These Guidelines are the result of a project of the ACCREDITAMENTO working group of Conforma to which the following members
belong:
ASACERT
AICQ SICEV
BUREAU VERITAS
CERTIQUALITY
CSI
CSQA
DEKRA
DNV GL
ICIM
ICMQ
IGQ
The document is the outcome of a technical round table CONFORMA ISO 9001:2015, which was attended by:
Valerio PAOLETTI
RINA Services
Andrea ALLOISIO
Michele AVERSA
Giulio BATTISTELLA
Massimo CASSINARI
Luisa COLOMBO
Fiorenzo COSTA
Lionella DAGO
Valentina DORONZO
Lucio GALDANGELO
Roberto GRAMPA
Lodovico JUCKER
Francesca MALINVERNI
Paola PACE
Alessandra PEVERINI
Barbara RENALDI
Angelo SALDUCCO
RINA Services
CSI
CSQA
ICMQ
DNV-GL
AICQ SICEV
CSQA
CONFORMA
ICIM
ICMQ
BUREAU VERITAS
IMQ
DNV-GL
CERTIQUALITY
RINA Services
AICQ SICEV
COORDINATOR
CONTENTS
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Context of the organisation
5 Leadership
6 Planning
7 Support
8 Operation
9 Performance evaluation
10 Improvement
ANNEX 1
ISO 9001:2008 to ISO 9001 - Correlation Matrix
ANNEX 2
Examples of implementation of requirement 4.1
ANNEX - 3
RISK IN ISO 9001:2015
ANNEX - 4
Non-exhaustive examples of possible risks referable to the context/interested parties
ANNEX - 5
Considerations on how to conduct audits for conformity to ISO 9001:2015
This document cannot, of course, enter into the specifics of each organisation as
there are too many variables, such as the type of product/service, size, operational
complexity, context in which the organisation operates and above all the objectives
an organisation sets itself when it adopts a quality management system. Therefore,
it offers considerations of a general nature, which can be adapted to individual
organisations to which the ISO 9001:2015 standard will apply.
The guidelines can be used as a reference to assess the compliance and
effectiveness of a quality management system against the ISO 9001:2015 standard,
contributing to a uniform assessment by auditors, an aspect which all parties
concerned are interested in, with particular regard to accreditation bodies.
These guidelines are to be used in conjunction with the standard, which contains the
requirements to be met. For each requirement of the standard, whose heading and
numbering are given in the first column, considerations have been made concerning
the requirement in question and possible evidence to be obtained during the audit.
This can be particularly useful both for organisations already certified according to
ISO 9001:2008, which intend to prepare for and undergo an audit for the
verification of compliance with the new standard, and for organisations which
are in the process of setting up and implementing a management system.
With reference to the part related to possible evidence, conditional terms have
been used (could; should; ....) to indicate that what is stated may not be the only way
to meet the requirement.
The annexes contain: a comparative table between the ISO 9001:2008 and ISO
9001:2015 standards, examples of implementation of the requirements as per point
4.1, a translation into Italian of document ISO/TC 176/SC2 N1222 which provides
clarification on the risk based approach which it is necessary to bear in mind when
determining the processes, an example of possible risks referred to the context in
which the organisation operates and some considerations on how to approach an
audit for compliance with the new edition of the standard.
UNI, recognising the value of the guidelines, has supported them and was particularly
involved in the aspect related to consistency of the terminology with the body of
legislation concerning quality management and conformity assessment.
1 Scope
2 Normative references
3 Terms and definitions
4 Context of the organisation
4.1 Understanding the organisation and its context
This point is completely new compared to the previous ISO
9001:2008 edition.
The organisation shall determine and analyse the internal and
external issues (positive and negative) which are relevant to
its strategic objectives and which influence its ability to obtain
the results expected from its quality management system.
The objective is to increase the organisation's strategic vision
level when designing its quality management system, bearing
in mind the context in which it operates.
It is essential to identify the factors which can influence the
organisation's ability to achieve the desired results in order to
reason according to Risk Based Thinking (see 6.1) and
consequently, to suitably define and develop the quality
management system.
