Professional Documents
Culture Documents
By
K. G. Garg
Foreword by : Dr Girdhar J. Gyani
ISO 9001:2008
Published by:
Quality Council of India (QCI)
2nd Floor, Institution of Engineers Building
Bahadur Shah Zafar Marg,
New Delhi – 110 002, INDIA.
Printed by:
Perfact Impression Pvt. Ltd.
2, Prem Nagar Market, Tyag Raj Nagar
New Delhi-110 003
Tel. : 011-24602233/77, 24603123/24
E-mail : mail@perfactimpression.com
CONTENTS
FOREWORD I-IV
PREFACE V
REFERENCES VII
CHAPTER PARTICULARS PAGES NO.
1 GENERAL 1-4
1.1 Quality management principles 1-2
1.1.1 Customer focus 1
1.1.2 Leadership 1
1.1.3 Involvement of people 1
1.1.4 Process approach 1
1.1.5 System approach to management 1
1.1.6 Continual improvement 2
1.1.7 Factual approach to decision making 2
1.1.8 Mutually beneficial supplier relationships 2
1.2 Mission, vision, strategy, policy & Objectives 2-5
1.2.1 Mission & Vision 2
1.2.2 Aspects of strategy 2
1.2.3 Strategic planning 3
1.2.4 Policy and objectives 3
1.2.5 Objective deployment 4
1.3 Processes 6-8
1.3.1 Process approach 6
1.3.2 Types of processes 6
- Management processes 7
- Realization processes 7
- Support processes 7
1.4 Measurement and analysis 8-11
1.4.1 Measurement approach 8
1.4.2 Performance matrix 9
1.4.3 Measuring achievements of objectives 9
1.4.4 Key indicators 9
1.4.5 Measurement tools 10
1.5 Improvements 11
1.6 Innovation 11-14
1.6.1 General 11
1.6.2 Types of innovations 12
1.6.3 Factors influencing the effectiveness of the innovations 12
1.6.4 Planning of the innovation processes 13
2 AUDITOR GUIDE 15-47
2.1 Certification Audit types 15
2.1.1 Introduction-Certification 15
2.1.2 Initial certification stage 1 audit 15
- Process audits during stage 1 audit
2.1.3 Initial certification stage 2 audit 21
- Process audits during stage 2 audit
2.1.4 Assumption Audit (Transfer of accredited certification) 23
- Review of certification information & prior reports
- Audit programme development
- Process audits
2.1.5 Surveillance audits 24
- Surveillance audit planning
- Renewal audit planning during last surveillance audit
2.1.6 Renewal audit 25
2.1.7 Corrective action audit 26
2.2 Auditors competence 27
2.3 Roles and responsibilities for
assessment/certification personnel 28-29
2.3.1 Roles and responsibilities of top management 28
2.3.2 Roles and responsibilities of lead auditors 28
2.3.3 Roles and responsibilities of auditors 29
2.3.4 Roles and responsibilities of technical experts 29
2.3.5 Roles and responsibilities of trainee auditors/observers 29
2.4 Audit time 29-36
2.5 Audit scopes 36-45
2.6 Maturity assessment 46
2.6.1 Introduction 46
2.6.2 Description of the maturity levels 46
3 AUDITING GUIDE 47-70
3.0 Process classification 47-52
3.1 Required Processes – Management processes (Group 1) 49
3.1.1 Management involvement & Customer focus 49
3.1.2 Improvement process 51
3.2 Required Processes – Realization processes (Group 2) 52-57
3.2.1 Customer process – contract/ order management 52
3.2.2 Design and development 54
3.2.3 Supplier Management 55
3.2.4 Product manufacturing process or Service delivery process 56
3.3 Required processes, Support Processes - (Group 3 57-60
3.3.1 Document control 58
3.3.2 Customer focus– customer complaints and satisfaction 58
3.3.3 Internal audit 59
3.4 Sample processes, Support Processes - (Group 4) 59-70
3.4.1 Records management 61
3.4.2 Training 62
3.4.3 Employee deployment 63
3.4.4 Maintenance 63
3.4.5 Planning for product realization or 64
Planning for service realization
3.4.6 Customer process - Customer communication 65
- Customer; supplied product
- Customer; supplied product
3.4.7 Purchasing process 66
3.4.8 Process validation 67
3.4.9 Stores management: Packing, shipping and delivery 68
3.4.10 Calibration 68
3.4.11 Inspection - Receiving inspection 69
- Process inspection
- Stage inspection
- Final inspectionTemplate 1: Audit Time table
Template 1: Audit programme 71-72
Template 2: Audit timetable 73-75
Template 3: Nonconformance & Corrective action request format 77-80
Appendix A – Opening Meeting Agenda 81
Appendix B – Closing Meeting Agenda 83
Appendix C – Quality System Questionnaire 85-102
Appendix D - ISO 9001: Auditing Practices Group 103-117
FOREWORD
International Standard ISO 9001:2008 specifies the requirements for a quality management
system (QMS), which an organization must implement to:
The Standard ISO 9001 is one of the most widely used certification system in the world,
against which more than 12, 00,000 organizations have already been certified. The
certificates are issued by Certification Bodies, after verifying that the organization (supplier
of products or services) is complying with the requirements specified in ISO 9001 Standard.
The competency of the Certification Bodies is ensured through a process, wherein a
designated Accreditation Body grants the accreditation to the Certification Body, based on
International Standard ISO 17021 .In addition, the International Accreditation Forum, a
consortium of Accreditation Bodies, has established a mechanism of mutual recognition of
accredited certification world over. By this process of accreditation, products or services of a
certified organization get global acceptance. Such a robust mechanism acts as a guarantee
to the ultimate consumer that the product /services from the certified organizations would
comply with the specified requirements. However, of late, this guarantee has unfortunately
eluded the ultimate user.
I had the opportunity to undertake field survey at Quality Council of India on more than 800
ISO 9001 certified organizations, the first of its kind, undertaken to validate the effectiveness
of certification process, and which revealed wide ranging inadequacies in the certification
process. Analysis of the data conclusively indicated lack of consistency in the certification
process adopted by different Certification Bodies, in spite of the fact that they were
accredited and were expected to follow uniform practices.
ISO 9000 series of standards based on the British standard BS 5750 was first issued in 1987.
i
The certification to BS 5750 was initially started in UK and subsequently the standard was
adopted as ISO 9000 by the international community. The certification activity was mainly led
by the organizations that were involved in third party certification like ship registrars etc.
Later the Certification Bodies established in UK and Europe realized that it would be easier to
operate through branch offices set up in the developing countries.
As the awareness in the market grew and the thrust by the European countries that ISO 9000
certification would help improve the exports potential of developing countries, number of
organization started looking at the ISO 9000 series of standards. The Certification Bodies
took this as a business opportunity and began to look at various options to expand their
operations. They started having partnership or tie-up with appropriate agencies in the
developing countries. Simultaneously, it gave rise to local CBs coming into being and
seeking accreditation from the overseas ABs in the developed countries. This was because
most of the developing countries, at that point of time, did not have their own accreditation
bodies. Proliferation in certification brought in competition and with inadequate control of
foreign Accreditation Bodies on the Certification Bodies, resulted in considerable dilution of
the certification process.
