In my newsletters last year, I reviewed the proposed changes to ISO 9001:2000 based on a Committee Draft. It was expected at that time that the revised standard would be issued in 2009.

The Draft International Standard version is now being circulated for review and comment. The new publication date is expected to be late 2008, so I will refer to the revised standard as ISO 9001:2008.

This newsletter contains articles describing the changes planned for each of the major clauses, 4 through 8. Most of the suggested changes are just word changes for improved clarity of the requirements.

Please note that only the new or changed sections are discussed. Unaffected text has not been included.

To begin, under 4.1 General Requirements, sub-clause (a), the word "Identify" has been replaced with "Determine":

4.1 General Requirements

a) Identify Determine the processes needed for the quality management system and their application throughout the organization (see 1.2),

Although similar, the words "Identify" and "Determine" have slightly different meanings. To identify is to recognize or establish something as being a particular thing. To determine is to apply reason and reach a conclusive decision. Therefore, to determine the processes implies more analysis and judgment than merely identifying them.

e) monitor, measure (where applicable) and analyze these processes, and ...

Processes are monitored, but may not need to be measured. Therefore, the requirement change indicates processes are only measured where applicable.

Later in clause 4.1 regarding outsourcing:

Control of such The type and extent of control to be applied to these outsourced processes shall be identified defined within the quality management system.

This addition clarifies that specific controls are to be defined and applied, not just identified. See the new Note 3 below for an explanation of the type and extent of controls for an outsourced process.

Next, the current Note under clause 4.1 has been expanded and two new Notes have been added:

NOTE 1: Processes needed for the quality management system referred to above should include processes for management activities, provision of resources, product realization, and measurement, analysis, and improvement.

This change expands from "measurement" to "measurement, analysis, and improvement" to match the title for clause 8. And, by deleting "should", the Note clearly states that these processes are included.

The new Notes are:

NOTE 2: An outsourced process is identified as one being needed for the organization's quality management system but chosen to be performed by a party external to the organization.

This new Note provides an explanation of what is considered an outsourced process. The next Note identifies the factors influencing the control of an outsourced process.

NOTE 3: The type and nature of control to be applied to the outsourced process may be influenced by factors such as:

a) the potential impact of the outsourced process on the organization's capability to provide product that conforms to requirements;

b) the extent to which the control for the process is shared;

c) the capability of achieving the necessary control through the application of clause 7.4.

Ensuring control over outsourced processes does not absolve the organization of the responsibility of conformity to all customer, statutory, and regulatory requirements.

Outsourcing a process to another organization typically involves the purchase of those services. As a result, the requirements of clause 7.4, including the controls mentioned in 7.4.1, apply to the supplier selected to perform the outsourced process.

4.2 Documentation Requirements
4.2.1 General

The requirement changes in 4.2.1 are basically just a restructuring of the sub-clauses c), d), and e).

c) documented procedures and records required by this International Standard, and
d) documents, including records, needed determined by the organization to be necessary to ensure the effective planning, operation and control of its processes, and
e) records required by this International Standard (see 4.2.4).

You can see that adding "records" to sub-clause c) allowed sub-clause e) to be dropped. Sub-clause d) has been expanded to include the necessary records.

The first Note for clause 4.2.1 has added two more sentences:

A single document may include the requirements for one or more procedures.
A requirement for a documented procedure may be covered by more than one document.

An example for the first sentence would be satisfying the requirements for documented procedures in 8.5.2, Corrective Action, and 8.5.3, Preventive Action, by one combined Corrective and Preventive Action procedure. An example for the second sentence would be splitting the required procedure for the Control of Documents into two separate documented procedures.

4.2.2 Quality Manual
The draft ISO 9001:2008 standard keeps the quality manual requirements the same.

4.2.3 Control of Documents
The first sentence of this clause in the draft standard still states that documents required by the quality management system are to be controlled. The only suggested change to clause 4.2.3 is shown below:

f) to ensure that documents of external origin determined by the organization to be necessary for the planning and operation of the quality management system are identified and their distribution controlled, and

The change in sub-clause (f) clarifies that not all external documents have to be identified and controlled; only those necessary for the planning and operation of the quality management system.

4.2.4 Control of Records
The opening sentence for clause 4.2.4 has expanded from records being "maintained" to having them "controlled". Maintaining the records would be to simply keep them in good condition. Controlling the records means to regulate their use.

