Iso TS 9002 - 2016-En
Iso TS 9002 - 2016-En
Iso TS 9002 - 2016-En
SPECIFICATION ISO/TS
TECHNIQUE 9002
First edition
Official translation 2016-11-01
Official translation
Official translation
Reference number
ISO/TS 9002:2016(official translation)
© ISO 2016
Machine Translated by Google
Foreword
ISO (International Organization for Standardization) is a global federation of national standards bodies (ISO
member bodies). The work of preparing international standards is normally carried out through ISO technical
committees. Each member body interested in a subject for which a technical committee has been established
has the right to be represented on said committee. International organizations, public and private, in coordination
with ISO, also participate in the work. ISO collaborates closely with the International Electrotechnical Commission
(IEC) on all matters of electrotechnical standardization.
Part 1 of the ISO/IEC Directives describes the procedures used to develop this standard and for its
subsequent maintenance. In particular, note should be taken of the different approval criteria required for
different types of ISO documents. This standard was written in accordance with the editorial rules of Part 2
of the ISO/IEC Directives. www.iso.org/directives.
Attention is drawn to the possibility that some elements of this document may be subject to patent rights.
ISO assumes no responsibility for the identification of any or all patent rights. Details on any patent rights
identified during the development of this standard are indicated in the introduction and/or in the ISO list of
patent declarations received. www.iso.org/patents.
Any trade names used in this standard are information provided for the user's convenience and do not constitute
a recommendation.
For an explanation of the meaning of ISO-specific terms and expressions related to conformity assessment, as
well as information on ISO's adherence to the World Trade Organization (WTO) principles regarding Technical
Barriers to Trade (OTC), see the following address: http://www.iso.org/iso/foreword.html.
The committee responsible for this standard is ISO/TC 176, Quality management and assurance , Subcommittee
SC 2, Quality systems.
Argentina, Bolivia, Brazil, Chile, Colombia, Costa Rica, Cuba, Ecuador, Spain, United States of America,
Honduras, Mexico, Peru and Uruguay.
Likewise, representatives of COPANT (Pan American Technical Standards Commission) and INLAC (Latin
American Quality Institute) participate in the aforementioned Working Group.
This translation is part of the result of the work that the ISO/TC 176 Group has been developing since its
creation in 1999 to achieve the unification of terminology in the Spanish language in the field of quality
management.
CONTENT
Introduction ................................................. .................................................. ............................................... 5
Introduction
This document has been developed to help users implement the quality management system requirements of
ISO 9001:2015 Quality management systems – Requirements.
This document provides guidance, with section-by-section correspondence to Chapters 4 to 10 of ISO
9001:2015, but does not provide guidance for Annexes A and B of ISO 9001:2015. When there is a direct
correspondence between list elements (i.e. points) of a section of ISO 9001:2015 and the guidance, it is
indicated within the section of this document.
This document provides examples of what an organization can do, but does not add new requirements to ISO
9001. The examples in this document are not definitive and only represent possibilities, not all of which are
necessarily suitable for all organizations.
The ISO 9001 Standard contains requirements that can be audited or evaluated objectively. This document
includes examples, descriptions and options that help both implement a quality management system and
strengthen its relationship with the organization's overall management system. Although the guidelines in this
document are consistent with the quality management systems model of ISO 9001, they are not intended to
provide interpretations of the requirements of ISO 9001 or to be used for audit or evaluation purposes.
Since the requirements of ISO 9001 are generic, this document can be used by organizations of all types, sizes,
maturity levels, sectors and geographic locations. However, the way in which an organization applies the
guidance may vary depending on factors such as the size or complexity of the organization, the management
model it adopts, the range of the organization's activities, and the nature of the risks and opportunities. that you
find.
Risk is the level of uncertainty inherent in a quality management system. Risks exist in all systems, processes
and functions. Risk-based thinking ensures that these risks are determined, considered and controlled
throughout the design and use of the quality management system.
Risk-based thinking has been implicit in previous editions of ISO 9001 in requirements such as determining the
type and extent of control over external suppliers depending on the effect of the product to be provided, or
taking corrective action depending on the effect. potential for an identified nonconformity.
Furthermore, in previous editions of the ISO 9001 Standard, a chapter on preventive actions has been included.
When using risk-based thinking the consideration of risk is integral. This becomes proactive instead of reactive
in order to prevent or reduce unwanted effects through early identification and action. Preventive actions are
integrated when a management system is risk-based.
Not all processes in a quality management system represent the same level of risk in terms of the organization's
ability to meet its quality objectives. Some require more thorough and formal planning and control than others.
There is no requirement in ISO 9001 to use formal risk management to determine and address risks and
opportunities. The organization can choose the methods that suit its needs. The IEC 31010 Standard provides
a list of risk assessment tools and techniques that may be considered, depending on the context of the
organization.
In some cases, the organization may already have a formal risk management process required by customers
or legal and regulatory requirements. In such circumstances, the organization may adapt its formal risk
management process to meet the intent of the ISO 9001 requirements regarding risks and opportunities.
In addition to Annex A of ISO 9001:2015, ISO has published several quality management standards and other
information resources that can assist the user and provide information on additional implementation methods,
including:
— the ISO Manual: ISO 9001:2015 for Small Enterprises – What to do? Advice from ISO/ TC 176
2. Normative references
The rules indicated below are essential for the application of this rule. For dated references, only the cited
edition applies. For undated references, the latest edition of the standard (including any modifications to it)
applies.
ISO 9000:2015, Quality management systems — Fundamentals and vocabulary
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
The intent of this section is to understand the external and internal issues that are relevant to the purpose and
strategic direction of the organization, and that can affect, both positively and negatively, the organization's
ability to achieve the intended results of its system. of quality management. The organization should be aware
that external and internal issues can change, and therefore should be monitored and reviewed. The organization
could conduct reviews of its context at planned intervals and through activities such as management review.
Information on external and internal issues can be found in many sources, such as through documented
information and internal meetings, in the national and international press, websites, publications of national
statistical offices and other government departments, professional and technical publications. , conferences and
meetings with relevant agencies, meetings with clients and relevant stakeholders, and professional associations.
Examples of external and internal issues relevant to the organization's context may include, but are not limited to:
1) economic factors such as exchange rates, the economic situation, the inflation forecast, the
credit availability;
4) technological factors such as new technology in the sector, new materials and equipment in the sector, the
patent expiration, the professional code of ethics;
6) legal and regulatory factors that affect the work environment (see section 7.1.4 of the
ISO 9001:2015 Standard), such as regulation of unions and regulations related to a
industry;
2) resource factors, such as infrastructure (see section 7.1.3 of the ISO Standard
9001:2015), environment for the operation of the processes (see section 7.1.4 of the ISO Standard
9001:2015), organizational knowledge (see section 7.1.6 of ISO 9001:2015);
5) factors in the governance of the organization, such as rules and procedures for making decisions
or the organizational structure.
At a strategic level, tools such as the analysis of Weaknesses, Threats, Strengths and Opportunities and the Political,
Economic, Social, Technological, Legal and Ecological analysis can be used. A simple approach, such as
brainstorming and “what if” questions, can be useful for organizations depending on the size and complexity of their
operations.
The intention of this section is to ensure that the organization takes into account the relevant requirements of
relevant stakeholders, not limited to those of its direct customers. The intent is to focus only on those relevant
stakeholders who can impact the organization's ability to provide compliant products and services. Although the ISO
Standard
9001 does not state directly, the organization can consider and rely on its external and internal issues (see section
4.1 of ISO 9001:2015) to determine its relevant stakeholders.
The list of relevant stakeholders may be unique to the organization. The organization may develop criteria to
determine relevant interested parties by considering their:
EXAMPLE 1 The following is a non-exhaustive list of some examples of relevant stakeholders that the
organization may consider relevant:
- customers;
— end users or beneficiaries;
- external suppliers;
— employees and other persons working on behalf of the organization;
— legal and regulatory authorities (local, regional, national or international);
To understand the needs and expectations of relevant stakeholders, various activities and methods can be carried
out, including working with those responsible for the processes, or using methods that allow the collection of
information. Methods include but are not limited to:
— review of orders received;
— market surveillance;
EXAMPLE 2 Examples of relevant stakeholder requirements include, but are not limited to:
The information resulting from these activities should be taken into account when planning the quality management
system (see Chapter 6 of ISO 9001:2015).
The organization should be aware that the relevant stakeholders and their relevant requirements may be different for
different products and services provided, and may change due to unforeseen circumstances or voluntary reactions to
markets.
The organization should have robust systems in place to track and review the relevant requirements of its
stakeholders. Monitoring and review can be done using organizational processes related to customer requirements,
the design and development of products and services, and (at a more strategic level) during management review.
The intent of this section is to determine the boundaries of the quality management system so that it is defined in a
way that helps the organization meet the requirements and intended results of the system.
For points a) to c) of section 4.3 of ISO 9001:2015, the scope should be established on the basis of:
a) external and internal issues, as determined by the requirements of section 4.1 of the ISO Standard
9001:2015;
When determining the scope, the organization should also establish the limits of the quality management
system, taking into account issues such as:
All requirements of ISO 9001 are considered applicable unless they have no effect on the organization's
ability to provide a product or service that meets the requirements or on improving the satisfaction of its
customers.
When determining the application of the requirements of ISO 9001, the organization should take into account
each individual requirement, and not simply decide that an entire chapter is not applicable. Sometimes some
of the requirements may be applicable in a chapter, or all of the requirements in a chapter may or may not be
applicable.
The scope should be maintained as documented information. The scope should include details of the products
and services covered. This documented information may be maintained by any method that the organization
determines meets its needs, such as a manual or a website.
4.4.1 The intention of this section is for the organization to determine the processes necessary for its quality
management system in accordance with ISO 9001. This includes not only the processes for the production
and provision of services, but also the processes necessary for the effective implementation of the system,
such as internal audits, management review and others (including processes performed by external providers).
For example, if the organization determines the need for a process to track and measure resources, the
process will need to meet the requirements of section 7.1.5 of ISO 9001:2015. The level at which processes
need to be determined and detailed may vary depending on the context of the organization and the application
of risk-based thinking –
taking into consideration the degree to which the process affects the organization's ability to achieve its
intended results, the likelihood that problems with the process will occur, and the potential consequences of
such problems.
A process is a set of interrelated or interacting activities that use inputs to provide intended results. For points
a) to h) of section 4.4.1 of the ISO 9001:2015 Standard:
a) the organization should determine the required inputs and expected outputs of its processes; the
inputs required by the processes should be taken into account from the point of view of what is
required for the implementation of the process as planned; planned departures should be
taken into account from the point of view of what customers expect or subsequent processes; the tickets
and outputs can be tangible (e.g., materials, components, or equipment) or intangible (e.g.,
b) when determining the sequence and interaction of these processes, the links with
the inputs and outputs of the previous and subsequent processes; methods for providing details of the
sequence and interaction of processes depend on the nature of the organization; can be used
different methods, such as preserving or maintaining documented information (for example, process maps
or flowcharts), or a simpler approach, such as a verbal explanation of the sequence and interaction
of the processes;
c) to ensure that processes are effective (i.e., provide planned results), the
organization should determine and apply process control criteria and methods; the criteria for
monitoring and measurement could be process parameters, or specifications for products and services;
performance indicators should relate to monitoring and measurement, or can relate
with the objectives (criteria) of the quality of the organization; Other methods of indicating performance
include but are not limited to reports, diagrams or the results of audits;
d) the organization should determine the resources necessary for the processes, such as people,
infrastructures, environment for the operation of processes, organizational knowledge, and resources
monitoring and measurement (see section 7.1 of ISO 9001:2015); considerations about the
Resource availability should include the capabilities and constraints of internal resources
existing and those that can be obtained from external suppliers;
e) the organization should assign responsibilities and authorities for its processes by determining
first the activities of the process and then determining the people who will perform the activity;
Responsibilities and authorities can be established in documented information such as diagrams
organizational structures, documented procedures, operational policies and job descriptions, or
using a simple verbal instruction approach;
f) the organization should ensure that all necessary actions are implemented to address the
risks and opportunities associated with the processes (see section 6.1 of ISO 9001:2015);
g) the organization should take into account performance data obtained by reviewing the
established criteria for monitoring and measurement; analyze and evaluate this data; and implement
any changes necessary to ensure that these processes achieve their intended results
systematic way;
h) the organization may use the results of the analysis and evaluation to determine management actions.
necessary improvements; Improvements can be made at the process level (for example, reducing variations in
the way an activity is performed) or at the level of the quality management system (e.g.
reducing paperwork associated with the system, allowing people to focus more on managing
the processes).
