ISO 9001:2015- Training

WELL COME
TO
ISO 9001 INTERNAL AUDITOR
TRAINING PROGRAME
 Section 1
About the Course
Course Objectives

Related standards, concepts and principles of the

ISO 9001:2015 standard

Clause overview

Overview of Significant Changes

Documentation requirement
Outcomes
• Upon successful completion of this course
you will:
• Be able to understand the proposed changes in
the new version of ISO 9001:2015.
• Have achieved the means to assess and improve
your organisation’s IMS.
Course Critique

• The achievement of the course learning

objectives is essential and your
assessment of this level of achievement
is important to us.
 Delegate Introductions
• Please interview the delegate to your left so you
may introduce them to the group.
• Include the following information in the
introduction:
• Name
• Organisation
• Job Description
• Involvement in QMS – unless already stated.
• Time allowed – 2 minutes for Interview
• 1 minute for Introduction
End of Section 1
 Section 2

ISO 9001:2015-
Overview of changes
 ISO 9001
First published in 1987, ISO 9000 has consistently been ISO’s most popular
series of standards. The 1st edition of ISO 9001 was published, along with
ISO 9002, ISO 9003. Like all ISO standards ISO 9001 generally undergoes a
revision every five years.

1994
2000

1987 Revisions

2008

2015
Reasons for change: 2015 Revision

Areas of consideration that go into the revision relate to

 Improvements and changes in technology,

 environmental factors,
 information management,
 supply chain management,
 and globalisation posing new challenges and opportunities.

The main reasons for the change has been stated to maintain:

 ISO 9001 relevant, consider changes in its environment

 To ensure it continues to deliver “confidence in the organization’s ability to consistently
provide product that meets customer and applicable statutory and regulatory
requirements”.
 Major Differences
• Noticeable change to the standard is
its new structure. (High-Level Structure-Annex SL)

• Quality management principles revisited

• Focus on risk-based thinking.

• Reinforced Process approach which

incorporates PDCA and Risk based
thinking

• Context of an organisation adopted

• Interested Party and Boundaries now

to be well understood

• Flexibility in documenting the QMS

Annex SL

ISO has developed Annex SL in an effort to ensure consistency of

structure and terminology used across the available managements
standards, so that they become more compatible and easier to use
 high level structure
 identical core text
 common terms and key definitions

All MSS shall in the future, in principle, use consistent structure,

common text and terminology so that they are easy to use and
compatible with each other.

not for management standards to have a “same look” only it re-enforces

same “feel”.

Common terms and definitions that are the same across all
management systems standards.
ISO 9001:2015 Structure

ISO 9001:2015

Slide courtesy: External Source

Revision of quality principles

Quality Principles

4. Process
Approach
Basic principles revisited

 Key change is dropping “Principle 5: System approach to

management” (most probably because it is already covered by the act
of having a quality management system).

 The last principle is now referred to as 'Relationship Management',

replacing "Mutually beneficial supplier relationships".

 "continual improvement" to just "improvement".

Risk based thinking

• Risk-based thinking ensures risk is considered from the beginning and

throughout (wider perspective of planning)

• Risk-based thinking makes preventive action part of strategic and

operational planning

• References are made to risk, identification of risks and opportunities

and planning actions to address risks and opportunities identified..
Why use risk based thinking

Successful organizations intuitively apply risk-based thinking because it

brings benefits that:

• improve governance

• establish a proactive culture of improvement

• assist with compliance

• assure consistency of quality of products and services

• improve customer confidence and satisfaction

How to use risk based thinking

• Identify what your risks are – it depends on context

• Use risk-based thinking to prioritize the way you manage your processes
• - Balance risks and opportunities
• Analyse and prioritize your risks
• - what is acceptable and what is unacceptable?
• Plan actions to address the risks
• - how can I avoid, eliminate or mitigate risks?
• Implement the plan; take action
• Check the effectiveness of the action; does it work?
• Learn from experience; improve
Risk based thinking

• is not new
• is something you probably do already
• is ongoing
• ensures greater knowledge of risks and improves preparedness
• increases the probability of reaching objectives
• reduces the probability of negative results
• makes prevention a habit
Risk based thinking

• Risk-based thinking is something we all do automatically and often sub-

consciously

• Risk is often thought of only in the negative sense. Risk-based thinking

can also help to identify opportunities. This can be considered to be the
positive side of risk
Process approach and risk-based thinking

• The process approach incorporates risk-based thinking

• Risk-based thinking ensures risk is considered when establishing,

implementing and maintaining a management system, each process and
each activity
 An example of a process which includes risks and regulatory requirements and
Infrastructure- (process equipment, software Process flow: Human Resources-(education, knowledge, skills,
associated customer requirements.
and hardware, supporting services) training and experience)

Inputs: Outputs
Regulatory Requirements

External and Internal Requirements impacting

process

Process Monitoring- (measurements, key Documentation-(process maps, procedures,

Risks associated with the process
performance indicators, trends, action plans standards, instructions, methods, forms):
for improvement, linkage to BP)
Elements of a single process
PDCA
Context of the organisation

 A whole new clause

 determine the issues and requirements that can impact on the

planning of the quality management system and can be used as an
input into the development of the quality management system.