Records shall be established and maintained to provide evidence of conformity to requirements and of the effective operation of the quality management system shall be controlled.

Records shall remain legible, readily identifiable and retrievable.

The organization shall establish a documented procedure shall be established to define the controls needed for the identification, storage, protection, retrieval, retention time, and disposition of records.

Records shall remain legible, readily identifiable, and retrievable.

The requirement for a documented Record Control procedure was rewritten as shown above, but the content is basically the same. Note that "retention time" has been reduced to "retention". And, you can see that records must still remain legible, readily identifiable, and retrievable. This text was just moved to the end of clause 4.2.4.

So, the changes to clause 4 in the draft ISO 9001 are primarily clarifications for improved understanding of the existing requirements.

In the first article of this newsletter, I reviewed the proposed changes for clause 4 of the draft ISO 9001:2008 standard. Now for a look at the minor change in clause 5, Management Responsibility.

5. Management Responsibility
5.5 Responsibility, Authority, and Communication

Most organizations already appoint a Management Representative that is a member of their own management team. The change below clarifies that requirement.

5.5.2 Management Representative

Top management shall appoint a member of the organization's management who, irrespective of other responsibilities, shall have responsibility and authority that includes:

I've encountered a few small companies that have outsourced the Management Representative role to their consultant. I wonder if this clarification is aimed at that practice?

This article describes the proposed changes to clause 6, Resource Management.

6. Resource Management
6.2 Human Resources
6.2.1 General

The revision for this clause is from work affecting "product quality" to work affecting "conformity to product requirements". Quality is the degree to which a set of inherent characteristics fulfils requirements; Conformity is the fulfillment of a requirement.

Personnel performing work affecting product quality conformity to product requirements shall be competent on the basis of appropriate education, training, skills and experience.

I doubt this change will result in new interpretations of the requirement. Anyone performing, verifying, or managing work within the scope of the quality management system, including supporting services, can affect conformity to product requirements.

A new Note has been added for clause 6.2.1 to explain that anyone working within the system may affect product quality.

NOTE: Conformity to product requirements may be affected directly or indirectly by personnel performing any task within the quality management system.

6.2.2 Competence, Training, and Awareness, and Training

The clause title has been changed from "Competence, Awareness, and Training" to "Competence, Training, and Awareness". Maybe the thought was that awareness comes from some form of training and should be last in the title. And, that is also the sequence of the requirements as listed within clause 6.2.2.

The same change made to clause 6.2.1 regarding conformity to product requirements has been included in this sub-clause:

a) determine the necessary competence for personnel performing work affecting product quality conformity to product requirements,

Use below of the phrase "where applicable" seems to recognize that training or other actions may not be necessary, since individuals may already have the necessary competence. And, since "these needs" could be taken out of context, the requirement has been revised to specifically mention competence.

b) where applicable, provide training or take other actions to satisfy these needs achieve the necessary competence,

In the past, people have struggled with how to evaluate the effectiveness of the actions taken, which have been viewed primarily as training. The sub-clause below has been modified to focus more on competency instead of the effectiveness of the training.

c) ensure the effectiveness of the actions taken, ensure that the necessary competence has been achieved,

Evidence for the current requirement has in some cases included students evaluating the effectiveness of their training. However, this approach would not relate as well for the revised requirement as would an evaluation of their skills.

6.3 Infrastructure

The only change under Infrastructure was to include "information systems" as an additional example of a supporting service.

c) supporting services (such as transport, or communication or information systems).

6.4 Work Environment

The only change to this clause was to add a Note to explain the term Work Environment by providing examples of work environment conditions for achieving product conformity.

NOTE: The term "work environment" relates to conditions under which work is performed including physical, environmental, and other factors (such as noise, temperature, humidity, lighting, or weather).

This article looks at the suggested ISO 9001:2008 changes for clause 7, Product Realization.

7.1 Planning of Product Realization

The only change to the text of clause 7.1 is the addition of "measurement" as one of the required activities to be determined during the planning of product realization.

In planning product realization, the organization shall determine the following, as appropriate:

c) required verification, validation, monitoring, measurement, inspection and test activities specific to the product and the criteria for product acceptance;

7.2 Customer-Related Processes
7.2.1 Determination of Requirements Related to the Product

The slight change below from "for delivery and post-delivery activities" to "for delivery, and for post-delivery activities" adds emphasis to post-delivery activities. In addition, a Note has been added with examples of post-delivery activities.

