufficient resource supply of the process. In addition to that,
they have to care for the right measurement tools (performance
indicators) and continual improvement.
Management
processes
Managem
ent proces
ses
MP
1: S
trategic
MP1:
Strategic
Contolling
Support
processes
S
upport proce
sses
SSP2:
P2:
SPSP1:
1:
RRP3:
P3: Hum
an
Human
Maintenance Procurement Resources
Key processes
Customers
KP
1:
KP1:
R
esearch and
elopment
Research
and Dev
Development
KPKP2:
2:
Product
ion
Production
KP3 KP3:
Mark
ing
: etMarketing
Customers
Figure 5.7: Example of a process map
Once this process map is sketched and approved by top

management every process has to be defined in more detail by
process owners until in level two or three a clear structure is
achieved which can be displayed in a flow chart. In these flow
charts step after step of the processes are defined and adjusted
together with some additional information:
Responsibilities
Corresponding documents and records
Interfaces with other processes
Flow of information
A process owner also to find the right performance indicators

because the ISO standard demands monitoring and improvement of
processes. Most of the time output indicators (customer
satisfaction, productivity, yield, etc.) are defined but in many cases
input or process indicators could be of great help (e.g. cost, time,
quality).
Of course this detailed definition of processes needs to be
coordinated by the quality manager or/and the external experts. At
the end of this phase the company has a well defined process map
or model where different levels lead to detailed descriptions of
82
procedures which have to be linked to the QM handbook as

described in the preceding chapter.
5.6 Final implementation QMS kick off
Now, as the formal aspects of the QMS are established the official
release of the system should be the next step. Management and
the management representative have to ensure that every
process and procedure, which is followed together with every
document and form, which is used in the organisation has to be
part of the QMS from now on. On the one hand the new tools
have to be provided by the system and on the other hand the
users have to have the capability to work with them. Normally
employees are informed about the system in advance but now
they have to be trained in procedures and tool handling in quality
relevant areas, which could be an extensive task especially in
larger companies.
5.6.1. Training
Planning and deploying QMS training is a critical factor in many Customized
ways. First: numerous organisations fail in the certification audit training /
because employees do not know the relevant quality documents Training plans
and procedures as individually they do not operate with them.
Second: training costs a lot of time and a lot of money this is
why management tries to keep the training efforts low and third:
customized training is required for every class of employees.
For all of these reasons companies create training plans wherein
classes of employees are defined and connected with training
contents inclusive dates in form of a matrix. These training plans
should be finished before the official start or release of the QMS is
done. Of course not only blue collar workers have to be trained, a
high percentage of employees of all departments and hierarchies
will have to take part in different training initiatives. In general
there are four types of trainings used during an QMS
implementation:
Management training: provides upper and middle management
with an overview of the ISO standard, the requirements and what
they look like at the own location (changes in processes or
responsibilities) are discussed, and maybe it is told about the
benefits of certification explained.
Start-up training: provides all employees with an introduction to
the QMS and how the management intends to implement it.
Especially what the next steps will be and how individuals will be
affected by the QMS.
Point training: provides all or most employees with information
regarding specific procedures and working instructions such as
design & development, production processes, equipment
83
handling or corrective actions.

Work instruction training: trains all employees on the
documentation describing their jobs. This training can be minimal
if the employee is already doing the job, but helps ensure that
everyone is doing the job correctly and in the same way.
As mentioned above, an effective and efficient training process is
absolutely crucial for the future success of the QMS and must be
defined quite soon in the project so that everyone will be ready to
use the QMS from the end of its implementation.
5.7 Internal Audit
Internal Audits also known as First Party Audits - are normally
used before the first official certification and in addition during
two following independent audits. The organisation should
conduct internal audits at planned intervals to determine two
different characteristics of the quality system. Firstly it should prove
the conformity to the planned arrangements, to the requirements of
the international standard and to their own quality management
system requirements and secondly the effective implementation
and maintenance.
The flow of the internal Audit consists of three major steps and is
defined in a documented procedure:
Prearrangement, information and scheduling: all involved