It is mandatory for the Accreditation Bodies to carry out a regular surveillance assessment of
the Certification Bodies at least once a year. Similarly the Certification Bodies will carry out a
regular audit, at least once a year, on the certified organizations to ensure continued
compliance. One of the main reason for dilution of the standards of certification process is
inadequate control of the Accreditation Bodies on the Certification Bodies that are operating
through the branch offices, franchisee or through representation. The Certification Bodies
(CBs) operating in most of the developing countries fall into the following three categories;
The CBs in the categories 'A' and 'B' undergo mandatory annual surveillance by their ABs, as
ii
provided in the IAF guidelines. This ensures regular monitoring & control over the functioning
of CBs. The CBs in category 'C' are in fact the ones, which lack in terms of monitoring and
control mechanism. Many CBs in this category have never been subjected to the
surveillance by the concerned ABs.
The ISO 9000 series of quality standards work on the premise that customers require
products with characteristics that satisfy their needs and expectations, collectively referred
to as customer requirements or product specifications. The quality management system
(QMS) approach encourages organizations to determine the needs and expectations of
customers and other interested parties, establish the processes and responsibilities
necessary to address and comply with these needs, establish methods to measure the
effectiveness and efficiency of each process and finally establish & apply a process for
continual improvement of the quality management system. Some organizations have used
the ISO 9000 series of standards to develop quality management systems that are
integrated into the way they do business and are useful in helping them to achieve their
strategic business objectives and add value for the organization. On the other hand, many
other organizations have simply created a set of bureaucratic procedures and records that
do not reflect the way the organization actually works. Setting up such elaborate procedures
simply adds costs, without providing any value additions to the product or process.
Many organizations generally agree that they have been benefited from the ISO 9000
certification. However, most of this initial benefit has been due to the creation of well-defined
documentation of work processes, assimilation of data, and maintenance of records. Many
of these organizations also recognize that benefit has not gone beyond adding any value into
the internal system by way of improvement in efficiency and cost reduction etc. Most of the
audit schedules focus only on determining whether documented procedures are being
implemented in practice. Few procedures, however, define what the process they describe
are designed to achieve or how these are to be measured. The audits in many cases fail to
ascertain whether the process is suitable to deliver products that meet defined requirements
and whether the process has realized the quality objectives of the organization.
Consequently, most of the audit efforts reinforce the status quo and do little to identity the
scope for business improvement. Many consider that such audits add little value to the
organization, and are necessary only to retain certification.
iii
The effectiveness of quality management system certification is based upon the credibility of
the certification process. In this entire process of certification, auditing takes the center
stage and auditor plays the key role. Mr. Garg has done commendable job in bringing out at
one place all the best practices in auditing for value addition. The book will serve as a good
Auditor's Manual in general and as excellent training aid for the new and budding auditors
iv
PREFACE
This document is prepared based on ISO 9000:2005, ISO 9001:2008, ISO 9004:2000, ISO
9004:2007 (draft), 19011:2002, 17021:2006, IAF mandatory documents and experiences of
NVT-Quality Certification audits to ISO 9001 series of standards
Chapter 1: Deals with basic understanding and contains subjects on quality management
principles, mission, vision, strategy, policy, objectives, objective deployment,
processes, measurement, analysis, improvement and innovation.
Chapter 2: Deals with audit understanding and contains subjects on audit: types, planning,
programme, processes, initial certification, assumption (transfer of accredited
certification), surveillance, renewal, corrective action, auditors competence,
audit time, audit scopes including maturity assessment.
Chapter 3: Deals with auditing for required processes (management processes group1,
realization processes group 2 & support processes group 3) and sample
processes (support processes group 4). Each process audit includes purpose
of the process, requirements, audit at operational level and audit at process
owner level.
This document also contains templates on audit timetable, audit programme and corrective
action request format (this is also called nonconformity report format).
This document further contains appendices on quality system questionnaire & ISO 9001
auditing practice group advices/interpretations on different topics.
It is expected that auditors after developing knowledge from chapter 1 and following
practices as per chapter 2 & 3 should be able to add considerable value to the third party
audits.
I acknowledge with thanks KEMA Quality for their excellent support in last 15 years in
assisting and developing our audit process. I also acknowledge with thanks publishers of
ISO standards and IAF since I have quoted and used some of the materials from ISO/IAF
publications.
I am thankful to Prof. Y.R. Rau & Mr. K.T.Thomas for review. I am thankful to Dr. Girdhar J.
Gyani for review and foreword. I am thankful to Prof. A.K. Chaudhuri for guiding me through
out the project. I am also thankful to Mr. Mohan Rao for administrative support.
K.G. GARG
v
REFERENCES
1. ISO 9000:2005 - Quality Management Systems: Fundamentals &
Vocabulary
11. IAF MD 4:2008 - IAF Mandatory Document for the use of Computer
Assisted Auditing Techniques (“CAAT”) for
accredited Certification of Management System
12. IAF MD 5:2009 - IAF Mandatory Document for Duration of QMS and
EMS audits
Note: The requirements given in the ISO standards, IAF documents and decisions of IAF,
shall at any time supersede any of the provisions covered under this document.
vii
General
K.G. Garg
CHAPTER 1
GENERAL
Eight quality management principles have been identified that can be used by top
management in order to lead the organization towards improved performance.
1.1.2 Leadership
Leaders establish unity of purpose and direction of the organization. They should
create and maintain the internal environment in which people can become fully
involved in achieving the organization's objectives.
People at all levels are the essence of an organization and their full involvement
enables their abilities to be used for the organization's benefit.
A desired result is achieved more efficiently when activities and related resources are
managed as a process.
1
General
K.G. Garg
These eight quality management principles form the basis for the quality management
system standards within the ISO 9000 family.
A mission (why we exist?) and vision (what we want to be?) should be developed in
light of external and internal SWOT (strength, weakness, opportunity & threats
analysis) analysis.
The mission should describe the values which the organization seeks to create for its
stakeholders.
The vision presents the state the organization wishes to achieve, once it is equipped
with the necessary competencies.
An organization should develop a strategy to fulfill its mission and vision, which is also
directed towards the achievement of improvements & sustainability. This should
include consideration of:
- products to be provided;
- Risk analysis.
1.2.4 Policy and objectives
Policy and objectives define an organization's desired results and assist the
organization to apply its resources in achieving these results.
The organization should establish policy and objectives, based on its strategy
- to assure that its policy and objectives are aiming for improvements & sustainability.
Policy that is based on the organization's mission, vision and strategy provide a
framework for establishing and reviewing its objectives.
Objectives are used to put the policy into operation, i.e. they answer the question "what
should be done to fulfill the policy"? The objectives need to be consistent with the
SWOT ANALYSIS
POLICY
Objective deployment
(PDCA cycle)
M
A Mission Policy & Objectives
I
N N
A T
G Policy & Objectives Policy & Objectives
A P E
E R
M P P P P P P
N
E C D D D D D D D
A
N L
T C C C C C C
D C
A A A A A A A
R U
E P Information on : Information on : A
Corr. & Prev. Action Corr. & Prev. Action
D
V I
I T
E Information on : S
W Corrective & Preventive Action
Policy objective deployment
Return on capital
Financial
Objectives deployed
Customer
Shape customer
requirement
Perspective
1.3 PROCESSES
e) lower costs and shorter cycle times, through the effective use of
resources,
Refer figure 2 and 3 for process approach models for quality management
system.
