JARO Thermal ISO9001 2015 internal auditor training 20170118

JARO ISO9001:2015
Internal Auditor Training
Ryan Chen
Jan. 16, 2017
Quality is the foundation of any business relationship

Outlines
1. ISO9001:2015 Quality Management System
2. The major new of ISO 9001: 2015
3. Skills for ISO9001:2015 internal Auditor
Quality is the shared responsibility within an organization
Quality is about process

Foreword
1. Scope
2. Normative references
3. Terms and definitions
4. Context of the organization
5. Leadership
6. Planning
7. Support
8. Operation
9. Performance evaluation
10. Improvement
ISO9001:2015 Quality Management System
Quality is about data

ISO (the International Organization for Standardization) is a worldwide federation of
national standards bodies (ISO member bodies).
The ISO 9000 family of quality management systems standards is designed to help
organizations ensure that they meet the needs of customers and stakeholders while
meeting statutory and regulatory requirements related to a product or program.
ISO 9000 deals with the fundamentals of quality management systems, including the
seven quality management principles upon which the family of standards is based.
ISO 9001 deals with the requirements that organizations wishing to meet the
standard must fulfill.
This fifth edition (ISO 9001:2015) cancels and replaces the fourth edition (ISO
9001:2008)
Foreword

It is a strategic decision for an organization to adopt a quality
management system to improve its overall performance and provide a
sound basis for sustainable development initiatives. The potential
benefits are:
a) providing qualified products and services consistently;
b) facilitating opportunities to enhance customer satisfaction;
c) addressing risks and opportunities associated with its context and objectives;
d) demonstrating conformity to specified ISO9001:2015 requirements.
This International Standard employs the process approach, which incorporates
the Plan-Do-Check-Act (PDCA) cycle and risk-based thinking.
Introduction -- General

Introduction -- What is Quality
Quality is meeting the requirements / expectations in service or product
that we were committed to.
Other definition:
-- the systematic pursuit of perfect/excellence;
-- doing always better, the right things;
-- do the right thing, by the right way, for right reason, at the first time;
-- what the customer says it is;
-- compliance to a specification;
-- meeting customer requirement;
-- the true value of worth of an entity;

Introduction -- 7 Quality management principles

Introduction -- Process approach
To control the interrelationships and interdependencies among the processes of
the system, so that the overall performance of the organization can be enhanced.
The application of the process approach in a QMS enables:
a) Understanding and consistency in meeting requirements;
b) The consideration of processes in terms of added value;
c) The achievement of effective process performance;
d) Improvement of processes based on evaluation of data and information.
Management of the processes and the system as a whole can be achieved by
using the PDCA cycle with an overall focus on Risk-based thinking aimed at
taking advantage of opportunities and preventing undesirable results.

Introduction -- Process approach

Introduction -- Plan-Do-Check-Act cycle
The PDCA cycle can be applied to all processes and to the quality management
system as a whole.
The PDCA cycle can be briefly described as follows:
— Plan: establish the objectives of the system and its processes, and the
resources needed to deliver results in accordance with customers’ requirements
and the organization’s policies, and identify and address risks and opportunities;
— Do: implement what was planned;
— Check: monitor and (where applicable) measure processes and the resulting
products and services against policies, objectives, requirements and planned
activities, and report the results;
— Act: take actions to improve performance, as necessary.

Introduction -- Plan-Do-Check-Act cycle

Introduction -- Risk-based thinking
Risk-based thinking is something we all do automatically and often sub-consciously.
The concept of risk is more explicit and built into the ISO9001:2015.
Risk-based thinking is already part of the process approach.
Risk – An undesirable situation or circumstance that has both a likelihood of
occurring and a potentially negative consequence.

Introduction -- Risk-based thinking
Organization needs to plan / implement actions to address risks & opportunities.
Addressing both risks and opportunities establishes a basis for increasing the
effectiveness of QMS, achieving improved results and preventing negative effects.
Opportunities can arise as a result of a situation favorable to achieving an
intended result, for example, a set of circumstances that allow the organization to
attract customers, develop new products and services, reduce waste or improve
productivity.
Risk is the effect of uncertainty and any such uncertainty can have positive or
negative effects.

1 Scope
The ISO 9001:2015 specifies requirements for a QMS when an organizations:
• Need to demonstrate its ability to consistently provide products or services that
meet customer and applicable statutory and regulatory requirements, and
• Aims to enhance customer satisfaction through the effective application of the
system, including processes for improvement of the system and the assurance of
conformity to customer and applicable statutory and regulatory requirements
2 Normative references
ISO9000:2015 Quality Management Systems – Fundamental and vocabulary

3 Terms and definitions
• ‘Product’ is replaced by Products and Services
• ‘Purchased Product’ --- Externally Provided Processes, Products and Services
• ‘Work Environment’ --- Environment for the Operation of Processes
Important terms:
 audit
 corrective action
 management system
 measurement
 objective
 policy
 quality
 customer
 product
 service
 design and development
 … …

The organization shall determine external and internal issues that are relevant to
its purpose and its strategic direction and that affect its ability to achieve the
intended result(s) of its quality management system.
The organization shall monitor and review information about these external and
internal issues.
Issues can include positive and negative factors or conditions for consideration.
4.1 Understanding the organization and its context
External factors can arise from legal, technological, competitive, market, cultural, social
and economic environments, whether international, national, regional or local.
Internal factors may be related to values, culture, knowledge and performance of the
organization

Due to their effect or potential effect on the organization’s ability to consistently
provide products and services that meet customer and applicable statutory and
regulatory requirements, the organization shall determine:
a) The interested parties that are relevant to the quality management system;
b) The requirements of these interested parties that are relevant to the QMS.
The organization shall monitor and review information about these interested
parties and their relevant requirements.
An ‘interested party’ is any person or organization that can affect, be affected by, or
perceive themselves to be affected by the decisions or activities of organization.
4.2 Understanding the needs and expectations of interested parties
shareholders, employees, contractors, customers, end users, suppliers, regulators,
neighbors, Non-Governmental Organization, Parent organizations … etc.

