By
K. G. Garg
Foreword by : Dr Girdhar J. Gyani
ISO 9001:2008
Published by:
Quality Council of India (QCI)
2nd Floor, Institution of Engineers Building
Bahadur Shah Zafar Marg,
New Delhi 110 002, INDIA.
Tel: 011-23379321/0567, Fax:011-23379621
Website: www.qcin.org
Month and Year of Publication : September 2009
First Edition
Printed by:
Perfact Impression Pvt. Ltd.
2, Prem Nagar Market, Tyag Raj Nagar
New Delhi-110 003
Tel. : 011-24602233/77, 24603123/24
E-mail : mail@perfactimpression.com
CONTENTS
FOREWORD
PREFACE
REFERENCES
GENERAL
1.1.2 Leadership
1.3 Processes
- Management processes
- Realization processes
- Support processes
1.6.1 General
AUDITOR GUIDE
2.1 Certification Audit types
2.1.1 Introduction-Certification
2.6.1 Introduction
AUDITING GUIDE
3.4.2 Training
3.4.4 Maintenance
3.4.10 Calibration
- Process inspection
- Stage inspection
- Final inspection
Template 1: Audit Time table
Template 1: Audit programme
FOREWORD
International Standard ISO 9001:2008 specifies the requirements for a quality management
system (QMS), which an organization must implement to:
a)
b)
The Standard ISO 9001 is one of the most widely used certification systems in the world,
against which more than 12,00,000 organizations have already been certified. The
certificates are issued by Certification Bodies, after verifying that the organization (supplier
of products or services) is complying with the requirements specified in ISO 9001 Standard.
The competency of the Certification Bodies is ensured through a process, wherein a
designated Accreditation Body grants the accreditation to the Certification Body, based on
International Standard ISO 17021. In addition, the International Accreditation Forum, a
consortium of Accreditation Bodies, has established a mechanism of mutual recognition of
accredited certification world over. By this process of accreditation, products or services of a
certified organization get global acceptance. Such a robust mechanism acts as a guarantee
to the ultimate consumer that the product /services from the certified organizations would
comply with the specified requirements. However, of late, this guarantee has unfortunately
eluded the ultimate user.
I had the opportunity to undertake field survey at Quality Council of India on more than 800
ISO 9001 certified organizations, the first of its kind, undertaken to validate the effectiveness
of certification process, and which revealed wide ranging inadequacies in the certification
process. Analysis of the data conclusively indicated lack of consistency in the certification
process adopted by different Certification Bodies, in spite of the fact that they were
accredited and were expected to follow uniform practices.
ISO 9000 series of standards based on the British standard BS 5750 was first issued in 1987.
The certification to BS 5750 was initially started in UK and subsequently the standard was
adopted as ISO 9000 by the international community. The certification activity was mainly led
by the organizations that were involved in third party certification like ship registrars etc.
Later the Certification Bodies established in UK and Europe realized that it would be easier to
operate through branch offices set up in the developing countries.
As the awareness in the market grew and the thrust by the European countries that ISO 9000
certification would help improve the exports potential of developing countries, a number of
organizations started looking at the ISO 9000 series of standards. The Certification Bodies
took this as a business opportunity and began to look at various options to expand their
operations. They started having partnership or tie-up with appropriate agencies in the
developing countries. Simultaneously, it gave rise to local CBs coming into being and
seeking accreditation from the overseas ABs in the developed countries. This was because
most of the developing countries, at that point of time, did not have their own accreditation
bodies. Proliferation in certification brought in competition and with inadequate control of
foreign Accreditation Bodies on the Certification Bodies, resulted in considerable dilution of
the certification process.
It is mandatory for the Accreditation Bodies to carry out a regular surveillance assessment of
the Certification Bodies at least once a year. Similarly the Certification Bodies will carry out a
regular audit, at least once a year, on the certified organizations to ensure continued
compliance. One of the main reasons for dilution of the standards of certification process is
inadequate control of the Accreditation Bodies on the Certification Bodies that are operating
through the branch offices, franchisee or through representation. The Certification Bodies
(CBs) operating in most of the developing countries fall into the following three categories;
Category A:
Category B:
Category C:
The CBs in the categories 'A' and 'B' undergo mandatory annual surveillance by their ABs, as
provided in the IAF guidelines. This ensures regular monitoring & control over the functioning
of CBs. The CBs in category 'C' are in fact the ones, which lack in terms of monitoring and
control mechanism. Many CBs in this category have never been subjected to the
surveillance by the concerned ABs.
The ISO 9000 series of quality standards work on the premise that customers require
products with characteristics that satisfy their needs and expectations, collectively referred
to as customer requirements or product specifications. The quality management system
(QMS) approach encourages organizations to determine the needs and expectations of
customers and other interested parties, establish the processes and responsibilities
necessary to address and comply with these needs, establish methods to measure the
effectiveness and efficiency of each process and finally establish & apply a process for
continual improvement of the quality management system. Some organizations have used
the ISO 9000 series of standards to develop quality management systems that are
integrated into the way they do business and are useful in helping them to achieve their
strategic business objectives and add value for the organization. On the other hand, many
other organizations have simply created a set of bureaucratic procedures and records that
do not reflect the way the organization actually works. Setting up such elaborate procedures
simply adds costs, without providing any value additions to the product or process.
Many organizations generally agree that they have benefited from the ISO 9000
certification. However, most of this initial benefit has been due to the creation of well-defined
documentation of work processes, assimilation of data, and maintenance of records. Many
of these organizations also recognize that benefit has not gone beyond adding any value into
the internal system by way of improvement in efficiency and cost reduction etc. Most of the
audit schedules focus only on determining whether documented procedures are being
implemented in practice. Few procedures, however, define what the processes they describe
are designed to achieve or how these are to be measured. The audits in many cases fail to
ascertain whether the process is suitable to deliver products that meet defined requirements
and whether the process has realized the quality objectives of the organization.
Consequently, most of the audit efforts reinforce the status quo and do little to identify the
scope for business improvement. Many consider that such audits add little value to the
organization, and are necessary only to retain certification.
The effectiveness of quality management system certification is based upon the credibility of
the certification process. In this entire process of certification, auditing takes the center
stage and the auditor plays the key role. Mr. Garg has done a commendable job in bringing out at
one place all the best practices in auditing for value addition. The book will serve as a good
Auditor's Manual in general and as an excellent training aid for the new and budding auditors.
PREFACE
This document is prepared based on ISO 9000:2005, ISO 9001:2008, ISO 9004:2000, ISO
9004:2007 (draft), 19011:2002, 17021:2006, IAF mandatory documents and experiences of
NVT-Quality Certification audits to ISO 9001 series of standards.
This document contains 3 chapters.
Chapter 1: Deals with basic understanding and contains subjects on quality management
principles, mission, vision, strategy, policy, objectives, objective deployment,
processes, measurement, analysis, improvement and innovation.
Chapter 2: Deals with audit understanding and contains subjects on audit: types, planning,
programme, processes, initial certification, assumption (transfer of accredited
certification), surveillance, renewal, corrective action, auditors competence,
audit time, audit scopes including maturity assessment.
Chapter 3: Deals with auditing for required processes (management processes group1,
realization processes group 2 & support processes group 3) and sample
processes (support processes group 4). Each process audit includes purpose
of the process, requirements, audit at operational level and audit at process
owner level.
This document also contains templates on audit timetable, audit programme and corrective
action request format (this is also called nonconformity report format).
This document further contains appendices on quality system questionnaire & ISO 9001
auditing practice group advices/interpretations on different topics.
It is expected that auditors after developing knowledge from chapter 1 and following
practices as per chapter 2 & 3 should be able to add considerable value to the third party
audits.
I acknowledge with thanks KEMA Quality for their excellent support in the last 15 years in
assisting and developing our audit process. I also acknowledge with thanks publishers of
ISO standards and IAF since I have quoted and used some of the materials from ISO/IAF
publications.
I am thankful to Prof. Y.R. Rau & Mr. K.T.Thomas for review. I am thankful to Dr. Girdhar J.
Gyani for review and foreword. I am thankful to Prof. A.K. Chaudhuri for guiding me throughout
the project. I am also thankful to Mr. Mohan Rao for administrative support.