 This would result in a broader business outlook that would imply a

more detailed operational planning.

 Various well-established methodologies can be employed: SWOT,

PEST, SOAR, Porter’s 5 forces analysis, Value chain analysis
Interested Parties

 Interested parties extends beyond a focus solely on the customer.

 Consider all relevant interested parties.

 The relevant interested parties are those that provide significant risk to
organizational sustainability if their needs and expectations are not
met.
Understanding the Interested Parties

• Identification and analysis of interested parties

Flexibility in documentation

 ISO 9001:2015 contains general requirements for documentation only,

with no reference to documented quality manual, documented
procedures or to quality records.

 'Documented information' now replaces both procedures and

records.

 The terms “document” and “record” have both been replaced

throughout the requirements text by “documented information.”

 No more six mendatory procedures

 Section 3

ISO 9001:2015-
Cl. 4 QMS Requirements
QMS Requirements- Scope (1)

Key changes:
 Used improvement in place of continual improvement

 Use of „products and services“ instead of „product“

 Section 1.2. Application of ISO 9001:2008 erased;

exclusions now governed by Section 4.3. Determining

the scope of the QMS
4.1 Understanding the organization and its context

The organization shall:

- determine external and internal issues, that are

relevant to its purpose and its strategic direction and
that affect its ability to achieve the intended outcome(s)
of its QMS.

- Monitor and review information about these external and

internal issues
Context of the organisation (4)

4.1 Understanding the organisation and its context

4.2 Understanding the needs nad expectations of interested

parties

4.3 Determining the scope of quality management system

4.4 Quality mangement system and its processes

4.2 Understanding the needs and expectations of
interested parties

The organization shall determine

a) the interested parties that are relevant to the quality

management system, and
b) the requirements of these interested parties that are
relevant to the quality management system

Monitor and review information about these interested

parties and their relevent requirements
4.2 Understanding the needs and expectations of
interested parties

The organization shall consider the following relevant

interested parties:
a) direct customers;
b) end users;
c) suppliers, distributors, retailers or others
involved in the supply chain;
d) regulators; and
e) any other relevant interested parties.
4.3 Determining the scope of the quality management
system

“The organization shall

determine the boundaries and applicability of the quality

management system to establish its scope.

When determining this scope, the organization shall consider

a) the external and internal issues
b) the requirements of relevent interested parties.
c) The products and services of the organisation

Apply all the requirements of standard if they are applicable with

in the determind scope of its QMS
4.3 Determining the scope of the quality management
system

- Scope shall be available and maintained as documented

information

- Scope shall state

all type of products and services covered
Provide justification if any of the requirment is not applicable to the
scope of its QMS

- Not applicable requiremntdo not afftect organisaton’s

ability or responsibility to ensure the conformity of its
products and services and the enhancement of customer
satisfaction.
4.4 Quality management system

Similar to ISO 9001:2008 Clause 4.1 with few new additions:

The organisation shall:

a)determine the inputs required and the outputs expected from these processes;
b) determine the sequence and interaction of these processes;
c) determine and apply the criteria and methods (including monitoring,
measurements and related performance indicators)
d) determine the resources needed for these processes and ensure their
availability;
e) assign the responsibilities and authorities for these processes;
f) address the risks and opportunities as determined in accordance with the
requirements of 6.1;
g) evaluate these processes and implement any changes needed to ensure that
these processes achieve their intended results;
h) improve the processes and the quality management system.
4.4 Quality management system

4.4.2 The organisation shall:

To the extent necessary,

a) maintain documented information to support the operation of its

processes;

b) retain documented information to have confidence that the processes are

being carried out as planned.
Activity 1
Working in teams defined by your tutor select a team leader. The leader should
distribute the tasks to each team member or work as a group.

Duration:30 minutes small group work / 10 minutes classroom feedback discussion)

Working as a team and using ISO 9001:2015 as reference point devise a Matrix
that will help you determine external and internal issues, that are relevant to
the purpose of an organization which involves in Procurement and Installation
of electrical items in Industries, residential and commercial projects and its
strategic direction and that affect its ability to achieve the intended outcome(s)
of its quality management system.