For an overall view of the internal and external factors which
influence the organisation, it may be appropriate to involve
different sectors: marketing and sales, purchasing,
administration and finance, human resources, technical
management, production.
5 Leadership
5.1 Leadership and commitment
5.1.1 General
The responsibilities of the top management and its role have
been emphasised, in terms of support and motivation
relevant to human resources and quality management system
implementation.
The new standard no longer mentions a Management
Representative but explicitly involves the Top Management.
In this connection, it is to be noted that the new standard
introduces the concept of top management as:
Person or group of persons who direct and control an
organisation at the highest level.
The need to promote use of the process approach and of risk-based thinking is more explicit.
to
mandatory
the top management could activate risk analyses (see 6.1) and
related opportunities.
Finally, verification of the effectiveness of the tools prepared may,
in any case, be demonstrated through results, in terms of
customer satisfaction/dissatisfaction (performance analyses by
means of indicators, complaint analyses, returns, etc.).
5.2 Policy
5.2.1 Establishing the quality policy
The new aspect consists in making reference to the context in
which the organisation operates and communicating it to
relevant interested parties.
In relation to the new edition of the standard, it can be said
that the period of generic and static quality policies is
definitely over.
The contents of the policy should be consistent with the
results of the context analysis, requirements of customers,
other interested parties and applicable mandatory
requirements and the established objectives should be in line
with the policy.
Continuous changes to the organisation and to the context in
which it operates necessitate a periodic review of the policy.
- process flows;
- management procedures;
- operational instructions;
- restricted access to the organisation's IT system.
6 Planning
6.1 Actions to address risks and opportunities
Although the standard does not specifically talk about risk
analysis, a risk based thinking approach is considered
fundamental to plan a quality management system,
considering that one of the aims of the system is to provide a
prevention tool for the organisation which adopts it.
Even if the word "risk" is normally considered negative, it may
have either a positive or negative connotation.
Risk management is specifically required in relation to the
following:
-
- organisation's strategies;
- market analyses;
- customer requirements;
- mandatory requirements;
- analyses of processes;
- risk analyses;
- etc.
7 Support
7.1 Resources
7.1.1 General
The organisation shall determine and provide the human and
infrastructural resources, in-house and external, needed to
manage the processes which come under the scope of the
quality management system.
To identify what is needed, the organisation shall take into
consideration the capabilities of and constraints on existing
internal resources and the need to involve also external
resources in order to comply with customer requirements and
expectations and to develop the new business activities
identified.
7.1.2 People
The organisation shall provide the personnel necessary for the
effective implementation of its quality management system
and for the operation and control of its processes so as to
continuously meet customer requirements and the applicable
statutory and regulatory requirements.
For example:
-
7.1.3 Infrastructure
To ensure the adequacy and effectiveness of its
infrastructure, the organisation shall provide suitable work
instructions, taking into account appropriate user competency
and programme routine maintenance works.
protect
NOTE
KNOWLEDGE: Acquisition of contents, that is to say,
principles, theories, concepts, terms, rules, procedures,
methods and techniques.
7.2 Competence
The concept expressed in the standard is that the competence
necessary for each activity to be carried out shall be
determined and that the people who carry out the activity
have the necessary competence.
NOTE
COMPETENCE
Utilisation of knowledge acquired to resolve situations or
produce new products/services
It is to be noted that competence can be acquired in many
ways and is not strictly connected with training; training is
only one aspect to be considered.
It is also necessary to determine the competence required of
the people doing work under the organisation's control,
external to the organisation (e.g. external providers).
7.3 Awareness
The requirement states more specifically what the personnel
shall be aware of, focusing attention on the quality policy,
quality objectives, the contribution of each person to the
effectiveness of the management system and to the benefits
associated with enhanced performance and the
implications/repercussions of nonconforming situations
relative to the management system.
Awareness becomes a requirement.
The requirements in point 7.3 are not only aimed at the
organisation's personnel but also at external providers and
external parties.
The requirement necessitates a guarantee that the personnel
operating within the organisation, including personnel not directly
employed but involved in the organisation's processes, are
aware of the importance of their work as a contribution to the
effectiveness of the management system.