The organization shall determine the boundaries and applicability of the QMS.
When determining this scope, the organization shall consider:
a) The external and internal issues referred to in 4.1;
b) The requirements of relevant interested parties referred to in 4.2;
c) The products and services of the organization.
4.3 Determining the scope of the quality management system
The ‘not applicable’ shall not affect its ability to supply products or services which comply
with client requirements, or adversely affect its ability to enhance customer satisfaction.
The scope shall state the types of products and services covered, and provide justification
for any requirement of this International Standard that the organization determines is not
applicable to the scope of its quality management system.

The organization shall establish, implement, maintain and continually improve a QMS, including
the processes needed and their interactions.
The organization shall determine the processes needed for the QMS and shall:
a) determine the inputs required and the outputs expected from these processes;
b) determine the sequence and interaction of these processes;
c) determine and apply the criteria and methods (including monitoring, measurements and
performance indicators) needed to ensure the effective operation & control of the processes;
d) determine the resources needed for these processes and ensure their availability;
e) assign the responsibilities and authorities for these processes;
f) address the risks & opportunities as determined in accordance with the requirements of 6.1
g) evaluate these processes and implement any changes needed to ensure that these processes
achieve their intended results;
h) improve the processes and the quality management system.
4.4 Quality management system and its processes
Documented information shall be retained to have confidence that the processes are being carried out as planned.

5. Leadership
Top management shall demonstrate leadership and commitment with respect to the QMS by:
a) taking accountability for the effectiveness of the quality management system;
b) ensuring that the quality policy and quality objectives are established for the QMS and are
compatible with the context and strategic direction of the organization;
c) ensuring the integration of the QMS requirements into the organization’s business processes;
d) promoting the use of the process approach and risk-based thinking;
e) ensuring that the resources needed for the quality management system are available;
f) communicating the importance of effective quality management and of conforming to the QMS
requirements;
g) ensuring that the quality management system achieves its intended results;
h) engaging, directing and supporting persons to contribute to the effectiveness of the QMS;
i) promoting improvement;
j) supporting other relevant management roles to demonstrate their leadership as it applies to
their areas of responsibility.
5.1 Leadership and commitment -- General

5. Leadership
Top management shall demonstrate leadership and commitment with respect to
customer focus by ensuring that:
a) customer and applicable statutory and regulatory requirements are
determined, understood and consistently met;
b) the risks & opportunities that can affect the conformity of products & services
and the ability to enhance customer satisfaction are determined & addressed;
c) the focus on enhancing customer satisfaction is maintained.
5.1 Leadership and commitment -- Customer focus

5. Leadership
Top management shall establish, implement and maintain a quality policy that:
a) is appropriate to the purpose & context of the organization and supports its strategic direction;
b) provides a framework for setting quality objectives;
c) includes a commitment to satisfy applicable requirements;
d) includes a commitment to continual improvement of the quality management system.
5.2 Policy -- Establishing the quality policy
5.2 Policy -- Communicating the quality policy
The quality policy shall:
a) be available and be maintained as documented information;
b) be communicated, understood and applied within the organization;
c) be available to relevant interested parties, as appropriate. (such as available on website)
Quality Policy is an important document because it acts as the driver for the organization. It provides
the direction and formally establishes goals and commitment. Top management should ensure the
policy is appropriate and compatible with strategic direction.

6. Planning
When planning for the QMS, the organization shall consider the issues referred to in 4.1 and the
requirements referred to in 4.2 and determine the risks and opportunities that need to be
addressed to:
a) give assurance that the QMS can achieve its intended result(s);
b) enhance desirable effects;
c) prevent, or reduce, undesired effects;
d) achieve improvement.
6.1 Actions to address risks and opportunities
The organization shall plan:
a) actions to address these risks and opportunities;
b) how to:
1) integrate and implement the actions into its QMS processes (see 4.4);
2) evaluate the effectiveness of these actions.
Actions shall be proportionate to the potential impact on the conformity of products and services.
Options to address risks can include:
• Avoiding risk,
• Taking risk in order to pursue an opportunity,
• Eliminating the risk source,
• Changing the likelihood or consequences,
• Sharing the risk,
• Retaining risk by informed decision.
Risk registers is a well-established approach to manage risks and opportunities across the organization.
Need consider both its ‘context’ &
‘interested parties’ to integrate
the QMS into its business

6. Planning
The organization shall establish quality objectives at relevant functions, levels and processes
needed for the quality management system, the quality objectives shall:
a) be consistent with the quality policy;
b) be measurable;
c) take into account applicable requirements;
d) be relevant to conformity of products & services and to enhancing of customer satisfaction;
e) be monitored;
f) be communicated;
g) be updated as appropriate.
6.2 Quality objectives and planning to achieve them
When planning how to achieve its quality objectives, the organization shall determine:
a) what will be done; b) what resources will be required; c) who will be responsible;
d) when it will be completed; e) how the results will be evaluated.
Organizations will have to demonstrate that the personnel to whom responsibility for quality objectives has been
given are aware of what their responsibilities are and have been given the resources to achieve those objectives.

6. Planning
When the organization determines the need for changes to the QMS, the
changes shall be carried out in a planned manner (see 4.4).
The organization shall consider:
a) the purpose of the changes and their potential consequences;
b) the integrity of the quality management system;
c) the availability of resources;
d) the allocation or reallocation of responsibilities and authorities.
6.3 Planning of changes

7. Support
The organization shall determine and provide the resources needed for the
establishment, implementation, maintenance and continual improvement of
the QMS. The organization shall consider:
a) The capabilities of, and constraints on, existing internal resources;
b) What needs to be obtained from external providers.
7.1 Resources -- 7.1.1 General
The organization shall determine & provide the persons necessary for the effective
implementation of its QMS and for the operation and control of its processes.
7.1 Resources -- 7.1.2 People
The organization needs to take into account both internal & external resource requirements & capabilities.