Working as a team and using ISO 9001:2015 as reference point devise a Matrix
that will help you identify the interested parties that are relevant to the quality
management system, and The requirements of these interested parties.
Section 4

ISO 9001:2015-
Cl. 5 Leadership
Cl.6 Planning
Structure

5.1 Leadership and commitment

5.1.1 General
5.1.2 Customer focus

5.2 Policy
5.2.1 Developing of quality policy
5.2.2 Communication of quality policy

5.3 Organisation roles, responsibilities and authorities

Section 5.1 Leadership and commitment

5.1.1 Top Management shall demonstrate leadership and

commitment with respect to QMS by:

a) Taking accountability
b) ensuring that quality policies and quality objectives are
established for the quality management system and are
compatible with the strategic direction of the organization;
c) Ensuring the integration of QMS in business processes
d) Promoting the use of process approach and risk based
thinking
e) ensuring that the resources needed for the QMS are
available
f) Communicating the improtance
g) Ensuring the QMS achieved its intended results
h) Engaging, directinga nd supporting the persons
i) Promotoing improvement
j) Supporting other management roles
Section 5.1 Leadership and commitment

Key changes

To replace Section 5.1 Management commitment ISO 9001:2008

Stronger emphasis on demonstrated leadership added (not just

management); Greater emphasis on business

Top management now has a greater, hands on involvement in the

quality management system; requirements are made now broader, yet
much more specific and tangible

Evidence platform for demonstrated leadership and commitment with

respect to quality policy and objective extended from („establishing
the quality policy“- ISO 9001:2008) to „ensuring QMS requirements
Section 5.1 Leadership and commitment

Added stronger focus on „integration“ – required demonstrated leadership and

commitment through „ensuring the integration of the quality management system
requirements into the organization‘s business processes”

Added stronger focus on „process approach“ – required demonstrated

leadership and commitment through „promoting awareness of the process
approach”

Stronger emphasis on the importance of top management ensuring effectiveness

of the quality management system- required demonstrated leadership and
commitment through “ensuring that the quality management system achieves its
intended outcomes outputs” .Role of involving and supporting others
underlined:“ engaging, directing and supporting persons to contribute to the
effectiveness of the quality management system”.

Decentralized leadership required; „supporting other relevant management

roles to demonstrate their leadership as it applies to their areas of responsibility”
 Leadership

No “Management representative”

• Senior management is now required to take a more active

involvement in the quality management system. Stronger emphasis
on the overall accountability of top management for the
effectiveness of the quality management system.

• The figure of management representative no longer explicitly

mentioned. In the absence of specific requirement for a
management representative, the organization may choose a
structure of assigning responsibilities as appropriate to ensure
relevant responsibilities and authorities are assigned.
5.1.2 Customer focus
“Top management shall demonstrate leadership and commitment
with respect to customer focus by ensuring that

a) customer and applicable statutory and regulatory

requirements determined, understood and consistently
met

b) the risks and oppertunitieswhich can affect conformity of

products
and services and customer satisfaction are determined and
addressed;

d) the focus on enhancing customer satisfaction is maintained.

 5.2 Quality policy

“Top management shall establish implement and maintain a quality

policy that:

a) is appropriate to the purpose and context of the organization;

Supports strategic direction
b) provides a framework for setting quality objectives;
c) includes a commitment to satisfy applicable requirements,
and
d) includes a commitment to continual improvement of the
quality management system.
 5.2 Quality policy

The quality policy shall:

a) be available and maintained as documented information;
b) be communicated, understood and applied within the
organization;
c) be available to interested parties, as appropriate; and

•
 5.3 Organizational roles, responsibilities and
authorities

Top management shall ensure that the responsibilities and authorities

for relevant roles are assigned and communicated within the organization.

Top management shall assign the responsibility and authority for:

a) ensuring that the QMS conforms to the requirements of this
International Standard and,

b) ensuring that the processes are delivering their intended outputs,

c) reporting on the performance of the QMS to top management and any

need for improvement, and

d) ensuring the promotion of awareness of customer requirements

throughout the organization

e) Ensuring that integrity of QMS maintained

Structure

6 Planning
6.1 Actions to address risk and oppertunities
6.1.1
6.1.2

6.2 Quality objectives and planning to achieve them

6.2.1
6.2.2

6.3 Planning of changes

6.1 Actions to address risks and opportunities

6.1.1
“When planning for the quality management system, the
organization shall consider the issues referred to in 4.1
and the requirements referred to in 4.2 and determine the
risks and opportunities that need to be addressed to
•a) assure the QMS can achieve its intended result),
•b) Enhance desirable effects,
•c) prevent, or reduce, undesired effects, and
•d) Achieve improvement.
6.1 Actions to address risks and opportunities