K.G. GARG
REFERENCES
1. ISO 9000:2005
2. ISO 9001:2008
3. ISO 9004:2000
4. ISO 9004:2007
5. 19011:2002
6. 17021:2006
7. www.tc176.org/default.asp
8. IAF MD 1:2007
9. IAF MD 2:2007
Note: The requirements given in the ISO standards, IAF documents and decisions of IAF,
shall at any time supersede any of the provisions covered under this document.
General
K.G. Garg
CHAPTER 1
GENERAL
1.1
b)
c)
d)
[Figure: Mission; perspectives (product related, financial related, innovative related) with key objectives; PDCA cycle with information on corrective and preventive action; management review; internal audits]
[Figure: The Vision viewed from four perspectives (Financial, Customer, Internal, Innovative). Items shown: return on capital, cash flow, project profitability, reliability of performance, shape customer requirement, tender effectiveness, quality service, safety/loss control, superior project management, continuous improvement, product and service innovation, empowered work force. Below: Strategy, Policy, and SMART objectives deployed to the relevant process owner under each perspective.]
1.3 PROCESSES
Management processes
These include the processes relating to strategic planning, establishing policy,
setting objectives, providing communication, ensuring availability of
resources needed, life cycle management and management reviews. This
includes all the processes for the provision of the resources that are needed
for the realization of organization's objectives. This includes improvement
processes based on analysis of data, corrective and preventive actions,
projects of improvements and innovative approaches for future of the
organization.
Realization processes
These include all the processes that provide the intended output of the
organization (e.g. contract/order management, design, purchasing,
manufacturing, services).
Support processes
These include all those processes needed to contribute directly or indirectly to
the realization processes (e.g. financial, training, maintenance, marketing,
sales, and quality management).
[Figure: Continual improvement of the quality management system. Elements shown: management responsibility; resource management; product realization; measurement, analysis, improvement; inputs; product outputs; customers' requirements; customers' satisfaction]
Figure 3: Process Approach
[Diagram labels: inputs; activity; outputs; information; execution and control; verification; methods; resources (materials, machines, man, environment); process requirements; process and company objectives; measurement. SMART: Specific, Measurable, Achievable, Realistic and Time bound.]
1.4
taking corrective action when objectives are not met, for example by
means of additional process activities, or new policy and objectives to
improve the process.
safety records;
1.5 IMPROVEMENTS
An organization's improvement activities should focus on the processes
needed to improve the satisfaction of stakeholders, as well as seeking to improve
its products.
The organization should define objectives for the improvement of its products,
processes and management system, and should seek to improve them
continually and systematically.
Management should ensure that continual improvement becomes
established as part of the organization's culture through:
1.6 INNOVATION
1.6.1 General
Innovation is essential for sustainability; it needs to be based on the
Quality Management System Auditing For Value Addition
the possibility that its processes and/or products may become obsolete,
thereby putting its very existence at risk,
Auditor Guide
K.G. Garg
CHAPTER-2
AUDITOR GUIDE
2.1
b)
c)
is effectively implemented.
b)
c)
d)
e)
to review the allocation of resources for stage 2 audit and agree with the
organization on the details of the stage 2 audit;
f)
g)
to evaluate if the internal audits and management review are being planned and
performed, and that the level of implementation of the management system
substantiates that the organization is ready for the stage 2 audit.
For most management systems, it is recommended that at least part of the stage 1
audit be carried out at the organization's premises in order to achieve the objectives
stated above.
Process Audit. These process audits are considered part of the Certification process.
When process audits are performed during Stage 1, the organization should be
encouraged to select a variety of processes covering multiple process owners. If the
final Certification Stage 2 is performed within six (6) months of the Stage 1 audit date,
these results are counted as part of the certification process, following completion of
applicable corrective action. If the organization desires to have the Certification Audit
more than six months after Stage 1, then the Stage 1 review and audits shall be
redone.
MANAGEMENT SYSTEM DOCUMENT REVIEW
The Management System Document Review is the most critical part of the
assessment process. The basic Management System design is reviewed in detail to
confirm that the documentation addresses and satisfies the requirements of the
applicable standard(s). The Management System Document Review segment of the
report provides documentary evidence of the assessment process and the outcome.
The Management System Document Review consists of a clause by clause
comparison of the standard(s) requirements to the solutions presented in the Quality
Manual, the second-tier Documented Procedures and other forms of documentation
such as work instructions, specifications, policy, training documents, records, etc.
Occurrences where the requirements have not been satisfied or where
documentation is unclear or ambiguous are noted as a major nonconformance or a
minor nonconformance. Completion of the Management System Document Review,
including resultant corrective action, establishes the foundation for audits to verify
effective implementation with the confidence that structural problems due to
documentation will not be encountered.
All elements of the standard shall be represented either directly or indirectly. The only
exception to this pertains to the predefined permissible exclusion of elements of
Section 7 of the ISO 9001:2008 standard. Such exclusions may not affect the
organization's ability or responsibility to provide product that fulfills customer and
applicable regulatory requirements and needs justification.
During the Management System Document Review, the structure of the organization's
Management System should also be reviewed. Aspects of the Management System
that should be considered are description of process interaction, corrective
action/continual improvement mechanisms, management roles, customer
satisfaction processes, documentation approach, and quality objectives and
measurement / analysis processes.
The Management System Document Review should be conducted with a small group
of key employees of the organization. The QA Manager and, where appropriate, the
Management Representative, should be part of this core group. Often, other
participants will join the discussions when relevant sections of the standard are being
reviewed. For a medium-sized enterprise, the Management System Document
Review process should require one day to effectively complete. Even for small
organizations, one-half to three-quarters of a day should be allotted. Auditor notes
taken during the assessment should be complete enough to ensure that the report can
be completed. This includes persons interviewed, documents reviewed, and notes
defining the structure of the management system. Exclusions shall be recorded as
well as all Major and Minor Nonconformance. Strengths and Opportunities for
improvement are not recorded but included in the management summary of the audit
report.
AUDIT PROGRAMME
The Audit Programme defines the processes that comprise the organization's
Management System as certified to ISO 9001:2008. This tool is a matrix that relates
processes to individual process owners who are accountable for the outcome. It is
developed interactively and becomes the consensus definition of the scope as
agreed to by knowledgeable participants.
The Audit Programme is used throughout to communicate within the organization which
processes will be audited at the upcoming audit. In this way the Audit Programme is a
dynamic tool that changes throughout the audit cycle and is useful for internal audits and
certification audits.
In order to effectively plan the Certification Cycle, the Audit Programme shall be
developed at or prior to the first Audit Event. Any significant changes to the
management system, such as addition/reduction to scope or change in certification
standard, warrant consideration of redeveloping the Audit Programme. The audit
programme should be generated with the input of key individuals from the organization
and the Auditor. Recommended participants are the Quality Assurance Manager and
the Management Representative; representatives from other functions should
participate as required, but the working group should be manageable in size.
Structure of audit programme
The Audit Programme is created using a template supplied to the auditor (refer
template-1). The Audit Programme includes basic organization information:
Revised by/on/for
Scope Statement
Process Matrix
The audit timetable is produced from the Business Process Flow Chart. The Lead Auditor
produces or reproduces the business process map and identifies all the
areas/departments/processes and activities within the audit scope that auditors need
to audit (noting supporting activities such as laboratories, quality control,
maintenance, continual improvement, quality objectives, information control and
top management). Planning establishes how much time will be needed to effectively
audit each area and allocates auditor time to each area. This defines the time needed
to complete the audit. The Lead Auditor allocates auditors to each area following
activity flows and available time. (Auditees may not be available during lunches, shift
changeover or after normal working hours.) Planning may be more difficult due to the
eased requirements for documentation.
A timetable is prepared for both the stage 1 and stage 2 audits and communicated to the
organization and the team members at each stage, prior to the stage 1 and stage 2
audits respectively.
The outputs of the Certification Stage 1 Audit are:
1
CAR findings
b)
c)
d)
e)
f)
g)
EITHER
A Certification recommendation and description of resolution of all nonconformances
closed at the Certification Audit, if applicable.
OR
A schedule for corrective action plans addressing open nonconformance and a
schedule for follow-up to assess Corrective Action.
2. An updated Audit Programme defining the processes for the next audit.
CAR findings.
The certification body shall make the certification decision on the basis of an
evaluation of the audit findings and conclusions and any other relevant information
(e.g. public information, comments on the audit report from the organization).