4.4.2 The intention of this section is to ensure that the organization determines the extent of documented information
that is needed.
Documented information is information that requires to be controlled and maintained by the organization as well as
the medium that contains it.
The appropriate person (e.g., process owner, process output owner, person controlling the process) should review
the information that is used to make the process perform to consistently provide the intended outputs. For information
(e.g., procedures, work instructions, visual aids, information and communication systems, drawings, specifications,
metrics, reports, Key Performance Indicators (KPIs), meeting minutes, representative samples , conversations
verbal) is used, a value analysis/review needs to be carried out to support the process. The result will be the decision
of what information is
will be treated as documented information. For example, when top management conducts strategic planning,
it could consult and review relevant information on the Internet, such as reports on the current and future
status of the organization's industry sector, developed by government agencies and other relevant parties.
This information should not be considered documented information as it is available in the public domain.
Instead, a business plan that includes quality objectives, risks and opportunities and strategies among other
relevant elements (for example, the mission, vision and values and a process map of the organization) would
need to be considered as documented information.
It is up to the organization to specify the different types of documented information necessary to support the
operation of its processes and its quality management system. When determining the type and degree of
documented information needed, the organization should evaluate its own needs and apply risk-based
thinking. You should also take into account your size, activities, types of products or services, complexity of
your processes, resources, etc., as well as the potential consequences of failures.
conformities.
Although ISO 9001 specifies the use of documented information in several of its requirements, the organization
may need to have additional documented information (such as documented procedures, web pages, work
instructions, manuals, regulations, standards, forms, guides, computer programs, applications on phones) to
control the operation of your processes.
Some of the organization's documented information will need to be periodically reviewed and modified to keep
it up to date. ISO 9001 uses the phrase “maintain documented information” in reference to this type of
documented information.
Other documented information needs to be retained unchanged (unless a correction is authorized) to
demonstrate conformance and to have confidence that processes are carried out as planned, or to demonstrate
whether or not requirements are being met (often reference is made to this type of
information documented as a “record”). The ISO 9001 Standard uses the phrase “preserve information
documented” in reference to this type of documented information. This type of documented information
is frequently related to customer requirements, legal and regulatory requirements, or
the organization's own requirements for retaining documented information.
5. Leadership
5.1.1. Generalities
The intention of this section is to ensure that senior management demonstrates leadership and commitment
by taking an active role in engaging, encouraging and ensuring, communicating and monitoring the performance
and effectiveness of the quality management system. The ways it can be applied are based on several factors,
such as the size and complexity of the organization, management style, and organizational culture.
For an organization, "senior management" may include, for example, the chief executive officer, the managing
director, the general manager, the president, the board of directors, the executive directors, the managing
partners, the sole proprietor, the partners and senior managers. Top management has the power to delegate
authority and provide resources within the organization. If the scope of the management system covers only a
part of an organization, then top management refers to those who direct and control that part of the organization.
Each organization has different needs and its own specific solution, which will be decided by senior
management. It is important for senior management to ensure that quality management system processes are
integrated with their business processes.
For points a) to j) of section 5.1.1 of ISO 9001:2015, this includes:
a) that senior management makes it clear that they understand and are accountable for the effectiveness
of the quality management system by taking responsibility for their activities, and being able to explain the
results that are achieved; and although certain authorities and responsibilities (see section 5.3 of ISO
9001:2015) can be delegated, accountability remains at senior management;
b) ensure that the quality policy (see section 5.2 of ISO 9001:2015) and quality objectives (see section 6.2
of ISO 9001:2015) are established taking into account the strategic direction and the context of the
organization; The quality policy and quality objectives could be established or reviewed during regular
senior management meetings, such as those for strategic planning or management review purposes;
c) ensure that the organization's quality management system processes are integrated and managed within
its overall business processes, and are not addressed as add-on or conflicting activities;
d) promote process approach and risk-based thinking, for example, ensuring effective interaction between
processes, with a systematic approach designed to achieve effective flow of inputs and outputs and
cooperation in addressing risks and opportunities;
e) track current and projected workload and schedules to ensure that appropriate quality management
system resources (people, tools, equipment, etc.) are provided when and where they are needed. need;
f) communicate, through internal meetings, email, personal conversations, the organization's intranet, etc.,
the value and benefits of the quality management system and adherence to its requirements;
g) ensure that the quality management system achieves its intended results by tracking its outputs; At
times, actions may be required to correct or improve system processes or its components, and senior
management should ensure that any necessary actions are appropriately allocated and resourced;
h) engage, direct and support people in the organization to contribute to the effectiveness of the quality
management system, communicating with them (see section 7.4 of ISO 9001:2015); This could include
senior management serving as the project leader when improvements are needed, and encouraging
employees and others to participate as members of improvement teams;
i) promote improvement while ensuring that information and recommendations from audits and other
evaluations and management reviews (see section 9.3 of ISO 9001:2015) are communicated to responsible
persons (which may also help demonstrate the value and benefits of improvements);
j) provide support and guidance to individuals in other relevant management positions, to help them
demonstrate leadership as applicable to their own areas of influence; This could include guiding and
supporting them in making specific decisions that help the organization better meet requirements, or drive
improvements where necessary.
Effective leadership and commitment can lead to a better understanding by people in the organization of
how they contribute to the quality management system, which can help the organization consistently
achieve its intended results.
The intent of this section is to ensure that senior management visibly demonstrates leadership and commitment to
keeping the organization focused on meeting customer requirements and improving customer satisfaction.
Customers are generally the people or organizations who purchase products and services from the organization;
However, they can also be individuals or organizations such as citizens, clients, patients, students, etc. who are
recipients of the organization's products and services.
Senior management needs to ensure that effective processes are established to determine customer requirements
and legal and regulatory requirements related to the organization's products and services, and that these
requirements are understood. In many cases, focusing on on-time delivery performance and customer complaints
can provide insight into actions that may be necessary to achieve or improve customer satisfaction.
Top management needs to ensure that appropriate actions are implemented to address risks and opportunities, so
that intended results are consistently achieved; If these are not achieved, then a Plan-Do-Check-Act (PHVA)
approach should be followed to ensure that responsibilities are assigned to implement further improvements, until
customer needs and expectations are met.
Top management can focus on improving customer satisfaction using the results of the analysis and evaluation of
customer satisfaction data (see section 9.1.2 of ISO 9001:2015).
As a result of this analysis, top management could direct a change in the organization's customer-related processes
and operations, including resource allocation.
5.2. Policy
The intention of this section is to ensure that a quality policy is established that is aligned with the strategic direction
of the organization, including the organization's general understanding of what quality means to it and its customers.
The quality policy describes the intentions and direction of the organization as formally expressed by top
management.
For points a) to d) of section 5.2.1 of ISO 9001:2015, the established quality policy should:
b) provide a framework for setting objectives (which implies that any statement in
quality policy should be measurable);
c) provide a commitment to the organization by satisfying applicable requirements, such as the requirements of the
client or legal and regulatory;
In order to establish the quality policy, inputs such as the following can be taken into account:
—a clear understanding of the organization's context, including the current performance of its management system
and the needs and expectations of its relevant stakeholders;
—the strategic direction of the organization, based on its mission, vision, guiding principles and core values;
—the level and type of future improvements necessary for the organization to be successful;
The intention of this section is to ensure that the quality policy is communicated to all people in the
organization, that everyone understands and applies it, so that they are able to contribute to the effectiveness
of the quality management system, and that is available to relevant interested parties.
The organization should ensure that the quality policy is readily available and maintained as documented
information. In order to maintain the quality policy, the organization should review it periodically to determine
whether it remains appropriate for the organization's purpose.
This could be done, for example, as part of the management review process (see section 9.3 of ISO
9001:2015).
The organization needs to ensure that the quality policy is clearly understood throughout the organization.
This can be achieved by taking into account the awareness (see section 7.3 of ISO 9001:2015) and
communication requirements (see section 7.4 of ISO 9001:2015) of people at different levels of the
organization. The quality policy can be communicated in different ways, such as through communication
boards, screen savers, the organization's website, or during routine meetings.
The organization should make the quality policy, as appropriate, available to relevant interested parties, such
as external suppliers, partners, customers, and regulatory agencies. This can be done on demand, or by
publishing the quality policy on a web page.
The intention of this section is for senior management to assign relevant roles in relation to the quality
management system, in order to ensure effectiveness and achievement of planned results. Senior
management will need to establish specific responsibilities and authorities for roles, and ensure that people
in the organization understand and are aware of their assignments through effective communication activities.
Responsibilities and authorities may be assigned to one or more people. They should be able to make
decisions and make changes in the area and/or processes to which they have been assigned. It is essential
to emphasize that although authority can be delegated, overall responsibility and accountability for the quality
management system is maintained by top management.
For points a) to e) of section 5.3 of ISO 9001:2015, responsibilities and authorities should be assigned for the
following:
a) ensure that the quality management system meets the requirements of ISO 9001 for
specific roles, such as internal auditors, or for management review;
b) ensure that processes are providing their intended outputs; this action could be assigned
more than one person, each of whom would have different responsibilities, such as doing the
Monitor quality objectives, determine if processes are achieving their results
planned, or carry out internal audits;
c) present reports on the performance of the quality management system; this presentation of
Reporting is typically carried out as part of the management review process (see
section 9.3 of ISO 9001:2015); responsibility could be assigned to one person to coordinate
reporting, with other people taking responsibility for reporting on
specific processes of the quality management system;
e) maintain the integrity of the quality management system when changes are made such as
implementation of a new enterprise resource planning (ERP) system, the decision to
outsourcing the design and development process, growth due to new business opportunities
market, organizational restructuring, a merger or acquisition; This responsibility is assigned
typically to the people responsible for ensuring that the quality management system is maintained,
and who have the ability to ensure that changes are not planned without taking into account their impacts
potentials.
In some organizations there may be a limited number of people available with the necessary competence to carry
out the required tasks; It might be helpful to plan for shared roles and responsibilities. Such plans are valuable
during vacations, when managers are not on site, or in cases of accident or illness.
Top management should determine how relevant roles, responsibilities and authorities are communicated. This
could be done by using relevant documented information, for example, job descriptions, work instructions,
statements of duties, organizational charts, manuals, procedures.
6. Planning
6.1.1 The intent of this section is to ensure that when quality management system processes are planned, the
organization determines its risks and opportunities and plans actions to address them. Its purpose is to prevent
nonconformities, including nonconforming results, and to determine opportunities that could improve customer
satisfaction or achieve the organization's quality objectives.
When determining the risks and opportunities of the quality management system, external and internal issues
should be taken into account (see section 4.1 of ISO 9001:2015) as well as the requirements of relevant interested
parties (see section 4.2 of the ISO 9001:2015 Standard). Examples of the risks of the quality management system
not achieving its objectives include that processes, products and services will not meet its requirements, or that the
organization will not achieve customer satisfaction.
Examples of opportunities include the potential to identify new customers, to determine the need for new products
or services and bring them to market, or to determine the need to revise or replace a process by introducing new
technology in order to make it more efficient.
When examining its opportunities, the organization should first determine and evaluate the potential quality
management system risks associated with them; The results should be used when making decisions about whether
to implement them or not.
For points a) to d) of section 6.1.1 of ISO 9001:2015, when determining its risks and opportunities the organization
should focus on:
a) provide confidence that the quality management system can achieve its intended results;
b) improve desirable effects, and in the creation of new possibilities (improving the efficiency of its
activities, developing or applying new technologies, etc.);
d) achieve improvements to ensure the conformity of products and services and increase customer satisfaction.
customer.