“The organization shall plan:

•a) actions to address these risks and opportunities,
and
•b) how to
•1) integrate and implement the actions into its QMS processes
(see 4.4), and
•2) evaluate the effectiveness of these actions.
•
Any actions taken to address risks and opportunities shall be
proportionate to the potential effects on conformity of products and
services

.
How should you do

>Identify what the risks and opportunities are in your organization – it

depends on context

>ISO 9001:2015 will not automatically require you to carry out a full, formal
risk assessment, or to maintain a “risk register”

>ISO 31000 (“Risk management — Principles and guidelines”) will be a useful

reference (but not mandated)
.
How should you do

Analyse and prioritize the risks and opportunities in your organization

– what is acceptable?
– what is unacceptable?

Plan actions to address the risks

– how can I avoid or eliminate the risk?
– how can I mitigate the risk?

Implement the plan – take action

Check the effectiveness of the actions – does it work?

Learn from experience – continual improvement

.
Risk Management techniques

Risk management process could be made in accordance with ISO

31000
>Risk management = Risk assessment + Risk control + Residual risk
>Risk assessment = Risk identification + Risk analysis + Risk evaluation
>Risk control and Risk treatment – 4 T concept of risk treatment
• Terminate
• Treat
• Tolerate
• Transfer
Risk Management techniques

• Preliminary Hazard Analysis (PHA)

•Fault Tree Analysis (FTA)
•Failure Mode and Effects Analysis (FMEA)
What is Risk

Risk is the possibility of events or activities impeding the

achievement of an organization’s strategic and operational
objectives.

Risk can be defined by two (2) parameters

– Severity
This is the Seriousness of the harm

– Probability
This is the Probability that the harm will occur
Risk Assessment-Quantitative

Negligible Minor Serious Critical Catastrophic

(1) (2) (3) (4) (5)
Frequent
(5)
Probable
(4)
Occasional
(3)
Remote
(2)
Improbable
(1)

• Red- High Generally Unacceptable

• Yellow- Medium (ALARP- As low as reasonably Practical)
• Green-Low (Generally Acceptable
Risk Assessment-Qualitative

Probability
L M H
L L L M
SEVERITY

M L M H
H M H H
Risk Register

• The risk register or risk log becomes essential as it

records identified risks, their severity, and the actions
steps to be taken.

• It can be a simple document, spreadsheet, or a

database system, but the most effective format is a table.

• A table presents a great deal of information in just a few

pages.
Risk Register

• The risk register or risk log becomes essential as it

records identified risks, their severity, and the actions
steps to be taken.

• It can be a simple document, spreadsheet, or a

database system, but the most effective format is a table.

• A table presents a great deal of information in just a few

pages.
Risk Register ( Qualitative)
Risk Register ( Quantitative)
 Risks (What
can go wrong)

Manpower
Materials Measures
(Trend Charts) (Training)
(With What?) (Metrics) (Skills)
Risks (What
can go wrong)

Processes
Suppliers Inputs (Major Elements & Boundaries) Customers
(By Whom)
Outputs
• Start (for Whom?)
• End
• Process Owners
Risks (What
can go wrong)
Risks (What
can go wrong)

Environment
Methods Machine
(Area
(How?) (With What?)
Conditions?)
Proposed Risk Model (Example)
Activity 2
Identify at least 5 Risks in the company which referred in case study 2. While
identifying risk cover the internal, external issue from context of organisation
and interested parties.

(Duration:30 minutes small group work / 10 minutes classroom feedback

discussion)
6.2 Quality objectives and planning to achieve them

“The organization shall establish quality objectives at relevant functions, levels and
processes. The quality objectives shall

•a) be consistent with the quality policy,

•b) be relevant to conformity of products and services and customer satisfaction,
•c) be measurable
•d) take into account applicable requirements,
•e) be monitored,
•f) be communicated, and
•g) be updated as appropriate.

The organization shall retain documented information on the quality objectives.

When planning how to achieve its quality objectives, the organization shall determine
•a) what will be done,
•b) what resources will be required
•c) who will be responsible,
•d) when it will be completed, and
•e) how the results will be evaluated.
6.3 Planning of changes

To replace Section 5.4.2 Quality management system planning

“The organization shall determine the needs for change to the QMS.

Changes shall be in a planned manner.