2.1.4 Assumption audit (transfer of accredited certification)
Assumption audits (takeover audits from another certification body) consist of the
following segments:
Audit Programme Development
A new Audit Programme should be developed. Since a previous programme probably
does not exist, writing an Audit Programme may be a new experience for the
organization. The concept should be clearly explained to the organization. When
developing the Audit Programme, focus should be on the most critical processes, with
attention given to the amount of time and number of audits remaining before the
certificate expires. The audit shall include at a minimum: management review, quality
system documentation, internal auditing, corrective and preventive action (even though
these processes may have been included in the last audit by the former certification
body).
Processes audit
The required process audit should be performed. Since this will be the first look at the
Management System, and the first chance to work with the organization, the review
should be more detailed than the normal surveillance audit.
2. Audit Programme
3. CAR findings
4.
2.
3. CAR Findings
4.
5.
Following the completion of the surveillance audit, the Audit Programme shall be
updated to define the processes that will be audited at the next surveillance. These will
be designated as S (x) with x being the next surveillance number. This updated
programme will be submitted as part of the report package.
Renewal Audit Planning during last Surveillance Audit
During the last Surveillance Audit of the contract period, the Auditor shall discuss the
Certification/renewal situation with the organization.
Inputs for this discussion are:
-
A full re-Certification Audit shall be performed when, in the judgment of Lead Auditor
and the Certification Official, it is warranted. This could be based on consecutive
surveillance audits with an unsatisfactory quality level. The decision shall be
documented in the last surveillance audit report. A full re-audit may also be required if
the applicable standard is changed or revised, or if a significant change in the working
plan or organization structure warrants it.
The organization has the option at this time to select a six-month or yearly interval for
the surveillance audit process. The audits and days will be as agreed in the approved
quotation and contract agreement.
2.1.6 Renewal Audit
A Renewal Audit is carried out at the conclusion of the three-year Certification
Agreement period for Management System contracts. The audit structure will be
identical to the Surveillance audit, although more process audits will be performed.
Again there are two objectives:
1.
2.
And continue the partnership building. Partnership with Integrity is the objective.
Information gathered shall also be sufficient to generate the report.
EITHER
A Certification renewal recommendation
OR
A schedule for corrective action plans addressing open nonconformance and a
schedule for Corrective Action Audit to assess corrective action.
2. An updated Audit Programme defining the processes for the next audit.
3. CAR Findings.
4.
Note: as said above, all nonconformances shall be closed and corrective action
verified before certification renewal can be recommended.
Refer IAF MD 3 for more details on recertification and advance surveillance
procedures.
2.1.7 Corrective Action Audit
Corrective Action Audits are intended to document the closure of nonconformities
following an audit. The corrective action audit can be the review of documents off-site
or an on-site verification.
Again there are two objectives:
1.
2.
EITHER
Closure of the corrective action with either a certification recommendation or
surveillance schedule as agreed,
OR
A schedule for corrective action plan addressing still open nonconformance and a
schedule for additional Corrective Action Audit.
2.
2.2 AUDITORS COMPETENCE
Confidence and reliance in the audit process depend on the competence of those
conducting the audit. This competence is based on the demonstration of
-
the ability to apply the knowledge and skills through the education, work
experience, auditor training and audit experience.
[Figure: Competence. Labels: quality system; quality-specific knowledge and skills; generic knowledge and skills; education; work experience; auditor training; auditor experience; personal attributes]
For qualification of auditors, auditors shall meet the requirements of ISO 17021 (part 2), ISO
19011 and procedures of the certification body.
2.3
b)
c)
d)
e)
f)
decisions on certification;
g)
h)
contractual arrangements;
i)
AUDIT TIME
Methodology for Determining Audit Duration
Table 1 provides a starting point for estimating initial certification audit (Stage 1 +
Stage 2) duration but is only based upon the number of employees.
Total employee numbers where applicable shall include those working on each shift.
Where product realization processes operate on a shift basis, each shift should be
subject to audit by appropriate methods. The extent of audit activity required during
each shift can depend on the nature of the realization processes; the process
information generated, and personnel availability outside of their shift hours.
For organizations of a similar number of employees, some will need more time and
some less. The variation of time spent on each audit depends on a number of factors
including the size, scope of the audit, logistics, complexity of the organization and its
state of preparedness for audit. These and other factors shall be examined during the
contract review process. Figure 6 below and its associated notes provide a visual
guide to making adjustments from the basic audit times. They provide the framework
for a process that should be used for audit planning: identify a starting point
based on the total number of employees for all shifts, then adjust for the significant
factors applying to the organization to be audited, attributing to each factor an
additive or subtractive weighting to modify the base figure. In every situation the basis
for the establishment of audit duration, including adjustments made, shall be recorded.
The Certification Body shall document the justification for each organization where it is
applying a reduction of audit duration by more than 30% from the times established in
table 1, and where accreditation applies, advise and make the justification available to
their accreditation body.
Multi-site audit durations:
In the case of multi-site audits, the starting point for calculating audit duration for each
site included in the audit plan shall be consistent with Table 1. However, reductions can
be made taking into account situations where certain management system processes
are not relevant to the site and are the primary responsibility of the controlling site. For
determining the eligibility of an organization for sampling, and for the sampling itself,
IAF MD 1:2007 shall be used.
The average initial certification audit duration (stage 1 + stage 2) shown in
Table 1:
Includes off-site and on-site time spent by an Auditor or Audit Team in planning
and preparation; document review; interfacing with organization, personnel,
records, documentation and processes; and report writing.
Table 1:
ASSESSMENT MANDAY CALCULATION SHEET ISO 9001-2008
(Refer IAF MD 5:2009)
CERTIFICATION

Columns:
(A) No. of employees
(B) Total initial audit
(C) With design, complex: less 10% of B towards planning and reporting, rounded upwards to 0.5 or whole number
(D) With design, simple: less 20% of B, rounded upwards to 0.5 or whole number
(E) Without design, complex: less 20% of B, rounded upwards to 0.5 or whole number
(F) Without design, simple: less 30% of B, rounded upwards to 0.5 or whole number

(A)           (B)    (C)     (D)     (E)     (F)
1-5           1.5    1.5     1.5     1.5     1.5
6-10          2      2       2       2       1.5
11-15         2.5    2.5     2       2       2
16-25         3      3       2.5     2.5     2.5
26-45         4      4       3.5     3.5     3
46-65         5      4.5     4.0     4.0     3.5
66-85         6      5.5     5.0     5.0     4.5
86-125        7      6.5     6.0     6.0     5.0
126-175       8      7.5     6.5     6.5     6.0
176-275       9      8.5     7.5     7.5     6.5
276-425       10     9.0     8.0     8.0     7.0
426-625       11     10.0    9.0     9.0     8.0
626-875       12     11.0    10.0    10.0    8.5
876-1175      13     12.0    10.5    10.5    9.5
1176-1550     14     13.0    11.5    11.5    10.0
1551-2025     15     13.5    12.0    12.0    10.5
2026-2675     16     14.5    13.0    13.0    11.5
2676-3450     17     15.5    14.0    14.0    12.0
3451-4350     18     16.5    14.5    14.5    13.0
4351-5450     19     17.5    15.5    15.5    13.5
5451-6800     20     18.0    16.0    16.0    14.0
6801-8500     21     19.0    17.0    17.0    15.0
8501-10700    22     20.0    18.0    18.0    15.5

- 10% to 20% reduction for time spent on audit planning and report writing for complex to simple organization.
- 20% to 30% reduction for exclusion of the design and development clause for complex to simple organization.
- Up to 30% reduction from total initial audit days is allowed (maximum) for organizations having few processes,
small scope, repetitive processes etc.
- Assessment mandays have been rounded upwards to 0.5 or whole number.
- Annual surveillance audit onsite time shall be 1/3 of initial audit onsite time.
- Renewal audit onsite time shall be 2/3 of initial onsite time for number of employees at the time of audit.
Figure 6
[Diagram labels: starting point from Auditor Time Chart; axis: Organization Distribution (- to +); quadrants: Small Simple, Small Complex, Large Simple, Large Complex; factors shown: multi-site, few processes, many processes, repetitive processes, unique processes, small scope, large scope, design responsible]
Notes to Figure 6:
Once the general starting point for determining the required Auditor Time has been
made for the typical organization with the number of employees indicated, some
adjustments need to be considered to account for the differences that could affect the
actual Auditor Time required to perform an effective audit for the specific organization
to be audited.