This is adopting a risk-based thinking approach and the organization should consider the
Applying this approach to the processes required for your quality management system.
There are no requirements in ISO 9001 for the use of formal risk management (as in ISO 31000) in determining
and addressing risks and opportunities. The organization can choose the methods that suit its needs. The IEC
31010 Standard provides a list of risk assessment tools and techniques that can be taken into account,
depending on the context of the organization.
When determining risks and opportunities, the organization may consider using the outputs of techniques such
as Weaknesses, Threats, Strengths and Opportunities analysis or Political, Economic, Social, Technological,
Legal and Ecological analysis. Other approaches may include techniques such as Failure Mode and Effects
Analysis; Failure Modal Analysis, Effects and Criticality; or Hazard Analysis and Critical Control Points. It is up
to the organization to decide what methods or tools it should use. Simpler approaches include techniques such
as brainstorming, structured “what if” questioning, and more.
(Structured What If Technique, SWIFT) and consequences/probability matrices.
Applying risk-based thinking can also help the organization develop a proactive and preventive culture focused
on doing things better and improving the way it works overall.
There are several situations in which risks and opportunities should be considered, for example, in strategic
meetings, management review, internal audits, different types of quality meetings, meetings to establish quality
objectives, phases of planning for the design and development of new products and services, and the planning
phases of production processes.
6.1.2 The intention of this section is to ensure that the organization plans actions to address the determined
risks and opportunities (see section 6.1.1 of ISO 9001:2015), implements the actions, analyzes and evaluates
the effectiveness of the actions taken. Actions should be based on the potential impact on product and service
conformity or customer satisfaction, and need to be incorporated into both the quality management system and
its processes, as appropriate. For example, if the organization has a single source supplier for a critical raw
material, then it should consider investing in developing a new source.
The actions the organization can take to address risks depend on the nature of the risk, for example:
a) avoid the risk, ceasing to carry out the process in which the risk may be found;
b) eliminate the risk, for example by using documented procedures to help people in the
organization with less experience;
c) taking the risk of pursuing an opportunity, such as investing in new capital equipment to
launching a product line where the return on investment is unknown;
EXAMPLE Examples of actions to address opportunities include adopting new technologies and seeking new
customers or markets.
d) share the risk, for example, working with the client to facilitate the advance purchase of
e) take no action, when the organization accepts its own risk, based on its effect
potential or in the cost of necessary actions.
The organization may take into account the need for documented information on risks and opportunities,
both for its quality management system and for its processes (see section 4.4.1 of ISO 9001:2015).
6.2.1 The intention of this section is to ensure that the organization establishes quality objectives and plans
appropriate actions to achieve them.
Quality objectives should be established at relevant functions, levels and processes, as appropriate, to
ensure the effective deployment of the organization's strategic direction and its quality policy. For example,
quality objectives could be established at an operational level, for the purchasing function or the design
process.
For points a) to g) of section 6.2.1 of ISO 9001:2015, the quality objectives should:
a) be consistent with the quality policy, that is, by establishing quality objectives, the organization
you need to use the quality policy as input; For example, if the organization has established in its
quality policy exceed customer expectations, then you could have a quality objective that
relates to on-time delivery or customer complaints;
b) be measurable, for example, specifying a period or a defined quantity that needs to be achieved; he
Quality objective can be measured using not only quantitative but also qualitative methods (e.g.
example, performance levels for a service);
d) be relevant to the conformity of products and services and improve customer satisfaction; by
For example, specifying the functionality or performance needed for a product such as
delivery on time and complete (On Time and In Full, OTIF), or defining a service level agreement;
e) be subject to monitoring and/or review with respect to the progress made in achieving the objectives
of quality; This could be carried out in any suitable way, including progress reports,
customer feedback or management reviews, among others;
g) updated as appropriate; it is necessary to take into account potential or actual changes that may
impact the ability to achieve quality objectives, and take action as necessary
to ensure that new issues or requirements are addressed.
Quality objectives should be established and measured using appropriate techniques, such as SMART
(i.e., establishing quality objectives that are Specific, Measurable, Attainable, Relevant and Time-bound),
balanced scorecards, or dashboards; Quality objectives should be updated or added as necessary to reflect
any changes implemented.
When setting quality objectives, the organization should also take into account factors such as its capabilities
and constraints, customer feedback, and other market issues.
EXAMPLE At the service delivery/customer interface or on the production line, quality objectives can be very simple
and direct, e.g.
— a transportation organization that operates a bus service could establish a target for the percentage of buses that
will operate on the scheduled schedule within the limits;
— at a production site, the target output per hour can be set with the maximum acceptable rejection level;
— in a hair salon, at a time when all staff are busy, a person can be assigned to greet new clients; The goal here may
be that "within one minute customers are welcomed and their requirements determined."
The organization needs to maintain documented information about quality objectives. Examples of places
where an organization may choose to keep information documented include, but are not limited to, business
plans, balanced scorecards, dashboards, intranets, and communication dashboards.
6.2.2 The intention of this section is to plan actions so that the organization achieves its quality objectives.
b) ensure that sufficient resources are made available (see Chapter 7 of the ISO Standard
9001:2015);
c) determine who is responsible for achieving specific quality objectives (this may be a team or
department instead of a single person);
d) decide when an action will be completed;
The evaluation of results (see section 9.1.3 of ISO 9001:2015) on the achievement of specific quality
objectives may be part of management review, performance appraisals, or carried out by others. means
such as project management with proposed delivery timelines, KPIs, or ongoing reviews or feedback
meetings.
The intent of this section is to determine the need for changes to the organization's quality management
system in order to adapt to changes in the business environment, as well as to ensure that any proposed
changes are planned, introduced and implemented appropriately. a controlled manner.
Planning a change appropriately can help avoid negative consequences such as rework, or cancellation or
postponement of a service; It can also lead to positive consequences such as reducing non-compliant
outputs, or reducing incidents due to human error. The purpose of planning changes is to maintain the
integrity of the quality management system and the organization's ability to continue providing conforming
products and services during the change. The organization should consider actions that could reduce the
potential for negative impacts of the change, such as beginning by testing the change before full
implementation, or determining what actions to take if the change is not successfully implemented.
Applying risk-based thinking can help determine the actions necessary to plan changes to the quality
management system. The organization should take into account the
availability of resources and the assignment or reassignment of responsibilities necessary for any change.
This could be done by assigning people to a team to manage the change, or by delaying the change until the
appropriate resources are available.
The need for changes to the quality management system can be determined in many different ways, for
example, as part of management review of audit results, reviews of non-conformities, analysis of complaints,
analysis of process performance, changes in context, or the changing needs of customers or other relevant
stakeholders.
The need for change may arise, for example, from the transfer of production lines from one location to another,
from changing process methods to improve trends in non-conforming outputs, from using new information and
communications technologies ( ICT) for a service or process, outsourcing important processes, people in key
roles leaving the organization (due to retirement or medical reasons), or moving to online order management.
The organization should evaluate the impact of these changes on the quality management system, and take
necessary actions to prevent undesired effects. This can range from applying project management approaches
to establishing performance trials and validation of new processes and systems as pilots before they are
implemented. The level of planning and action required will vary depending on the potential consequences of
the change.
To help plan for change, examples of actions the organization can take include:
a) with the introduction of new programs for order management, the organization could plan
performance and validation tests, and run both the old and new systems together
for a limited time to ensure that the new system operates as intended before
adopt it fully;
b) when deciding to establish a new office for the provision of services in a new geographical area, the
organization might choose to apply formal project management techniques.
7. Support
7.1. Resources
7.1.1. Generalities
The intention of this section is to ensure that the organization provides the necessary resources for the
establishment, implementation, maintenance and continuous improvement of the quality management system,
and for its effective operation.
When determining what resources need to be provided, the organization should consider the current
capabilities of its internal resources (e.g., people, team capacity, organizational knowledge) and any potential
constraints (e.g., budget, number of resources, schedule). .
During resource determination, the organization may consider a cost versus benefit analysis for the provision
of these resources, using risk-based thinking. A decision should then be made about the resources needed,
including those contracted externally, and the necessary actions taken to ensure that the necessary resources
are provided; This applies to sections 7.1.1 to 7.1.6 of ISO 9001:2015.
7.1.2. People
The intention of this section is to ensure that the organization has the adequate human resources needed for the
operation and control of its processes and the effective implementation of the quality management system. The
current workload and competence of relevant persons to carry out functions and roles in the quality management
system (e.g. operational activities, audits, inspections, testing, investigation of complaints) should be taken into
account.
When determining the people needed, the organization should use “risk-based thinking” and take into account the
responsibilities and authorities that have been designated for specific processes.
The organization may decide to recruit additional people or use an external provider, in which case the organization
should consider factors such as the need for additional training, the establishment of service level agreements, or
audits of service providers to ensure that the necessary performance. Full consideration should be given to
competency requirements (see section 7.2 of ISO 9001:2015).
7.1.3. Infrastructure
The intention of this section is to ensure that the organization has the necessary facilities, equipment and services
to consistently provide its customers with compliant products and services on a consistent basis.
The actions of “determine,” “provide,” and “maintain” refer to three different activities that could be performed by
different organizational processes or functions. For example, those responsible for a particular process might
determine specific infrastructure requirements, the purchasing process will acquire and provide the infrastructure,
and activities will need to be established to maintain it (such as equipment maintenance, housekeeping, or IT
upgrades). information, periodic testing of information and communications systems, or periodic inspections of
facilities and equipment).
Infrastructure can have a critical effect on achieving product and service compliance.
The organization is required to:
a) determine the infrastructure necessary for the effective operation of its processes and to achieve its objectives.
expected results;
— resources to manage the noise level in a factory so that operators can hear the noise
The intention of this section is to ensure that the organization determines and provides the necessary
environment for the operation of its processes, to facilitate the provision of compliant products and services.
When determining the environment for the operation of processes, input from interested parties should be
taken into account. For example, a regulatory authority might have established specific requirements for
cleaning the work environment to prevent contamination.
Requirements for the process environment can vary greatly depending on the type of product and service
supplied. In some cases the process environment only needs to address physical issues such as temperature,
lighting, hygiene, ventilation, noise, etc. In other circumstances, physical issues such as cleanliness may be a
critical factor, for example in the manufacturing of computer circuits, which requires clean room environments.
In some cases, human factors may be critical in the process, and should therefore be taken into account when
determining the environment for the operation of the processes, for example, avoiding high workloads and
stress (to prevent potential errors, mental exhaustion , or workplace harassment) for employees, and providing
information (for example, about waiting times for service areas) for customers.
Other factors may also need consideration, such as social and psychological issues. For example, human
factors such as fostering a learning environment in a preschool educational institution; maintain a mediation
service in an appropriate environment in order to avoid confrontations; allow sufficient rest time to prevent
accidents, for example by limiting the number of flying hours of pilots or limiting the driving hours of those
involved in providing transport and distribution services.
It is not intended that an occupational health and safety management system or an environmental management
system will be formally implemented to meet the requirements of section 7.1.4 of ISO 9001:2015 unless they
are appropriate.
Once determined, the environment for the operation of the processes should be adequately maintained and
controlled as necessary.
7.1.5.1. Generalities
The intent of this section is to ensure that the organization determines and provides appropriate resources to
ensure valid and reliable monitoring and measurement results when assessing the conformity of the
organization's products and services.
The necessary monitoring and measurement resources change greatly depending on the types of products
and services provided by the organization and the processes established for the quality management system.
In some cases, a simple check or trace will be enough to determine the status. In other cases a measurement
will be necessary, and this may require measuring equipment that needs to be verified and/or calibrated.
Monitoring involves critical observation, supervision and verifications to determine the quantitative or qualitative
status (or both) of an activity, process, product or service. It can be a simple check to ensure that the correct
quantity is there or that the order is complete; a meter that indicates that something is correct; listening to a
conversation between the customer and the call center (“your call may be tracked for quality purposes”), or
asking questions during the call
provision of a service, such as a waiter asking the customer if they are satisfied with the food and the
service provided.