7. Support
The organization shall determine, provide and maintain the infrastructure
necessary for the operation of its processes and to achieve conformity of
products and services. Infrastructure can include:
a) Buildings and associated utilities;
b) Equipment, including hardware and software;
c) Transportation resources;
d) Information and communication technology.
7.1 Resources -- 7.1.3 Infrastructure

7. Support
The organization shall determine, provide and maintain the environment
necessary for the operation of its processes and to achieve conformity of
products and services.
A suitable environment can be a combination of human and physical factors,
such as:
a) Social (e.g. non-discriminatory, calm, non-confrontational);
b) Psychological (e.g. stress-reducing, burnout prevention, emotionally protective);
c) Physical (e.g. temperature, heat, humidity, light, airflow, hygiene, noise).
These factors can differ substantially depending on the products and services
provided.
7.1 Resources -- 7.1.4 Environment for the operation of processes

7. Support
The organization shall determine and provide the resources needed to ensure
valid and reliable results when monitoring or measuring is used to verify the
conformity of products and services to requirements.
7.1 Resources -- 7.1.5 Monitoring and measuring resources -- General
The organization shall ensure that the resources provided are
a) suitable for the specific type of monitoring & measurement activities being undertaken;
b) maintained to ensure their continuing fitness for their purpose.
The organization shall retain appropriate documented information as evidence of fitness
for purpose of the monitoring and measurement resources.
There is now a greater emphasis on monitoring and measuring ‘resources’ rather than just equipment.
In this context, resources would include personnel, training, workplace environment, etc.

7. Support
7.1 Resources -- 7.1.5 Monitoring and measuring resources
-- Measurement traceability
When measurement traceability is a requirement, or is considered by the
organization to be an essential part of providing confidence in the validity of
measurement results, measuring equipment shall be:
a) Calibrated or verified, or both, at specified intervals, or prior to use, against measurement
standards traceable to international or national measurement standards; (when no such standards
exist, the basis used for calibration or verification shall be retained as documented information);
b) Identified in order to determine their status;
c) Safeguarded from adjustments, damage or deterioration that would invalidate the
calibration status and subsequent measurement results.
The organization shall determine if the validity of previous measurement results has been adversely
affected when measuring equipment is found to be unfit for its intended purpose, and shall take
appropriate action as necessary.

7. Support
7.1 Resources -- 7.1.6 Organizational knowledge
The organization shall determine the knowledge necessary for the operation of
its processes and to achieve conformity of products and services.
This knowledge shall be maintained and be made available to the extent necessary.
When addressing changing needs and trends, the organization shall consider its current
knowledge and determine how to acquire or access any necessary additional knowledge and
required updates.
NOTE 1 Organizational knowledge is knowledge specific to the organization; it is generally gained by
experience. It is information that is used and shared to achieve the organization’s objectives.
NOTE 2 Organizational knowledge can be based on:
a) Internal sources (e.g. intellectual property; knowledge gained from experience; lessons learned
from failures and successful projects; capturing and sharing undocumented knowledge and
experience; the results of improvements in processes, products and services);
b) External sources ( e.g. standards; academia; conferences; gathering knowledge from customers
or external providers).

7. Support
The organization shall:
a) Determine the necessary competence of person(s) doing work under its control that
affects the performance and effectiveness of the QMS;
b) Ensure that these persons are competent on the basis of appropriate education,
training, or experience;
c) Where applicable, take actions to acquire the necessary competence, and evaluate the
effectiveness of the actions taken;
d) Retain appropriate documented information as evidence of competence.
Applicable actions can include -- the provision of training to, the mentoring of, or the
reassignment of currently employed persons; or the hiring or contracting of competent persons
7.2 Competence
Now this apply to all/any personnel ‘under its control’ that affect the organization's performance. This
will include any sub-contract, as well as anyone undertaking outsourced processes and functions.

7. Support
The organization shall ensure that persons doing work under the organization’s
control are aware of:
a) The quality policy;
b) Relevant quality objectives;
c) Their contribution to the effectiveness of the QMS, including the benefits of improved
performance;
d) The implications of not conforming with the QMS requirements.
7.3 Awareness
‘Under the organization’s control’ means including any sub-contract, as well as anyone undertaking
outsourced processes and functions.

7. Support
The organization shall determine the internal and external communications
relevant to the quality management system, including:
a) on what it will communicate;
b) when to communicate;
c) with whom to communicate;
d) how to communicate;
e) who communicates.
7.4 Communication
Changes in the QMS should be communicated appropriately to interested parties and should identify
appropriate levels of re-training.
Mechanisms for communication could include; meetings, notice boards, in-house publications,
awareness raising seminars, toolbox talks, intranet, email, etc.

7. Support
The organization’s quality management system shall include:
a) Documented information required by this International Standard;
b) Documented information determined by the organization.
7.5 Documented information -- 7.5.1 General
When creating & updating documented information, the organization shall ensure appropriate
a) Identification and description (e.g. a title, date, author, or reference number);
b) Format (e.g. language, software version, graphics) and media (e.g. paper, electronic);
c) Review and approval for suitability and adequacy.
7.5 Documented information -- 7.5.2 Creating and updating
The extent of documented information for a QMS can differ from one organization to another due to:
— the size of organization and its type of activities, processes, products and services;
— the complexity of processes and their interactions;
— the competence of persons.
“documented information” now replaces the previously used terms “documented procedure” & “records”.