persons should be informed on time when and how long
they should be prepared for the internal audit.
Controlling QM documents: these documents could be QM

handbook,
process
descriptions,
quality
reports,
procedures, working instructions, etc. An experienced
auditor will recognize the critical areas and elements and
will focus his interview on these fields.
Internal audit:
(introduction, analysing and testing,
variation description, final report, and documentation) most
internal auditors use a predefined checklist which is the
output of the preceding document controlling phase for
interviews and make additional site inspections. Audit
checklists ensure that nothing is missed, highlight critical
areas and provide a record of the acceptable and
unacceptable evidences. All unacceptable evidences must
be recorded in detail for future tracing and for non
compliance reporting. Every action during the audit should
follow the circle: ask look check record.
An audit program should be planned, taking into consideration the

status and importance of the different processes running in the
company. The criteria for the audit, scopes, frequencies and
methods should be defined. Especially in smaller companies the
84
First party
audit /
Preparation
and behaviour
/ Audit report
management representative is also the auditor. This person is

responsible for the audit, should be objective and impartial, the only
restriction is to audit the own work. To sum up, there are 8 major
points which describe the behaviour of an internal auditor during
the auditing process:
Act goal oriented
Determinate employee motivation
Define your minimum standards of acceptance
Consider benefit and work relationship
Count only facts and no assumptions
If a nonconformity is found do not criticise, look for the

reasons, record all details, try to assess if the nonconformity
is a single case of if it is normal
Understand yourself as a partner of the auditees
Communicate honestly (explanations, open ended questions,

good listening)
As a result an audit report with all nonconformities is generated

and presented to the management. Such a report should include:
Scope and target of the audit
Date and signature of auditor
Members of the audit team
Referring documents (ISO 9000:2008, QM handbook, etc.)
Detected Nonconformities
Assessment of ISO standard conformance
Capability of QMS achieving the defined quality objectives
The management who are responsible for the organisation being

audited should ensure that identified problems (corrective and
preventive improvement activities) are solved without delay. The
objective is to detect and eliminate the reasons for
nonconformities and their causes. Following activities should
include the verification of these actions and the reporting and
documentation of the results.
Only when the results of the internal audit shows a high
conformance to the ISO 9000 standards should a company apply
for an external audit, which is the next logical step. If many major
nonconformities are detected during the internal audit, the
company should really think about postponing the external audit
and work on the elimination of nonconformities. This is
particularly so when problems emerge among employees and
85
new/further training is required which often costs more time than

fixing documentation or system problems.
5.8 External audit
External audits, certification audits or third party audits are the
highlights of all ISO 9000:2008 implementation processes. Many
problems and surprises could be avoided with a professional
choice and management of the certification process because a lot
of companies underestimate the importance of this part.
5.8.1. Certification Body

When choosing a certification body to carry out ISO 9000:2008 Choosing a
certification, there are some aspects an organization needs to certifcation
take into account. The first point is that an organization can body
implement ISO without seeking certification, but many reasons
speak for an independent audit: for example if it is a contractual
or regulatory requirement, if it is a market requirement or to
meet customer preferences or if the management thinks it will
motivate staff by setting a clear goal for the development of the
management system.
If the decision has been made to apply for a certificate some
criteria for the choice of the certification body should be taken
into account:
It has to be clarified whether or not the certification body

has been accredited and, if so, by whom. Accreditation
means that a certification body has been officially
approved as competent to carry out certification in
specified business sectors by a national accreditation body.
The cheapest certification body might prove to be the most

costly if its auditing is below standard, or if its certificate is
not recognized by the companys customers.
It should be evaluated whether the certification body has

auditors with experience in the organisations business
sector.
Maybe most of all harmony between auditor and auditee should

be taken into consideration because both sides have to cooperate
for a long period of time.
5.8.2. The certification process