The organization shall determine:

a) requirements specified by the customer, including the requirements for delivery, and for post-delivery activities,

The change below from "related" to "applicable" shifts the meaning from determining legal requirements that are merely associated with the product to those that are relevant and can be applied to the product.

c) statutory and regulatory requirements related applicable to the product, and

The revision below clarifies that the additional requirements aren't just determined, they are determined to be needed by the organization. Since the bulleted list begins with "The organization shall determine", the use of the word "determined" again in this entry was not appropriate.

d) any additional requirements considered necessary determined by the organization.

Readers of the current standard may not have considered the breadth of post-delivery activities as described by the new Note below.

NOTE: Post delivery activities include, for example, actions under warranty provisions, contractual obligations such as maintenance services, and supplementary services such as recycling or final disposal.

7.3 Design and Development
7.3.1 Design and Development Planning

Clause 7.3.1.b states the organization must determine the review, verification, and validation appropriate for each design and development stage. The new Note below explains that although review, verification, and validation have distinct goals, they can be carried out separately or in any combination.

NOTE: Design and development review, verification and validation have distinct purposes. They may be conducted and recorded separately or in any combination as suitable for the product and the organization.

7.3.2 Design and Development Inputs

This clause requires the design and development inputs to be determined and records to be maintained. It lists several types of requirements to be included. The revision below simply changes from "These inputs" to "The inputs".

These inputs shall be reviewed for adequacy. Requirements shall be complete, unambiguous and not in conflict with each other.

7.3.3 Design and Development Outputs

The change below removes the unnecessary word, "provided". It also switches from "a form that enables verification" to "a form suitable for verification". To enable something is to make it possible. However, to be suitable means it is meant for use, or in this case, for verification.

The outputs of design and development shall be provided in a form that enables suitable for verification against the design and development input and shall be approved prior to release.

The new Note below reminds the reader that clause 7, Production and Service Provision, includes sub-clause 7.5.5, Preservation of product. Why do that? Probably to indicate that the design output should consider product preservation, e.g., product packaging.

NOTE: Information for production and service provision may include details for the preservation of product.

7.5 Production and Service Provision
7.5.2 Validation of Processes for Production and Service Provision

The organization shall validate any processes for production and service provision where the resulting output cannot be verified by subsequent monitoring or measurement and as a consequence, This includes any processes where deficiencies become apparent only after the product is in use or the service has been delivered.

The revised text makes clear that any process output that can't be verified may result in deficiencies becoming known only after the product is in use or the service has been delivered.

7.5.3 Identification and Traceability

This clause states that, where appropriate, the organization must identify the product by suitable means "throughout product realization". The text below refers to inspection and test status of the product, and some readers may have thought it only applied to final product. The planned revision below clarifies that identifying the product status applies throughout product realization, from received product, through in-process product, to final product.

The organization shall identify the product status with respect to monitoring and measurement requirements throughout product realization.

By moving the "records" reference to the end of the sentence below, the meaning has changed from recording the product identification, to keeping any type of record associated with product traceability.

Where traceability is a requirement, the organization shall control and record the unique identification of the product and maintain records (see 4.2.4).

7.5.4 Customer Property

The change below reads better, but hasn't changed the requirement to report customer property issues to the customer and keep records.

If any customer property is lost, damaged or otherwise found to be unsuitable for use, this shall be reported the organization shall report this to the customer and records maintained maintain records (see 4.2.4).

The existing Note has been modified to include "personal data" as an example of customer property, broadening the applicability of clause 7.5.4 to more organizations, especially service organizations.

NOTE: Customer property can include intellectual property and personal data.

7.5.5 Preservation of product

If anyone was confused over the meaning of "conformity of product" in the current text, using "conformity to requirements" should be easier to understand in the new text.

The organization shall preserve the conformity of product during internal processing and delivery to the intended destination in order to maintain conformity to requirements.

The current requirement that begins with, "This preservation shall include", doesn't give the flexibility to include, or not include, the identification, handling, packaging, storage, and protection of the product. The change below allows product preservation to be applied as appropriate.

This As applicable, preservation shall include identification, handling, packaging, storage and protection. Preservation shall also apply to the constituent parts of a product.