Measurement takes into account the determination of quantity, magnitude, or dimension using appropriate
measurement resources. This may include the use of calibrated or verified equipment that is traceable to a
national or international measurement standard. For services, it may include the use of known and validated
models for service feedback, for example, social services models.
The organization needs to consider how critical monitoring and measurement is when determining the
conformity of its products and services.
When determining the criticality of monitoring and measurement to ensure valid results, the organization
should determine what needs to be monitored and/or measured for its processes, products and services.
The organization should then determine the resources necessary for this monitoring and measurement,
ensuring their suitability for what is required.
Documented information should be available to demonstrate the fitness for purpose of the selected
monitoring and measurement resources. This may include schedules outlining the frequency with which
verifications are necessary to ensure valid results, or information demonstrating traceability to a national
standard or any alternative basis used.
In some cases an expert may be required to assess whether products and services are being provided
correctly, for example a chef in a restaurant, or a social worker to assess the provision of foster care, or a
medical professional for health services. In some cases it is necessary to develop a tool that is used to
confirm compliance with requirements, such as a rubric or marking scheme used to score an exam.
The intent of this section is to ensure that the organization provides traceability measures when a
requirement or when the organization determines that it is necessary to have confidence in the validity of
the measurement results.
If measuring equipment is used to verify conformity to requirements and provide confidence in the validity
of measurement results, the organization should take into account the way in which the measuring
equipment is verified and/or calibrated, controlled, stored , use and maintain.
The calibration/verification status should be identified (e.g. whether the measuring equipment has been
calibrated/verified, and if so, to what extent and until when it can be used). This identification could be on
the measuring equipment itself, in its container, or done through other administrative means such as the
use of a unique identifier for the equipment that can be cross-referenced with a database. Measuring
equipment with adjustable calibration features should be protected to prevent accidental changes in
calibration status. This can be done with an anchor or by covering the adjustment section to prevent
disturbance by fingers or tools.
In situations where the calibration status could be affected due to vibration or shock, the equipment should
be protected by methods such as custom enclosure or packaging.
Measurement systems may also include the combination of computer programs and other devices, such as
fuel pumps or signals to control process parameters. In these cases, the organization should consider the
fitness for purpose of the entire measurement system.
The establishment of calibration schedules and maintenance checks for measuring equipment should be
considered based on the risks and criticality of the measurements when determining the conformity of
products and services.
If the measurement equipment is found to be unfit for its intended purpose, the potential impact on
compliance with measurement requirements should be reviewed and appropriate action taken.
Actions may include checking a sample of the affected product to determine if it meets the
criteria of acceptance.
The results of such a review may also indicate that no action is required, or, alternatively, that a service needs to be
provided again, that stocked products need to be investigated, or that relevant customers need to be informed, or
even that withdraw a product.
The level of actions required depends on the conformity of the products and services.
The intention of this section is to maintain the knowledge that the organization determines is necessary for the
operation of its processes and achieve the conformity of its products and services, as well as to promote the
acquisition of the necessary knowledge based on changes in needs and trends.
Organizational knowledge is the specific knowledge of the organization that derives from its collective experience or
the individual experience of its people. This knowledge is used or can be used to achieve the organization's quality
objectives or its intended results.
The organization should consider how it determines and manages the organizational knowledge required to meet its
present and future needs. The people in the organization and their experience are the basis of organizational
knowledge. Capturing and sharing such experience and knowledge can generate synergies that lead to the creation
of new organizational knowledge or its updating.
A complex organization might choose to implement a formal “knowledge management” system, while a less complex
organization might choose to use simpler methods, such as keeping record books on design decisions or on the
properties and performance of chemical compounds it uses. have been developed and tested.
When determining, maintaining and making available organizational knowledge, the organization may consider:
c) capture the knowledge that exists within the organization, for example, through training programs
mentors, succession plans;
7.2. Competence
The intent of this section is to determine the competency required for positions or activities in the organization that
may affect the conformity of products and services or customer satisfaction, and to ensure that the people who hold
those positions or carry out those activities (e.g. directors, existing employees, temporary employees, subcontractors,
externally hired personnel) are competent to perform them.
People's competence can be based on their level of education, training and experience. Those who are able to
demonstrate their competence are sometimes referred to as being qualified.
The organization should determine the competency requirements for an activity or role/job. Certain tasks may require
a specific level of competence before they can be performed adequately or safely (for example, internal quality audits,
welding, or non-destructive testing): It may be necessary for people to be qualified for some tasks (for example (for
example, driving forklifts or trucks, or conducting surveys). The requirements of
Competency can be determined in different ways, such as through defining job description specifications,
or by carrying out job evaluation exercises, where a job is analyzed.
A person's competence should be confirmed by reviewing whether they have the appropriate level of
education, training or experience. This could be done through job interviews, reviewing resumes, by
observation, through documented information on training or degrees.
When an individual in an organization does not or no longer meets competency requirements, then action
should be taken; These actions include, but are not limited to, mentoring the employee, providing training,
streamlining the process so the individual can complete it satisfactorily, or reassigning the employee to
another position.
The organization should also evaluate the effectiveness of any action taken. For example, the organization
could ask people who have received training whether they believe they have achieved the necessary
competence to do their job. This can also be assessed in a variety of ways, including direct observation of
your performance or examining the results of tasks and projects.
When a person working under the control of the organization is from an external supplier, additional controls
and monitoring may be required, such as audits of externally provided processes, inspection of products
and services, or establishing contracts and service level agreements that specify the competency
requirements. The organization is responsible for determining the actions to take, which will vary depending
on how critical the competency is to ensure compliance with the requirements.
The organization should retain appropriate documented information that provides evidence of an employee's
competency, for example, titles, licenses, resumes, and completion of training and performance reviews.
When employees have officially certified training (for example, a university degree), such certification can
be used to demonstrate that they have acquired some, or all, of the knowledge required to perform their
job, but not necessarily that they are able to apply that knowledge. knowledge. Other more vocational forms
of training (such as nursing, or apprenticeship as a mechanic) may also include the ability to apply
knowledge and skills.
7.3. awareness
The intention of this section is to ensure that relevant persons working under the control of the organization
are aware of the quality policy, the relevant quality objectives, their contribution to the effectiveness of the
quality management system and of the implications of non-conformities with the requirements of the quality
management system.
Awareness is achieved when people understand their responsibilities and authorities, and how their actions
contribute to the achievement of the organization's quality objectives. Many organizations raise awareness
through communication (see section 7.4 of ISO 9001:2015).
People working under the control of the organization can demonstrate conscientiousness in day-to-day
activities by distinguishing between what is acceptable and what is not, and by taking appropriate action
when processes, products and services do not meet agreed specifications. . These people should
understand what nonconformities in the quality management system entail (e.g., rework, waste, customer
dissatisfaction, legal implications). Depending on the nature of the work that people perform, actions to
raise awareness may vary.
The organization should ensure that people in the organization understand how they contribute to the
effectiveness of the quality management system by performing work processes that achieve
d) clearly communicating how complaints are handled and the steps to escalate them internally
in case of non-compliant outputs.
Communication of all kinds is important to ensure awareness, and may include regular review meetings,
meetings with clients and external suppliers, collecting feedback and ensuring that feedback is made known
to the relevant people.
7.4. Communication
The intention of this section is to ensure that the organization establishes the internal and external
communications that are needed and that are relevant to the quality management system.
The organization should determine what it needs to communicate. This could be different for internal and
external parts. For example, the organization could communicate the status of the quality management
system to people in the organization, but communicate new terms and conditions on purchase orders to
external suppliers.
The organization should determine the relevant internal and external parties with which it needs to
communicate to ensure the effective operation of the quality management system. This may include relevant
people within the organization at all levels, and relevant stakeholders (such as customers, external suppliers
used as a source of products and services, or regulatory bodies).
Different communication methods are often required for different situations. More formal communications,
such as reports, specifications, invoices or service level agreements, may be required for relevant external
stakeholders. For internal communications, methods such as daily contact, regular department meetings,
briefings, email or an intranet can be used. More formal methods of internal communications, such as
written reports or job specifications, may also be required, depending on the nature of the information and
how critical the issues need to be communicated.
The organization should also determine the people who will make the communication. This will depend on
the nature of the communication and the people with whom the organization communicates. For example,
senior management could communicate with people in the organization while the owner of the purchasing
process could communicate with external suppliers.
To be effective, the organization's communication processes should provide the organization and its people
with the ability to:
— quickly transmit, receive and act on information;
7.5.1. Generalities
The intention of this section is to ensure that the organization controls the documented information necessary
to comply with ISO 9001, as well as the documented information that has been determined necessary for the
effectiveness of its quality management system (see section 4.4 .2 of ISO 9001:2015).
When ISO 9001 refers to “maintaining documented information”, it means ensuring that the information is kept
up to date; For example, information contained in documented procedures, manuals, forms and checklists,
information that could be stored in the cloud and downloaded to a smartphone or other electronic device, and
other documented information (such as the quality policy and quality objectives).
When ISO 9001 refers to “preserving documented information”, it means ensuring that the information used to
provide evidence as to whether a requirement has been met or not is protected from any deterioration or
unauthorized change (which should not occur, unless an agreed correction has to be made).
In general, ISO 9001 is not prescriptive in terms of the extent of documented information required. This will
vary from organization to organization depending on the size and complexity of operations and processes;
customer, legal and regulatory requirements; and the competence of the people involved. For example, the
documented information needed for a small bakery will be simpler and less extensive than that needed for an
automobile parts manufacturer that has very specific customer (legal and regulatory) requirements, including
externally sourced documented information, to incorporate. To the system.
The intent of this section is to ensure that when the organization creates and updates documented information,
the appropriate identification, format and medium are used, and that the documented information is reviewed
and approved.
Documented information should include an identification and description. There are many methods to do this,
such as defining a title, date, author, or reference number (or a combination of two or more of these methods)
that the organization can use to determine the information and its status.
The organization should establish the format for documented information. The organization may use a paper
copy, electronic copy, or both to provide the documented information. The version of the software to be used
should also be considered, as not all users may have access to the same version. Some organizations may
need to consider providing documented information in more than one language, based on the culture of the
organization.
The organization should have established methods for the review and approval of its documented information,
for example, having an identified person with the authority to approve the documented information.
7.5.3.1 The intention of this section is to ensure that documented information is available in a suitable medium
wherever it is needed, and that it is adequately protected.
Once the documented information necessary for the quality management system has been decided, the
organization should ensure that it is available to all areas, departments, process owners, etc. relevant.
Consideration should also be given to providing documented information
relevant to relevant external stakeholders when products and services have an external origin. Documented
information should also be in the appropriate format for its intended use, for example, a written service
level agreement for an external service provider, or process parameter information in electronic format that
can be downloaded to the interface. of process.
The organization should consider the level of control necessary to ensure that documented information is
adequately controlled, taking into account the environment in which it is located. Control includes availability,
distribution and protection, for example, against data loss, confidentiality, misuse or inadvertent changes.
The organization should ensure that the necessary controls are established as part of the documented
information and communication system, and that it is protected against loss, misuse and inadvertent
changes. This can be done in many ways, including electronic systems with read-only access and specific
permissions for access at different levels, password-protected entries, or IDs. The level of control may vary
depending on where the documented information is made available; for example, increased access
restrictions for external parties. Data security and backup issues should also be considered.
7.5.3.2 The intent of this section is to ensure that control of documented information addresses distribution,
access, retrieval and use, storage and preservation, change control, retention and deletion. This also
applies to documented information of external origin when the organization determines that it is necessary
for the planning and operation of the quality management system. The distribution of documented
information can be controlled in several ways.
Having established a system to control the distribution and access to documented information, the
organization should then consider how it is stored, maintained, and disposed of as necessary over time.
Documented information can change and develop as the organization improves its processes and quality
management system.
There is also the need to consider the way in which historical documented information is maintained, stored
and retrieved as necessary for later use.
Version control should be considered, where the organization determines some means of identifying current
versus obsolete documented information, and establishes controls to ensure that only current documented
information is used.
When the organization determines that some documented information of external origin is necessary for
the planning and operation of the quality management system, it should be appropriately identified and
controlled in the same manner as other documented information. This may include documented information
from a customer or external supplier such as drawings, specific test methods, sampling plans, standards,
or calibration reports. Particular care should be taken with the control of sensitive data.