Organisation shall consider:

•Purpose of changes
•Integrity of QMS
•Availability of resources
•Allocation and reallocation of responsibilities and authorities
Section 5

ISO 9001:2015-
Cl. 7- Support
Structure

7.1 Resources
7.2 Competence
7.3 Awareness
7.4 Communication
7.5 Documented information
Section 7.1. Resources

“The organization shall determine and provide the

resources needed for the establishment, implementation,
maintenance and continual improvement of the QMS.

The organization shall consider

•a) capabilities and constraints on existing internal
resources,, and
•b) What needs to be obtained from external providers
7.1.2 People

“The organization shall determine and provide:

Person necessary for effective implementation and operation of QMS

Key changes:
Clarity on expectation
7.1.3 Infrastructure

“The organization shall determine, provide and maintain the

infrastructure necessary for the operation of its processes and to
achieve conformity of products and services.

Note: Infrastructure can include,

a) buildings and associated utilities,
b) equipment including hardware and software, and
c) transportation,
d) information and communication technology
7.1.4 Environment for operation of its processes

“The organization shall determine, provide and maintain

the process environment necessary for its operations
and to assure conformity of products and services

NOTE environment can be combination of human

(social, psychological) and physical factors
Key changes
7.1.5 Monitoring and measuring resources

 To replace Section 7.6 Control of monitoring and

measuring equipment (ISO 9001:2008)
 More generic and less technical approach maintained-
monitoring and measuring devices „ needed to verify
conformity to product requirements“ shall be „fit for
purpose.“
 General has given adequate coverage for service
sector
7.1.6 Organisational Knowledge

“The organization shall determine the knowledge necessary for the

operation of its processes and to achieve conformity of products
and services.
This knowledge shall be maintained and made available as
necessary.

Where addressing changing needs and trends the organization

shall take into account its current knowledge base and determine
how to acquire or access the necessary additional knowledge
7.1.6 Organisational Knowledge

“Organizational knowledge should facilitate the flow of knowledge

from where it resides, to where it is required (that is, where it can be
applied or used), to achieve the organization's objectives.

a technology-only approach to organisational knowledge (which,

unfortunately, some organizations take) is a narrow view that treats
the implementation of some form of technology—usually an
intranet/portal with some features of document management, storage,
and collaboration
 7.2 Competence
“The organization shall:

•a) determine the necessary competence of person(s) doing

work under its control that affects its quality performance, and

•b) ensure that these persons are competent on the basis of

appropriate education, training, or experience;

•c) where applicable, take actions to acquire the necessary

competence, and evaluate the effectiveness of the actions
taken, and

•d) retain appropriate documented information as evidence of

competence.
 7.3 Awareness

“Persons doing work under the organization‘s control

shall be aware of
•a) the quality policy,
•b) relevant quality objectives,
•c) their contribution to the effectiveness of the
quality management system, including the benefits of
improved quality performance, and
•d) the implications of not conforming with the
quality management system requirements.”
 7.4 Communication

“The organization shall determine the need for internal

and external communications relevant to the quality
management system including
•a) on what it will communicate,
•b) when to communicate, and
•c) with whom to communicate. “
•d) How
•e) Who
7.5 Documented information

“The organization‘s QMS shall include

•a) documented information required by this International

Standard,
•b) documented information determined by the organization
as being necessary for the effectiveness of the quality
management system.

• Documents as maintained documented information

• Records as retain documented information

•
7.5.2 and 7.5.3

7.5.2 Creating and updating

 No longer is a documented procedure required
 FDIS adopts a clear cut, referenced to practical examples
approach to creating and updating documented
information, flexibility underlined

7.5.3 Control of documented Information

 No longer is a documented procedure required

 Documented information“ to cover both documents and
records
Mandatory Documented Information in
ISO 9001:2015
Documented information to be retained
• Documented information to the extent necessary to have
confidence that the processes are being carried out as planned
(clause 4.4).
• Evidence of fitness for purpose of monitoring and measuring
resources (clause 7.1.5.1).
• Evidence of the basis used for calibration of the monitoring and
measurement resources (when no international or national
standards exist) (clause 7.1.5.2).
• Evidence of competence of person(s) doing work under the
control of the organization that affects the performance and
effectiveness of the QMS (clause 7.2).
• Results of the review and new requirements for the products
and services (clause 8.2.3).
Documented information to be retained

• Records needed to demonstrate that design and development

requirements have been met (clause 8.3.2)
• Records on design and development inputs (clause 8.3.3).
• Records of the activities of design and development controls (clause
8.3.4).
• Records of design and development outputs (clause 8.3.5).
• Design and development changes, including the results of the review
and the authorization of the changes and necessary actions (clause
8.3.6).
• Records of the evaluation, selection, monitoring of performance and re-
evaluation of external providers and any and actions arising from these
activities (clause 8.4.1)
Documented information to be retained