7. Support
Documented information required by shall be controlled to ensure:
a) It is available and suitable for use, where and when it is needed;
b) it is adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity).
7.5 Documented information -- 7.5.3 Control of documented information
At the same time, the organization shall address the following activities, as applicable:
a) distribution, access, retrieval and use;
b) storage and preservation, including preservation of legibility;
c) control of changes (e.g. version control);
d) retention and disposition.
Documented information of external origin needed shall be identified as appropriate, and be controlled.
Documented information retained as evidence of conformity shall be protected from unintended alterations.
Access can imply -- the permission to view the documented information only, or to view and change it.

8. Operation
Shall plan, implement and control the processes (see 4.4) needed to meet the requirements for
the provision of products and services, and to implement the actions determined in Clause 6, by:
a) Determining the requirements for the products and services;
b) Establishing criteria for:
1) the processes; 2) the acceptance of products and services;
c) Determining the resources needed to achieve conformity to the product & service
requirements;
d) Implementing control of the processes in accordance with the criteria;
e) Determining, maintaining and retaining documented information to the extent necessary:
1) to have confidence that the processes have been carried out as planned;
2) to demonstrate the conformity of products and services to their requirements.
8.1 Operational planning and control
The organization shall control planned changes and review the consequences of unintended changes, taking
action to mitigate any adverse effects, as necessary, and shall ensure that outsourced processes are controlled
The processes mentioned here
include the outsourced processes.

8. Operation
Communication with customers shall include:
a) Providing information relating to products and services;
b) Handling enquiries, contracts or orders, including changes;
c) Obtaining customer feedback relating to products and services, including
customer complaints;
d) Handling or controlling customer property;
e) Establishing specific requirements for contingency actions, when relevant.
8.2 Requirements for products and services
- 8.2.1 Customer communication
Organizations will need to demonstrate that they have a controlled methodology in place for
communicating with clients and that these processes are systematically and consistently carried out.

8. Operation
When determining the requirements for the products and services to be offered
to customers, the organization shall ensure that:
a) The requirements for the products and services are defined, including:
1) any applicable statutory and regulatory requirements;
2) those considered necessary by the organization;
b) The organization can meet the claims for the products and services it offers.
- 8.2.2 Determining the requirements for products and services
Any claims made about products and services shall can be proved or demonstrated, and the claim
includes direct communication with clients, technical product information, marketing materials, etc.

8. Operation
Shall ensure that it has the ability to meet the requirements for products & services, and
shall conduct a review before committing to supply products & services, to include:
a) Requirements specified by the customer, including for delivery and post-delivery
b) Requirements not stated by the customer, but necessary for the specified or intended use, when
known;
c) Requirements specified by the organization;
d) Statutory and regulatory requirements applicable to the products and services;
e) Contract or order requirements differing from those previously expressed.
- 8.2.3 Review of the requirements for products and services
*Shall ensure that contract or order requirements differing from those previously defined are resolved.
*The customer’s requirements shall be confirmed by the organization before acceptance, when the
customer does not provide a documented statement of their requirements.
The organization shall retain documented information, as applicable:
a) on the results of the review; b) on any new requirements for the products and services.

8. Operation
- 8.2.4 Changes to requirements for products and services
The organization shall ensure that relevant documented information is amended, and
that relevant persons are made aware of the changed requirements, when the
requirements for products and services are changed.
The details of changes to requirements and review of those changes has to be retained as documented
information

8. Operation
8.3 Design and development of products and services
The organization shall establish, implement and maintain a design and development
process that is appropriate to ensure the subsequent provision of products and services
- 8.3.2 Design and development planning
In determining the stages & controls for design & development, organization shall consider:
a) The nature, duration and complexity of the design and development activities;
b) The required process stages, including applicable design and development reviews;
c) The required design and development verification and validation activities;
d) The responsibilities and authorities involved in the design and development process;
e) The internal and external resource needs for the design and development of products and services;
f) The need to control interfaces between persons involved in the design and development process;
g) The need for involvement of customers and users in the design and development process;
h) The requirements for subsequent provision of products and services;
i) The level of control expected for the design & development process by customers and other parties;
j) The documented information needed to demonstrate meeting design & development requirements.
- 8.3.1 General

8. Operation
- 8.3.3 Design and development inputs
Shall determine the requirements essential for the specific types of products and
services to be designed and developed. The organization shall consider:
a) Functional and performance requirements;
b) Information derived from previous similar design and development activities;
c) Statutory and regulatory requirements;;
d) Standards or codes of practice that the organization has committed to implement;
e) Potential consequences of failure due to the nature of the products and services.
* Inputs shall be adequate for design & development purposes, complete & unambiguous.
* Conflicting design and development inputs shall be resolved.
* Shall retain documented information on design and development inputs.

8. Operation
- 8.3.4 Design and development controls
Shall apply controls to the design and development process to ensure that:
a) The results to be achieved are defined;
b) Reviews are conducted to evaluate the ability of the results of design and development
to meet requirements;
c) Verification activities are conducted to ensure that the design and development
outputs meet the input requirements;
d) Validation activities are conducted to ensure that the resulting products and services
meet the requirements for the specified application or intended use;
e) Any necessary actions are taken on problems determined during the reviews, or
verification and validation activities;
f) Documented information of these activities is retained.
Design & development reviews, verification & validation have distinct purposes. They can be conducted
separately or in any combination, as is suitable for the products and services of the organization.

8. Operation
- 8.3.5 Design and development outputs
The organization shall ensure that design and development outputs:
a) Meet the input requirements;
b) Are adequate for the subsequent processes for the provision of products and services;
c) Include or reference monitoring and measuring requirements, as appropriate, and
acceptance criteria;
d) Specify the characteristics of the products and services that are essential for their
intended purpose and their safe and proper provision.
The organization shall retain documented information on design and development outputs.