Where documented information is retained as evidence of compliance, it should be protected from inadvertent changes.
The organization should only allow controlled access to such information, for example, with authorized access for relevant
individuals working on behalf of the organization, or restricted electronic access to “read only”, as appropriate.
8. Operation
The intention of this section is to ensure that the organization plans, implements and controls the processes necessary
for the provision of products and services, including any externally provided processes (see section 8.4 of ISO 9001:2015).
The risks and opportunities and quality objectives determined during planning (see Chapter 6 of ISO 9001:2015), including
potential changes, are key inputs to be taken into account when planning and controlling operations and establishing
criteria for processes and acceptance of products and services.
Based on the nature and complexity of the processes for providing products and services, the organization will need to
determine what resources are necessary and whether current resources are sufficient.
Effective controls are needed to:
The criteria and their associated supporting documented information are outputs of this planning.
The outputs from this planning will need to be used as inputs into operations within the organization. Third-party customers
or suppliers may also need to use them. They should be maintained in formats and media suitable for those who need to
use them.
When planning its operations and control criteria, the organization should take into account both planned changes and
potential involuntary changes, and how these changes may affect its operations.
When planning processes for supplying products and services, outsourced processes need to be under the control of the
organization if they are relevant to its quality management system. Control has to be ensured by applying the requirements
for the control of processes, products and services provided externally (see section 8.4 of ISO 9001:2015).
The intention of this section is to ensure that there is clear communication between the organization and its customers
when determining the requirements for the products and services that are provided.
a) communicate the details of the product or service to be provided, so that the client understands what is being provided.
offers; This information can be communicated through meetings, brochures, websites, by telephone, or by
any other suitable means;
b) make clear:
— the way in which the customer can contact the organization to ask questions or request products or
services;
— the way in which the organization will inform the client of any related changes;
c) establish the appropriate means to obtain information from the client regarding questions, doubts,
complaints, positive and negative feedback; methods include but are not limited to: emails
o direct phone calls, online surveys, customer service channels, face-to-face meetings;
d) ensure that the client is informed about the way in which the organization manages and controls the
client properties, where appropriate;
e) ensure that you are proactive in communicating with the client about possible contingency actions
that can be taken, if the need arises, to avoid having a detrimental effect on compliance with the
Customer requirements; This could include situations such as natural disasters, weather conditions,
labor conflicts, shortage of raw materials or support from external suppliers.
This communication allows the customer to understand what the organization can or intends to provide, and
allows the organization to understand or confirm the customer's needs and expectations.
The intent of this section is to ensure that the organization determines the requirements for its products and
services. These requirements can be determined taking into account:
F) the purpose of the product or service;
i) those requirements that the organization considers necessary (for example, the numbering of parts,
or file naming, for traceability within the organization).
The organization needs to ensure that it lives up to its claims about the products and services it offers. A
declaration is a statement by the organization about the products and services and their benefits and
characteristics that it can provide to the customer. For example, an Internet service provider ( ISP) might make
claims about its download speed on its website; a laptop manufacturer might make claims about battery life in a
brochure; an automaker might make fuel economy claims in an advertisement; or an insurance company states
that it provides a 24-hour claims service.
— skills;
- the capacity;
— delivery times.
ISO 10001 provides advice on codes of conduct, which are related to the presentation of declarations.
8.2.3.1 The intention of this section is to ensure that the organization reviews the commitments it has made to a
client, and that it has the capacity to meet these commitments. The review allows the organization to reduce the
risk of issues arising during operations and after delivery.
For points a) to e) of section 8.2.3.1 of ISO 9001:2015, the organization should review: a) the need for actions
during delivery and after delivery, such as transportation, training
to the user, on-site installation , guarantees, repairs, customer service;
b) whether the implicit requirements can be met, that is, whether the product or service should be capable of
meet customer expectations (for example, a hotel room is expected to be clean and
provide basic facilities, and staff are expected to be polite and helpful; or is it expected that
bottled water is drinkable);
c) the additional requirements that the organization chooses to meet to exceed customer expectations,
improve customer satisfaction or comply with internal policies;
d) whether legal and regulatory requirements have been taken into account and addressed where applicable.
applicable;
If there is a difference between the requirements defined above and those stated in the contract or order, the
organization will need to communicate with the customer and resolve such differences.
If a customer does not provide a documented statement of their requirements, for example, when placing an order
over the telephone or by verbal instructions, the requirements will need to be confirmed with the customer before
providing the product or service (for example, in a restaurant to the customer). you can repeat the order).
8.2.3.2 The intention of this section is to ensure that documented information is retained to demonstrate the final
agreement with the client, including all corrections or changes, and showing that the requirements can be met.
b) if the review identifies an additional requirement or a change in requirements, it should be updated or added
documented information to ensure that the new requirement is captured (for example, should
an email conversation that changes an order or resolves a misunderstanding).
This documented information can provide a basis for future similar agreements with new or existing clients.
The intention of this section is to ensure that relevant persons (both inside and outside the
organization) are aware of any changes in product and service requirements. The organization should choose
an appropriate communication method and retain documented information, such as communication emails,
meeting minutes, or corrections to orders.
8.3. Design and development of products and services
8.3.1. Generalities
The intention of this section is to ensure that the organization establishes, implements and maintains a design
and development process, in order to ensure that its products and services meet the requirements, which
defines the characteristics of the products and services. The organization should take into account the context
of the organization, including relevant stakeholders, when determining the scope of the quality management
system (see section 4.3 of ISO 9001:2015), since this scope determines the application of the requirements of
section 8.3 of the ISO 9001:2015 Standard.
Some organizations may need to consider all design and development requirements, while other organizations
may only need to consider some of the requirements, such as those for changes to design and development
or for communicating with the customer.
For example, an organization that manufactures its own range of bicycles needs to consider the design and
development requirements for a new or modified product. An organization that manufactures a product tailored
to a customer's needs needs to consider design and development requirements only if the customer makes
changes to the design or if there are communications about a change to the product.
Similarly, a franchised coffee shop may need to meet fewer design and development requirements than an
independent coffee shop that makes its own product, décor and marketing decisions.
In some cases, the organization may decide to apply design and development requirements to its operational
processes, whether based on the scope of the quality management system, customer requirements, legal and
regulatory requirements, or best practices. business practices.
EXAMPLE Examples where design and development are necessary include:
— a tailor who receives a request from a customer to add a piece of fabric to a dress or suit;
— a small business that has a specification for a pneumatic clutch, and a customer requests a change in fitment that
will require customization of the clutch;
— the advisor of a financial organization who designs and develops the services it offers to its clients in relation to the
management of their securities portfolio;
The intent of this section is to ensure that the organization carries out design and development planning to
determine its necessary design and development activities and tasks. This planning could include taking into
account actions that have been determined necessary (see Chapter 6 and section 8.1 of ISO 9001:2015) that
may have an effect on the performance of planned activities, resource requirements, as well as as a clear
definition of roles and responsibilities.
The requirements in this section provide a set of key elements to consider during design and development
planning. For points a) to j) of section 8.3.2 of the ISO 9001:2015 Standard:
a) the complexity of the products and services (for example, a repeated design, a new design, the
purpose of the product and service, physical characteristics such as the expected duration and scope of a service)
and factors such as delivery requirements;
b) the necessary stages, including applicable design and development reviews (e.g., design
basic, detailed design), as well as verifications (for example, whether all dimensions have been
appropriately specified in a technical design) and validations (e.g. trial production or
tests of a service);
c) verification activities necessary to ensure that outputs meet the requirements of
inputs, and validation activities necessary to ensure that products and services
resulting products meet the requirements for the specified application or intended use;
d) the people who are going to do it, that is, determine the necessary responsibilities and authorities
involved in the design and development process;
e) the necessary internal and external resources (for example, organizational knowledge, equipment,
technology, competition, support from external customers or suppliers, temporary workers, codes or
standards that provide technical information);
f) communications between people involved in the design and development process, taking into account
Consider the number of people involved and the most effective ways to share information, such as
meetings, telecommunications, minutes;
g) the potential participation of customers and users in design and development activities (e.g.
on-site monitoring of a customer, customer trials, customer studies, or consumer experience);
h) what is necessary for the people in the organization to provide the product or provide
the service (e.g. drawings, controls, raw materials, acceptance criteria);
i) the expected levels of control determined by the client or other interested parties over the process
(for example, security checks for medical devices or aircraft); when clients or
end users do not determine explicit controls, the organization should determine the controls that
are necessary, taking into account the nature of the products and services;
j) the documented information necessary to demonstrate whether the design requirements have been met and
development, and whether the process has been carried out appropriately in the review, verification and
validation; such as project plans, meeting minutes, realization of action points,
test reports, drawings, work instructions, or process flow diagrams.
The intent of this section is to ensure that the organization determines inputs for design and development projects
as one of its activities during design and development planning. These entries need to be unambiguous, complete,
and consistent with the requirements that define the characteristics of the product or service. For points a) to e) of
section 8.3.3 of ISO 9001:2015, the organization should take into account:
b) information from similar previous design and development activities, such as project files,
drawings, specifications, or lessons learned, which can improve effectiveness and enable the
organization take advantage of good practices or avoid mistakes;
c) legal and regulatory requirements directly related to the product or service (e.g.
example, safety regulations, food hygiene laws) or the provision of that product or service
(for example, handling of chemicals that are part of the final product; transportation or other
delivery mechanisms; the use of gloves when providing health services; hygiene requirements for a
restaurant);
d) the standards or codes of practice to which the organization has committed (for example, codes
industry, or health and safety standards);
e) the potential consequences of failure due to the nature of the products and services; this can go
from potentially fatal (for example, in an event there is poor road safety planning, which
can lead to accidents) to issues that can result in loss of customer satisfaction
(for example, unstable dyes in fabrics, leading to color loss or fading).
Applicable inputs for design and development should be retained as documented information.
These entries could be a reference to a specific code or specification listed in the project schedule.
When input requirements are conflicting, or are difficult to address or achieve, the organization should implement
activities to resolve these issues.
The intention of this section is to ensure that, once inputs have been determined, design and development activities
and controls are implemented in accordance with planning, to ensure that the process is effective.
Review, verification and validation activities are essential to control the design and development process, and need
to be implemented effectively. Review, verification, and validation can be completed as a single process or as
separate activities. For points a) to f) of section 8.3.4 of ISO 9001:2015, the organization should ensure that: a) all
persons involved in the design and development activities are aware of, and
understand
completely, the customer or end-user requirements, and the planned final outputs; It is necessary to have
take into account deviations from requirements, for example, when planning to improve performance
of a product, versus factors such as cost or ease of use;
b) reviews of the design and development planning stages and stage outputs are established
to confirm compliance with input requirements, determine problems, and develop solutions;
people who are not involved in a specific stage of the design and development process can participate
in its review, including those who participate in producing the product or service and, where appropriate, clients,
end users and relevant third-party suppliers; for different levels of complexity:
— a complex design could be reviewed in a formal meeting, and the minutes of such meeting would constitute the
record;
— a review for a simple design could be less formal and the record could consist of a notation on the plan indicating
that the review has been carried out, signed by the reviewer and dated;
d) validation is carried out to ensure that the final product or service will meet the needs
from the customer or end user for a specific or intended use; examples of validation activities can
include:
— marketing trials;
— operational tests;
— partial tests or simulations (for example, to simulate the ability of a building to withstand an earthquake);
e) if the review, verification and validation activities uncover problems, they should be determined
actions to resolve them; The evaluation of the effectiveness of these actions should be part of the following
revision;
f) what documented information from review, verification and validation activities is retained as
evidence that design and development activities were carried out as planned; the examples
They may include meeting minutes, inspection and test reports, and customer approval.
The intent of this section is to ensure that design and development outputs provide the necessary information to all
processes required to provide the intended products and services (including purchasing, production, and post-
delivery activities); In addition, the outputs should be clear enough to ensure that the people involved understand
what actions need to be taken and in what order.