• Evidence of the unique identification of the outputs when traceability is

a requirement (clause 8.5.2).
• Records of property of the customer or external provider that is lost,
damaged or otherwise found to be unsuitable for use and of its
communication to the owner (clause 8.5.3).
• Results of the review of changes for production or service provision, the
persons authorizing the change, and necessary actions taken (clause
8.5.6).
• Records of the authorized release of products and services for delivery
to the customer including acceptance criteria and traceability to the
authorizing person(s) (clause 8.6).
Documented information to be retained

• Records of nonconformities, the actions taken, concessions

obtained and the identification of the authority deciding the action
in respect of the nonconformity (clause 8.7).
• Results of the evaluation of the performance and the effectiveness
of the QMS (clause 911)
• Evidence of the implementation of the audit programme and the
audit results (clause 9.2.2).
• Evidence of the results of management reviews (clause 9.3.3).
• Evidence of the nature of the nonconformities and any subsequent
actions taken (clause 10.2.2).;
• Results of any corrective action (clause 10.2.2).
Section 6

ISO 9001:2015-
Cl. 8- Operation
Structure

8.1 Operational planning and control

8.2 Requirements for products and services
8.3 Design and development of products and services
8.4 Control of externally provided processes, products
and services
8.5 Production and service provision
8.6 Release of products and services
8.7 Control of nonconforming outputs
 Section 8.1 Operational planning and control

“The organization shall plan, implement and control the processes (4.4)
needed to meet requirements and to implement the actions determined in 6
by

a) Determining the requirements for products and services

b) establishing criteria for the:
processes
acceptance of products and services
c) Determining the resources needed
d)implementing control of the processes in accordance with the criteria,
and
e) Determining and keeping documented information
 Section 8.1 Operational planning and control

•
• control planned changes and review the consequences of unintended
changes, taking action to mitigate any adverse effects, as necessary.

• ensure that the outsourced processes are controlled

Whatever the organization is in business to achieve, clause 8 is it.

Umbrella clause to enforce a risk based approach in planning,

implementing and controlling the processes needed to meet the
requirements and implement operational controls-

Links to Section 6.1. Actions to address risks and opportunities

This targets both in-house and any outsourced processes

 8.2 Determination of market needs and interactions with
customers. 8.2.1. General

“8.2.1: Customer communication:

Communication with customers shall include:

a) providing information relating to products and services;
b) handling enquiries, contracts or orders, including changes;
c) obtaining customer feedback relating to products and services, including customer
complaints;
d) handling or controlling customer property;
e) establishing specific requirements for contingency actions, when relevant.

Key Changes:
Additional requirement related to customer
property and contingency actions
 8.2.2 Determination of requirements
related to the Products and services
When determining the requirements for the products and
services
to be offered to customers, the organization shall ensure that:

a) the requirements for the products and services are defined,

including:
1) any applicable statutory and regulatory requirements;
2) those considered necessary by the organization;

b) the organization can meet the claims for the products and services
it offers.
 8.2.3 Review of requirements related
to the Products and services
• Replaces 7.2.2 of ISO 9001:2008

• No new requirement added

 Documented information to be maintained refers results of the review only

 More explanatory
8.2.4 Changes to requirements for products and
services

• Replaces 7.2.2 of ISO 9001:2008

• No new requirement added

• More explanatory
 8.3 Design and Development of products and
services

8.3.1 General

The organization shall establish, implement and maintain a design

and development process that is appropriate to ensure the
subsequent provisions of product and services.

8.3.2 Design and development planning

8.3.3 Design and development inputs
8.3.4 Design and development controls
8.3.5 Design and development outputs
8.3.6 Design and development changes

More clarity for service organisations. Design and development

planning can address the whole service delivery process for
service organisation.
 Key changes
 Detailed, extended list of parameters introduced to be factored in in
determining the stages and controls for the development processes; Risk
based approach underlined

 Reference to the applicable legal and other requirements, i.e. standard

code of practices adopted

 Explicit coverage of the various aspects of managing communication

and responsibilities between the different groups involved: focus on the
“need for clarity with respect to the responsibilities and authorities”; the
“management needs” and “involvement” of customer and used groups

 Stronger emphasis on the “necessary documented information” on the

application of development processes, the outputs and their suitability that
needs to be taken into concern
Key changes
 Integrated the requirement of review, verification and validation in single
clause

 Transfer from development to production or service provision always

under controlled risk management conditions
 8.4 Control of external provision of processes, products
and services.