8. Operation
- 8.3.6 Design and development changes
The organization shall identify, review and control changes made during, or subsequent to,
the design and development of products and services, to the extent necessary to ensure
that there is no adverse impact on conformity to requirements.
The organization shall retain documented information on:
a) Design and development changes;
b) The results of reviews;
c) The authorization of the changes;
d) The actions taken to prevent adverse impacts.

8. Operation
8.4 Control of externally provided processes, products and services
Shall ensure that externally provided processes, products & services conform to requirements.
Shall determine the controls to be applied to externally provided processes, products & services
when:
a) Products and services from external providers are intended for incorporation into the
organization’s own products and services;
b) Products and services are provided directly to the customer(s) by external providers on
behalf of the organization;
c) A process, or part of a process, is provided by an external provider as a result of a decision
by the organization.
- 8.4.1 General
The organization shall determine and apply criteria for the evaluation, selection, monitoring of
performance, and re-evaluation of external providers, based on their ability to provide processes or
products and services in accordance with requirements.
The organization shall retain documented information of these activities and any necessary actions
arising from the evaluations.

8. Operation
The organization shall ensure that externally provided processes, products and services do
not adversely affect the organization’s ability to consistently deliver conforming products
and services to its customers.
a) Ensure that externally provided processes remain within the control of its QMS;
b) Define both the controls that it intends to apply to an external provider and those it intends
to apply to the resulting output;
c) Take into consideration:
1) the potential impact of the externally provided processes, products and services on the
organization’s ability to consistently meet customer and applicable legal requirements;
2) the effectiveness of the controls applied by the external provider;
d) Determine the verification, or other activities, necessary to ensure that the externally
provided processes, products and services meet requirements.
- 8.4.2 Type and extent of control
Not all external providers
have the same impact on
the final product/service

8. Operation
The organization shall ensure the adequacy of requirements prior to their communication
to the external provider.
The organization shall communicate to external providers its requirements for:
a) The processes, products and services to be provided;
b) The approval of:
1) products and services;
2) methods, processes and equipment;
3) the release of products and services;
c) Competence, including any required qualification of persons;
d) The external providers’ interactions with the organization;
e) Control & monitoring of the external providers’ performance to be applied by the
organization;
f) Verification or validation activities that the organization, or its customer, intends to perform
at the external providers’ premises.
- 8.4.3 Information for external providers

8. Operation
8.5 Production and service provision
The organization shall implement production and service provision under controlled
conditions. Controlled conditions shall include, as applicable:
a) The availability of documented information that defines:
1) the characteristics of the products to be produced, the services to be provided, or the
activities to be performed;
2) the results to be achieved;
b) The availability and use of suitable monitoring and measuring resources;
c) The implementation of monitoring and measurement activities at appropriate stages to
verify that criteria for control of processes or outputs, and acceptance criteria for products
and services, have been met;
d) The use of suitable infrastructure and environment for the operation of processes;
e) The appointment of competent persons, including any required qualification;
- 8.5.1 Control of production and service provision

8. Operation
…, Controlled conditions shall include, as applicable:
f) The validation, and periodic revalidation, of the ability to achieve planned results of the
processes for production and service provision, where the resulting output cannot be
verified by subsequent monitoring or measurement;
g) The implementation of actions to prevent human error;
h) The implementation of release, delivery and post-delivery activities.
- 8.5.1 Control of production and service provision
- 8.5.2 Identification and traceability
The organization shall use suitable means to identify outputs when it is necessary to ensure
the conformity of products and services.
The organization shall identify the status of outputs with respect to monitoring and
measurement requirements throughout production and service provision.
The organization shall control the unique identification of the outputs when traceability is a
requirement, and shall retain the documented information necessary to enable traceability.

8. Operation
• The organization shall exercise care with property belonging to customers or external
providers while it is under the organization’s control or being used by the organization.
• The organization shall identify, verify, protect and safeguard customers’ or external
providers’ property provided for use or incorporation into the products and services.
• When the property of a customer or external provider is lost, damaged or otherwise found
to be unsuitable for use, the organization shall report this to the customer or external
provider and retain documented information on what has occurred.
- 8.5.3 Property belonging to customers or external providers
- 8.5.4 Preservation
The organization shall preserve the outputs during production and service provision, to
the extent necessary to ensure conformity to requirements.
Preservation can include identification, handling, contamination control, packaging,
storage, transmission or transportation, and protection.
Include materials, components, tools & equipment, premises, intellectual property & personal data

8. Operation
Shall meet requirements for post-delivery activities associated with the products & services.
In determining the post-delivery activities that are required, the organization shall consider:
a) statutory and regulatory requirements;
b) the potential undesired consequences associated with its products and services;
c) the nature, use and intended lifetime of its products and services;
d) customer requirements;
e) customer feedback.
- 8.5.5 Post-delivery activities
- 8.5.6 Control of changes
The organization shall review and control changes for production or service provision, to
the extent necessary to ensure continuing conformity with requirements.
Shall retain documented information describing the results of the review of changes, the
person(s) authorizing the change, and any necessary actions arising from the review.
Post-delivery activities can include actions under warranty provisions, contractual obligations such
as maintenance services, and supplementary services such as recycling or final disposal
(in a controlled manner)

8. Operation
8.6 Release of products and services
The organization shall implement planned arrangements, at appropriate stages, to verify
that the product and service requirements have been met.
The release of products and services to the customer shall not proceed until the planned
arrangements have been satisfactorily completed, unless otherwise approved by a relevant
authority and, as applicable, by the customer.
The organization shall retain documented information on the release of products and
services. The documented information shall include:
a) Evidence of conformity with the acceptance criteria;
b) Traceability to the person(s) authorizing the release.