Some factors requiring additional auditor time could be, as examples:
- Complicated logistics involving more than one building or location where work is
carried out, e.g., a separate Design Centre shall be audited
- High degree of regulation (food and drugs, aerospace, nuclear power, etc.)
- Activities that require visiting temporary sites to confirm the activities of the
permanent site(s) whose management system is subject to
certification/registration. (see xxx Temporary Sites)
Some factors permitting less auditor time could be, as examples:
- Organization is not Design Responsible and/or other Standard elements are not
covered in the scope
- Very small site for number of employees (e.g., Office complex only)
- Where a significant proportion of staff carry out a similar simple low risk function,
sampling the activities of approximately 10% of such staff can be considered.
- Where staff include a number of people who work off location, e.g. salespersons,
drivers, service personnel, etc., and it is possible to substantially audit compliance
of their activities with the system through review of records
- Appropriate documentation available on constantly positive outputs and results of the
management system.
All attributes of the organization's system, processes, and products/services should be
considered and a fair adjustment made for those factors that could justify more or less
auditor time for an effective audit. Additive factors may be off-set by subtractive
factors.
Effective Number of Employees
A Certification Body should agree with the organization to be audited the timing of the
audit which will best demonstrate the full scope of the organization. The consideration
should include the effective number of employees present by season, month, day/date
and shift as appropriate.
Part-time employees should be treated as full-time-equivalent employees. This
determination will depend upon the number of hours worked as compared with a full-time employee.
Second and subsequent assessment cycles
For the second and subsequent assessment cycles, the Certification Body may
choose to design an individualized surveillance and recertification programme
Quality Management System Auditing For Value Addition
Temporary Sites
Temporary sites could range from major project management sites to minor
service/installation sites. The need to visit such sites and the extent of sampling
should be based on an evaluation of the risks of the failure of a product or service to
meet needs/expectations due to system nonconformity. The sample of sites selected
should represent the range of the organization's competency needs and service
variations having given consideration to sizes and types of activities, and the various
stages of projects in progress. Typically on-site evaluations of temporary sites should
be performed. However, the following methods could be considered as alternatives to
replace some physical on-site visits.
- Interviews or progress meetings with the organization and/or its
customer in person or by teleconference
- Document review of temporary site activities
- Remote access to electronic site(s) that contains records or other information that is
relevant to the assessment of the management system and the temporary site(s)
- Use of video and teleconference and other technology that enable effective auditing
to be conducted remotely.
In each case the method of evaluation should be fully documented and justified in terms of its effectiveness.
2.5 AUDIT SCOPES
Scopes of Accreditation
This list of scopes of accreditation is based on NACE classification revision 1 1994.
The auditors are required to be qualified based on qualification and technical
experience in the respective scope sector.
No Description NACE Class
NACE
A, B
A 01.1
Farming of animals
A 01.2
A 01.3
Agricultural and animal husbandry service activities, except veterinary activities A 01.4
Hunting, trapping and game propagation including related service activities A 01.5
A 02.0
B 05.0
CA 10.1
CA 10.2
CA 10.3
CA 11.1
CA 11.2
CA 12.0
CB 13.1
CB 13.2
Quarrying of stone
CB 14.1
CB 14.2
CB 14.3
Production of salt
CB 14.4
Other mining and quarrying n.e.c.
03 Food Products, Beverages and Tobacco
CB 14.5
DA
DA 15.1
DA 15.2
DA 15.3
DA 15.4
DA 15.5
DA 15.6
DA 15.7
DA 15.8
Manufacture of beverages
DA 15.9
DA 16.0
DB
DB 17.1
Textile weaving
DB 17.2
Finishing of textiles
Manufacture of made-up textile articles, except apparel
DB 17.3
DB 17.4
DB 17.5
DB 17.6
DB 17.7
DB 18.1
DB 18.2
DB 18.3
DC
DC 19.1
DC 19.2
Manufacture of footwear
DC 19.3
DD
DD 20.1
DD 20.3
DD 20.4
DD 20.5
DE
DE 21.1
DE 21.2
08 Publishing Companies
DE
DE 22.2
DE 22.3
DE 22.1
DE
DF
DF 23.1
DF 23.2
DF
DF 23.3
DG
DG 24.1
DG 24.2
Manufacture of paints, varnishes and similar coatings, printing ink and mastics DG 24.3
Manufacture of soap and detergents, cleaning and polishing preparations,
perfumes and toilet preparations
DG 24.5
Manufacture of other chemical products including: explosives, glues and
gelatins, essential oils, photographic chemical material, prepared
unrecorded media, and other chemical products n.e.c.
DG 24.6
DG 24.7
13 Pharmaceuticals
DG
DH
DH 25.1
DI
DI 26.1
DI 26.2
DI 26.3
DI 26.4
DI 26.7
DI 26.8
DI
DI 26.5
DI 26.6
DJ
DJ 27.1
DJ 27.2
DJ 27.3
DJ 27.4
Casting of metals
DJ 27.5
DJ 28.1
DJ 28.2
Manufacture of steam generators, except central heating hot water boilers DJ 28.3
Forging, pressing, stamping and roll forming of metal; powder metallurgy
DJ 28.4
DJ 28.5
DJ 28.6
DJ 28.7
DK
DK 29.1
DK 29.2
DK 29.3
Manufacture of machine-tools
DK 29.4
DK 29.5
DK 29.7
DL
DL 30.0
DL 31.1
DL 31.2
DL 31.3
DL 31.4
DL 31.5
DL 31.6
Manufacture of electronic valves and tubes and other electronic components DL 32.1
Manufacture of television and radio transmitters and apparatus
for line telephony and line telegraphy
DL 32.2
DL 32.3
DL 33.3
DL 33.4
DL 33.5
DM
DM 35.1 3
DM
DM 35.3 3
DM
DM 34.1
DM 34.2
Manufacture of parts and accessories for motor vehicles and their engines DM 34.3
Manufacture of railway and tramway locomotives and rolling stock
DM 35.2
DM 35.4
DM 35.5
DN
Manufacture of furniture
DN 36.1
DN 36.2
DN 36.3
DN 36.4
DN 36.5
DN 36.6
24 Recycling
DN
DN 37.1
DN 37.2
25 Electricity Supply
E 40.1
26 Gas Supply
E 40.2
27 Water Supply
E 40.3
E 41.0
28 Construction
Site preparation
F 45.1
F 45.2
Building installation
F 45.3
Building completion
F 45.4
F 45.5
G 50.1
G 50.2
G 50.3
Sale, maintenance and repair of motorcycles and related parts and accessories G 50.4
G 50.5
G 51.1
G 51.2
G 51.3
G 51.4
G 51.5
G 51.6
Other wholesale
G 51.7
G 52.1
G 52.2
Retail sale of pharmaceutical and medical goods, cosmetics and toilet articles G 52.3
Other retail sale of new goods in specialized stores
G 52.4
G 52.5
G 52.6
G 52.7
Hotels
H 55.1
H 55.2
Restaurants
H 55.3
Bars
H 55.4
H 55.5
I 60.1
I 60.2
I 60.3
I 61.1
I 61.2
I 62.1
I 62.2
Space transport
I 62.3
I 63.1
I 63.2
I 63.3
I 63.4
I 64.1
I 64.2
J, K
J 65.1
J 65.2
J 66.0
J 67.1
J 67.2
K 70.1
K 70.2
K 70.3
Renting of automobiles
K 71.1
K 71.2
K 71.3
K 71.4
33 Information Technology
Hardware consultancy
K 72.1
K 72.2
Data processing
K 72.3
K 72.4
K 72.5
K 72.6
34 Engineering Services
K 74.2
K
K 74.1
K 74.3
Advertising
K 74.4
K 74.5
K 74.6
K 74.7
K 74.8
36 Public Administration
L 75.11
L 75.21
L 75.31
37 Education
Primary education
M 80.1
Secondary education
M 80.2
Higher education
M 80.3
M 80.4
N
N 85.11
N 85.12
N 85.13
N 85.14
Veterinary activities
N 85.2
N 85.3
O 90.0
O 91.1
O 91.2
O 91.3
O 92.1
O 92.2
O 92.3
O 92.4
O 92.5
Sporting activities
O 92.6
O 92.7
O 93.0
Note: A certification body could follow another system of scope classification, as per its
procedures and as approved by the accreditation board.