Processes are specific to the organization, and shall vary depending on its
type, size and degree of development. Process can be identified in terms of
the following types:
Management processes
Realization processes
These include all the processes that provide the intended output of the
organization. (E.g. Contract / order management, design, purchasing,
manufacturing, services).
Support processes
S
and other interested parties
Management A
and other interested parties
responsibility T
R
Customers
E
I
Customers
Q S
U F
I Resource Measurement, A
R management analysis, C
E improvement T
M I
E O
N N
T Product
S Inputs realization Product Outputs
Execution and
Information Control Verification
INPUTS OUTPUTS
Activity Activity
Machines
Materials SMART: Specific,
Man Measurable, Achievable,
Environment realistic and time bound.
Measurement
Figure -3 : Process Approach
- taking corrective action when objectives are not met, for example by
means of additional process activities, or new policy and objectives to
improve the process.
The criteria for measuring the effectiveness and efficiency of a process should
be consistent with the objectives set for its outputs. These should, in turn, be
consistent with the strategy of the organization.
1.4.3 Measuring achievement of objectives
An organization should monitor carefully the degree and speed at which it
achieves its objectives, by defining appropriate key indicators of performance,
by using effective tools to gather information, and by comparing the
information gathered against the established objectives.General
Key indicators can take many different forms, and typically relate to one of the
above topics. The following list gives some examples:
- safety records;
The methods used for collecting information regarding key indicators should
1.5 IMPROVEMENTS
The organization should define objectives for the improvement of its products,
processes and management system, and should seek to improve them
continually and systematically.
1.6 INNOVATION
1.6.1 General
- the possibility that its processes and/or products may become obsolete,
thereby putting its very existence at risk,
CHAPTER-2
AUDITOR GUIDE
c) is effectively implemented.
15
Auditor Guide
K.G. Garg
e) to review the allocation of resources for stage 2 audit and agree with the
organization on the details of the stage 2 audit;
g) to evaluate if the internal audits and management review are being planned and
performed, and that the level of implementation of the management system
substantiates that the organization is ready for the stage 2 audit.
For most management systems, it is recommended that at least part of the stage 1
audit be carried out at the organization's premises in order to achieve the objectives
stated above.
In determining the interval between stage 1 and stage 2 audits, consideration shall be
given to the needs of the organization to resolve areas of concern identified during the
stage 1 audit. The certification body may also need to revise its arrangements for
stage 2.
Organization may request additional process Audit(s) (other than described above) be
included at the stage 1 audit. These usually take approximately 1.0 -2.0 hours per
Process Audit. These process audits are considered part of the Certification process.
When process audits are performed during Stage 1, the organization should be
encouraged to select a variety of processes covering multiple process owners. If the
final Certification Stage 2 is performed within six (6) months of the Stage 1 audit date,
these results are counted as part of the certification process, following completion of
applicable corrective action. If the organization desires to have the Certification Audit
more than six months after Stage 1, then the Stage 1 review and audits shall be
redone.
The Management System Document Review is the most critical part of the
assessment process. The basic Management System design is reviewed in detail to
confirm that the documentation addresses and satisfies the requirements of the
applicable standard(s). The Management System Document Review segment of the
report provides documentary evidence of the assessment process and the outcome.
All elements of the standard shall be represented either directly or indirectly. The only
exception to this pertains to the predefined permissible exclusion of elements of
Section 7 of the ISO 9001:2008 standard. Such exclusions may not affect the
organization's ability or responsibility to provide product that fulfills customer and
applicable regulatory requirements and needs justification.
During the Management System Document Review, the structure of the organization's
Management System should also be reviewed. Aspects of the Management System
that should be considered are description of process interaction, corrective
action/continual improvement mechanisms, management roles, customer
satisfaction processes, documentation approach, and quality objectives and
measurement / analysis processes.
The Management System Document Review should be conducted with a small group
of key employees of the organization. The QA Manager and, where appropriate, the
Management Representative, should be part of this core group. Often, other
participants will join the discussions when relevant sections of the standard are being
reviewed. For a medium-sized enterprise, the Management System Document
Review process should require one day to effectively complete. Even for small
organizations, one-half to three-quarters of a day should be allotted. Auditor notes
taken during the assessment should be complete enough to ensure that the report can
be completed. This includes persons interviewed, documents reviewed, and notes
defining the structure of the management system. Exclusions shall be recorded as
well as all Major and Minor Nonconformance. Strengths and Opportunities for
improvement are not recorded but included in the management summary of the audit
report.
AUDIT PROGRAMME
The Audit Programme defines the processes that comprise the organization's
Management System as certified to ISO 9001:2008. This tool is a matrix that relates
processes to individual process owners who are accountable for the outcome. It is
developed interactively and becomes the consensus definition of the agreed scope as
agreed to by knowledgeable participants.
In order to effectively plan the Certification Cycle, the Audit Programme shall be
developed at or prior to the first Audit Event. Any significant changes to the
management system, such as addition/reduction to scope or change in certification
standard, warrant consideration to redeveloping the Audit Programme. The audit
programme should be generated with the input of key individuals from the organization
and the Auditor. Recommended participants are the Quality Assurance Manager and
the Management Representative; representatives from other functions should
participate as required, but the working group should be manageable in size.
The Audit Programme is created using a template supplied to the auditor (refer
template-1). The Audit Programme includes basic organization information:
- Revised by/on/for
- Scope Statement
- Process Matrix
There are three types (four groups) of processes to be included in the Audit
Programme:
Audit Timetable
The Audit timetable is produced from the Business Process Flow Chart. Lead Auditor
produces or reproduces the business process map and identifies all the
areas/departments/processes and activities within the audit scope that auditors need
to audit (noting supporting activities such as laboratories, quality control,
maintenance, continual improvement, quality objectives, and Information control and
top management). Planning establishes how much time will be needed to effectively
audit each area and allocate auditor time to each area. This defines the timing needed
to complete the audit. The Lead auditor allocates auditors to each area following
activity flows and available time. (Auditees may not be available during lunches, shift
changeover or after normal working hours) Planning may be more difficult due to the
eased requirements for documentation.
Timetable is prepared for stage 1 and stage 2 audits (both) and communicated to the
organization and the team members at each stage prior to the stage 1 and stage 2
audits respectively.
3 CAR findings
The Audit Components for the Certification Stage 2 Audit are Process Audits (from the
Audit Programme) and Corrective Action resolution (of findings from the previous
audit).
In each process audit, the interviews will begin at an appropriate high level (with
process owner) in the organization to understand management objectives and
expectations for the process, as well as how management communicates to the
organization and the customer. The audit will then progress to a review of the process
and implementation, while considering the business objectives. The persons
interviewed should be not only capable of performing the tasks and methods of
measurement and control, but also be able to explain the impacts of their actions on the
product and business objectives.
