NSI Technical Bulletin 0011 Guidance on the implementation of BS EN ISO 9001:2008, the British Standard for Quality management systems 1 of 14

Dated: 28th November 2008

To: All NSI Gold Approved Organizations and Applicants for NSI Gold Approval where the scheme requires a Quality management systems standard to be implemented and maintained that is compliant with BS EN ISO 9001.

TECHNICAL BULLETIN No. 0011

Guidance and clarification of NSI requirements for the implementation of BS EN ISO 9001:2008, the British, European and International Standard for Quality management systems – Requirements (Supersedes BS EN ISO 9001:2000)

BS EN ISO 9001:2008 shows a publication date of the 15th November 2008 and is now available through licensed outlets including NSI, who can supply copies at a discounted rate. The 2008 edition will now be applied to all NSI Gold schemes where the scheme criteria require compliance with BS EN ISO 9001 as a condition of NSI approval. The Standard will be applied with immediate effect, subject to the additional clarifications and guidance within this Technical Bulletin.

Implementation timescale for new Applicants

With immediate effect new Applicants will be audited against the 2008 Edition and any Improvement Needs recorded against clauses of the Standard will have to be satisfactorily addressed before approval can be granted. Existing certificates issued against BS EN ISO 9001:2000 will be valid for a maximum period of 24 months from the date of issue of the 2008 edition, i.e. they will cease to be valid after the 14th November 2010.

Implementation timescale for existing Approved Organizations

Organizations already approved by NSI to the 2000 edition will be expected to update to the 2008 edition by the time of their three-yearly re-certification audit, provided the due date for the re-certification audit is within the maximum transition period of 24 months, i.e. the transition period ends on the 14th November 2010.

Where the next three-yearly re-certification date falls after the 14th November 2010, NSI approved companies will be required to update to the 2008 edition by the time of their last scheduled surveillance audit before the 14th November 2010.

Note: Although the International guidance for transition to the 2008 edition of BS EN ISO 9001 does allow BS EN ISO 9001:2000 certificates to be re-issued for up to 12 months after the date of issue of the 2008 edition, they will only be valid until the 14th November 2010. It is not envisaged that any company would wish to receive a new certificate referencing BS EN ISO 9001:2000 as this would highlight that the company has not updated, particularly as there are no fundamental changes to the Standard.

Certificates for existing NSI Approved Organizations will be updated as and when compliance with the new edition is demonstrated. If Improvement Needs are raised against BS EN ISO 9001:2008 on the re-certification audit or the last surveillance audit prior to the end of the transition period, new certificates shall only be issued when it is verified that suitable corrective and preventive action has been taken and the Improvement Need has been eliminated or reduced to an Improvement Observation.

SUMMARY OF KEY CHANGES (Highlighted under the clauses of the new Standard)

Comments under each clause of BS EN ISO 9001:2008 consist of a summary of the changes when compared with the corresponding clause within BS EN ISO 9001:2000 and, where relevant, specific NSI requirements are also detailed. Where the actual wording is quoted it is reproduced in bold text. Where it is considered relevant to further clarify the specified requirement, additional guidance is included in italics.
It is not, however, the intent of NSI to only impose its own recommended methods of compliance with specified requirements and the NSI will give full consideration to any alternative methods of achieving compliance with specified requirements.

FOREWORD

This section makes it clear that the Standard has been amended to clarify points in the original text and to enhance its compatibility with BS EN ISO 14001:2004, the Environmental management systems standard. As the re-issued Standard has introduced no fundamentally new requirements, an annex B is referenced and included which details all the text amendments. It is not therefore the intent of this Technical Bulletin to further highlight all text changes but to concentrate upon those that impact most on auditing practice and the structure and composition of a QMS (Quality Management System) designed to demonstrate compliance with BS EN ISO 9001.

INTRODUCTION

0.1 GENERAL

In light of the intent to enhance the compatibility with BS EN ISO 14001:2004, the factors that can influence an organization’s QMS now include: “its organizational environment, changes in that environment and the risks associated with that environment”.