7.6 Control of monitoring and measuring devices equipment

The second clause title to change in ISO 9001:2008 is clause 7.6 where "devices" has been changed to "equipment". The term equipment was already used in several places in clause 7.6. The term devices has a broader scope and could include non-equipment types of tools. Equipment is the better choice for this calibration clause.

The planned changes to the clause below are to replace "devices" with "equipment" and to remove the reference to clause 7.2.1, Determination of Requirements Related to the Product.

The organization shall determine the monitoring and measurement to be undertaken and the monitoring and measuring devices equipment needed to provide evidence of conformity of product to determined requirements, (see 7.2.1)

A minor change to 7.6.a is shown below.

Where necessary to ensure valid results, measuring equipment shall:

a) be calibrated and/or verified, or both, at specified intervals, or prior to use,

This requirement went from "calibrated or verified" to "calibrated and/or verified", meaning a device might be calibrated and verified. Adding the "or both" is unnecessary since "and/or" covers that case.

Stating below that measuring equipment must "be identified" sounds like the organization is to add identification. However, the measuring equipment may come with the identification already in place, thus the wording change. In addition, measuring equipment is a term that typical covers multiple devices, so the text has been changed from "the" to "their" calibration status.

c) be identified have identification to enable the their calibration status to be determined;

The current Note for clause 7.6 has been dropped. It referred the reader to the ISO 10012-1 and ISO 10012-2 standards for guidance. Although these standards have been replaced with ISO 10012:2003, the reference was not retained.

NOTE: See ISO 10012-1 and ISO 10012-2 for guidance.

Software development organizations may have been unsure how to confirm, per clause 7.6, that software used for monitoring and measurement has the ability to satisfy the intended application. This new Note explains that it should include verification and configuration management for the software.

NOTE: Confirmation of the ability of computer software to satisfy the intended application would typically include its verification and configuration management to maintain its suitability for use.

This article looks at the suggested changes for clause 8, Measurement, Analysis, and Improvement.

8.1 General

The organization shall plan and implement the monitoring, measurement, analysis and improvement processes needed

a) to demonstrate conformity of the to product requirements,

The current use of "conformity of the product" might be interpreted as more limiting than the new "conformity to product requirements".

8.2.1 Customer Satisfaction

A new Note has been added for clause 8.2.1 to provide examples of sources for monitoring customer perceptions.

NOTE: Monitoring customer perception may include obtaining input from sources such as customer satisfaction surveys, customer data on delivered product quality, user opinion surveys, lost business analysis, compliments, warranty claims, dealer reports.

8.2.2 Internal Audit

A documented procedure shall be established to define the responsibilities and requirements for planning and conducting audits, establishing records and reporting results.

The responsibilities and requirements for planning and conducting audits, and for reporting results and maintaining records (see 4.2.4) shall be defined in a documented procedure.

The requirement above has been edited to emphasize the need for a documented procedure (by placing it first in the sentence). Also, "establishing records" has been moved ahead of "reporting results" in the list of topics to be defined in the procedure. Records are being captured throughout the audit and should be listed before the reporting of results. The reference to 4.2.4 for record control was moved to the new text below.

Records of the audits and their results shall be maintained (see 4.2.4).

The new text above highlights the need to maintain records of the audit and its results.

The management responsible for the area being audited shall ensure that any necessary corrections and corrective actions are taken without undue delay to eliminate detected nonconformities and their causes.

Expanding "actions" to "any necessary corrections and corrective actions" reminds us that an immediate correction might be needed before determining the cause of the nonconformity and taking corrective action to prevent its recurrence.

NOTE: See ISO 19011 ISO 10011-1, ISO 10011-2 and ISO 10011-3 for guidance.

The reference to the withdrawn ISO 10011, Guidelines for Auditing Quality Systems, has been replaced with a reference to ISO 19011, Guidelines for Quality and/or Environmental Management Systems Auditing.

8.2.3 Monitoring and Measurement of Processes

When planned results are not achieved, correction and corrective action shall be taken, as appropriate, to ensure conformity of the product.

Clause 8.2.3 requires applying suitable methods for monitoring and measuring processes to demonstrate their ability to achieve planned results. For some supporting processes, these results are only indirectly related to product conformity. Therefore, the reference to product conformity has been moved to the new Note below.