When appropriate to the organization and the process being assessed, the last phase
of the audit (with process owner) should focus on the continual improvement aspects:
analysis of product, process and data to identify opportunities for improvement. Quality
Objectives and feedback to the Management Review process are the results. The
larger objective is to verify that management initiatives are defined, delegated and
implemented, and that the results are monitored, measured and evaluated.
The audit team shall analyse all information and audit evidence gathered during the
stage 1 and stage 2 audits to review the audit findings and agree on the audit
conclusions.
EITHER
OR
2 An updated Audit Programme defining the processes for the next audit.
3 CAR findings.
The certification body shall make the certification decision on the basis of an
evaluation of the audit findings and conclusions and any other relevant information
(e.g. public information, comments on the audit report from the organization).
Assumption audits (take over audits from other certification body) consist of the
following segments
Processes audit
The required process audit should be performed. Since this will be the first look at the
Management System, and the first chance to work with the organization, the review
shouldbe more detailed than the normal surveillance audit.
Prior to issuing the new certificate, recent audit reports issued by previous certification
body and other documentation should be reviewed. Any open issues and
nonconformance should be reviewed to assure that the Management System has
been maintained. Corrective action plans should be in place for any open findings. The
Certificate should be current and have been issued by a credible, accredited
certification body. For more details refer IAF MD 2:2007.
2. Audit Programme
3. CAR findings
The Audit Components for a Surveillance Audit are the required process audits,
sample of support process audits, and Corrective Action resolution. The process
audits to be performed are defined on the Audit Programme by the code Sx with x
referring to the sequence of surveillance audits and the highest number being the
current audit.
3. CAR Findings
Following the completion of the surveillance audit, the Audit Programme shall be
updated to define the processes that will be audited at the next surveillance. These will
be designated as S (x) with x being the next surveillance number. This updated
programme will be submitted as part of the report package.
During the last Surveillance Audit of the contract period, the Auditor shall discuss the
Certification/renewal situation with the organization.
A full re-Certification Audit shall be performed when, in the judgment of Lead Auditor
and the Certification Official, it is warranted. This could be based on consecutive
surveillance audits with an unsatisfactory quality level. The decision shall be
documented in the last surveillance audit report. A full re-audit may also be required if
the applicable standard is changed, revised, or a significant change in the working
plan or organization structure would warrant.
The organization has the option at this time, to select a six- month or yearly interval for
the surveillance audit process. The audits and days will be as agreed in the approved
quotation and contract agreement.
2. And continue the partnership building. Partnership with Integrity is the objective.
Information gathered shall also be sufficient to generate the report.Auditor Guide
EITHER
OR
2. An updated Audit Programme defining the processes for the next audit.
3. CAR Findings.
Note: as said above, all nonconformances shall be closed and corrective action
verified before certification renewal can be recommended.
EITHER
OR
A schedule for corrective action plan addressing still open nonconformance and a
schedule for additional Corrective Action Audit.
Confidence and reliance in the audit process depend on the competence of those
conducting the audit. This competence is based on the demonstration of
- the ability to apply the knowledge and skills through the education, work
experience, auditor training and audit experience.
Competence
Quality System
Quality-specific Generic knowledge
Knowledge and skills and skills
Personal attributes
For qualification of auditors, auditors shall meet the requirements of ISO 17021 (part 2), ISO
19011and procedures of certification body.
f) decisions on certification;
h) contractual arrangements;
(c) Verify auditor days meets the requirement, sites to be covered, selection of audit
team members and dates of audit, travel arrangements.
(e) Carry out audits as per timetable and prepare corrective action requests based on
audit findings.
(f) Examine and finalise corrective action plans proposed by the organization.
(c) Prepare audit reports for the processes assigned to them and submit to the lead
auditor
(a) Accompany the auditors as per audit time table and observe the happenings
during the audit and is not required to take part in the audit process.
(b) Suggest to the lead auditor and auditor any changes required in the time table so
as to ensure better coverage of the audit scope.
(c) Offer his opinions (if any) on any of the issues arising out of the audit when
requested by the lead auditor/ auditor
(d) Inform to the lead auditor/auditor any specific subject, he considers not
addressed by the lead auditor/auditor.
(e) Submit his report at the end of the audit to the lead auditor.
Trainee auditors/ observers do not take part in the audit and are only observers.
Auditor Guide
Table 1 provides a starting point for estimating initial certification audit (Stage 1 +
Stage 2) duration but is only based upon the number of employees.
Total employee numbers where applicable shall include those working on each shift.
Where product realization processes operate on a shift basis, each shift should be
subject to audit by appropriate methods. The extent of audit activity required during
each shift can depend on the nature of the realization processes; the process
information generated, and personnel availability outside of their shift hours.
For organizations of a similar number of employees, some will need more time and
some less. The variation of time spent on each audit depends on a number of factors
including the size, scope of the audit, logistics, complexity of the organization and its
state of preparedness for audit. These and other factors shall be examined during the
contract review process. Figure 6 below and its associated notes provides a visual
guide to making adjustments from the basic audit times and provides the framework
for a process that should be used for audit planning by identifying a starting point
based on the total number of employees for all shifts, then adjusting for the significant
factors applying to the organization to be audited, and attributing to each factor an
additive or subtractive weighting to modify the base figure. In every situation the basis
for the establishment of audit duration including adjustments made shall be recorded.
The Certification Body shall document the justification for each organization where it is
applying a reduction of audit duration by more than 30% from the times established in
table 1, and where accreditation applies, advise and make the justification available to
their accreditation body.
In the case of multi-site audits, the starting point for calculating audit duration for each
site included in the audit plan shall be consistent with Table 1. However reductions can
be made taking into account situations where certain management system processes
are not relevant to the site and are the primary responsibility of the controlling site. For
the purpose of eligibility of organization for sampling and sampling IAF MD 1:2007
shall be used.
•Includes off-site and on-site time spent by an Auditor or Audit Team in planning
and preparation; document review; interfacing with organization, personnel,
records, documentation and processes; and report writing.
•Is based on an “Auditor Day” of 8 hours. The number of “Auditor Days” employed
may not be reduced at the initial planning stages by programming longer hours
per working day.
For most management systems, it is desired that at least part of the stage 1 audit is
carried out at the organization's premises. The duration is typically 1 auditor day, but
can be less for small organizations and more for large or complex organizations.
Surveillance
During the initial three year certification cycle, surveillance audit duration for a given
organization should be proportional to the time spent at initial certification audit (stage
1 + stage 2) with the total amount of time spent annually on surveillance not less than
1/3 of the time spent on the initial certification audit. The planned surveillance time
shall be reviewed from time-to-time to account for changes in the organization, system
maturity, etc., and at a minimum at the time of recertification. In the case that remote
auditing techniques are utilized, the certification organization's controlling location
shall be physically visited for surveillance audit at a minimum of once per annum.
Recertification
The duration of the recertification audit should be approximately 2/3 of the time that
would be required for an initial certification audit (Stage 1 + Stage 2) of the organization
if such an initial audit were to be carried out the time of the recertification (i.e. not 2/3 of
the original certification duration).
