ISO 9001:2008 – Clause 4

In my newsletters last year, I reviewed the proposed changes to ISO 9001:2000 based on a Committee Draft. It was expected at that time that the revised standard would be issued in 2009.

The Draft International Standard version is now being circulated for review and comment. The new publication date is expected to be late 2008, so I will refer to the revised standard as ISO 9001:2008.

This newsletter contains articles describing the changes planned for each of the major clauses, 4 through 8. Most of the suggested changes are just word changes for improved clarity of the requirements.

Please note that only the new or changed sections are discussed. Unaffected text has not been included.

To begin, under 4.1 General Requirements, sub-clause (a), the word “Identify” has been replaced with “Determine”:

4.1 General Requirements

a) Identify Determine the processes needed for the quality management system and their application throughout the organization (see 1.2),

Although similar, the words “Identify” and “Determine” have slightly different meanings. To identify is to recognize or establish something as being a particular thing. To determine is to apply reason and reach a conclusive decision. Therefore, to determine the processes implies more analysis and judgment than merely identifying them.

e) monitor, measure (where applicable) and analyze these processes, and …

Processes are monitored, but may not need to be measured. Therefore, the requirement change indicates processes are only measured where applicable.

Later in clause 4.1 regarding outsourcing:

Control of such The type and extent of control to be applied to these outsourced processes shall be identified defined within the quality management system. 

This addition clarifies that specific controls are to be defined and applied, not just identified. See the new Note 3 below for an explanation of the type and extent of controls for an outsourced process.

Next, the current Note under clause 4.1 has been expanded and two new Notes have been added:

NOTE 1: Processes needed for the quality management system referred to aboveshould include processes for management activities, provision of resources, product realization, and measurement, analysis, and improvement.

This change expands from “measurement” to “measurement, analysis, and improvement” to match the title for clause 8. And, by deleting “should”, the Note clearly states that these processes are included.

The new Notes are:

NOTE 2: An outsourced process is identified as one being needed for the organization’s quality management system but chosen to be performed by a party external to the organization.

This new Note provides an explanation of what is considered an outsourced process. The next Note identifies the factors influencing the control of an outsourced process.

NOTE 3: The type and nature of control to be applied to the outsourced process may be influenced by factors such as:

a) the potential impact of the outsourced process on the organization’s capability to provide product that conforms to requirements;

b) the extent to which the control for the process is shared;

c) the capability of achieving the necessary control through the application of clause 7.4.

Ensuring control over outsourced processes does not absolve the organization of the responsibility of conformity to all customer, statutory, and regulatory requirements.

Outsourcing a process to another organization typically involves the purchase of those services. As a result, the requirements of clause 7.4, including the controls mentioned in 7.4.1, apply to the supplier selected to perform the outsourced process.

4.2 Documentation Requirements
4.2.1 General

The requirement changes in 4.2.1 are basically just a restructuring of the sub-clauses c), d), and e).

c) documented procedures and records required by this International Standard, and
d) documents, including records, needed determined by the organization to be necessary to ensure the effective planning, operation and control of its processes, and
e) records required by this International Standard (see 4.2.4).

You can see that adding “records” to sub-clause c) allowed sub-clause e) to be dropped. Sub-clause d) has been expanded to include the necessary records.

The first Note for clause 4.2.1 has added two more sentences:

A single document may include the requirements for one or more procedures.
A requirement for a documented procedure may be covered by more than one document.

An example for the first sentence would be satisfying the requirements for documented procedures in 8.5.2, Corrective Action, and 8.5.3, Preventive Action, by one combined Corrective and Preventive Action procedure. An example for the second sentence would be splitting the required procedure for the Control of Documents into two separate documented procedures.

4.2.2 Quality Manual
The draft ISO 9001:2008 standard keeps the quality manual requirements the same.

4.2.3 Control of Documents
The first sentence of this clause in the draft standard still states that documents required by the quality management system are to be controlled. The only suggested change to clause 4.2.3 is shown below:

f) to ensure that documents of external origin determined by the organization to be necessary for the planning and operation of the quality management system are identified and their distribution controlled, and

The change in sub-clause (f) clarifies that not all external documents have to be identified and controlled; only those necessary for the planning and operation of the quality management system.

4.2.4 Control of Records
The opening sentence for clause 4.2.4 has expanded from records being “maintained” to having them “controlled”. Maintaining the records would be to simply keep them in good condition. Controlling the records means to regulate their use.

Records shall be established and maintained to provide evidence of conformity to requirements and of the effective operation of the quality management system shall be controlled.

Records shall remain legible, readily identifiable and retrievable.

The organization shall establish a documented procedure shall be established to define the controls needed for the identification, storage, protection, retrieval, retention time, and disposition of records.

Records shall remain legible, readily identifiable, and retrievable.

The requirement for a documented Record Control procedure was rewritten as shown above, but the content is basically the same. Note that “retention time” has been reduced to “retention”. And, you can see that records must still remain legible, readily identifiable, and retrievable. This text was just moved to the end of clause 4.2.4.

So, the changes to clause 4 in the draft ISO 9001 are primarily clarifications for improved understanding of the existing requirements.