NOTE: When determining suitable methods, the organization should consider the type and extent of monitoring or measurement appropriate to each of its processes in relation to their impact on the conformity to product requirements and on the effectiveness of the quality management system.

What is a "suitable" method for monitoring and measuring processes? The Note above says to consider the type and extent of monitoring or measurement based on the impact of the process on product conformity and system effectiveness.

8.2.4 Monitoring and Measurement of Product

The organization shall monitor and measure the characteristics of the product to verify that product requirements have been met. This shall be carried out at appropriate stages of the product realization process in accordance with the planned arrangements (see 7.1). Evidence of conformity with the acceptance criteria shall be maintained.

The requirement to maintain evidence of conformity with acceptance criteria has been moved from the paragraph below to the paragraph above.

Evidence of conformity with the acceptance criteria shall be maintained. Records shall indicate the person(s) authorizing release of product for delivery to the customer (see 4.2.4).

The release of product release and delivery of service delivery to the customer shall not proceed until the planned arrangements (see 7.1) have been satisfactorily completed, unless otherwise approved by a relevant authority and, where applicable, by the customer.

The requirement above has been edited slightly and clarifies that the release of product and delivery of service is to the customer.

8.3 Control of Nonconforming Product

A documented procedure shall be established to define Tthe controls and related responsibilities and authorities for dealing with nonconforming product. shall be defined in a documented procedure.

The sentence above has been edited to begin with (instead of end with) the requirement for a documented procedure.

Where practicable, the organization shall deal with nonconforming product by one or more of the following ways:

The requirement now begins with "where practicable", meaning where feasible or possible, deal with nonconforming product in one or more of the four ways listed.

d) by taking action appropriate to the effects, or potential effects, of the nonconformity when nonconforming product is detected after delivery or use has started.

The new entry above in the list of ways to deal with nonconforming product is text that has been moved from the last sentence in clause 8.3 to become part of the list.

Records of the nature of nonconformities and any subsequent actions taken, including concessions obtained, shall be maintained (see 4.2.4).

The deleted text above wasn't actually deleted, it was just moved below the next sentence.

When nonconforming product is corrected it shall be subject to re-verification to demonstrate conformity to the requirements.

Records of the nature of nonconformities and any subsequent actions taken, including concessions obtained, shall be maintained (see 4.2.4).

The deleted text below was moved to entry (d) in the list of ways to deal with nonconforming product.

When nonconforming product is detected after delivery or use has started, the organization shall take action appropriate to the effects, or potential effects, of the nonconformity.

If you have any questions about the changes proposed by the ISO/DIS 9001:2008 standard, please let me know.

ISO 9001:2000
Understanding ISO 9001:2000
Implementing ISO 9001:2000
Quality System Documentation
ISO 9001:2000 Internal Auditor
ISO 9001:2000 Lead Auditor

ISO 14001:2004
Implementing an EMS
ISO 14001:2004 Internal Auditor
ISO 14001:2004 Lead Auditor

ISO/TS 16949:2002
ISO/TS 16949:2002 Internal Auditor
ISO/TS 16949:2002 Lead Auditor
Understanding and Implementing ISO/TS 16949:2002

AS9100B:2004
AS9100 Internal Auditor
Implementing AS9100
AS9100 Lead Auditor

ISO 27001 / ISO 17799
ISO 27001 - Understanding an ISMS
ISO 27001 - ISMS Implementation
ISO 27001 - ISMS Internal Auditor
ISO 27001 - ISMS Lead Auditor

ISO 20000
Understanding ISO 20000
Implementing ISO 20000
ISO 20000 Internal Auditor

ISO 22000
Understanding ISO 22000
ISO 22000 Internal Auditor
Understanding HACCP
Implementing SQF Systems
Advanced HACCP

ISO 13485:2003
Understanding ISO 13485:2003
ISO 13485:2003 Internal Auditor
Implementing ISO 13485:2003
ISO 9001 Lead Auditor - ISO 13485 Emphasis

Capability Maturity Model Integration
Introduction to CMMI v1.2

Six Sigma
Introduction to Statistics
Green Belt Certification
Black Belt Certification

Books
See our list of ISO 9001, Auditing, and Six Sigma books. Includes book descriptions and links to Amazon.

© 2000-2008 Whittington & Associates, LLC