- direct communications;
- meetings;
- management system audits;
- specific training;
- sharing of objectives/results;
- sharing of NC found;
- sharing of the contents of the quality policy;
- awareness questionnaires;
- any instructions/procedures.
7.4 Communication
This requirement is more detailed compared to the previous
edition of the standard and introduces the concept of external
communication with interested parties.
The organisation shall determine the internal and external
communications to be made, by whom and to whom, how
they are to be made and when, the responsibilities and
authorities.
The top management shall ensure communications are sent
out at all levels, clearly, understandably and in line with the
objective; external communications enable the needs and
expectations of relevant interested parties to be understood
and met.
- Scope (see 4.3) (including any justifications for non-applicability of the requirement).
- Description of the quality management system and its processes (see 4.4).
- Quality policy (see 5.2.2).
- Quality objectives (see 6.2.1).
- Adequacy of the monitoring and measuring resources (see 7.1.5).
- When measurement traceability is a requirement, the calibration or verification methods; if there is no such standard, the basis used for calibration or verification is to be indicated (see 7.1.5.2).
- Competence (see 7.2).
- Demonstration of conformity of the process as planned and of the product to the requirements (see 8.1).
- Review of the requirements for products (see 8.2.3).
- Design and development inputs (see 8.3.3).
- Design and development controls (see 8.3.4).
- Design and development outputs (see 8.3.5).
- Design and development changes (see 8.3.6).
- Documentation on the evaluation and monitoring of performance of external providers (see 8.4.1).
- Definition of the characteristics of the products/services and the results to be achieved (see 8.5.1).
- Activities to be performed and results to be achieved (see 8.5.1).
- Identification and traceability (see 8.5.2).
- Property of a customer or external provider is lost, damaged or found unsuitable for use (see 8.5.3).
- Control of changes (see 8.5.6).
- Evidence of conformity with the acceptance criteria of the product/service released (see 8.6).
- Traceability to the person(s) authorising the release of
8 Operation
8.1 Operational planning and control
This is a general requirement to be incorporated in each
operational process, to the extent necessary in relation to the
organisation's characteristics and scope of its quality
management system, taking into account what has been
planned to ensure achievement of the objectives and
prevent/reduce risk.
- quality plans;
- quality control plans;
- design plans;
- product manufacture/service provision plans;
- work cycles;
- planning of resources;
- list of materials.

- brochures
- web site
- catalogues
- advertising
- labelling and packaging
- product instructions for use
- services charter
- training offer plan
- offers / confirmation of orders
- etc.
Possible cases:
-
8.5.4 Preservation
There are no significant changes compared to the previous
edition of the standard.
The word "product" has been replaced by "process
outputs"; however, the 2008 edition talks about "during
internal processing".
In the 2015 edition, the word "delivery" has disappeared
but returns in the note as "transportation".
In fact, the two variations compensate one another and the
meaning is that preservation is to be ensured during all
stages of the production process and extended to the stages
related to the process of transmission, transportation,
- verification of criteria to determine the extent of post-delivery activities, in line with the assessment of risk/opportunities and customer needs;
- verification of contractual and warranty conditions;
- verification of communications with customers following delivery and which are not only replies to complaints.
9 Performance evaluation
9.1 Monitoring, measurement, analysis and evaluation
9.1.1 General
The requirement explains the planning of the monitoring
activities related to the product/service.
The monitoring, measurement and analysis activities serve to
guarantee the effectiveness of the quality management
system and continuous conformity to the
requirements/objectives which the organisation has
established.
- improvement opportunities;
- decisions related to the actions to be taken;
- assignment of responsibility and adequate resources for each activity;
- need to modify the management system;
- need for resources.
10 Improvement
10.1 General
A new requirement has been introduced concerning the
approach to improvement in general.
Improvement is to be seen as an ongoing activity: each time
an opportunity for improvement is identified, the organisation
should decide whether to pursue it and the resources needed.
Improvement does not just mean product/service
improvement but also improvement of the management
system.