Design and development outputs will vary depending on the nature of the design and development process and the
requirements for the products and services. The outputs of design and development will be key inputs to the product
and service provision processes (see section 8.5 of ISO 9001:2015).
For points a) to d) of section 8.3.5 of ISO 9001:2015, these outputs should:
a) be consistent with the input requirements defined in accordance with section 8.3.3 of the Standard
ISO 9001:2015;
b) be sufficient to ensure that all necessary subsequent processes can be carried out
to provide the products and services, taking into account who will use the outlets and in what
circumstances;
d) provide essential information about the characteristics of products and services, to ensure
that the products can be provided or that the service can be provided in a safe and secure manner.
appropriate, also detailing the way in which the product or service is to be used (for example,
instructions for the use of a medicine, for the storage of food, or on how to
clean a product).
In some cases, design outputs may be the final product of the organization, for example, this may occur in the activities of
architects, design engineers or graphic artists.
Design outputs should be retained as documented information, including but not limited to:
— drawings, product specifications (including conservation details), material specifications, testing requirements,
quality plans, control plans;
— a fashion design for clothing defined by sketches and a specification related to materials
to use;
— a graphic arts design that provides the form of a particular layout for use in a publication;
The intention of this section is for the organization to determine, review and control changes made during the design and
development process or afterwards. The organization should consider as part of the design and development process how
interactions with other processes or stakeholders (for example, customers or external suppliers) will be implemented, and take
these into account when determining changes to the design and development.
Changes may arise from any activity within the quality management system and at any stage, including but not limited to:
b) after the release and approval of the design and development outputs;
Documented information to be retained relating to changes in design and development may include the results of evaluating
the effects of the changes on constituent parts or on a product or service already delivered to prevent adverse impacts. The
review, verification and validation processes
They can often result in documented information detailing design and development changes. The
Documented information can also detail actions taken by subsequent affected processes
(for example, purchasing, production, provision of the product or service) and the way in which they have been
release.
The documented information should indicate the person authorizing the change. In some cases, this authorization
is required by the customer or a regulatory agency. Documented information may include an approved change
request or an electronic approval of the change.
8.4.1. Generalities
The intention of this section is to control processes, products and services provided by an external provider.
External suppliers could include the organization's corporate headquarters, associated companies, suppliers, or
someone with whom the organization has contracted externally.
process.
The organization is responsible for ensuring that externally provided processes, products and services meet
requirements (for example, by inspecting incoming products, or monitoring an externally contracted service
provider).
The organization should determine:
a) the internal processes that interact with externally provided processes, and the effect that this
provision has on operational performance;
b) the externally provided materials, components or services that form part of the product or
final service, or that are critical to the provision of the product or service;
c) the specific requirements and controls to apply for the external provision, depending on the effect that
may have on the operation and performance of the organization.
—maintenance activities provided by a partner company are carried out by persons with certain competence
using specific safety equipment;
—an associated company (such as a sister plant that provides component parts for assembly) carries
out verifications.
The organization needs to determine and apply criteria for the evaluation, selection, performance monitoring,
and reevaluation of external suppliers. Implementing such a process allows the organization to have a clear
understanding of the current capabilities of external providers, determine gaps in what is needed, and determine
solutions to resolve these issues.
In situations where a parent company or customer requires the use of a specific third-party supplier, this could
be the criteria that is established; However, monitoring the performance of this type of external suppliers is still
required.
The intention of this section is to establish controls for external suppliers, so that the organization has confidence
that the products and services to be provided will meet the requirements.
The type and scope of control is based on the potential impact that the externally provided process, product or
service may have on the organization's ability to consistently provide compliant products and services.
EXAMPLE In a printing organization, paper quality could be critical. However, in a travel agency, plain and commercial
paper can be used without the need for any quality-related purchasing controls. The printing organization needs to
closely monitor the performance of its paper suppliers to ensure that the quality of its printed products remains at the
expected level.
The organization should determine the controls that an external supplier must implement, or those that must be implemented for the
external supplier. The intent of these controls is to ensure that the delivery of the product or service will be carried out according to
planned arrangements and that the product or service will meet requirements.
The organization needs to ensure that processes provided by an external provider that is within the control of the organization's
quality management system meet the applicable requirements of ISO 9001.
a) the qualification of the people who receive the calls and the implementation of the call system
information and communications at the beginning of a shift, for a contracted customer service center
externally;
c) a checklist used when verifying that all planned activities were carried out to
a bathroom cleaning service in a hotel or office.
Verification activities that could be considered include, but are not limited to: — receiving inspections (for
example, the inspection of office supplies may simply be a verification that the ordered quantity was delivered, where a delivery
record, signed by an employee, could include all the documented information required);
— testing (for example, an organization may choose to inspect a batch of samples or perform some type of testing to verify conformity
with requirements, or it may be equally effective and more efficient to review certificates of analysis or test results submitted by the
external provider);
The intent of this section is to ensure that the organization clearly communicates to external suppliers the requirements and controls
it needs for processes, services or products provided externally, in order to avoid negative effects on its operations or customer
satisfaction.
The organization should ensure that its requirements are complete, clear, and address any potential sources of ambiguity or
confusion; both parties should agree on what is required. It is essential that all relevant details are clearly set out at the time of
ordering; This may include, for example, drawings, catalog or model numbers, response times, and the date and location required
for delivery.
The information to be sent to the external supplier (for example, a written purchase order) should be verified before shipment. In a
small organization, this will probably be the person who makes the purchase
which verifies its suitability. This could involve simply reading and reconfirming the order over the phone.
Purchasing information should provide details regarding any methods, processes and equipment that
should be used, for example, certain welding techniques, the use of specific calibrated equipment, or
employee uniforms. Other factors that need to be clearly established could relate, for example, to packaging,
labeling, certificates of analysis or test results. Although it is essential to fully describe what is needed,
unnecessary details can lead to misunderstandings and incorrect provision.
The information should specify any competency requirements necessary for individuals from the third-party
provider, such as a certified welder or specialized lawyer.
Requirements should be included for how the external provider is to communicate with the organization,
such as a set of planned meetings to review progress, or identifying the person in the organization who will
be the primary point of contact.
It is necessary to monitor the performance of external suppliers. The type and frequency of monitoring that
the organization will use should be included in the information. This could specify the level of performance
that the external provider must meet, or provide information related to the way in which the results of the
organization's performance evaluations will be communicated.
Sometimes the organization or its customer may need to perform verifications or validations at the third-
party provider's facilities. This could be due to the size of the product, the nature of the service, or due to
time constraints for delivery.
EXAMPLE An interior decorator may need to visit a manufacturer to view curtain fabrics that have been ordered, or
the training facility may need to track employees while they receive training.
In these cases, the organization should provide information on these preparations, such as the schedule
for verification and validation and any other provisions (such as office space, administrative support, or
testing facilities) required from the external provider.
The intent of this section is for the organization to establish controls to provide products and services that
ensure that intended results are achieved, reducing the potential for non-conforming outputs.
The organization should establish conditions to control the provision of the product and service to ensure
that the criteria determined in section 8.1 of ISO 9001:2015 are met.
The organization should consider the entire production and service delivery cycle when determining what
needs to be controlled, including requirements for post-delivery activities (such as installations, warranties,
or complaints handling). For points a) to h) of section 8.5.1 of ISO 9001:2015, all applicable aspects of the
following should be considered:
a) the availability of documented information that defines the characteristics of the products to be
produce, the services to be provided, or the activities to be performed; the organization should provide
documented information that is understandable to those involved in the activity or process, such as
specifications or work instructions, and that helps ensure that products and services are
conform to the specified requirements (ISO 9001 does not require the organization to produce
documented information containing all the details that a competent operator should know);
EXAMPLE 1 It is usually not necessary to describe to a trained forklift operator how to operate a forklift; however, work
instructions may be necessary to detail storage arrangements, handling restrictions, and routine maintenance.
b) any necessary monitoring and measurement resources; could be identified by measuring the equipment that
has been calibrated to make a particular measurement or method prescribed for use in the provision of
a service;
c) any monitoring and measurement activities necessary to ensure that the outputs meet the
requirements of the product or service, such as inspection of a product at certain stages, or monitoring
from calls to customer service;
d) any criteria necessary for the infrastructure (see section 7.1.3 of the ISO Standard
9001:2015) or the process environment (see section 7.1.4 of ISO 9001:2015);
e) the need to ensure the competence of the people carrying out the work (see section 7.2
of ISO 9001:2015), including consideration of any necessary qualifications, such as
of non-destructive inspectors, or licenses for medical practice;
g) the organization should take actions to prevent human errors, such as: limiting work hours
excessive work, establish appropriate measures to promote an adequate work environment,
provide appropriate training and instructions, automate processes, require electronic entry
double for critical information, make devices available to avoid the use of tools
incorrect settings, avoiding distractions for people (such as personal electronic devices), rotating
positions, require completing all information before sending it;
EXAMPLE 2 Spot welding equipment will only continue to produce good welds if there is periodic maintenance of the
condition of the electrodes.
The intent of this section is to ensure that the organization uses identification and traceability in order to be able
to determine the processes, products and services that could be affected by potentially non-conforming outputs
throughout the production and service delivery processes. Organizations should use different methods to identify
outputs depending on the nature of the product or service. When selecting an identification method, the
organization should consider:
a) the reason why the output needs to be identified, such as legal and regulatory requirements (e.g.
in the aerospace or food industry);
b) in what stages of the process the identification is made, and the way in which it is done.
EXAMPLE 1 In the apparel industry, materials from the same dye lot are usually processed as one batch to avoid color
incompatibility problems; In a courier service, it is necessary to keep records of items that are picked up and delivered
to maintain delivery commitments and schedules; In manufacturing, there may be a need for all raw materials to be
lead-free or for components to be traceable to their origin.
In some industries, identification and traceability are requirements specified by regulations or contracts.
EXAMPLE 2 In pressure vessel manufacturing, it is common for the identification of a given material to be recorded
and traced through all stages of manufacturing, so that the final component can be traced back to the original material.
Identification methods will vary depending on the nature of the outputs, e.g.
—a code, title, or combination of both may be used to identify a contract or purchase order;
—a visible physical sign indicating the provision of a service, such as housekeeping in a hotel;
Where there is a requirement to be able to trace outputs, the organization should ensure that relevant
documented information about the identified process outputs is retained and maintained. This might be
necessary, for example, in the case of a product recall; when the measuring equipment is found to be out of
calibration (see section 7.1.5.2 of ISO 9001:2015); in the investigation of non-conformities in a process,
product or service, or as a result of legal or regulatory requirements (for example, who has administered a
certain controlled drug in a hospital).
The intent of this section is to ensure that property that does not belong to the organization but is under
the control of the organization is protected.
Customer property is property that is incorporated into or used in the production of products or the provision
of a service. Third-party vendor property is property that is provided to the organization to be used for a
purpose (for example, equipment used for packaging, or personal data).
Property may be tangible or intangible (for example, materials, tools, customer facilities, intellectual
property, or personal data).
EXAMPLE 1 Examples of where a customer might provide material, equipment, knowledge or data for use in
production or service provision include:
— financial and personal data provided to a credit card company or to make purchases on the Internet.
The actions the organization should take to protect it will depend on the type of property).
The owner of the property should be clearly identified and made known within the organization, as applicable.
This could be done through identification on the product or by keeping customer property in a separate area, or
by limiting access to intellectual property.
EXAMPLE 2 Examples of measures that can be taken to protect the client's intellectual property or personal data
include:
— provide a specific location to store the client's intellectual data, including product drawings, patent information,
performance and sales graphs;
— have a procedure that requires customer specifications and data to be deleted at the end of a project;
It is important to verify ownership when the organization takes control over it (e.g. physical condition or
condition, accuracy of personal data). This verification will vary depending on the requirements of the
customer or external suppliers.
The reason documented information is required in this section is to ensure that the relevant information can be
used to ensure that the customer or third party supplier is accurately informed if the property is lost, damaged,
or otherwise discovered to be is not suitable for use or cannot be used.
8.5.4. Preservation
The intention of this section is to ensure that outputs and products and services are preserved at all stages
during production and service provision.