2.6 MATURITY ASSESSMENT
2.6.1 Introduction
Organizations should use an assessment tool, to determine their maturity level, i.e.
how well their essential capabilities are developing and growing towards the
achievement of sustainability.
The use of such a tool should enable an organization to identify specific areas for
improvement and to establish any action plans needed for the organization's further
development.
The results of an organization's assessments should be a valuable input into its
management review process, for both strategic and operational issues; consequently
such assessments should be conducted periodically.
Experience demonstrates that the results of assessment are more balanced and
complete when the assessments are conducted by teams.
2.6.2 Description of the maturity levels
Prior to carrying out this assessment, users should familiarize themselves with the
maturity levels described in Table 1 below.
The maturity levels describe the degree of development of the capabilities of an
organization and are given on a rising scale from 1 to 5.
Table 1 Description of the maturity levels

| Level | Organization | Description |
|---|---|---|
| Level 1 | Beginner organization | Management focus on production and rendering the service. No systematic approach and planning of activities. Unpredictable results. Improvements as reactions to request or complaints. |
| Level 2 | Proactive organization | Customer oriented management. Quality Mgt System implemented. Some results are predictable. Corrective and preventive actions systematically performed. |
| Level 3 | Flexible organization | The strategic plan addresses customers and stakeholders. Process based approach. Effective and agile Management Systems. Results are predictable. |
| Level 4 | Innovative organization | Balanced focus on stakeholders. Effective interrelated process approach. Consistent, positive, results and sustained trends. Continual improvement based on learning and culture of sharing. |
| Level 5 | Sustainable organization | Ability to maintain and develop its performance in the long term. |
CHAPTER-3
AUDITING GUIDE
3.0 PROCESS CLASSIFICATION
MANAGEMENT PROCESS
Required processes (Group 1)
- Management involvement (Clause 5 & 6 all sub clauses except 6.2.2)
- Customer focus (Clause 5.2)
- Improvement processes (Clause 8.4 & 8.5 all sub clauses)
In case process owner is responsible for document issue address clause 4.2.3
3. During certification audit, all processes of groups 1 to 4 shall be audited to cover all
clauses of the standard; however, within a clause/sub clause, sampling of activities
could be followed. During surveillance audit, all processes of groups 1 to 3 shall be
audited. For group 4, only a few of the processes could be audited.
4. During the 3 years of the certification cycle, ensure that all processes as per the audit program
are audited.
5.
6. Value adding clauses are with respect to realization processes and improvement
processes
7.
Value-Added Work:
-
e.g.: Entering order, Ordering materials, Designing the Product, Manufacturing &
Assembling, Legally mandated testing, Packaging and Shipping to customer.
Nonvalue-Added Work:
-
[Figure: Value-Added Work, Waste, Other Necessary Work]
3.1
- Customer focus (Clause 5.2)
- Improvement processes
Purpose
Top management commitment is required not only to develop the quality
management system but also to continually improve it.
Top management shall communicate to the organization the importance of
meeting customer requirements, regulatory and legal requirements and shall
ensure that customer needs and expectations are determined and converted into
internal requirements.
Organizations wanting successful quality management systems should align the
quality policy with the overall strategies and needs of their business.
The term objective is to be interpreted broadly, the same as goal, target, or aim.
The objectives should be SMART, i.e. Specific, Measurable, Achievable, Realistic,
& Time bound. Basically they should include those needed to meet requirements
of product, i.e. how the customer perceives it. In addition, for business strategy they
should also include financial, internal business process and learning & growth
perspectives. For the purpose of deployment, the balanced scorecard (as
recommended by Mr. Kaplan & Mr. Norton) could be used. The steps include
communicating & linking, business planning & feedback.
The various roles of personnel in the organization shall be defined so that their
responsibility, authority, and interactions are clear.
The communication structure within the organization needs to be defined.
Management review shall identify opportunities to improve the quality
management system and its processes. This could include actions to simplify or
foolproof processes, to develop improved methods, to improve documentation,
and so on.
Requirements (refer clause 5 & 6 all sub clauses except 6.2.2, 6.3 & 6.4 of
ISO 9001:2008 standard)
C.
D.
Purpose:
The organization is required to analyze data to identify areas where
improvements can be made. The analysis shall provide information in four
specific areas; customer satisfaction and/or dissatisfaction; conformance to
customer requirements; characteristics of processes, product and their trends;
and suppliers. The information may differ based on type and size of the
organization as well as the product category.
This clause requires that the organization plan the processes for continual
improvement of quality management system through deployment of quality
objectives, effective internal audit, and analysis of data leading to proper controls
on processes and identifying improvement projects, and effective management
reviews.
It involves taking actions to eliminate the causes of non-conformities in order to
prevent recurrence.
It involves finding potential causes of possible problems to eliminate the cause of
potential non-conformities.
B. Requirements (refer clause 8.4 & 8.5 all sub clauses of ISO 9001:2008
standard)
C. Audit at Management level (compliance audit as per clause 8.4 & 8.5 all sub
clauses of ISO 9001:2008)
D.
3.2
- Purchasing
- Purchasing process (Clause 7.4.2)
- Product manufacturing processes (Clause 7.5.1, 7.5.3, 8.3)
OR
- Service delivery process
A. Purpose:
It is important that determination and review of customer requirements gets the full
attention of the management, since it is a survival issue for the organization. This
has an enormous impact on the quotation and order process and on ultimate
customer satisfaction.
The acceptance of order or the submission of a quote or a tender by an
organization creates an obligation on the organization to meet the conditions
stated in the order and to provide goods and services included in the scope of
quotation or tender.
The complexity of the order/quote review process is highly dependent on the
business of the organization.
B. Requirements (refer Clause 7.2.1 & 7.2.2 of ISO 9001:2008 standard)
C. Audit at operational level (compliance audit as per clause 7.2.1 & 7.2.2 of
ISO 9001:2008)
D. Audit of process owner(s) level for compliance to 7.2.1, 7.2.2 and other
applicable clauses of ISO 9001:2008
E. In addition address following subjects for performance improvement
and sustainability for value addition.
1.
Purpose:
Planning is required to the level of detail necessary to achieve the design
objectives, not to generate an excessive amount of paper work. A typical
approach that is used to effectively address the planning requirement is to
generate a project flowchart that incorporates the pertinent personnel, timing and
interrelationship information.
It is intended to assure the development and documentation of a requirements
specification or an equivalent statement of the general and the specific
characteristics of a product to be developed, including the suitability of the
product to meet the market place, customer needs and statutory and/or
regulatory requirements.
This provision of the standard requires the availability of objective evidence that
the design and/or development has been executed in accordance with
requirements that were defined at the inception of the project.
In addition to documenting that the output results meet the input requirements, the
standard requires that information be provided to facilitate product realization.
The design and development review is used to assure timely release of a new
product that fully meets the needs of the customer. The design and development
reviews are required to be recorded.
Verification makes a determination, by any reasonable means, that the product
does meet the standard requirements. Verification can be done by review and
analysis of test data, by making alternative calculations, by additional testing of
the product or its components or by any other means.
Verification addresses conformance to requirements, while validation addresses
meeting defined user needs and that the product is capable of meeting the
requirements for the intended use in an environment that approximates as closely
as possible the operating conditions that will exist in actual use. The results of
validation should be recorded.
Changes to a product should be considered to be like mini projects within a
project. All changes should be exercised through design review, verification, and
validation processes including evaluation of the effect of changes and follow-up
actions.
2.
3.
D. Audit of process owner(s) level for compliance to 7.4.1 and other applicable
clauses of ISO 9001:2008
E. Audit of process owner(s) level for performance improvement and
sustainability for value addition.
1. Does the process owner ensure:
- Meeting objective targets
- Growth
- Performance improvement
- System improvement
2. Do the organization's supplier process controls include evaluation of relevant
experience, performance of suppliers against competitors, review of purchase
quality, price, delivery performance and response to problems, audits of
suppliers, financial assessment, supplier awareness of and compliance with
relevant statutory and regulatory requirements, supplier logistics capability
including locations and resources?