The improvement process can include a series of stages,
among which:
-
- nonconformities;
- problems with external providers;
- customer complaints;
- requests for assistance during warranty;
- internal audits (see 9.2).
ANNEX 1
ISO 9001:2008 to ISO 9001 - Correlation Matrix
ISO 9001:2008
ISO 9001:2015
4.2.1 General
7.5.1 General
5.2 Policy
5.4 Planning
5 Leadership
7.4 Communication
5.6.1 General
9.3.1 General
6 Resource management
7.1 Resources
7.1.1 General
7.1.2 People
7.2 Competence
6.2.1 General
7.2 Competence
7.2 Competence
7.3 Awareness
6.3 Infrastructure
7.1.3 Infrastructure
7 Product realization
8 Operation
8.3.1 General
8.3.2 Design and development planning
7.4 Purchasing
7.4.1 Purchasing process
8.5.4 Preservation
9 Performance evaluation
9.1 Monitoring, measurement, analysis and evaluation
8.1 General
9.1.1 General
9.1.1 General
8.5 Improvement
10 Improvement
10.1 General
10.3 Continual Improvement
ANNEX 2
Examples of implementation of requirement 4.1
Product/market
Environmental factors
Economic and political factors
Human resources
Infrastructure
Internal issues
External issues
Transport of goods
ISO/TC 176/SC2
ANNEX - 3
2. Overview
One of the key changes in the 2015 revision of ISO 9001 is to establish a systematic approach to risk, rather
than treating it as a single component of a quality management system.
In previous editions of ISO 9001, a clause on preventive action was separated from the whole. Now risk is
considered and included throughout the standard.
By taking a risk-based approach, an organization becomes proactive rather than purely reactive, preventing
or reducing undesired effects and promoting continual improvement. Preventive action is automatic when
a management system is risk-based.
It is necessary to analyse the opportunities and consider which can or should be acted on. Both the
impact and the feasibility of taking an opportunity must be considered. Whatever action is taken will
change the context and the risks and these must then be reconsidered.
ISO 9001:2015 uses risk-based thinking to achieve this in the following way:
- Clause 4 (Context): the organization is required to determine the risks which may affect this.
- Clause 5 (Leadership): top management are required to commit to ensuring Clause 4 is followed.
- Clause 6 (Planning): the organization is required to take action to identify risks and opportunities.
- Clause 8 (Operation): the organization is required to implement processes to address risks and opportunities.
- Clause 9 (Performance evaluation): the organization is required to monitor, measure, analyse and evaluate the risks and opportunities.
- Clause 10 (Improvement): the organization is required to improve by responding to changes in risk.
It may be ACCEPTABLE to delay arriving at the other side of the road by using a footbridge if the likelihood
of being injured by crossing the road directly is high.
I analyse the situation. The footbridge is 200 metres away and will add time to my journey. The weather is
good, the visibility is good and I can see that the road does not have many cars at this time.
I decide that walking directly across the road carries an acceptably low level of risk of injury and an
opportunity to reach my meeting on time.
Plan actions to address the risks
How can I avoid or eliminate the risk? How can I mitigate risks?
Example: I could eliminate risk of injury by using the footbridge but I have already decided that the risk
involved in crossing the road is acceptable.
Now I plan how to reduce the likelihood of injury and/or the effect of injury. I cannot reasonably expect to
control the effect of a car hitting me. I can reduce the probability of being hit by a car.
I plan to cross at a time when there are no cars moving near me and so reduce the likelihood of an accident.
I also choose to cross the road at a place where I have good visibility and can safely stop in the middle to reassess the number of moving cars, further reducing the probability of an accident.
Implement the plan: take action
Example
I move to the side of the road, check there are no barriers to crossing and that there is a safe place in the
centre of the moving traffic. I check there are no cars coming. I cross half of the road and stop in the central
safe place. I assess the situation again and then cross the second part of the road.
Check the effectiveness of the actions: does it work?
Example
I arrive at the other side of the road unharmed and on time: this plan worked and undesired outcomes
have been avoided.
Learn from experience: continual improvement
Example
I repeat the plan over several days, at different times and in different weather conditions.