The certification process is never a one day activity. It takes some
preparation and cooperation with the external auditors because
they need to be informed about the formal aspects of the
companys QMS, like the handbook and procedures plus some
86
Information
meeting / Preaudit /
Certification
audit /
Surveillance
basic data of the company itself (size, branch, etc.). For this audit
reason the cooperation with the certification body will occur in
some steps, like a first information meeting, maybe a pre-audit,
the certification audit and periodical surveillance audits.
An information meeting will be the first opportunity for the
company representatives to meet the so called registrar (external
auditor) who will perform the ISO 9000 quality audit. In this
meeting the timetable of the certification phase is adjusted and
the form of cooperation is discussed.
Although a pre-audit is not a formal requirement for certification,
it could be a highly beneficial step for many organisations
because documentation is reviewed according to the
requirements of the appropriate standard. A pre-audit will help to
educate management and staff on third party auditing. It will also
eliminate many possible surprises and it will help assure those
people who are implementing the quality system that the process
is on track for successful certification.
Certification audit: in addition to assessing whether or not the
organisation is in compliance with the applicable ISO 9000
standard, the final audit also assesses whether the system is
implemented effectively and is capable of achieving the quality
and objectives of the companys product or service. The size of
the business will determine the number of auditors needed to
perform the formal certification audit. Many small businesses or
offices may be audited by a single auditor in a day, while very
large organizations may be audited by several auditors over
several days. The auditor(s) will evaluate the elements of the
quality management system according to the requirements of the
appropriate ISO 9000 standard.
Audits are typically performed by:
Touring the facilities and observing ongoing operations
Interviewing employees
Reviewing documentation and evaluating quality-related

records.
In most cases at the conclusion of the audit, a closing meeting is

conducted during which any identified problems are reviewed. If
all goes well, the organisation will be recommended for
certification and will be issued an ISO 9000 certificate. If
nonconformities are identified required follow-up actions are
defined by the auditor. Certification is generally not considered a
pass / fail activity but an eventual certainty, unless the
company decides not to proceed or is simply unable to correct its
problems.
87
Once certification is achieved, the auditors will return periodically

for routine surveillance visits. These follow-up examinations
ensure that the management system continues to operate
effectively
and
continual
improvement
activities
are
implemented.
Finally for the enterprises: if the organization is certified to ISO
9001:2008, the full designation should be used, not just ISO 9001
because latter one might concern either the 2008, or 2000 or
1994 version.
5.9 Continual improvement
Continual Improvement is one of the cornerstones of the ISO
9000 standard and can be found in almost every single element.
Every company selects its own approach on how to achieve this
target because the right way of improvement actions is
determined by several factors like speed of change, knowledge
level of employees, application of tools, number of hierarchies
and leadership style. Independent from this, the ISO 9000
standard demands that every single individual has to know the
quality goals and how he or she may contribute to them. For this
reason continual improvement has to be established on every
level of processes and in every element of the QM handbook
whereby three main levels of improvement can be subdivided:
Top management improvement: this organisational level

has to take care that the framework for a QMS in
working order (effectiveness and efficiency) is
permanently
improved,
products
fulfil
customer
requirements and use mainly the instrument of
management reviews which is described in the ISO 9000
standard (audit results, customer feedback, Process
performance, product conformity, preventive and
corrective actions, recommendations for improvement,
etc.).
Process owner improvement: as already mentioned,

process owners have to take care of the optimum
performance of their processes and have to monitor,
measure and improve them continuously. The main
instrument is the use of process oriented performance
indicators.
Employee improvement: every employee is responsible

for producing the best possible quality (zero waste and
zero defects) and for this reason continuous
improvement process (CIP) activities like proposal
systems or quality circles are established.
Many companies face the problem that after a successful

certification audit everybody returns to normal business where
88
Management
review /
Process
management /
Continuous
improvement
process
continual improvement actions are reduced to a minimum. As