The organization should determine outputs that may deteriorate or degrade and affect the conformity of the
product or service, and implement appropriate preservation methods.
For example,
a) in the service industry, the need for preservation could imply:
— an ICT company that ensures the preservation of data integrity by making regular backups and
using antivirus protection;
Depending on the nature of the operations, it may be necessary to determine preservation methods for any
part or component that is to be incorporated into the final product (for example, for manufacturing or
assembly) or for equipment or information critical to the provision of a service ( for example, data necessary
for technical support, after delivery to the customer of a personal computer).
There are a number of areas where problems that may affect the quality of the product or service are addressed.
EXAMPLE 1 Some examples are found in the following areas:
— most copper-based metals (e.g. copper, brass and bronze) are susceptible to corrosion from finger marks; — liquid
transport tanks
need to be cleaned or decontaminated before filling with a different liquid; — medical specimens need to be handled
with
special instruments to prevent infection.
The intent of this section is to ensure that the organization meets relevant requirements after a product or
service is delivered, recognizing that the organization's responsibility does not necessarily end with delivery.
When determining post-delivery activities, the organization should consider known requirements (for
example, legal and regulatory requirements or customer requirements) and also take into account the
possibility that the product or service may not perform as expected and additional actions may be required.
The risk of customer dissatisfaction or loss of a potential opportunity increases if the organization does not
take into account the activities
potential and established after delivery.
d) customer access to online information related to the delivery of a product or service, for example
example, flight status; frequently asked questions ( FAQ);
e) product authentication;
The intention of this section is to ensure that the organization reviews and controls changes that occur
during production and service provision, in line with the provisions determined during the planning of the
quality management system (see section 6.3 of the Standard ISO 9001:2015). Actions determined to
address such changes should focus on ensuring that outputs, products and services will continue to meet
applicable requirements.
This section deals with the changes that occur during the production and provision of the service that affect
compliance with the requirements. The organization should ensure that the integrity of production and service
delivery is maintained by monitoring these changes and reviewing the actions taken and how this affects the controls
implemented in accordance with section 8.5.1 of the Standard. ISO 9001:2015.
Proposed changes should be reviewed at all stages of the operation before being introduced.
The reasons for a change may vary; For example, the need for a change may be initiated by an external supplier
(e.g. delivery delays or quality issues), an internal issue (e.g. failure of critical equipment, recurring non-conforming
outputs), or an external issue (e.g. for example, new or modified customer or legal and regulatory requirements).
In some cases, the results of the change implementation can become an input to design and development activities
(see sections 8.3.1 and 8.3.6 of ISO 9001:2015).
The organization should determine the documented information to be retained and the format in which it should be
stored; Examples include: a) minutes
of review activities;
d) details of the persons authorizing the change (considering the client as necessary).
The intention of this section is to ensure that products and services comply with all applicable requirements before
being delivered to the customer (see section 8.1 of ISO 9001:2015).
The organization should obtain approval from a relevant authority when planned arrangements have not been met;
In some cases, this authority could be the client. The organization should consider establishing criteria for situations
where it is necessary to obtain customer approval. In these cases, the requirements for non-compliant outputs may
apply (see section 8.7 of ISO 9001:2015).
The people who authorize the final release of the product or service should be appropriately defined by, for example,
their job description or authority level, and should be traceable. This can be achieved by retaining documented
information that, for example,
a) provide the signature of the person who authorizes it;
b)detail a global authorization for automatic release of products upon completion of certain criteria
(for example, automatic electronic payment authorizations for an online sale).
8.7.1 The intention of this section is to prevent involuntary delivery or use of non-conforming outputs (at all stages of
production and service provision).
When determining a nonconforming output, the organization should take appropriate actions based on its effect on
the conformity of the product and service. Actions will vary depending on the nature of the non-conforming output,
such as notifying the customer when a safety or functionality issue is determined, versus a minor issue that is
determined during production that can be corrected before delivery.
There are several ways to deal with non-compliant outputs. For points a) to d) of section 8.7.1 of ISO 9001:2015,
the organization could use an approach that applies more than one of the following methods:
a) correct the nonconformity by reprocessing or repairing, or in the case, for example, of a restaurant that
determines that the wrong dish has been prepared, preparing the correct one before delivery;
b) separate, confine, return or suspend the supply of products and services; the organizations
should ensure that products and services are clearly identified in order to prevent
inadvertently provide non-compliant output to the customer; This could include some type of
label or physical location;
c) inform the customer according to the severity of the non-conformity of the output or the customer's requirements;
This could be done so that the customer can take action if the non-compliant output has already occurred.
delivered, or to direct the organization on the actions that are required; examples of actions
to take with clients include:
— recalls (for example, due to safety issues, such as incorrect composition of a medicine);
— suspension or withdrawal of the affected products or services (for example, due to incorrect labeling of a food
product with respect to its durability or incorrect price marking in a catalog or the inability to provide a service as
described);
— process it again;
d) on some occasions it may be required to obtain an authorization under a concession (said concession
it could be given by an authorized person in the organization, such as an engineer or supervisor, or the customer);
If such controls are not possible, depending on the nature of the non-conformity, a
agreement with the customer to allow the use of the non-conforming product or service (in this situation it should
authorization from the appropriate persons, or where relevant, from the client).
When non-compliant outputs are corrected after detection, they should be verified. This may include inspection of
a corrected product or verification of performance after a correction has been made to a service delivery process.
In the case of service provision processes that directly involve the customer, non-compliant outputs could be
detected only during the provision of the service, or immediately after. The intent of the requirement to take
appropriate action still applies, for example, providing the service again, correcting unexpected results, or
compensating the customer. An example might involve an airline providing assistance, food and/or accommodation
as a result of a flight delay, until the flight is able to depart or until passengers have been reassigned to another
flight.
Where additional actions are needed (for example, to respond to complaints and prevent recurrence), corrective
action requirements should apply (see section 10.2 of ISO 9001:2015).
8.7.2 The intention of this section is to ensure that the organization retains documented information relating to:
c) the people who have the responsibility of approving the release of products or services do not
compliant.
Maintaining documented information can help ensure that: processes are improved and optimized; corrected work instructions,
processes and procedures are detailed for future use; The information is communicated to relevant persons both within the organization
and externally (see section 8.2.1 of ISO 9001:2015). This documented information can also be used as a basis for trend analysis in
nonconformities.
The organization should ensure that the documented information held includes details of the non-conformity, of actions taken to
correct, mitigate or communicate it, of any concessions obtained (for example, agreements with the customer that the product or
service can be used despite of the nonconformity) and the person who authorizes the actions taken.
—the production system that maintains information about the supply of products and services;
—a mobile application.
9. Performance evaluation
9.1. Monitoring, measurement, analysis and evaluation
9.1.1. Generalities
The intention of this section is to ensure that the organization carries out monitoring, measurement, analysis and evaluation, to allow
the organization to determine whether the intended results are being achieved.
ISO 9001 requires the organization to determine what it needs to monitor and measure, and the methods used to analyze and evaluate
the performance and effectiveness of the quality management system. When considering the performance and effectiveness of a
quality management system, “performance” is the measurable results of the organization, and “effectiveness” is the degree to which
planned activities are carried out and to which objectives are achieved. planned results.
When determining what needs to be monitored and/or measured, the organization should take into account the actions required in
other sections, such as actions to establish the quality management system and its processes (see section 4.4 of ISO 9001:2015),
quality objectives (see section 6.2.1 of ISO 9001:2015), operational planning and control (see section 8.1 of ISO 9001:2015), customer
satisfaction (see section 9.1.2 of ISO 9001:2015), analysis and evaluation (see section 9.1.3 of ISO 9001:2015), internal audits (see
section 9.2 of the Standard ISO 9001:2015) and management review (see section 9.3 of ISO 9001:2015). The organization should
then determine how monitoring, measurement, analysis and evaluation will be carried out, and the resources (see section 7.1.5 of ISO
9001:2015) that will be required.
The organization should also decide what documented information will need to be retained as evidence of the results of monitoring,
measurement, analysis and evaluation. This documented information is usually the same documented information that is required in
other sections of ISO 9001:2015, such as management review.
The intent of this section is to focus on monitoring customer feedback to evaluate customer satisfaction and
to determine opportunities for improvement. It provides an approach to understanding customers' perceptions
of the organization's products and services, and whether needs and expectations have been met.
Organizations should consider different methods for obtaining information based on customer type (e.g.,
surveys, organization-to-organization, organization-to-customer, public service, government, e-commerce).
Organizations will need to determine the methods they wish to use, depending on the nature of their
operations. These methods may include, but are not limited to:
a) opinion surveys;
e) congratulations;
f) complaints;
g) warranty claims;
h) distributor reports;
j) invoice inquiries;
The organization should determine which customers it wants to solicit feedback on customer satisfaction
from, and how it will track the information. The organization may choose to solicit feedback from each
customer upon completion of a transaction or use a representative sample based on a target number of
sales, customers with repeat orders, or new customers. This can be done continuously or at a frequency
established by the organization.
The organization should be able to determine the level of customer satisfaction after analyzing and evaluating
the results, and take action based on this information. This information should be input to management review
and used to determine if actions are necessary to improve customer satisfaction.
The intent of this section is for the organization to analyze and evaluate data and information from monitoring
and measurement results to determine whether processes, products and services meet requirements, and to
determine any necessary actions and opportunities for improvement.
The organization should determine the appropriate data to review. The selection of data should ensure that
the results of the analysis and evaluation can be established to evaluate the performance and effectiveness
of the quality management system and determine the need for any improvements.
Examples of data sources may include but are not limited to:
The organization should consider how frequently it will analyze and evaluate data that will help determine
areas for improvement. This may depend on the organization's ability to retrieve information electronically
versus manually preparing the data. The organization should ensure that the methods and quality of data
(e.g. representative, unbiased, complete, accurate, useful) provide useful information for management
decisions. Statistical techniques can be useful tools for analysis and evaluation processes.
The outputs of analysis and evaluation often take the form of documented information such as trend
analysis or reports, balanced scorecards, dashboards, and become an input for management review or for
meetings that consider that output. For this reason, it should be in a format that allows you to determine if
actions need to be taken to improve the quality management system. Although analysis and evaluation are
often associated with management review, the organization should determine the appropriate frequency
for evaluating and analyzing information. Some organizations may choose to conduct this analysis more
often, such as through daily meetings.
9.2.1 The intention of this section is to obtain information through internal audits on the performance and
effectiveness of the quality management system from an impartial point of view, to ensure that the planned
provisions have been completed and that the management system of quality has been implemented
effectively and is maintained.
Internal audits can be used to determine whether the quality management system is in compliance with the
requirements of ISO 9001 and the requirements of the organization. Audit methods should include direct
observation of the process, interviews with relevant persons, and examination of documented information
(such as internal procedures, drawings, specifications, standards; customer requirements; legal and
regulatory requirements; and in business management systems ). Although the organization should always
seek to ensure that its quality management system complies with all the requirements of ISO 9001, there
is not a requirement for each section of ISO 9001, or process in the quality management system. quality,
to be evaluated in each audit.
9.2.2 The intention of this section is to ensure that the organization establishes, implements and maintains
an audit program. In some cases, when the organization has multiple locations, the organization may
establish an audit program for each specific location. The audit program establishes provisions for a set of
one or more audits planned for a specific time interval and should be aimed at ensuring the performance
and effectiveness of the quality management system.
The audit program should indicate the frequency with which the organization will conduct audits (for
example, monthly, quarterly, annually, or according to a schedule that is different for areas or processes
throughout the year). When determining frequency, the organization should apply risk-based thinking and
take into account how frequently the process performs, how mature or complex the process is, any changes
to the process, and the objectives of the audit program. . For example, more mature processes may require
less frequent internal audits. More complex processes may require more frequent internal audits. A list of
inputs to consider when planning internal audits includes, but is not limited to: a) importance of processes;
b) management priorities;
c) process performance;
The organization's internal audit programs should also define the methods to be used in audits; These
methods may include interviews, observations, sampling, and data reviews. As a best practice, the
organization should plan and perform audits in accordance with the requirements of its quality management
system, by project or process, rather than by the specific sections of ISO 9001.