8. Operation
8.7 Control of nonconforming outputs
The organization shall ensure that outputs that do not conform to their requirements are
identified and controlled to prevent their unintended use or delivery.
The organization shall take appropriate action based on the nature of the nonconformity
and its effect on the conformity of products and services. This shall also apply to
nonconforming products and services detected after delivery of products, during or after
the provision of services.
Shall deal with nonconforming outputs in one or more of the following ways:
a) correction;
b) segregation, containment, return or suspension of provision of products and services;
c) informing the customer;
d) obtaining authorization for acceptance under concession.
Conformity to requirements shall be verified when nonconforming outputs are corrected.
Options can include scrapping, supplying under concession, alternative uses, product rework or recall

8. Operation
8.7 Control of nonconforming outputs
The organization shall retain documented information that:
a) Describes the nonconformity;
b) Describes the actions taken;
c) Describes any concessions obtained;
d) Identifies the authority deciding the action in respect of the nonconformity.

9.1 Monitoring, measurement, analysis and evaluation
The organization shall determine:
a) What needs to be monitored and measured;
b) The methods for monitoring, measurement, analysis and evaluation needed to ensure valid results;
c) When the monitoring and measuring shall be performed;
d) When the results from monitoring and measurement shall be analyzed and evaluated.
The organization shall evaluate the performance and the effectiveness of the QMS.
The organization shall retain appropriate documented information as evidence of the results.
- 9.1.1 General
- 9.1.2 Customer satisfaction
The organization shall monitor customers’ perceptions of the degree to which their needs
and expectations have been fulfilled. The organization shall determine the methods for
obtaining, monitoring and reviewing this information.
Examples can include customer surveys, customer feedback on delivered products and services,
meetings with customers, market-share analysis, compliments, warranty claims and dealer reports.

9.1 Monitoring, measurement, analysis and evaluation
The organization shall analyze and evaluate appropriate data and information arising from
monitoring and measurement.
The results of analysis shall be used to evaluate:
a) Conformity of products and services;
b) the degree of customer satisfaction;
c) the performance and effectiveness of the quality management system;
d) if planning has been implemented effectively;
e) the effectiveness of actions taken to address risks and opportunities;
f) the performance of external providers;
g) the need for improvements to the quality management system.
Methods to analyze data can include statistical techniques
- 9.1.3 Analysis and evaluation
As a minimum, analysis should be performed in relation to customers, product conformance,
processes and supplier performance.

9.2 Internal audit
Shall conduct internal audits at planned intervals to provide information on whether QMS:
a) Conforms to:
1) the organization’s own requirements for its quality management system;
2) the requirements of this International Standard;
b) is effectively implemented and maintained.
a) plan, establish, implement and maintain an audit programme including the frequency,
methods, responsibilities, planning requirements and reporting, which shall take into
consideration the importance of the processes concerned, changes affecting the
organization, and the results of previous audits;
b) define the audit criteria and scope for each audit;
c) select auditors & conduct audits to ensure objectivity & impartiality of the audit process;
d) ensure that the results of the audits are reported to relevant management;
e) take appropriate correction and corrective actions without undue delay;
f) retain documented information as evidence of the implementation and the audit results.

9.3 Management review
Top management shall review the QMS, at planned intervals, to ensure its continuing
suitability, adequacy, effectiveness and alignment with the strategic direction.
The management review inputs shall take into consideration:
a) the status of actions from previous management reviews;
b) changes in external and internal issues that are relevant to the QMS;
c) information on the performance and effectiveness of the QMS, including trends in:
1) customer satisfaction and feedback from relevant interested parties;
2) the extent to which quality objectives have been met;
3) process performance and conformity of products and services;
4) nonconformities and corrective actions;
5) monitoring and measurement results;
6) audit results;
7) the performance of external providers;
d) the adequacy of resources;
e) the effectiveness of actions taken to address risks and opportunities (see 6.1);
f) opportunities for improvement.
These broader organizational issues (organizational
context and actions to address risks & opportunities)
shall be integrated into the review process.

9.3 Management review
The management review outputs shall include decisions and actions related to:
a) opportunities for improvement;
b) any need for changes to the quality management system;
c) resource needs.
Documented information as evidence of the results of management reviews shall
be retained

10. Improvement
10.1 General
The organization shall determine & select opportunities for improvement and implement
any necessary actions to meet customer requirements and enhance customer satisfaction.
These shall include:
a) Improving products and services to meet requirements as well as to address future
needs and expectations;
b) Correcting, preventing or reducing undesired effects;
c) Improving the performance and effectiveness of the QMS.
Improvement can include correction, corrective action, continual improvement,
breakthrough change, innovation and re-organization.

10. Improvement
10.2 Nonconformity and corrective action
When a nonconformity occurs, including any arising from complaints, the organization shall:
a) React to the nonconformity and, as applicable:
1) take action to control and correct it; 2) deal with the consequences;
b) Evaluate the need for action to eliminate the cause(s) of the nonconformity, in order that
it does not recur or occur elsewhere, by:
1) reviewing and analyzing the nonconformity;
2) determining the causes of the nonconformity;
3) determining if similar nonconformities exist, or could potentially occur;
c) Implement any action needed;
d) Review the effectiveness of any corrective action taken;
e) Update risks and opportunities determined during planning, if necessary;
f) Make changes to the quality management system, if necessary.
Corrective actions shall be appropriate
to the effects of the nonconformities
encountered with considering both the
type and level of risk
The organization shall retain documented information as evidence of:
a) the nature of the nonconformities and any subsequent actions taken;
b) the results of any corrective action.

10. Improvement
10.3 Continual improvement
The organization shall continually improve the suitability, adequacy and effectiveness of the
quality management system.
The organization shall consider the results of analysis and evaluation, and the outputs from
management review, to determine if there are needs or opportunities that shall be
addressed as part of continual improvement.
Improvement does not have to take
place in all areas of the business at the
same time. Focus should be relevant to
risks and benefits. Improvement can be
incremental (small changes) or
breakthrough (new technology).