mentioned above, the ISO standard demands permanent
activities for continual improvement, which should animate
companies to keep up their efforts for high customer
satisfaction and efficient internal processes. It can easily be
seen that both elements are definitely success factors of
almost every company. Companies which use the QMS as their
improvement driver develop success oriented QMS structures;
in contrast to that so called certification QMS fulfil the
minimum requirements but do not boost their company
towards a quality leader on the markets.
As a lesson learned many companies use internal audits
(system audits, process audits, etc.) as a regular tool and
discuss the results in the form of corrective and preventive
improvement actions standardised in several management
meetings. Companies that have achieved such an integrated
improvement where the QMS is the main instrument for
standardisation, measurement and improvement have reached
one of the highest levels in QM.
89
CHAPTER 6.
ADDITIONAL REQUIREMENTS
As stated in chapter 4.2 of the present guidelines, ISO 9001 does

not only consider customer requirements but also regulatory and
legal requirement. In this framework sometimes a company in
order to obtain an ISO 9001 certification must meet other
requirements as well. These other requirements can be other
management systems standards, European directives, technical
standards or national laws, presidential degrees and directives.
6.1.
Management system standards
ISO 14001: Environmental management system belongs to the ISO

14000 series of international standards on environmental
management. ISO 14001 is the standard that specifies the
requirements for the certification of an organisation that has
implemented an environmental management system.
ISO 14001:
Environment
al
managemen
t system
ISO 14001 is meant to develop a systematic management

approach to the environmental concerns of an organization. The
goal of this approach is continual improvement in environmental
management.
Requirements of ISO 14001 standard described in chapter 4 of the
standard are categorised in:
General requirements
Environmental policy
Planning
Implementation and operation
Checking and corrective actions
Management review
ISO 9001 gives in Annex 1 the correspondence between the two

standards.
EMAS: Eco Management and Audit Scheme is a voluntary standard

designed by European Commission and intended to be used by
both private and public organisations throughout European Union
and European Economic Area. Since 2001 EMAS has integrated
ISO 14001 as the environmental standard required by EMAS.
EMAS: Eco
Managemen
t and Audit
Scheme
EMAS aims at organisations that want to evaluate, report and

improve their environmental performance.
HACCP: Hazardous analysis of Critical Control Points is a standard HACCP:
90
Hazardous
applying in the food industry. It aims at eliminating risks for health analysis of
and hygiene related to all stages of the food industry: supplies, Critical
Control
manufacturing, storage and distribution.
Points
HACCP involves seven principles:
Analyse hazards.
Identify critical control points.
Establish preventive measures with critical limits for each

control point.
Establish procedures to monitor the critical control points.
Establish corrective actions to be taken when monitoring shows

that a critical limit has not been met
Establish procedures to verify that the system is working

properly
Establish effective record keeping to document the HACCP

system.
Although an American system, HACCP has been adapted by many

European organisations and in some countries it is legally
required.
HACCP applies to all companies that produce, store and distribute
food products.
OHSAS 18001 Health and Safety Management System is intended

to help an organisation to control occupational health and safety
risks.
OHSAS 18001 was created by a number of the worlds leading
national standards bodies, certification bodies, and specialist
consultancies.
OHSAS 18001 has been developed to be compatible with the ISO
9001 and ISO 14001 management systems standards, in order to
facilitate the integration of quality, environmental and
occupational health and safety management systems by
organizations, should they wish to do so.
OHSAS 18001 can be applied to all types of companies and
organisations The OHSAS specification gives requirements for an
occupational health and safety management system, to enable an
organisation to control its risks and improve its performance. It
does not state specific occupational health and safety
performance criteria, nor does it give detailed specifications for
the design of a management system.
OHSAS
18001:
Health and
Safety
Managemen
t System
ISO 17799: Information Security Management System is a
ISO 17799:
91
comprehensive set of controls comprising best practices in