3.2.4 Required processes - Realization processes (Group 2)
Product manufacturing processes (Clause 7.5.1, 7.5.2, 7.5.3, 8.3)
OR
Service delivery process (Clause 7.5.1, 7.5.2, 7.5.3, 8.3)
A. Purpose:
The processes need to be carried out under controlled conditions. Appropriate
criteria and controls for these processes need to be determined and implemented
to maintain process capability and to prevent non-conformities from occurring. In
determining the extent of documentation needed, the organization should
consider the criticality of the product, training level of its people, and complexity as
well as size of the organization.
The degree of product identification and traceability depends upon the nature of
product, the nature and complexity of process, industry practice, and whether
identification is required in a contract.
The primary requirement is to assure the effective implementation of processes
that prevent unintended use or delivery of product that does not conform to
requirements.
B. Requirements (refer Clause 7.5.1, 7.5.2, 7.5.3, 8.3 of ISO 9001:2008
standard)
C. Audit at operational level (compliance audit as per Clause 7.5.1, 7.5.2, 7.5.3,
8.3 of ISO 9001:2008)
D. Audit of process owner(s) level for compliance to 7.5.1, 7.5.2, 7.5.3, 8.3 and
other applicable clauses of ISO 9001:2008
E. Audit of process owner(s) level for performance improvement and
sustainability for value addition.
1. Does the process owner ensure:
- Meeting targets (production, schedules, cost)
- Employee motivation
- Performance improvement
- System improvement
2. Has the organization identified and implemented any improvement projects?
3. Improving effectiveness & efficiency of process by reducing waste, training of
people, communication and recording information, developing supplier
capabilities, improving infrastructure, preventing problems, process yields &
methods of monitoring?
3.3
(Clause 4.2.3)
- Customer focus
- Customer complaints and satisfaction
- Internal audit (Clause 8.2.2)
(Clause 4.2.4)
- Training (Clause 6.2.2)
- Employee development (Clause 6.2.2)
- Maintenance (Clause 6.3)
(Clause 7.1)
OR
(Clause 7.1)
- Purchasing process (Clause 7.4.2)
- Process validation (Clause 7.5.2)
- Customer process
- Customer communication (Clause 7.2.3)
(Clause 7.5.4)
- Inspection
- Receiving inspection (Clause 7.4.3)
- Process inspection (Clause 8.2.3)
- Stage inspection (Clause 8.2.4)
- Final inspection (Clause 8.2.4)
- Calibration (Clause 7.6)
- Stores management (Clause 7.5.5)
- Packing, shipping/delivery (Clause 7.5.5)
A. Purpose:
Measuring and monitoring devices that are required to assure conformity of
product need to be controlled. It requires achieving and maintaining a capable
measurement system and the concept of achieving and maintaining a stable
measurement system.
B. Requirements (refer Clause 7.6 of ISO 9001:2008 standard)
C. Audit at operational level (compliance audit as per Clause 7.6 of ISO
9001:2008)
D. Audit of process owner(s) level for compliance to 7.6 and other applicable
clauses of ISO 9001:2008
E. Audit of process owner(s) level for performance improvement and
sustainability for value addition.
1. Does the process owner ensure?
- Meeting objective targets
- Employee motivation
- Performance improvement
- System improvement
2. Does the organization consider eliminating potential errors from processes,
such as by fool proofing, for verification of process outputs in order to minimize
the need for calibrations, and to add value for interested parties, since
calibration is a costly process?
3.4.11 Sample processes, Support Processes (Group 4)
Inspection - Receiving inspection (Clause 7.4.3)
Process inspection (Clause 8.2.3)
Stage inspection (Clause 8.2.4)
Final inspection (Clause 8.2.4)
A. Purpose:
Whatever methods are used, the verification activities for purchased products
shall be planned and effectively implemented. The measurements that are used
to assure conformity and achieve improvement need to be defined based on
scientific principles (analysis of data, statistical techniques, FMEA etc). The
process management results should indicate fulfillment of requirements and
confirm the continuing suitability for each process to satisfy its intended purpose.
This includes all measurement activities from receiving inspection to product
delivery. It covers the actual measurements used to verify that the requirements
are met for the incoming materials and up to the final product. Conformity to
requirements needs to be documented and release controlled.
B. Requirements (refer Clause 7.4.3, 8.2.3, 8.2.4 of ISO 9001:2008 standard)
C. Audit at operational level (compliance audit as per Clause 7.4.3, 8.2.3, 8.2.4 of
ISO 9001:2008)
D. Audit of process owner(s) level for compliance to 7.4.3, 8.2.3, 8.2.4 and other
applicable clauses of ISO 9001:2008
E. Audit of process owner(s) level for performance improvement and sustainability
for value addition.
1. Does the process owner ensure?
- Meeting objective targets
- Employee motivation
- Performance improvement
- System improvement
2. Measurement of process performance includes capability, reaction time, cycle
time, yield, waste reduction, cost reduction. Does the organization consider
these (as applicable) for the purpose of process performance
measurements?
3. Does the organization review methods used for measuring products and the
planned records of verification, to consider opportunities for performance
improvements? Typical examples of product measurement records that could
be considered for performance improvement include inspection and test
reports, material release reports, product acceptance reports, certificate of
conformity as required.
Template 1
AUDIT PROGRAMME
Organization / Location(s): Organization A
Certificate Nr.: New
Total ftes/shifts: 650/1
IAF / EAC Code: 17
Standard(s) & Exclusion(s): ISO 9001:2008; 7.3 (Design and development)
Revised by / on: A1/16.09.08 for S1

| Clause No. | Process | Process Owner |
|---|---|---|
| 4 to 8 | Documented Management System | |
| | Required Processes, Management process Group 1 | |
| 5 & 6 except 6.2.2, 6.3 & 6.4 | Management Involvement | |
| 5.2 | Customer focus | |
| | Document control | |
| 8.2.1, 8.5.2 | Customer focus: customer complaints and satisfaction | |
| 8.2.2 | Internal audit | |
| | Sample Processes, Support Processes Group 4 | |
| 6.2.2 | Training | |
| 6.2.2 | Employee development | |
| 6.3 | Maintenance | |
| 7.2.3 | Customer communication | |
| 7.4.2 | Purchasing process | |
| 7.4.3 | Receiving inspection | |
| 7.5.2 | Process validation | |
| 7.5.4 | | |
| 7.5.5 | Stores management | |
| 7.5.5 | | |
| 7.6 | Calibration | |
| 7.1 | | |
| 8.2.3 | Process inspection | |
| 8.2.4 | Stage inspection | |
| 8.2.4 | Final inspection | |
Template 2
AUDIT TIMETABLE
Organization / Location(s): Organization A
Certificate Nr.: New
Total ftes/shifts: 650/1
IAF / EAC Code: 17
Standard(s) & Exclusion(s): ISO 9001:2008; 7.3. (Design and development)
Scope: Manufacture of machined components.