This gives me data to understand that changing context (time, weather, quantity of cars) directly affects the
effectiveness of the plan and increases the probability that I will not achieve my objectives (being on time
and avoiding injury).
Experience teaches me that crossing the road at certain times of day is very difficult because there are too
many cars.
To limit the risk I revise and improve my process by using the footbridge at these times.
I continue to analyse the effectiveness of the processes and revise them when the context changes.
I also continue to consider innovative opportunities:
- can I move the meeting place so that the road does not have to be crossed?
- can I change the time of the meeting so that I cross the road when it is quiet?
- can we meet electronically?
7. Conclusion
Useful documents
ISO 31000:2009 Risk management - Principles and guidelines
PD ISO/TR 31004:2013. Risk management - Guidance for the implementation of ISO 31000
ANNEX - 4
Non-exhaustive examples of possible risks referable to the context/interested
parties
Threat
Note
Cybernetic attack
IT- telephone
Data loss
Interruption of external provision
Destabilisation of external provision chain
Security theft
Climatic events (i.e. earthquakes, floods, tsunami, etc.)
Industrial accidents
In relation to the seriousness
Environmental incidents
Ethics / business
Industrial controversy
Defective product liability
Insolvency of main customers
Cost / financing availability
Volatility of money exchange rates
acquired
Animal diseases/epidemics
ANNEX - 5
Considerations on how to conduct audits for conformity to ISO 9001:2015
The method for conducting audits is essentially unchanged.
In order to have reasonable certainty of system conformity to the requirements, an auditor should, however, shift
his/her approach from a search for conformity to a greater conformity assessment of the management system.
An example can be given by checking the adequacy of the documented information, which an organisation has the
right to determine to ensure effective implementation of the quality management system. Examination of this
documented information should contribute to the auditor's assessment of the effectiveness of the system.
In view of the greater and explicit involvement required of top management, it would be advisable for auditors to
request top management participation at the opening and closing meetings, in particular, but also during the audit
process.
During this meeting, which takes on considerable importance as concerns quality management system assessment,
the top management should be asked to illustrate how the context in which the organisation operates has been
identified and how a Risk Based Approach has been taken into account in the planning of the quality management
system and should be able to justify all decisions taken to plan and manage the company system. It shall also
demonstrate how it pursues its policy, which instruments and means it uses and how it ensures implementation by
the personnel. The management's effectiveness in this sense can be evaluated throughout the audit by means of
interviews or talks with the personnel and by verifying the outputs of the various processes.
An open-ended question approach should be adopted to allow interviewees to explain how system implementation is
ensured and to allow the auditor to assess their replies.
A result-based approach (Bottom Up) is also to be preferred. If the result is a nonconformity, this means there is a
hole in the management system. The organisation is to be called upon to analyse the causes and propose real
corrective action. "Mystery audit" methods may also be adopted for organisations which provide services.
POSSIBLE CRITICAL POINTS FOR THE ORGANISATION
- Context
- Quality system expectations
- Identification of risks and opportunities
- Identification of interested parties
- Identification of roles and responsibilities
- Identification of competences
- Documented information (Expectations)
CONFORMA is the Association of Certification, Inspection, Testing and Calibration Bodies, which operates in the
TIC (Testing, Inspection, Certification) sector, that is to say, in the conformity assessment sector,
understood as a series of activities, generally carried out under accreditation and/or authorisation of the
pertinent ministries, on a voluntary or mandatory basis, related to the certification of management
systems, products, personnel and services, inspection, CE marking, laboratory tests and calibration.
It was set up in 2012 by some of the most important national and international organisations in the
independent third party conformity assessment sector; it is based in the centre of Milan and has 4 technical
sectors: Certification, Inspection, Testing and Calibration.
Members of CONFORMA:
Aicq Sicev
ICIM S.p.A.
Asacert S.r.l.
ICMQ S.p.A.
Boreas S.r.l.
IGQ
IMQ S.p.A.
Certiquality S.r.l.
Inarcheck S.p.A.
CSI S.p.A.
McJ S.r.l.
Tecnoprove S.r.l.
Icila S.r.l.