The major new of ISO 9001: 2015
1. Adoption of the Annex SL framework and core text.
2. Organization’s ‘context’ and associated internal and external issues
3. Major differences in terminology between ISO 9001:2008 and ISO 9001:2015
4. Highlight/emphasize potential risks and opportunities.
5. Top management need to show the direct leadership in QMS. No ISO M.R.
6. Risk based approach to determine type & extent of control external providers.
7. ‘Documented Information’ – no more Quality Manual, Procedures or Records.
8. Organizational knowledge

1. Adoption of the Annex SL framework and core text.
Note: other management system have the same Annex SL framework and core text:
(ISO14001 Environmental / OHSAS 18001 Occupation Health and Safety …)

The ‘context’ of the organization refers to the combination of internal and external factors
and conditions that can have an effect on an organization's approach to its products and/or
services. The design & implementation of QMS will be influenced by its context.
External factors can arise from legal, technological, competitive, market, cultural, social
and economic environments, whether international, national, regional or local.
Internal factors is related to values, culture, knowledge & performance of the organization

Internal and External Issues
• Key economic and market development which can impact on the organization; your
organization is probably acutely aware of what is happening in its markets but it may
be undertaken in a very ad-hoc way
• Technological innovations and developments; this is also an area critical to your
business success and is also probably being monitored and discussed at numerous
levels
• Regulatory developments; a whole range of external regulations are being monitored
by your organization. If you miss them then it could seriously damage your business,
or if you capture early intelligence on them, you could realize better opportunities.
• Political and other instabilities; if for example you rely on raw materials from one
particular country which experiences major instability, your whole business could be
jeopardized; or if there are major ethical concerns regarding a source of materials or
goods
• Organizational culture and attitudes; an effective and motivated workforce will give
you positive impacts, and many organizations canvas feedback from employees

3. Major differences in terminology between ISO 9001:2008 and ISO 9001:2015
Risk-based thinking
Organizational knowledge

4. Highlight/emphasize potential risks and opportunities
This is a new requirement which obliges organizations to identify those risks and
opportunities (considering external and internal issues that are relevant to its context, as
well as the needs of interested parties) that have the potential to impact (negatively or
positively) on the operation and performance of their QMS. In order to:
• Ensure that its management system can achieve its intended outcome(s)
• Prevent, or reduce, undesired effects
• Achieve improvement
Based on the results of this assessment, organizations then have to:
• Take action to address any risks and opportunities identified
• Integrate and implement these actions into their QMS processes
• Evaluate the effectiveness of the actions taken
Note: A well-established approach already implemented by many organizations is the use
of risk registers, which if properly managed and implemented can effectively manage risks
and opportunities across a wide range of areas and issues.

4. Highlight/emphasize potential risks and opportunities

5. Top management need to show the direct leadership in QMS. No ISO M.R.
Top management are now required to demonstrate a greater direct involvement in
the organisation’s QMS and remove the need for a ‘Management Representative’;
Top management must show leadership rather than just demonstrate commitment.
Top management can’t just effectively delegate the responsibility for QMS to M.R.
The standard is driving the oversight of the QMS to the highest level and making it a
key component of the organization and its core business processes and activities.

6. Risk based approach to determine type & extent of control external providers.
When defining the controls to be applied to external providers themselves and to
the products and services they supply, the organizations shall consider:
• The potential impact of the externally provided processes, products and services on
the organization's ability to …..
• The perceived effectiveness of the controls applied by the external providers themselves.
(Not all suppliers have the same impact on the final product/service)

7. ‘Documented Information’ – no more Quality Manual, Procedures or Records.
The extent of documented information required is due to:
• The size of organization and its type of activities, processes, products & services
• The complexity of processes and their interactions
• The competence of organizational personnel.
The “documented information” need to be controlled, including adequate
protection “...from loss of confidentiality, improper use, or loss of integrity”.
Control of ‘access’ to documented information -- view or view and change.
Organizations need think where documented information is critical for the QMS.

8. Organizational knowledge.
The organizations need to determine and maintain the knowledge obtained by the
organization (including its personnel) to ensure that it can achieve conformity of
products and services.
This knowledge needs to be maintained and made available where and when
necessary. It is up to the organization to decide how to do this.
When planning changes to its QMS or operational activities, an organization is
required to assess whether its existing organizational knowledge is sufficient to
satisfactorily manage these changes or if it needs to obtain additional knowledge
and take steps to get it if necessary.

Concepts and Principles
Processes of Audit
Documents of Audit
Audit Skills
Auditor Tips
Skills for ISO9001:2015 Internal Auditor
A – Achieve / Accurate
U – Up to date
D – Diligent (hard working)
I – Intelligent / Impartial / Independent
T – Tactful / Transparent
O – Objectives / Honest
R -- Responsible

1 . Audit –
A systematic, independent and documented process for obtaining audit
evidence and evaluating it objectively to determine the extent to which
audit criteria are fulfilled.
• First part audit – internal audit
• Second part audit – customer audit
• Third part audit – independent organization audit
(second part audit and third part audit are belong to external audit)

Conduct audits per audit schedule
Contact appropriate personnel in the area being audited to establish specific
date/time and agenda for audit
Review information related to the area being audited
Prepare a checklist of questions to guide the audit process
Collect objective evidence to support audit findings
Report the results of the audit in a timely manner
Organize verification of corrective actions to audit non-conformances
2. Auditor Responsibilities –

Adequacy – are the requirements of the quality system standard recognized and
addressed/understood?
Conformance – are we consistently following our system as defined?
Effectiveness – are we meeting requirements/objectives and satisfying our
customers by following our system?
Continual Improvement – are we striving to increase the capability of achieving
requirements/objectives of systems towards enhancing customer satisfaction?
3. Four Audit Evaluators –