Table 1:
CERTIFICATION
No. of Total With design With design Without design Without design
employ Initial
Less 10% of B Less 20% of B Less 20% of B Less 30% of B
ee Audit
towards planning rounded upwards to 0.5 or rounded upwards to rounded upwards to
and reporting whole number 0.5 or whole number 0.5 or whole number
rounded upwards to
0.5 or whole number
6801- 15.0
21 19.0 17.0 17.0
8500
8501- 15.5
22 20.0 18.0 18.0
10700
- 10% to 20% reduction for time spent on audit planning and report writing for complex to simple organization.
- 20% to 30% reduction for exclusion of the design and development clause for complex to simple organization.
- Up to 30% reduction from total initial audit days is allowed (maximum) for organizations having few processes,
small scope, repetitive processes etc.
- Assessment mandays have been rounded upwards to 0.5 or whole number.
- Annual surveillance audit onsite time shall be 1/3 of initial audit onsite time.
- Renewal audit onsite time shall be 2/3 of initial onsite time for number of employees at the time of audit.
Multi-site Multi-site
Few Many
- Organization Distribution +
processes processes
Design
responsible
Starting point from Auditor Time Chart
Few Many
processes processes
Small Complex
Figure 6
Notes to Figure 6:
Once the general starting point for determining the required Auditor Time has been
made for the typical organization with the number of employees indicated, some
adjustments need to be considered to account for the differences that could affect the
actual Auditor Time required to perform an effective audit for the specific organization
to be audited.
•Complicated logistics involving more than one building or location where work is
carried out. e.g., a separate Design Centre shall be audited
•High degree of regulation (food and drugs, aerospace, nuclear power, etc.)
•Activities that require visiting temporary sites to confirm the activities of the
permanent site(s) whose management system is subject to
certification/registration. (see xxx Temporary Sites)
•Organization is not “Design Responsible” and/or other Standard elements are not
covered in the scope
•Very small site for number of employees (e.g., Office complex only)
•Where a significant proportion of staff carry out a similar simple low risk function
sampling the activities of approximately 10% of such staff can be considered.
•Where staff include a number of people who work “off location” e.g. salespersons,
drivers, service personnel, etc. and it is possible to substantially audit compliance
of their activities with the system through review of records, Appropriate
documentation available on constantly positive outputs and results of the
management system.
A Certification Body should agree with the organization to be audited the timing of the
audit which will best demonstrate the full scope of the organization. The consideration
should include the effective number of employees present by season, month, day/date
and shift as appropriate.
For the second and subsequent assessment cycles, the Certification Body may
choose to design an individualized surveillance and recertification programme
Temporary Sites
Temporary sites could range from major project management sites to minor
service/installation sites. The need to visit such sites and the extent of sampling
should be based on an evaluation of the risks of the failure of a product or service to
meet needs/expectations due to system nonconformity. The sample of sites selected
should represent the range of the organization's competency needs and service
variations having given consideration to sizes and types of activities, and the various
stages of projects in progress. Typically on-site evaluations of temporary sites should
be performed. However, the following methods could be considered as alternatives to
replace some physical on-site visits.
- Remote access to electronic site(s) that contains records or other information that is
relevant to the assessment of the management system and the temporary site(s)
- Use of video and teleconference and other technology that enable effective auditing
to be conducted remotely. In each case the method of evaluation should be fully
documented and justified in terms of its effectiveness.Auditor Guide
Scopes of Accreditation
08 Publishing Companies DE
Publishing of books; publishing of newspapers, journals, periodicals,
sound recordings and other publishing DE 22.1
09 Printing Companies DE
Printing of newspapers; printing n.e.c.; bookbinding and finishing;
composition and plate making; other activities related to printing DE 22.2
Reproduction of recorded media DE 22.3
11 Nuclear Fuel DF
Processing of nuclear fuel DF 23.3
13 Pharmaceuticals DG
Manufacture of pharmaceuticals, medicinal chemicals and botanical products DG 24.4
20 Ship Building DM
Building and repairing of ships and boats DM 35.1 3
21 Aerospace DM
Manufacture of aircraft and spacecraft DM 35.3 3
24 Recycling DN
Recycling of metal waste and scrap DN 37.1
Recycling of non-metal waste and scrap DN 37.2
25 Electricity Supply E
Production and distribution of electricity E 40.1
26 Gas Supply E
Manufacture of gas; distribution of gaseous fuels through mains E 40.2
27 Water Supply E
Steam and hot water supply E 40.3
Collection, purification and distribution of water E 41.0
28 Construction F
Site preparation F 45.1
Building of complete constructions or parts thereof; civil engineering F 45.2
Building installation F 45.3
Building completion F 45.4
Renting of construction or demolition equipment with operator F 45.5
33 Information Technology K
Hardware consultancy K 72.1
Software consultancy and supply K 72.2
Data processing K 72.3
Data base activities K 72.4
Maintenance and repair of office, accounting and computing machinery K 72.5
Other computer related activities K 72.6
34 Engineering Services K
Research and experimental development on natural sciences and engineering K 73.1
Research and experimental development on social sciences and humanities K 73.2
Architectural and engineering activities and related technical consultancy K 74.2
35 Other Services K
Legal, accounting, bookkeeping and auditing activities;
tax consultancy; market research and public opinion polling;
business and management consultancy; holdings K 74.1
Technical testing and analysis K 74.3
Advertising K 74.4
Labor recruitment and provision of personnel K 74.5
Investigation and security activities K 74.6
Industrial cleaning activities K 74.7
Other business activities n.e.c. K 74.8
36 Public Administration L
Administration of the State and the economic and
social policy of the community L 75.11
Provision of services to the community as a whole L 75.21
Compulsory social security activities L 75.31
37 Education M
Primary education M 80.1
Secondary education M 80.2
Higher education M 80.3
Adult and other education M 80.4
Note: Certification body could follow other system of scope classification as per their
procedures and approved by accreditation board.
2.6.1 Introduction
Organizations should use an assessment tool, to determine their maturity level, i.e.
how well their essential capabilities are developing and growing towards the
achievement of sustainability.
The use of such a tool should enable an organization to identify specific areas for
improvement and to establish any action plans needed for the organization's further
development.
Experience demonstrates that the results of assessment are more balanced and
complete when the assessments are conducted by teams.
Prior to carrying out this assessment, users should familiarize themselves with the
maturity levels described in table 1 below.
CHAPTER-3
AUDITING GUIDE
Value-Added
Work
Waste
Other
Necessary
Work
Management involvement & Customer focus - (Clause 5 & 6 all sub clauses except
6.2.2, 6.3 & 6.4)
A. Purpose
The term objective is to be interpreted broadly the same as goal, target, or aim.
The objectives should be SMART i.e. Specific, Measurable, Achievable, Realistic,
& Time bound. Basically they should include those needed to meet requirements
of product i.e. how customer perceives. In addition, for business strategy they
should also include financial, internal business process and learning & growth
perspectives. For the purpose of deployment use of balanced scorecard (as
recommended by Mr. Kalpan & Mr. Norton) could be used. The steps include
communicating & Linking, Business planning & Feedback.
The various roles of personnel in the organization shall be defined so that their
responsibility, authority, and interactions are clear.
Quality management system records should indicate that the requirements of this
clause have been considered and addressed.