information security. It was published in December of 2000,
based on the British standard BS7799 and since then it gained
worldwide recognition in the information security industry.
Information
Security
Managemen
t System
The ISO 17799 standard comprises ten prime sections:
Security Policy
System Access Control
Computer & Operations Management
System Development and Maintenance
Physical and Environmental Security
Compliance
Personnel Security
Security Organisation
Asset Classification and Control
Business Continuity Management (BCM)
Within these sections are the detailed statements and clauses that
comprise the standard itself.
A company that operates in the construction industry, undertaking Example:
public or private works that want to be certified with ISO Construction
9001:2000 standard in the framework of its quality management industry
system should take measures for the occupational health and
safety of its employees and for the protection of the environment.
In this case the adoption of ISO 14001 and OHSAS 18001
standards are recommended.
An enterprise that wants to implement a management system in
the 3 domains (quality, security, environment) cannot do it
separately: the two or three management systems must be
connected and integrated.
Frequently in SMEs, the same person is the manager of all the
management systems implemented, for example quality and
security.
Norms in quality, security and environment are built on the same
principles: processes approach, continual improvement this
gives rules but also facilitates the building of an integrated
system.
ISO 9001 doesnt explicitly require other standards to be applied,
92
However, the implementation and certification with the globally

recognised international standards give the company a
competitive advantage.
6.2.
European Directives and Technical Standards
European Directives and technical standards regulate European

companies, products, processes and services. The new approach
standardisation in the European internal market is a recent
initiative that aims at bringing together the expertise of European
Standards Organisation with that of the European Commission and
EFTA. All directives and standards can be found In a single web
site at www.newapproach.org. This is a first step in promoting
awareness of the role that standards can play in developing the
single European market.
www.newap
proach.org
European Directives and the associated standards regulate a

number of different types of companies. For example we can refer
to companies that produce, sell or use medical devices,
construction materials, personal protective equipment, pressure
equipment, toys, etc. Information on mandatory directives and
standards can be found in the New Approach web site, National
Organisations of Standardisation, Certification Authorities,
Chambers of Commerce and in the relevant Ministries.
Production, distribution and use of medical devices are regulated
by the European Directive 93/42/EEC. The directive specifies the
requirements that medical devices should conform with, the
obligation for CE marking and the obligation for the company to
have implemented a quality management system as well as a
quality control system. In addition for special medical devices
other standards apply such as:
EN 1642:1996: Dentistry - Medical devices for dentistry Dental implants
EN 50323:1999: General requirements for hearing aids
EN 13503-8:2000 Ophtalmic implants - Intraocular lences
Example:
Medical
devices
93
CHAPTER 7.
GLOSSARY
A
audit: systematic, independent and documented process
for obtaining audit evidence and evaluating it objectively
to determine the extent to which audit criteria are
fulfilled.
audit criteria: set of rules, objectives and/or principles
used as a reference for inspection actions (such as
policies, procedures, requirements, etc.).
audit program: set of audits planned for a specific time
frame and directed towards a specific purpose.
auditor: person with the competence to conduct an
audit.
availability: capability to realize a function in a specified
time.
C
capability: ability of an organization, process or system to
realize a product that will fulfil the customer and other
interested parties requirements.
characteristic: distinctive feature.
competence: ability to apply knowledge and skills.

concession: permission to release or use a product that
does not conform to specified requirements.
conformity: fulfilment of a requirement.
continual improvement: recurring activity to obtain
better results with harder objectives.

control and inspection: set of operations required to
evaluate
nonconformity
through
observations
and
measurements.
corrective action: action to correct a detected
nonconformity, eliminating the causes which generated it.
correction: action to eliminate a detected nonconformity
(such as rework or repair).
customer: organization or person that receives a product.
defect: non-fulfilment of a requirement related to an

intended use (generally deduced by the customer
according to the information communicated by the supplier),
or specified by the customer. The distinction between the
concepts nonconformity and defect is important as it has
legal connotations particularly those associated with product
liability issues.
dependability: collective term used to describe the
94
organization availability and its influencing factors.