When assigning people to perform audits, the organization should ensure the objectivity and impartiality of
the audit process. In some cases, specifically in smaller organizations or in areas of the organization where
job-specific knowledge is required, it may be
It is necessary for a person to audit their own work. In this situation, the organization could make the
internal auditor work with a colleague, or have a peer or manager review their results, to
ensure that the results are unbiased. The organization may also consider obtaining
resources from an external provider, such as a university, external auditor, or other organization.
EXAMPLE A plumber and an electrician may audit each other or assist each other, or a cleaning company might
require its administrative staff to audit the cleaning process since they are not directly involved in that particular task.
As part of the planning activity, the organization should determine the criteria and scope of internal audits.
Audit criteria may be defined by specific standards or requirements, and the scope of the audit may include
specific departments, product lines, processes, or facilities.
If the organization has implemented a management system that addresses more than one management
system standard with similar requirements, it may be useful for the organization to perform combined audits
(for example, for an integrated or combined management system) to reduce the redundancy. This
information is typically presented in an audit plan (i.e., the detailed plan for performing a specific audit).
After completing the internal audit, the results should be presented in a report to the relevant management.
Based on the results, appropriate corrections and corrective actions may be necessary. The organization
may choose to establish criteria for when corrective action is required, based on factors such as the severity
of a nonconformity. Typically, the organization establishes a time to respond to and correct nonconformities
and take corrective actions, to ensure that they are implemented effectively and on time.
To add value during internal audits, it may be possible to observe conditions that meet the requirements, but
could represent a potential weakness in the quality management system; Alternatively, opportunities for
improvement could be determined based on experiences from other audits and internal practices observed in
other processes or locations. In such cases, if the organization includes this information in the audit report, it can
provide management with the information to decide whether it is appropriate to initiate action for improvement.
The organization is required to retain documented information to provide evidence that the audit program is being
implemented and the results of the audit. Examples of audit results may include audit reports, evidence of
corrections or corrective actions taken (e.g., training, updated documented information). The results of the internal
audit are required as input for management review.
The intent of this section is to ensure that senior management conducts management reviews. This is an activity
that senior management should perform in line with the strategic direction of the organization.
Its purpose is to review information about the performance of the quality management system in order to
determine whether it is:
Management review should be done at planned intervals; This could be daily, weekly, monthly, quarterly, semi-
annually or annually. Some management review activities can be performed at various levels of the organization,
as long as the results are made available to senior management. All management review entries are not required
to be addressed at the same time, but may be addressed during sequential management reviews; The
organization should address how it will ensure that all management review requirements of ISO 9001 are met.
The organization may conduct management reviews as a stand-alone activity or in combination with related
activities (e.g. meetings). , reports).
The timing of management reviews can be arranged to coincide with other business activities (e.g., strategic
planning, business planning, annual meetings, operational meetings, other management system standards
reviews) to add value and to avoid multiple redundant meetings.
EXAMPLE A travel agency decides to do a management review the day before its semiannual strategy meeting to
obtain all the input necessary to plan the budget and to ensure that quality objectives are aligned with the agency's
strategic direction.
The intention of this section is to establish the inputs that an organization needs to consider when evaluating the
performance and effectiveness of its quality management system.
Management review inputs are directly related to the requirements of other sections of ISO 9001; This includes
the analysis and evaluation of data (see section 9.1.3 of ISO 9001:2015). The inputs should be used to determine
trends in order to make decisions and take actions related to the quality management system. For points a) to f)
of the section
9.3.2 of ISO 9001:2015, the following inputs should be considered for management review:
b) changes in external and internal issues (see section 4.1 of ISO 9001:2015);
2) the degree to which the quality objectives have been met (see section 6.2 of the ISO Standard
9001:2015);
3) the performance of processes and the conformity of products and services (see sections
4.4 and 8.6 of ISO 9001:2015);
4) non-conformities and corrective actions (see section 10.2 of the ISO Standard
9001:2015);
5) the results of monitoring and measurement (see section 9.1.1 of the ISO Standard
9001:2015);
e) the effectiveness of actions taken to address risks and opportunities (see section 6.1 of the
ISO 9001:2015 Standard);
The organization may include additional elements in the management review (such as new product
introductions, financial results, new business opportunities, or relevant information about problems or
opportunities in the field or market in which the products are used or services are provided). services), in order
to determine whether the organization is and will continue to be able to achieve its intended results. The
management review can also be extended to cover other requirements of ISO 9001 for monitoring and
reviewing information (as in sections 4.1 and 4.2 of ISO 9001:2015).
The intention of this section is to ensure that the management review provides outputs and information on the
performance and effectiveness of the quality management system, and on all necessary decisions and actions.
Outputs from the management review include decisions and actions related to opportunities for improvement
(see section 10.1 of ISO 9001:2015), necessary changes to the quality management system (see section 6.3
of the ISO 9001:2015 Standard), and necessary resources (see section 7.1 of ISO 9001:2015 Standard). The
status of actions identified during the management review should be included as an input to the next
management review activity. Following up can help ensure that actions are taken in a timely manner.
The organization should retain documented information as evidence of the results of the management review. Examples
of documented information include presentations, meeting minutes, and reports.
10.Improvement
10.1. Generalities
The intention of this section is to ensure that the organization determines opportunities for improvement, in addition to
planning and actually implementing actions to achieve the expected results and to improve customer satisfaction.
Improvements can help the organization continue to meet customer requirements and expectations by improving its
products and services, correcting or preventing undesirable effects, and improving the performance and effectiveness of
the quality management system.
b) small but continuous improvement activities, carried out in processes, products and services
existing;
c) projects that can lead to significant changes in existing processes, the implementation
of new processes, products or services, or the introduction of new technologies or innovations
disruptive.
Requirements for corrective actions (see section 10.2 of ISO 9001:2015) help to determine and eliminate the causes of
nonconformities, to prevent their recurrence.
Continuous improvement (see section 10.3 of ISO 9001:2015) should be carried out to improve performance and to
implement agreed solutions that are intended to achieve positive benefits.
Improvement actions can be implemented in processes, products and services as well as in the quality management
system.
10.2.1 The intention of this section is to ensure that the organization manages nonconformities and implements corrective
actions appropriately.
When a non-conformity occurs (including those arising from a complaint; from identified non-conforming outputs [see
section 8.7 of ISO 9001:2015]; issues arising from external suppliers or other relevant interested parties; the results of
audit; or the effects of unplanned changes), the organization should take action to investigate what has gone wrong, to
correct it if possible, and to prevent similar issues from happening again in the future. The organization should seek to
permanently eliminate the causes and consequent effects of problems that could have a negative impact on its: a) results;
c) customer satisfaction.
Potential sources of nonconformities and types of nonconformities include, but are not limited to:
— findings from internal or external audits (see section 9.2 of ISO 9001:2015);
- client complaints;
— warranty claims.
The organization should take action to control or correct any nonconformities. This can be accomplished
by containing the problem while the investigation continues. For example, the organization may need to
contact customers or external suppliers to make them aware of a nonconformity and to provide information
about the potential or actual effects on the product provided or service provided.
When assessing the actions necessary for a nonconformity, the organization may consider that there may
be cases where the cause of a nonconformity cannot be eliminated, and the organization should consider
taking actions to be able to detect and minimize the effects of the nonconformity. non-conformity if it
happens again.
The organization should review and analyze the nonconformity to determine its causes and whether it
exists elsewhere, or is likely to be repeated or potentially occur in another process and/or part of the
organization. The organization should determine the scope of actions it needs to take, based on the
potential effect of the nonconformity. The organization should implement all necessary actions based on
this review. This could be achieved using various methods such as, but not limited to: root cause analysis;
the eight disciplines for problem solving (8D); the five whys method; failure modal and effects analysis
(FMEA); or cause and effect analysis diagrams.
The organization should review the effectiveness of any corrective action by confirming (through evidence)
that the actions have been implemented or that corrections have been made and as a result of this
nonconformities have not been repeated. This could be accomplished by observing process performance
or reviewing documented information. In order to ensure that effective implementation can be verified, the
organization should allow an appropriate amount of time to pass before reviewing the actions taken; This
will vary depending on the complexity and resource needs (for example, procurement of major equipment)
of the actions necessary to resolve the nonconformity.
The organization should determine whether the effects of corrective actions taken in one area could
potentially cause adverse effects in another area of the organization, and plan any necessary mitigating
actions prior to implementation.
Following the review of corrective actions, the organization should consider whether there are risks or
opportunities that have not been previously determined, or whether actions for the risks and opportunities
were not effectively addressed during planning (see ISO 6.1). 9001:2015). The planning should be updated
as necessary.
When taking action to address the causes of a nonconformity, the organization should also consider the
need for process changes within the quality management system.
10.2.2 The intent of this section is to ensure that the organization retains documented information in order
to provide evidence that the required corrections or corrective actions have been completed.
The organization should retain appropriate documented information to show the corrections or corrective
actions taken, including details related to the nonconformity (for example, the declaration of nonconformity,
the severity of the nonconformity, the root cause analysis, the corrections and planned corrective actions);
Examples include corrective action forms or databases.
The organization should also retain documented information of the results of any corrective action taken.
This could include evidence demonstrating actions such as data collection, testing, reporting, changes
made to documented information, performance and effectiveness of the quality management system.
10.3. Continuous
improvement The intention of this section is to ensure that the organization continually improves the
suitability, adequacy and effectiveness of its quality management system.
Continuous improvement can include actions to increase the consistency of outputs, products and services,
to increase the level of compliant outputs, improve process capability, and reduce process variations. This
is done to improve the organization's performance and benefit its customers and relevant stakeholders.
The organization should consider the results of the analysis and evaluation (see section 9.1.3 of ISO
9001:2015) and the management review (see section 9.3 of ISO 9001:2015) to determine whether action
is necessary. of continuous improvement. The organization should take into account those actions
necessary to improve the suitability, adequacy and effectiveness of the quality management system.
There are several methodologies and tools that the organization can consider to carry out continuous
improvement activities (kaizen). Examples may include, but are not limited to: Six Sigma methodologies;
“Lean” initiatives ; comparative studies with best practices (benchmarking), and the use of self-assessment
models.
Bibliography
[1] ISO 9004, Managing for the sustained success of an organization — Quality management approach
[2] ISO 10001, Quality management — Customer satisfaction — Guidelines for organizational codes of conduct
[3] ISO 10002, Quality management — Customer satisfaction — Guidelines for handling complaints in organizations
[4] ISO 10003, Quality management — Customer satisfaction — Guidelines for conflict resolution external to organizations
[5] ISO 10004, Quality management — Customer satisfaction — Guidelines for monitoring and measurement
[6] ISO 10005, Quality management systems — Guidelines for quality plans
[7] ISO 10006, Quality management systems — Guidelines for quality management in projects
[8] ISO 10007, Quality management systems — Guidelines for configuration management
[9] ISO 10008, Quality management — Customer satisfaction — Guidelines for business-to-consumer electronic
commerce transactions
[10] ISO 10012, Measurement management systems — Requirements for measurement processes and
measurement equipment
[11] ISO/TR 10013, Guidelines for the documentation of quality management systems
[12] ISO 10014, Quality management — Guidelines for achieving financial and economic benefits
[15] ISO 10018, Quality management — Guidelines for the active participation and competence of people
[16] ISO 10019, Guidelines for the selection of quality management system consultants and the use of their
services
[17] ISO 14001, Environmental management systems — Requirements with guidance for their use
[21] ISO/IEC 90003, Software engineering — Guidelines for the application of ISO 9001:2008 to computer software
[22] ISO/IEC/TR 90006, Information technology — Guidelines for the application of ISO 9001:2008 to IT
[24] IEC 60300-1, Reliability management — Part 1: Guidelines for its management and application
[27] Selection and use of the ISO 9000 family of standards, ISO1)
[28]ISO 9001:2015 for Small Enterprises — What to do? Advice from ISO/TC 176, ISO1)
[30]https://committee.iso.org/tc176sc2
[31]https://www.iso.org/tc176/ISO9001AuditingPracticesGroup