The human factors in the work environment include work methods, safety rules
and guidance, including use of protective equipment's and, ergonomics. The
physical factors include heat, noise, light, hygiene, humidity, cleanliness,
vibration, pollution, electrostatic discharge, radiation and airflow.
B. Requirements (refer clause 5 & 6 all sub clauses except 6.2.2, 6.3 & 6.4 of
ISO 9001:2008 standard)
- Employee motivation
- Growth
- Performance improvement-
- System improvement
A. Purpose:
This clause requires that the organization plan the processes for continual
improvement of quality management system through deployment of quality
objectives, effective internal audit, and analysis of data leading to proper controls
on processes and identifying improvement projects, and effective management
reviews.
B. Requirements (refer clause 8.4 & 8.5 all sub clauses of ISO 9001:2008
standard)
C. Audit at Management level (compliance audit as per clause 8.4 & 8.5 all sub
clauses of ISO 9001:2008)
- Employee motivation
- Performance improvement
- System improvement
- Customer process
- Purchasing
OR
A. Purpose:
C. Audit at operational level (compliance audit as per clause 7.2.1 & 7.2.2 of
ISO 9001:2008)
D. Audit of process owner(s) level for compliance to 7.2.1, 7.2.2 and other
applicable clauses of ISO 9001:2008
- Employee motivation
- Performance improvement
- System improvement
A. Purpose:
This provision of the standard requires the availability of objective evidence that
the design and/or development has been executed in accordance with
requirements that would defined at the inception of the project.
In addition to documenting that the output results need the input requirements, the
standard requires that information be provided to facilitate product realization.
The design and development review is used to assure timely release of a new
product that fully needs the needs of the customer. The design and development
reviews are required to be recorded.
- Meeting targets
- Employee motivation
- Performance improvement
- System improvement
A. Purpose:
The organization to decide the "type and extent of control" which should be based
on the effect of purchase material on the product realization processes and on the
products produced. e.g.: Bolt used on aircraft engine mount and bolt used in
sub-assembly of an aircraft will have different types of controls. The organization
shall maintain data of evaluations of suppliers with a focus on obtaining
confirming materials.
D. Audit of process owner(s) level for compliance to 7.4.1 and other applicable
clauses of ISO 9001:2008
- Growth
- Performance improvement
- System improvement
OR
A. Purpose:
The degree of product identification and traceability depends upon the nature of
product, the nature and complexity of process, industry practice, and whether
identification is required in a contract.
C. Audit at operational level (compliance audit as per Clause 7.5.1, 7.5.2, 7.5.3,
8.3 of ISO 9001:2008)
D. Audit of process owner(s) level for compliance to 7.5.1, 7.5.2, 7.5.3, 8.3and
other applicable clauses of ISO 9001:2008
- Employee motivation
- Performance improvement
- System improvement
- Customer focus
A. Purpose:
D. Audit of process owner(s) level for compliance to 4.2.3 and other applicable
clauses of ISO 9001:2008
- Employee motivation
A. Purpose:
The organization shall think about how to gather information and what will be done
with the information after it is gathered from the customer. Although organization
typically has many sources of information the standard encourages organizations
to better utilize "gold mine" of information available/obtained by them. It involves
taking actions to eliminate the causes of non-conformities in order to prevent
recurrence
C. Audit at operational level (compliance audit as per Clause 8.2.1, 8.5.2 of ISO
9001:2008)
D. Audit of process owner(s) level for compliance to 8.2.1, 8.5.2 and other
applicable clauses of ISO 9001:2008
- Performance improvement
- System improvement
A. Purpose:
D. Audit of process owner(s) level for compliance to 8.2.2 and other applicable
clauses of ISO 9001:2008
- Auditors motivation
- Performance improvement
- System improvement
- Capability of processes, use of SPC & IT, analysis of quality cost data,
resource management and relationship with interested parties, statutory
and regulatory requirements.
OR
- Inspection
A. Purpose:
Records are a special type of documents, and they have their own control
requirements. Records are documents that provide evidence that an activity has
been accomplished or that an event has happened. The record management
shall also include records given by suppliers.
- Employee motivation
- System improvement
A. Purpose:
The intend of the standard is to relate this requirement to the personnel assigned
responsibilities defined in the quality management system. This clause includes
personnel involved in top management, resource management, product
realization, and measurement-analysis-improvement processes. All these
personnel are required to be competent based on education, training, skills and
experience.
D. Audit of process owner(s) level for compliance to 6.2.2 and other applicable
clauses of ISO 9001:2008
- Competence assessment:
- Employee motivation
- Performance improvement
- System improvement
A. Purpose:
The intend of the standard is to relate this requirement to the personnel assigned
responsibilities defined in the quality management system. This clause includes
personnel involved in top management, resource management, product
realization, and measurement-analysis-improvement processes. All these
personnel are required to competent based on education, training, skills and
experience.
D. Audit of process owner(s) level for compliance to 6.2.2 and other applicable
clauses of ISO 9001:2008
- Employee motivation
Maintenance (6.3)
A. Purpose:
The organization shall identify, provide, and maintain all facilities of the
organization.
Quality management system records should indicate that the requirements of this
clause have been considered and addressed
D. Audit of process owner(s) level for compliance to 7.1 and other applicable
clauses of ISO 9001:2008
- Employee motivation
- Performance improvement
- System improvement
OR
A. Purpose:
The planning activity for realization processes shall address the quality objectives
for the product, project, or contract; the need to establish appropriate processes
and documentation; they need to provide resources and facilities specific to the
product; and the consideration of verification and validation activities and the
criteria for acceptability. The organization is required to determine what records
are necessary to provide confidence that the processes and resulting product
conform to requirements. Perhaps flowcharts/or process mapping could define
these aspects.
D. Audit of process owner(s) level for compliance to 7.1 and other applicable
clauses of ISO 9001:2008
- Employee motivation
- Performance improvement
- System improvement
A. Purpose:
D. Audit of process owner(s) level for compliance to 7.2.3, 7.5.4 and other
applicable clauses of ISO 9001:2008
- System improvement
A. Purpose:
This clause requires a process to assure that the purchasing process is controlled
and complete purchasing information is provided to the supplier to ensure that the
requirements are complied by the suppliers.
D. Audit of process owner(s) level for compliance to 7.4.2 and other applicable
clauses of ISO 9001:2008
- Employee motivation
- Performance improvement
- System improvement
4. Involvement of suppliers?
A. Purpose:
There is a requirement for defining the conditions and criteria for validation and
revalidation.
D. Audit of process owner(s) level for compliance to 7.5.2 and other applicable
clauses of ISO 9001:2008
- System improvement
A. Purpose:
The organization shall safeguard and protect the product during and between all
processing steps through to delivery. It should have a system for appropriately
identifying, handling, packaging, storing, and delivering the product, including its
components.
D. Audit of process owner(s) level for compliance to 7.5.5 and other applicable
clauses of ISO 9001:2008
- Employee motivation
- Performance improvement
- System improvement
A. Purpose:
Measuring and monitoring devices that are required to assure conformity of
product need to be controlled. It requires achieving and maintaining a capable
measurement system and the concept of achieving and maintaining a stable
measurement system.