Requirement is not being followed
Reactive opportunity to improve the QMS
Audit nonconformance report provides record of current condition to allow
comparison after action is taken.
4. Audit nonconformance

Purpose of process must be clearly understood, (objectives)
Desired outcome from process must be defined, (goals)
Process outcomes must be measured, (results)
Individual processes and their objectives should relate to overall QMS quality
objectives.
5. Challenges of Auditing for Effectiveness

Opening Meeting
Conduct Audit
Auditor Team Meeting
Closing Meeting
Reporting
Follow up after Audit
Processes of Audit

To confirm:
Audit objectives, scope, criteria, plan,…
Method of reporting
Conditions on which the audit can be terminated
Appeal mechanism
Processes of Audit -- Opening Meeting

Identify the items/finding that they consider should be reported
and check that they have sufficient evidence
Collects and discusses all the nonconformities to be raised
Decides whether major, minor or observation
Checks on conformity and good points
Allocates writing of NCR’s
Processes of Audit -- Auditor Team Meeting

To reiterate/repeat the audit basis
• Audit objectives, scope, criteria
To report:
• Audit coverage (against plan)
• Audit findings
• Overall comments
• Audit conclusions
To Confirm
• Follow-up agenda
Processes of Audit -- Closing Meeting

Follow-up audit: to close out audit findings
Verify completion of agreed corrective actions
Verify effectiveness of agreed corrective actions
Processes of Audit -- Follow-up after audit

Audit Plan
Audit Plan is a detailed time schedule for who will conduct what activities for
a single audit
Identify all the key processes and activities and allocate the time to audit
Audit Checklists
Checklists guide the auditor through the audit and to cover all the main
points
Useful as a record of the topics covered as auditors can put comments
against each point
Documents of Audit

Audit Report
Audit basis (objective, scope, criteria, time/duration, auditors)
Audit finding
Audit team’s overall comments, including:
 Strength/Concerned areas/Areas for further improvement
 Audit team’s recommendation
 Follow-up agenda
Documents of Audit

Process Auditing
Audit skill

Questioning sequence
Who
When
What
Where
How
What if
Why
How good, how frequent
Any correction, any improvement
Audit Skills

Questioning techniques
Open questions (please describe…)
Closed questions (Do/Have you …; yes or no ?)
Leading questions (is it correct ?)
Hypothetical questions (what if ?)
Repeat questions
Short silence
Audit Skills

Evidence verification
Fact-finding
Examine all related processes
Evaluate it objectively (against audit criteria)
Weighing of audit findings
Risk Level
Probability of recurrence
Consequence
Audit Skills

To get effective corrective action
Helps people understand the problem.
Acts as starting point for problem solving.
Formula for documenting Non-conformances
 Concern – what condition was identified during audit;
 Requirement – defines “what should be” (based on requirements of
ISO9001, customers, quality manual, procedure, instructions)
 Evidence – supports non-fulfillment of requirement;
Example:
From the STAR system, the technical drawing of XXX could not be linked,
as per requirement of XXX, technical drawing shall be linked from STAR.
The Purpose of Writing a Nonconformance
Audit Skills

Actions taken to eliminate the causes of a detected nonconformance
to prevent recurrence.
Manager of the area where nonconformance was identified is
responsible for these actions
 Fix it, (correction)
 Investigate why it happened, (root cause analysis)
 Implement actions to prevent it from happening again (prevention)
 Evaluate results and verify that actions taken do prevent
nonconformance from happening again (effectiveness)
Corrective/Preventive Action
Audit Skills

Case study - 1
In the audit of a food manufacturer, the auditor noticed 6 cans of an
unknown product in an unmarked box under the production line. The
cans were unmarked and the operator told the auditor that they were
left from the previous shift and he thought they might be reject beans.

During an audit of internal audits, you are shown internal audit reports
from the last audit. These include a non-conformity report stating that 3
people in the purchasing department had not been trained in the use of
the approved supplier list. The corrective action taken was to train the 3
members of staff. The audit report has been closed. The management
representative tells you that no further investigation was made, as the
corrective action was obvious. The internal auditor had checked the
training records of the staff concerned before closing the reports.
Case study - 2

In the Purchasing Department the auditor asks how the new
subcontractor for PAF items was selected. The purchasing clerk
explains that the regular supplier could not meet the delivery date and
the order was placed with a subcontractor, which they had never used
before, only because the price quoted was extremely low. The clerk
states that no other evaluation was conducted.
Case study - 3

During an audit at the packaging area the auditor encountered the
operator not following the procedure OP 18 issue 7 for packing. He
was using different component polythene T2 to those specified in the
instruction and required by the customer specification. T2 made from
cardboard. The operator informed the auditor that he was acting on the
verbal instruction of the supervisor whilst they were temporally out of
that component. The working instruction was issued by the Production
Manager and no amendments had been produced.
Case study - 4

During an audit management review activities you notice from the minutes
of management review meetings that the meetings are not attended by
any of the top management team. When you query this, the management
representative tells you that management review has evolved into a two-
tier process, as it was proving so difficult to get all of the departmental and
top managers available at the same time. The process is now that
departmental managers meet and conduct the first level of management
review. The management representative prepares a summary report
including actions and recommendations. This is passed round each of the
top management team for comment, and the Managing Director finally
agrees the action plan.
Case study - 5

JARO Thermal ISO9001 2015 internal auditor training 20170118

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (20)

Similar to JARO Thermal ISO9001 2015 internal auditor training 20170118

Similar to JARO Thermal ISO9001 2015 internal auditor training 20170118 (20)

Recently uploaded

Recently uploaded (20)

JARO Thermal ISO9001 2015 internal auditor training 20170118