Audit type:
Assessor 1: (A1)
Expert:

| Date | Time | Assessor | Process/Process owner |
|---|---|---|---|
| 16.09.2008 | 08.30 | A1 | Opening Meeting |
| | 09.00 | A1 | MR: Organization structure; Review of the management system documents; Internal audits including corrective action closure; Management review; Control of documents; Records management; Finalization of timetable and audit program |
| | 13.00 | A1 | |
| | 15.00 | A1 | MR: Review of audit findings |
Organization / Location(s): Organization A
Certificate Nr.: New
Total ftes/shifts: 650/1
IAF / EAC Code: 17
Standard(s) & Exclusion(s): ISO 9001:2008; 7.3. (Design and development)
Scope: Manufacture of machined components,
Audit type:
Assessor 1: (A1)
Expert:

| Date | Time | Assessor | Process/Process owner |
|---|---|---|---|
| 14.10.2008 | 08.30 | All | Opening Meeting |
| | 09.00 | A1 | MR: Corrective actions on Stage 1 audit findings. CEO & HODs (if not carried out during Stage 1 audit): Customer satisfaction processes; Continual improvement processes; Management involvement |
| | 11.00 | A1 | PROCESS OWNER: Manpower planning, MIS |
| | 14.00 | A1 | PROCESS OWNER: Contract review; Customer complaints, customer feedback |
| | 09.00 | A2 | PROCESS OWNER: Control of documents |
| | 11.00 | A2 | PROCESS OWNER: Stage & final inspection |
| 15.10.2008 | 09.00 | A1 | PROCESS OWNER: Training |
| | 10.30 | A1 | PROCESS OWNER: Supplier Management; Outsourcing, Purchasing |
| | 14.00 | A1 | PROCESS OWNER: Calibration |
| | 09.00 | A2 | PROCESS OWNER: Manufacturing process 1 |
| | 11.00 | | PROCESS OWNER: Manufacturing process 2 |
| | 14.00 | A2 | PROCESS OWNER: Manufacturing process 3 |
| 16.10.2008 | 09.00 | A1 | PROCESS OWNER: Calibration (shops) |
| | 10.30 | A1 | PROCESS OWNER: Receiving inspection |
| | 14.00 | A1 | PROCESS OWNER: Stores |
| | 09.00 | A2 | PROCESS OWNER: Methods; Tooling; Progress |
| | 14.00 | A2 | PROCESS OWNER: Maintenance |
| | 15.30 | All | Review of findings |
| | 16.30 | All | Closing Meeting |
Template 3
NONCONFORMANCE DEFINITIONS:
Whenever it is found that a requirement of the standard or of the organization's management
system is not fully conformed to, the nonconforming condition is documented in a Corrective
Action Request, and included in the report. The Nonconformance is classified according to
risk, as major and minor:
MAJOR NONCONFORMANCE:
The requirement has not been met. Evidence indicates one or more of the following:
A)
B)
C) Conditions that could result in the failure or reduced usability of products or services
MINOR NONCONFORMANCE:
The requirement has not been fully met. Evidence indicates the finding is:
A) Non-systemic
B) An isolated occurrence
C)
CORRECTIVE ACTION:
Closed loop Corrective Action by the organization is required to be initiated, carried out, and
completed in a timely manner whenever a requirement of the standard or of the
organization's management system has not been met. Corrective action analysis by the
organization shall include determination of applicability to other parts and processes of the
organization.
Minor/Major Nonconformances are required to be settled effectively by the organization.
The Lead Auditor is required to monitor and evaluate the effective implementation of the actions
taken by the organization. The time frame to settle these nonconformances will depend on
the certification bodies' procedures as approved by accreditation boards.
All open major and minor nonconformances shall be closed by the Lead Auditor prior to a
recommendation for certification.
Template 3
Organisation: Organization A, Bangalore, India.
Audit: Surveillance 1
Process: Maintenance
Date: MM/DD/YY
Auditor: A1
DESCRIPTION OF FINDING
There is no evidence of carrying out routine and preventive maintenance of CNC machine (No. CA/765) since
installation 3 years back.
ASSESSMENT
signature of auditor
signature of auditee
CONTAINMENT ACTION
SIGNATURE OF AUDITEE/ MR
A1
MM/DD/YY
DATE
Date
Appendix A:
OPENING MEETING AGENDA
(For Certification /Surveillance)
1.
2.
3.
4.
5. Review of audit schedule [Time table] [day / time / process owner (auditee) / auditor]
6. Audit procedure
- Define nonconformity (major / minor)
- Define opportunities for improvement
- Define responsibilities and consequences of Corrective Action Requests (CARs)
for Certification
for Surveillance
7.
8.
9.
10. Statement of confidentiality
11.
12. Thank the management and announce date and time of closing meeting.
Appendix B
CLOSING MEETING AGENDA
1.
2.
3.
4. Scope (redefined)
5. Findings / results:
- summary of nonconformity (major / minor) / opportunities for improvement
- Strengths as appropriate from results
6.
7.
8.
10.
11.
12.
13.
14.
15.
16.
17.
9.
Certification
Surveillance
[Note: for the closing meeting during stage 1, state that all NCs are to be resolved
before the stage 2 audit]
Appendix C
Quality System Questionnaire
ASSESSMENT QUESTIONS
KEY
Requirements
General requirements
01
02
identify the processes needed for the quality management system and
their application throughout the organization?
b)
c)
d)
e)
f)
03
04
4.2 DOCUMENTATION REQUIREMENTS
4.2.1 General
06 Does the quality management system documentation include:
a) documented statements of a quality policy and quality objectives?
b) a quality manual?
c) documented procedures required by this International Standard?
d) documents needed by the organization to ensure the effective
planning, operation and control of its processes?
e) records required by this International Standard (see 4.2.4)?
Note 1:
Note 2:
Note 3:
MANAGEMENT RESPONSIBILITY
5.1 Management commitment
01 Has top management provided evidence of its commitment to the
development and implementation of the quality management system
and continually improving its effectiveness by: [Key: M]
a) communicating to the organization the importance of meeting
customer as well as statutory and regulatory requirements? [Key: M]
b) establishing the quality policy?
c) ensuring that quality objectives are established?
d) conducting management reviews?
e) ensuring the availability of resources?
5.2 Customer focus
02 Has top management ensured that customer requirements are
determined and are met with the aim of enhancing customer
satisfaction (see 7.2.1 and 8.2.1)?
5.3 Quality policy
03 Has top management ensured that the quality policy:
a) is appropriate to the purpose of the organization?
b) includes a commitment to comply with requirements and continually
improve the effectiveness of the quality management system?
c) provides a framework for establishing and reviewing quality
objectives?
d) is communicated and understood within the organization?
e) is reviewed for continuing suitability?
5.4 PLANNING
Note 2:
MANAGEMENT REVIEW
5.6.1 General
10 Has top management reviewed the organization's quality management
system, at planned intervals, to ensure its continuing suitability,
adequacy and effectiveness?
11 Does this review include assessing opportunities for improvement and
the need for changes to the quality management system, including the
quality policy and quality objectives?
12 Are records from management reviews maintained (see 4.2.4)?
5.6.2 Review input
13 Does the input to management review include information on:
a) results of audits?
b) customer feedback?
c) process performance and product conformity?
d) status of preventive and corrective actions?
e) follow-up actions from previous management reviews?
f) changes that could affect the quality management system?
g) recommendations for improvement?
5.6.3 Review output
14 Does the output from the management review include any decisions and
actions related to: [Key: M]
a) improvement of the effectiveness of the quality management
system and its processes?
RESOURCE MANAGEMENT
6.1 Provision of resources
01 Has the organization determined and provided the resources needed:
a) to implement and maintain the quality management system and
continually improve its effectiveness? and
b) to enhance customer satisfaction by meeting customer
requirements?
6.2 HUMAN RESOURCES
6.2.1 General
02 Are personnel performing work affecting product quality competent on
the basis of appropriate education, training, skills and experience?
6.2.2 Competence, awareness and training
03 Does the organization:
INFRASTRUCTURE
04 Does the organization determine, provide and maintain the
infrastructure needed to achieve conformity to product requirements?
Infrastructure includes, as applicable:
a) buildings, workspace and associated utilities?
b) process equipment (both hardware and software)?
c) supporting services (such as transport or communication)?
6.4 WORK ENVIRONMENT
05 Does the organization determine and manage the work environment
needed to achieve conformity to product requirements?
Note: Factors that may affect the conformity of the product include temperature,
humidity, lighting, cleanliness, protection from electrostatic discharge, etc.
P: Product related - M: Management related
7 PRODUCT REALIZATION
7.1
CUSTOMER-RELATED PROCESSES
7.3
PURCHASING
7.5
8.4 ANALYSIS OF DATA
27 Does the organization determine, collect and analyze appropriate data
to demonstrate the suitability and effectiveness of the quality
management system and to evaluate where continual improvement of
the effectiveness of the quality management system can be made? [Key: M]
28 Does this include data generated as a result of monitoring and
measurement and from other relevant sources?
29 Does the analysis of data provide information relating to:
a) customer satisfaction (see 8.2.1)?
b) conformity to product requirements (see 7.2.1)?
c) characteristics and trends of processes and products including
opportunities for preventive action?
d) suppliers?
8.5 IMPROVEMENT
Appendix D
ISO 9001 AUDITING PRACTICES GROUP
1. Scope of ISO 9001:2008, Scope of Quality Management System (QMS) and the
Scope of Registration/Certification
2.
3.
1.
conformity to ISO 9001. The certificate will usually include a synthesized description of
the scope of registration/certification, but not the details of the ISO 9001 requirements
that have been excluded; however, it may include a note to refer to the fact that the
exclusions are detailed in the organization's Quality Manual.)
It is essential that a scope of registration/certification be drafted by the organization
prior to applying for registration/certification. This should then be analysed by the CRB
during the Stage 1 audit, for appropriate planning of the Stage 2 audit.