B. Requirements (refer Clause 7.6 of ISO 9001:2008 standard)
C. Audit at operational level (compliance audit as per Clause 7.6 of ISO
9001:2008)
D. Audit of process owner(s) level for compliance to 7.6 and other applicable
clauses of ISO 9001:2008
E. Audit of process owner(s) level for performance improvement and
sustainability for value addition.
1. Does the process owner ensure?
- Meeting objective targets
- Employee motivation
- Performance improvement
- System improvement
A. Purpose:
Whatever methods are used, the verification activities for purchased products
shall be planned and effectively implemented. The measurements that are used
to assure conformity and achieve improvement need to be defined based on
scientific principles (analysis of data, statistical techniques, FMEA etc). The
process management results should indicate fulfillment of requirements and
conform the continuing suitability for each process to satisfy its intended purpose.
This includes all measurement activities from receiving inspection to product
delivery. It covers the actual measurements used to verify that the requirements
are met for the incoming materials and up to the final product. Conformity to
requirements needs to be documented and release controlled.
C. Audit at operational level (compliance audit as per Clause 7.4.3, 8.2.3, 8.2.4 of
ISO 9001:2008)
D. Audit of process owner(s) level for compliance to 7.4.3, 8.2.3, 8.2.4 and other
applicable clauses of ISO 9001:2008
- Employee motivation
- Performance improvement
- System improvement
3. Does the organization reviews methods used for measuring products and the
plan records of verification, to consider opportunities for performance
improvements. Typical example of product measurement records. That could
be considered for performance improvement include inspection and test
reports, material release reports, product acceptance reports, certificate of
conformity as required.
K.G. Garg
Template 1
AUDIT PROGRAMME
Organization
Organization A
Location(s):
Certificate Nr.: New
Total fte’s/shifts: 650/1
IAF / EAC Code: 17
Standard(s) & ISO 9001:2008
Exclusion(s): 7.3 (Design and development)
Revised by / on: A1/16.09.08 for S1
Scope: Manufacture of machined componets
Process Owner
Clause No.
Process
Documented Management
4 to 8
System
Required Processes –
Management process -
Group 1
5&65&6
except
Management Involvement
6.2.2, 6.3 &
6.4
5.2 Customer focus
8.4, 8.5 Improvement processes
Required Processes –
Realization Process -
Group 2
7.2.1 & Customer process – Contract
7.2.2 order management
Design and development
7.3
(Not applicable)
Purchasing, Supplier
7.4.1
management
7.5.1, 7.5.2, Product manufacturing
7.5.3, 8.3 processes
Required Processes -
Support Processes - Group 3
4.2.3 Document control
Customer focus: customer
8.2.1, 8.5.2
complaints and satisfaction
8.2.2 Internal audit
Sample Processes, Support
Processes – Group 4
6.2.2 Training
6.2.2 Employee development
6.3 Maintenance
7.1 Planning for product
realization
7.2.3 Customer communication
7.4.2 Purchasing process
7.4.3 Receiving inspection
7.5.2 Process validation
7.5.4 Customer supplied product
7.5.5 Stores management
Packing and shipping and
7.5.5
delivery
7.6 Calibration
8.2.3 Process inspection
8.2.4 Stage inspection
8.2.4 Final inspection
Template 2
AUDIT TIMETABLE
09.00 A1 MR
- Organization structure
- Review of the management system documents
- Internal audits including corrective action closure
- Management review
- Control of documents
- Records management
- Finalization of timetable and audit program
15.00 A1 MR
- Review of audit findings
09.00 A1 MR
- Corrective actions on Stage 1 audit findings
Template 3
NONCONFORMANCE DEFINITIONS:
MAJOR NONCONFORMANCE:
The requirement has not been met. Evidence indicates one or more of the following:
C) Conditions that could result in the failure or reduced usability of products or services
MINOR NONCONFORMANCE:
The requirement has not been fully met. Evidence indicates the finding is:
A) Non-systemic
B) An isolated occurrence
CORRECTIVE ACTION:
Closed loop Corrective Action by the organization is required to be initiated, carried out, and
completed in a timely manner whenever a requirement of the standard or of the
organization's management system has not been met. Corrective action analysis by the
organization shall include determination of applicability to other parts and processes of the
organization.
All open major and minor nonconformances shall be closed by the Lead Auditor prior to a
recommendation for certification.
Additionally, Lead Auditor/ auditors may identify strengths and opportunities for
improvement in areas where requirements of the standard and of the organization's
management system have been met. In these cases, no corrective action is required, and
there is no formal review by the Lead Auditor/ auditors.
DESCRIPTION OF FINDING............................................................................................................................
There is no evidence of carrying out routine and preventive maintenance of CNC machine (No. CA/765) since
installation 3 years back.
.........................................................................................................................................................................
.........................................................................................................................................................................
.........................................................................................................................................................................
.........................................................................................................................................................................
.........................................................................................................................................................................
CONTAINMENT ACTION
.........................................................................................................................................................................
.........................................................................................................................................................................
.........................................................................................................................................................................
.........................................................................................................................................................................
RECTIFICATION .............................................................................................................................................
PROPOSED ....................................................................................................................................................
- CNC machine CA/765 was under AMC contract with supplier which has not been effective.
- Spares will be prepared and maintenance procedures will be established or new maintenance contract will
be agreed upon................................................................................................................................................
.........................................................................................................................................................................
Evidences......................................................................................................................................................
Verified that the proposed action has been implemented. Ref. Production of MM/DD/YY
........................................................................................................................................................................
........................................................................................................................................................................
........................................................................................................................................................................
........................................................................................................................................................................
Appendix A:
OPENING MEETING AGENDA
(For Certification /Surveillance)
Appendix B
CLOSING MEETING AGENDA
[Note: for closing meeting during stage 1 state that please resolve
all NC's before stage 2 audit]
Appendix C
Quality System Questionnaire
KEY
ASSESSMENT QUESTIONS Requirements
6 RESOURCE MANAGEMENT
6.1 Provision of resources
01 Has the organization determined and provided the resources needed:
a) to implement and maintain the quality management system and
continually improve its effectiveness? and
b) to enhance customer satisfaction by meeting customer
requirements?
6.2 HUMAN RESOURCES
6.2.1 General
02 Are personnel performing work affecting product quality competent on
the basis of appropriate education, training, skills and experience?
6.2.2 Competence, awareness and training
03 Does the organization: P
a) determine the necessary competence for personnel performing
work affecting product quality?
b) provide training or take other actions to satisfy these needs?
c) evaluate the effectiveness of the actions taken?
d) ensure that its personnel are aware of the relevance and importance
of their activities and how they contribute to the achievement of the
quality objectives?
e) maintain appropriate records of education, training, skills and
experience (see 4.2.4)?
Note: It requires organizations to ensure necessary competencies have been
achieved.
6.3 INFRASTRUCTURE
04 Does the organization determine, provide and maintain the
infrastructure needed to achieve conformity to product requirements?
Infrastructure includes, as applicable:
a) buildings, workspace and associated utilities?
b) process equipment (both hardware and software)?
c) supporting services (such as transport or communication)?
7 PRODUCT REALIZATION
7.1 Planning of product realization
01 Does the organization plan and develop the processes needed for
product realization
(see 4.1)?
02 Is planning of product realization consistent with the requirements of
the other processes of the quality management system (see 4.1)?