design and development: set of processes that
transform requirements into the specifications of a product,
process or system.
development: see Design.
deviation permit: permission to depart from the originally
specified requirements of a product prior to realization.
document: supporting medium stating information.
E
effectiveness: extent to which planned activities are
achieved.
efficiency: relationship between the result achieved and
the resources used.
I
information: meaningful data.
infrastructure: system of facilities and equipment
needed for the operation of an organization.
inspection: see Control and inspection.
interested party: person or group having an interest in
the performance or success of an organization.
M
management: coordinate activities to direct and control
an organization and/or part of it.
measurement: activity to measure a quantity.
measurement control system: system necessary to
achieve metrological confirmation and control of
measurement processes.
measurement equipment: tools needed to operate the
measurement process.
measurement process: set of operations to determine
the value of a quantity.
metrological characteristic: distinguishing feature of
measurement equipment.
metrological confirmation: set of operations required
to ensure that measurement equipment conforms to the
requirements for its intended use.
metrological function: function for defining and
implementing the measurement control system.
N
nonconformity: non-fulfilment of a requirement.
O
objective evidence: date supporting the existence or
verity of something.
95
organization: group of people and facilities with an
arrangement
of
responsibility,
authorities
and
relationships.
organizational
structure:
arrangement
of
responsibilities, authorities and relationships between
people in an organization.
P
preventive action: action to correct a potential
nonconformity, eliminating the causes which generated
it.
procedures: specified way to carry out an activity or a
process.
process: set of interrelated activities which transforms
inputs into outputs, producing added value.
product: the result of a process.
project: process consisting of a set of activities with start
and finish dates undertaken to achieve an objective
conforming to specific requirements, including time, cost
and resources.
Q
quality: degree to which a set of inherent characteristics
fulfils customer requirements and of the other interested

parties.
quality assurance: set of correlated activities, part of
the quality management system, capable to guarantee
the observance of the requirements.
quality characteristic: inherent characteristic of a
product, process or system related to a requirement.
quality control: set of related operations part of quality
management, required to monitor results to quality and
control requirement fulfilment.
quality improvement: part of quality management
focused on increasing the capability of the organization
itself.
quality management: coordinated activities to direct
and control an organization with regard to quality.
quality management system: management system to
direct and control an organization with regard to quality.
quality manual: complex document describing the
whole quality management system of an organization.
quality objective: objective related to quality.
quality plan: document specifying which procedures and

associated resources shall be applied to a specific
process, product or project.
96
quality planning: part of quality management focused
on setting quality objectives and process definition.

quality policy: overall objectives of an organization
related to quality, as formally expressed by top
management.
R
record: document stating results achieved or providing
evidence of activities performed (for example, a control).
release: permission to proceed to the next stage of a
process.
repair: action on a nonconforming product to make it
acceptable for the intended use. Unlike reworking,
repairing can involve specific parts of a product.
requirement: need or expectation that is stated,
generally implied or obligatory.
review: activity undertaken to determine the suitability,
adequacy and effectiveness of the subject matter to
achieve established objectives.
rework: action on a nonconforming product to make it
conform to the requirements.
scrap: action on a nonconforming product to preclude its