8.4.1. General

8.4.2 Type and extent of control

8.4.3 information for external providers

Key changes
 To replace Section 7.4.1 ,7.4.2 and 7.4.3 (ISO 9001:2008).

 Extended platform adopted by ISO 9001:2015. The

requirement now applies to all categories of external
provision of processes, products and services. Thus, it
shelters also cases „where the organization has arranged for
an external provider to perform a function or process of the
organization“.

adopted by ISO 9001:2015. The information

 Extended platform
requirement from „purchasing information“ becomes now
„documented intormation for external providers“.
 Key changes

 Accordingly, information now discribe not only the „product to be

purchased“, but relates to „products and services to be provided or the
process to be performed“

 “The control and monitoring of the external provider’s performance to be

applied by the organization” has been added to the information requirements,
competence requirement has been extended and clarified “the requirements for
competence of personnel, including necessary qualification”.

 The broader formula of “monitoring performance of external providers”

adopted

 potential impact of the externally provided processes, products and services

 effectiveness of the controls applied by the external provider

 Key changes

 Accordingly, information now discribe not only the „product to be

purchased“, but relates to „products and services to be provided or the
process to be performed“

 “The control and monitoring of the external provider’s performance to be

applied by the organization” has been added to the information requirements,
competence requirement has been extended and clarified “the requirements for
competence of personnel, including necessary qualification”.

 The broader formula of “monitoring performance of external providers”

adopted

 potential impact of the externally provided processes, products and services

 effectiveness of the controls applied by the external provider

8.5 Production service provision
8.5.1 Control of production and service provision
Controlled conditions shall include, as applicable:

a) the availability of documented information that defines:

1) the characteristics of the products to be produced, the services to be provided, or

the activities to be performed;
2) the results to be achieved;

b) the availability and use of suitable monitoring and measuring resources;

c) the implementation of monitoring and measurement activities at appropriate

stages to verify that criteria for control of processes or outputs, and acceptance
criteria for products and services,have been met;

d) the use of suitable infrastructure and environment for the operation of processes;
8.5 Production service provision
8.5.1 Control of production and service provision

Controlled conditions shall include, as applicable:

e) the appointment of competent persons, including any required

qualification;

f) the validation, and periodic revalidation, of the ability to achieve planned

results of the processes for production and service provision, where the
resulting output cannot be verified by subsequent monitoring or
measurement;

g) the implementation of actions to prevent human error;

h) the implementation of release, delivery and post-delivery activities.

8.5.2 Identification and traceability

NO changes.

More clarity in intent

intermediate parts, components, etc“ in addition to

products and services. Extended platform therein.
8.5.3 Property belonging to customers
or external providers
The organization shall exercise care with property belonging to
customers or external providers while it is under the organization’s
control or being used by the organization.
8.5.4 Preservation

No new addition
8.5.5 Post delivery activities (New
requirement)

The organization shall meet requirements for post-delivery activities

associated with the products and services.

In determining the extent of post-delivery activities that are required, the

organization shall consider:
a) statutory and regulatory requirements;
b) the potential undesired consequences associated with its products and
services;
c) the nature, use and intended lifetime of its products and services;
d) customer requirements;
e) customer feedback.
 Key changes
 Explicit, risk based approach to regulation of post
delivery activities undertaken; recognition of the
prominence of these activities by the new revision
 To achieve more clarity, a detailed explanatory note
introduced. Examples of post delivery activities provided
 8.5.6 Control of changes
The organization shall review and control changes for
production or service provision, to the extent necessary to
ensure continuing conformity with requirements.

The organization shall retain documented information

describing the results of the review of changes, the
person(s)
authorizing the change, and any necessary actions arising
from the review.
Key changes
 Control of changes now explicitly extended to cover all
operation phases
 Risk based approach maintained
 Emphasis on the “planned and systematic” manner in
undertaking changes
 Specific requirements to documenting changes
8.6 Release of products and services

 No changes

 More clarity in intent

 8.7 Control of nonconforming outputs

8.7.1 The organization shall ensure that outputs that do not conform to
their requirements are identified and controlled to prevent their
unintended use or delivery.

8.7.2 The organization shall retain documented information that:

a) describes the nonconformity;
b) describes the actions taken;
c) describes any concessions obtained;
d) identifies the authority deciding the action in respect of the nonconformity

Key Changes:
 No documented procedure
 Self explanatory
 Section 7
ISO 9001:2015-
Cl. 9- Performance
Evaluation
Cl.10 Improvement
Structure
Performance evaluation
9.1 Monitoring, measurement, analysis and evaluation
9.1.1 General
9.1.2 Customer satisfaction
9.1.3 Analysis and evaluation
9.2 Internal audit
9.3 Management review
9.3.1 General
9.3.2 Management review inputs.
9.3.3 Management review outputs

10 Improvement
10.1 General
10.2 Nonconformity and corrective action
10.3 Continual improvement
9.1 Monitoring, measurement, analysis and evaluation

The organization shall determine:

a) what needs to be monitored and measured;

b) the methods for monitoring, measurement, analysis and evaluation
needed to ensure valid results;
c) when the monitoring and measuring shall be performed;
d) when the results from monitoring and measurement shall be analysed
and evaluated.