03 In planning product realization, does the organization determine the
following, as appropriate:
a) quality objectives and requirements for the product?
b) the need to establish processes, documents, and provide resources
specific to the product?
c) required verification, validation, monitoring, inspection and test
activities specific to the product and the criteria for product
acceptance?
d) records needed to provide evidence that the realization processes M
and resulting product meet requirements (see 4.2.4)?
04 Is the output of this planning in a form suitable for the organization's
method of operations?
Note1:A document specifying the processes of the quality management system
(including the product realization processes) and the resources to be
applied to a specific product, project or contract, can be referred to as a
quality plan.
Note2:The organization may also apply the requirements given in 7.3 to the
development of product realization processes.
7.2 CUSTOMER-RELATED PROCESSES
7.2.1 Determination of requirements related to the product M
05 Does the organization determine:
a) requirements specified by the customer, including the requirements
for delivery and post-delivery activities?
Appendix D
1. Scope of ISO 9001:2008, Scope of Quality Management System (QMS) and the
Scope of Registration/Certification
conformity to ISO 9001. The certificate will usually include a synthesized description of
the scope of registration/certification, but not the details of the ISO 9001 requirements
that have been excluded; however, it may include a note to refer to the fact that the
exclusions are detailed in the organization's Quality Manual.)
It is essential that a scope of registration/certification be drafted by the organization
prior to applying for registration/certification. This should then be analysed by the CRB
during the Stage 1 audit, for appropriate planning of the Stage 2 audit.
It is responsibility of the auditor:
- to ensure that the final statement of the scope of registration/certification is not
misleading;
- to verify that this scope only refers to the processes, products, sites, departments, or
divisions etc. of the organization that were assessed during the registration/
certification audit; and
- to verify that this scope defines any excluded requirements from ISO 9001, and that
justification for such exclusions is provided and is reasonable.
As an additional measure to combat potential confusion among customers and end
users, the scope of registration/certification should be clearly defined in the
organisation's Quality Manual and any publicly available documents (this includes, for
example promotional and marketing material).
However, promotional statements should never be included in the scope of
registration/ certification itself.
Zone 3 Zone 4
Maturity of QMS
Zone 1 Zone 2
“Non
Low High
Maturity of “Quality culture”
Figure 7
In order to add value in these circumstances, the primary objective of the auditor
should be to act as a catalyst for the organization to build on its ISO 9000-based quality
management system, and to integrate the system into its day-to-day operations. While
the third party certification auditor cannot provide recommendations on how to meet
the requirements of ISO 9001:2008, it is acceptable and indeed good practice to
encourage and stimulate (but not require!) the organization to go beyond the
requirements of the standard. The questions the auditor asks (and the way he or she
asks those questions) can provide valuable insights for the organization into how the
QMS could become more efficient and useful. Identification of "Opportunities for
Improvement" by the auditor should include ways in which the effectiveness of the
QMS might be enhanced, but could also address opportunities for improved
efficiency.
Zone 4: (Mature "quality culture"; mature QMS, conforming to ISO 9001:2008)
For an organization that has a mature "quality culture", and has been certified to one of
the ISO 9000 series of standards for a significant period of time, the expectation of how
an audit might add value will be the most challenging for an auditor. A common
complaint among this kind of organization is that the "routine surveillance visits" by the
auditor may be superfluous, and do little to add value in the organization's eyes.
In these cases, top management becomes an important customer of the certification
process. It is therefore important for the auditor to have a clear understanding of the
organization's strategic objectives, and to be able to put the QMS audit within that
context. The auditor needs to dedicate time for detailed discussions with top
management, to define their expectations for the QMS, and to incorporate these
expectations into the audit criteria.
Some tips for the auditor on how to add value
1) Audit planning:
a. Understand the auditee's expectations/corporate culture
b. Any specific concerns to be addressed (output from previous audits)?
c. Risk analysis of industry sector / specific to organization.
d. Pre-evaluation of statutory/regulatory requirements
e. Appropriate audit team selection to achieve audit objectives
f. Adequate time allocation
2) Audit technique:
a. Focus more on the process, and less on procedures. Some documented
procedures, work instructions, check-lists etc. may be necessary in order for
the organization to plan and control its processes, but the driving force should
be process performance.
b. Focus more on results and less on records. In a similar fashion, some records
may be necessary in order for the organization to provide objective evidence
that its processes are effective (generating the planned results) but in order to
add value, the auditor should be aware of and give credit for other forms of
evidence.
c. Remember the 8 Quality Management Principles
d. Use the "Plan-Do-Check-Act" approach to evaluate the organization's
process effectiveness.
i. Has the process been planned?
ii. Is it being carried out according to plan?
iii. Are the planned results being achieved?
iv. Are opportunities for improvement being identified and implemented?
- By correcting non-conformities
- By identifying root causes of problems and implementing corrective
action
- By identifying trends, and the need for preventive action
- By innovation
e. Adopt a "holistic" approach to evidence gathering throughout the audit,
instead of focusing on individual clauses of ISO 9001:2008.
3) Analysis and decision
a. Put the findings into perspective (Risk assessment / "common sense").
b. Relate findings to the effect on the organization's ability to provide conforming
product (see ISO 9001:2008 clause 1.1).
4) Report and follow-up
a. Sensible reporting of audit findings
i. Different approaches may be required depending on:
the organization's maturity (Zones 1, 2, 3 and 4)
•
Beginning with the year 1968, Garg has worked in the areas of manufacturing, processing,
casting, forging, electronics, electrical, software & engineering services related to
aerospace industry for civil & military aircrafts. He has carried out more than 200 audits for
ISO 9001, ISO 14001, and TL 9000 & AS 9100.
Born in India, Garg holds Bachelor and Master's Engineering degree from Indian Institute of
Technology (Roorkee University) and has honor of being the recipient of university Gold
Medal at IIT (Roorkee University). He is Graduate in Non-Destructive Inspection from AFTC,
Chanute, United States Air force securing 1st position in Graduate NDI AFTC, USA.
Garg has written/presented more than 50 papers in national/international journals/seminars.
Garg has been honored as “Quality Guru” at International Asia Pacific Quality World conference at
Mexico.
Contact Address :
NVT Quality Certification Pvt. Ltd.
Cap1, Export Promotion Industrial Park
Near ITPL, White Field, Bangalore-560066
Tel. ; +91-50-65343536/37, Fax : +91-50-28416767
Website : www.nvtquality.com, E-mail: nvtqc@vsnl.com
119
Auditor Guide
K.G. Garg
Dr Girdhar J. Gyani has been associated with the discipline of Quality since year 1980,
when he took up assignment on Airworthiness Assessment & Quality Certification of Military
Airplane (1980-90) with Defence Research & Development Organization at Hindustan
Aeronautics Limited, involving application of quality in state-of-art, multidisciplinary &
complex manufacturing sector.
Dr Gyani holds Master's Degree in Engineering and a Doctorate in Quality. He has been
conferred with 16th Lal C. Verman Award in year 2002 in recognition with distinguished
contribution in the field of standardization, precision measurement & quality control. He is
recipient of Rotary Centenary Award in year 2004 for Excellence in the field of Quality.
121