It is the responsibility of the auditor:
- to ensure that the final statement of the scope of registration/certification is not
misleading;
- to verify that this scope only refers to the processes, products, sites, departments, or
divisions etc. of the organization that were assessed during the registration/
certification audit; and
- to verify that this scope defines any excluded requirements from ISO 9001, and that
justification for such exclusions is provided and is reasonable.
As an additional measure to combat potential confusion among customers and end
users, the scope of registration/certification should be clearly defined in the
organisation's Quality Manual and any publicly available documents (this includes, for
example promotional and marketing material).
However, promotional statements should never be included in the scope of
registration/certification itself.
2.
the characteristics of the physical means used to deliver the service, e.g. the
maximum speed of an aircraft, or of the environment in which the service is
provided, e.g. the interior temperature or facilities of an aircraft).
It is quite common for organizations to consider only the tangible component of their
product when addressing the requirements of clause 7.3, forgetting that the design
and development of the intangible product (the service itself) should be the main focus.
Additionally, the organization will need to design how the service will be delivered to its
customers.
If the organization proposes to justify the exclusion of design and development from its
QMS, the auditor should make a careful assessment of the justifications in light of the
above. The auditor should also examine whether the organization has an effective
design and development process that sufficiently defines the characteristics of its
service, and of its service delivery processes, that are needed to meet customer needs
and expectations.
Validation of processes for production and service provision
In terms of the processes needed to realize the service, we can identify two types of
service processes:
- those involving the customer in the realization of the service itself (real time
delivery); and
- those in which the output is delivered to the customer after the realization of the
process.
Using the example of a hotel, the guest "check-in" and "check-out" processes would
probably involve "real-time" delivery of the service, whilst the cleaning of the guest's
room would generally be "delivered" to the guest only after completion of the process
(which could be subject to inspection and rework if necessary, to correct any
nonconformities).
Similar processes can also be found in manufacturing organizations providing
services related to their products, for example, the handling of claims and warranties;
the repair of products by the organization's service units; or product maintenance
whether the personnel involved are sufficiently empowered with the authority to
decide the disposition of the service, for example:
"
"
"
to offer an alternative
any temporary corrections that are implemented to mitigate the effect of the
nonconformity (e.g. refund, credit, upgrade, etc.)
3.
to the certification body, by improving the credibility of the third party certification
process.
The approach to "adding value" is likely to be a function of the level of maturity of the
organization's quality culture and the maturity of its QMS, with respect to the
requirements of ISO 9001:2008.
[Figure 7: Matrix of maturity of QMS (non-conforming to conforming) against maturity of quality culture (low to high), divided into Zone 1 to Zone 4]
Zone 1: (Low maturity of "quality culture"; immature QMS, not conforming to
ISO 9001:2008)
Zone 2: (Mature "quality culture"; immature QMS, not conforming to ISO
9001:2008)
Zone 3: (Low maturity of "quality culture"; mature QMS, conforming to ISO
9001:2008)
In order to add value in these circumstances, the primary objective of the auditor
should be to act as a catalyst for the organization to build on its ISO 9000-based quality
management system, and to integrate the system into its day-to-day operations. While
the third party certification auditor cannot provide recommendations on how to meet
the requirements of ISO 9001:2008, it is acceptable and indeed good practice to
encourage and stimulate (but not require!) the organization to go beyond the
requirements of the standard. The questions the auditor asks (and the way he or she
asks those questions) can provide valuable insights for the organization into how the
QMS could become more efficient and useful. Identification of "Opportunities for
Improvement" by the auditor should include ways in which the effectiveness of the
QMS might be enhanced, but could also address opportunities for improved
efficiency.
Zone 4: (Mature "quality culture"; mature QMS, conforming to ISO 9001:2008)
For an organization that has a mature "quality culture", and has been certified to one of
the ISO 9000 series of standards for a significant period of time, the expectation of how
an audit might add value will be the most challenging for an auditor. A common
complaint among this kind of organization is that the "routine surveillance visits" by the
auditor may be superfluous, and do little to add value in the organization's eyes.
In these cases, top management becomes an important customer of the certification
process. It is therefore important for the auditor to have a clear understanding of the
organization's strategic objectives, and to be able to put the QMS audit within that
context. The auditor needs to dedicate time for detailed discussions with top
management, to define their expectations for the QMS, and to incorporate these
expectations into the audit criteria.
Some tips for the auditor on how to add value
1) Audit planning:
a. Understand the auditee's expectations/corporate culture
b. Any specific concerns to be addressed (output from previous audits)?
c. Risk analysis of industry sector / specific to organization.
d. Pre-evaluation of statutory/regulatory requirements
e. Appropriate audit team selection to achieve audit objectives
f. Adequate time allocation
2) Audit technique:
a. Focus more on the process, and less on procedures. Some documented
procedures, work instructions, check-lists etc. may be necessary in order for
the organization to plan and control its processes, but the driving force should
be process performance.
b. Focus more on results and less on records. In a similar fashion, some records
may be necessary in order for the organization to provide objective evidence
that its processes are effective (generating the planned results) but in order to
add value, the auditor should be aware of and give credit for other forms of
evidence.
c. Remember the 8 Quality Management Principles
d. Use the "Plan-Do-Check-Act" approach to evaluate the organization's
process effectiveness.
i.
ii.
iii.
iv.
4)
o Proactive
o Reactive
ii.
iii.
iv.
& CEO of
NVT Group (consisting of NVT Quality Certification Pvt. Ltd., & NVT Education Trust
Operating International School of Management Excellence).
Beginning in 1968, Garg has worked in the areas of manufacturing, processing,
casting, forging, electronics, electrical, software and engineering services related to
the aerospace industry for civil and military aircraft. He has carried out more than 200 audits for
ISO 9001, ISO 14001, TL 9000 and AS 9100.
Born in India, Garg holds Bachelor's and Master's degrees in Engineering from the Indian Institute of
Technology (Roorkee University) and has the honor of being the recipient of the university Gold
Medal at IIT (Roorkee University). He is a graduate in Non-Destructive Inspection from AFTC,
Chanute, United States Air Force, securing 1st position in Graduate NDI at AFTC, USA.
Garg has written/presented more than 50 papers in national/international journals/seminars.
Garg has been honored as Quality Guru at the International Asia Pacific Quality World conference in
Mexico.
Contact Address :
NVT Quality Certification Pvt. Ltd.
Cap1, Export Promotion Industrial Park
Near ITPL, White Field, Bangalore-560066
Tel.: +91-50-65343536/37, Fax: +91-50-28416767
Website : www.nvtquality.com, E-mail: nvtqc@vsnl.com
Dr Girdhar J. Gyani has been associated with the discipline of Quality since 1980,
when he took up an assignment on Airworthiness Assessment & Quality Certification of Military
Airplane (1980-90) with the Defence Research & Development Organization at Hindustan
Aeronautics Limited, involving the application of quality in a state-of-the-art, multidisciplinary and
complex manufacturing sector.
Dr Gyani later joined the Standardization, Testing & Quality Certification Directorate
(Department of Information Technology, Government of India) as CEO of a Test & Calibration
Laboratory and Founder Director of the Indian Institute of Quality Management (1990-2003).
During this period, Mr. Gyani, as trainer and consultant, facilitated a large number of industries,
in both the manufacturing and service sectors, covering different facets of TQM. Mr.
Gyani is credited with designing and launching the country's first M.S. program in Quality
Management, which has been adapted by the premier Indian university BITS Pilani.
In 2003, he took up a prestigious assignment as Secretary General, Quality Council of
India (the apex quality body of the country), responsible for establishing and operating the national
accreditation structure and promoting quality in all walks of life. Mr. Gyani has been an elected director
on the board of IAF since 2004. He has worked extensively on improving the effectiveness of the QMS
certification process through actual field validation, the findings of which have appeared in
prominent international quality journals. He is widely traveled and has been an invited speaker
at several international seminars on quality. He has of late been active in pursuing quality in
health and education. He has been instrumental in establishing the national accreditation
structure for healthcare and quality school governance.
Dr Gyani holds a Master's Degree in Engineering and a Doctorate in Quality. He was
conferred the 16th Lal C. Verman Award in 2002 in recognition of distinguished
contribution in the field of standardization, precision measurement and quality control. He is
the recipient of the Rotary Centenary Award in 2004 for Excellence in the field of Quality.