The organization shall retain appropriate documented information as

evidence of the results.
 9.1.2 Customer satisfaction
“The organization shall monitor data relating to customer
perceptions of the degree to which requirements have been
met.
 9.1.3 Analysis and evaluation of data

“The organization shall analyze and evaluate appropriate data

arising from monitoring, measurement and other relevant sources.
This shall include determination of applicable methods.

The results of analysis shall be used to evaluate:

a) conformity of products and services;
b) the degree of customer satisfaction;
c) the performance and effectiveness of the quality management system;
d) if planning has been implemented effectively;
e) the effectiveness of actions taken to address risks and opportunities;
f) the performance of external providers;
g) the need for improvements to the quality management system.
9.2 Internal Audit
 To replace Section 8.2.2 Internal audit
 A documented procedure is no longer required.
Requirements for documented information instead.
 Key factors to influence audit planning redrafted; reference to „
quality objectives“ and „related risks“ added. Risk based
approach underlined
 Stronger emphasis on the results being reported to relevant
management and becoming an input data for decision making
“ensure that the results of the audits are reported to relevant
management for evaluation”; system approach maintained
 Responsibility for taking appropriate corrective action
without undue delays transferred from “the management
responsible for the area being audited“ to the organisation itself
 9.3 Management review
• “Top management shall review the organization's quality
management system, at planned intervals, to ensure its continuing
suitability, adequacy, and effectiveness and alignment with the
strategic direction of the organization..

• Stronger emphasis on the need to allign management review with

the needs of the „changing business environment“ and „the
strategic direction of the organization“. Business flavour added.

• Input platform extended; the following input data added:

„monitoring and measurement results“; „ supplier and external
provider issues“.

• The output section redrafted, now more flexible and opportunities

sensitive, focused on „improvement opportunities“ and relevant „
needs for changes to the QMS“ to emrace these opportunities
10 Improvement

10.1 General
The organization shall determine and select opportunities for
improvement and implement any necessary actions to meet customer
requirements and enhance customer satisfaction.

These shall include:

a) improving products and services to meet requirements as well as to
address future needs and expectations;
b) correcting, preventing or reducing undesired effects;
c) improving the performance and effectiveness of the quality
management system.
 10.2 Nonconformity and corrective action

“When a nonconformity occurs, the organization shall:

a) react to the nonconformity, and as applicable
•1) take action to control and correct it; and
•2) deal with the consequences;
b) evaluate the need for action to eliminate the causes of the
nonconformity, in order that it does not recur or occur elsewhere, by
•1) reviewing the nonconformity;
•2) determining the causes of the nonconformity, and
•3) determining if similar nonconformities exist, or could potentially occur;
c) implement any action needed;
d) review the effectiveness of any corrective action taken; and
e) update risks and opportunities determined during planning, if necessary;
e) make changes to the quality management system, if necessary.
Nonconformity and corrective action (Cont’d)

“Corrective actions shall be appropriate to the effects of the

nonconformities encountered.
The organization shall retain documented information as evidence of
•a) the nature of the nonconformities and any subsequent actions
taken; and
•b) the results of any corrective action. “
 CORRECTIVE ACTION
NON-CONFORMITY
RAISED
& AUDIT CLOSE OUT

UNDERSTAND

ANALYSE

ROOT CAUSE
DETERMINATION

CORRECTIVE AUDITING
ACTION PROPOSAL ORGANISATION

IMPLEMENT

FOLLOW UP AUDIT
VERIFICATION

ONGOING SURVEILLANCE
10.3 Continual Improvement

“The organization shall continually improve the suitability, adequacy

and effectiveness of the quality management system

The organization shall consider the results of analysis and evaluation, and
the outputs from management review, to determine if there are needs or
opportunities that shall be addressed as part of continual improvement.
Benefits: new version brings

• Puts greater emphasis on leadership engagement

• Helps address organizational risks and opportunities in a structured manner

• Uses simplified language and a common structure and terms, which are
particularly helpful to organizations using multiple management systems,
such as those for the environment, health & safety, or business continuity

• Addresses supply chain management more effectively