originally intended use, such as destruction, recycling,
etc.
specification: document stating requirements.
supplier: person or organization that provides a product.
system: set of interrelated elements.
T
top management: leaders - a person or a group of
people - managing an organization who establish
objectives and try to achieve them.
traceability: ability to trace history, application or
location of that which is under consideration.
V
validation: confirmation, through the provision of
objective evidence, that the requirements for a specific
intended use or application have been fulfilled.
verification: confirmation, through the provision of
objective evidence, that the specified requirements have
been fulfilled.
W
work environment: set of interacting variables
which
97
constitute the contest where people work.
98
BIBLIOGRAPHY
Standards
ISO 9001:2008
ISO 9001:2000
ISO 9000:1994
Literature
Joseph M. Juran. Jurans Quality Handbook 5th ed. Mac Grew Hill
Brassard, Michael & Diane Ritter (1994). The Memory JoggerTM II. A
Pocket Guide of Tools for Continuous Improvement & Effective
Planning. First Edition. Salem, the United Sates of America:
GOAL/QPC.
European Committee for Standardization CEN (2000). Quality
management systems Fundamentals and vocabulary (ISO
9000:2000). Management Centre: rue de Stassart, 36 B-1050
Brussels.
European Committee for Standardization CEN (2000). Quality
management
systems
Requirements
(ISO
9001:2000).
Management Centre: rue de Stassart, 36 B-1050 Brussels.
ISOs Technical Committee ISO/TC 176/SC 2 (2001). ISO 9000
Introduction and Support Package: Guidance on the Documentation
Requirements
of
ISO
9001:2000.
Available
at:
http://www.bsi.org.uk/iso-tc176-sc2.
Paris, Christopher (2003). The Complete Guide to Understanding &
Implementing ISO 9001s Process Management Requirements. Part
Two: Defining & Mapping Your Companys Processes. Available at:
http://www.oxebridge.com/news.asp?ID=157
Secretariat of ISO/TC 176/SC 2 (2003): (Draft) ISO 9000 Introduction
and Support Package: Guidance on Outsourced processes.
Available at:
http://www.bsi.org.uk/iso-tc176-sc2
Web references
http://europa.eu.int/comm/enterprise/enterprise_policy/analysis/doc/execsu
m_2002_en.pdf
http://europa.eu.int/comm/enterprise/enterprise_policy/sme_definition/i
ndex_en.htm
http://europa.eu.int/comm/enterprise (SMEs in focus. Observatory of
European SMEs 2002, European Communities, 2002)
http://www.iso.ch/iso/en/iso9000-14000/pdf/survey12thcycle.pdf
http://www.eiso.cz
http://www.iso.cz
99
http://www.fmmi.vsb.cz
100

English Version

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

English Version

Uploaded by

Copyright:

Available Formats

Quality Management Systems Training

GUIDELINES FOR THE IMPLEMENTATION OF

This book was produced in the framework of Leonardo da Vinci project

6.2. EUROPEAN DIRECTIVES AND TECHNICAL STANDARDS............................................................88

The ISO-related differences between SMEs and large

Records required by ISO 9001:2008

processes according to the eight ISO 9000 principles

Artificial example of process flow

Example of a first assessment checklist

Example of an implementation plan with milestones

Figure 5.7 Example of a process map

During the last decades enterprises made an effort to achieve

enterprises power in Europe, have complained that implementing

Companies are facing new challenges due to the more dynamic

Criteria, if for implementing a QMS, can be subdivided mainly into

The sense of the word Quality

The word "Quality", being an abstract concept, can have many

A traditional meaning - but nowadays quite old fashioned - is

1. Quality intended as the features of the products meeting

something, especially as a permanent characteristic.

The development phases of Quality: culture,

The origin of the problems related to Quality can be

After the First

In the years preceding the First World War there was a

Between 1935 and 1945 the so-called Quality Control

In the 50s the approach to Quality is greatly modified and

In the 60s the concept of Quality is newly modified and

product itself, the so-called Quality Guarantee (QG). QG is a

integrated approach to Quality management, considered

immediate applicability to services;

attention to planning and activity recording;

widening of planning and testing concepts, from production

The difference between Quality Guarantee and Quality Total

In the 70-80s the concept of Quality is also extended to

any manufactured product - such as:

the product does not exist before purchasing;

the product cannot be stocked;

production and consumption happens in the same time;

the customer is involved in the production phase;

the product cannot be touched;

mobility of the service supply system.

The attention paid to services helps to change the perspective

attitudes, expectations, how carefully his request is considered,

Quality Management System

The quality management system is a wide concept and it can Definition

Quality assurance (QA) activities aim to guarantee that all

Quality control (QC) is a process also known as quality

Quality improvement is a systematic and continuing activity,

Why the implementation of a Quality Management

The creation of a quality management system can help the

The increasing of customer satisfaction (CS) - as well as of satisfaction

The ISO 9000:2008 standard

the right calibration of measurement and testing equipment (e.g.

ISO 9000:2005, Quality management

ISO 9004:2000- under revision, Quality management

Rephrasing to improve consistency between the ISO 9000

Adding the concept of business environment and risk

Better definition of the control over outsourced processes

Upgrading statutory and regulatory requirements

Including the goal of managing the work environment

Definition of personal data as a key example of type of

Information systems as a key example of the type of

Making explicit reference to post delivery activities such as