The statement “that it is not the intent of the Standard to imply uniformity in the structure of quality management systems or uniformity of documentation” is given more emphasis as a new paragraph. NSI shall continue to accept any format or structure of QMS provided that it can be demonstrated that it addresses all requirements of the Standard. In this respect, if a QMS is not directly aligned with the clauses of the Standard, the Quality Representative shall maintain a matrix showing where each clause of the Standard is addressed.

Use of the Standard now includes assessment of an organization’s ability to meet “statutory requirements applicable to the product” (expressed as legal requirements in the scope of the Standard – section 1.1). NSI, as a UKAS (United Kingdom Accreditation Service) Accredited Certification Body, should not recommend approval to BS EN ISO 9001 if there are known breaches of legal requirements that directly relate to the product or service supplied. For example, it would not be appropriate to certificate a Guarding Company if its security guards were not licensed with the SIA (Security Industry Authority).

For Environmental Management Systems Certification to BS EN ISO 14001:2004 it is a specific requirement to maintain a register of applicable legislation and evaluate compliance with the same. Although this is not a specific requirement of BS EN ISO 9001:2008, NSI now strongly recommend that a similar approach is followed. We also expect that compliance with legal requirements is added to the agenda for management review.

0.2 PROCESS APPROACH

In the second paragraph the term “identify” has now been replaced by the term “determine”. The Standard also now refers to the possibility of having a “set of activities” as distinct from only “an activity”. The description of the process approach now includes “produce the desired outcome”.

0.3 RELATIONSHIP WITH ISO 9004

The first paragraph does not now refer to ISO 9001 and ISO 9004 being “a consistent pair” and makes it clear that although they have been designed to complement each other, they can be used independently.

The third paragraph has been reworded and now reads: “At the time of publication of this International Standard, ISO 9004 is under revision.
The revised edition of ISO 9004 will provide guidance to management for achieving sustained success for any organization in a complex, demanding and ever changing, environment. ISO 9004 provides a wider focus on quality management than ISO 9001; it addresses the needs and expectations of all interested parties and their satisfaction, by the systematic and continual improvement of the organization’s performance. However, it is not intended for certification, regulatory or contractual use.”

0.4 COMPATIBILITY WITH OTHER MANAGEMENT SYSTEMS

The first paragraph has been reworded and now reads: “During the development of this International Standard, due consideration has been taken of the provisions of ISO 14001:2004 to enhance the compatibility of the two standards for the benefit of the user community. Annex A shows the correspondence between ISO 9001:2008 and ISO 14001:2004”

1. SCOPE

Note 1 in relation to the term product now includes item: b) any intended output resulting from the product realization processes.

The above inclusion makes it clearer that a product can also be a service supplied.

Note 2 has been added and now reads: Statutory and regulatory requirements may be expressed as legal requirements.

1.2 Application

No change.

2. NORMATIVE REFERENCE

The reference to ISO 9000 Quality Management Systems – Fundamentals and vocabulary has been updated to reflect the 2005 edition.

3. TERMS and DEFINITIONS

The self-explanatory supply chain reference has been deleted and the section now simply states: “For the purposes of this document, the terms and definitions given in ISO 9000 apply.”

4 QUALITY MANAGEMENT SYSTEMS

4.1 General requirements

“Where applicable” is added to clause e), the requirement to monitor, measure and analyse the processes needed for the QMS, and “analysis and improvement” is now included in note 1 as a required process.

Whether processes need to be constantly measured or monitored has always been a judgement to be made by the organization and the NSI Inspector. For example, it would be deemed necessary to actively monitor and measure the effectiveness of a security screening process when this is carried out by a central department in a large organization that has a fairly constant turnover of staff. Whereas, for example, in a small family-run security systems business that only recruits one or two individuals a year, it will be sufficient to just periodically internally audit the process.

There has always been a requirement to analyse data and strive for continual improvement but it is now more clearly referenced as a required process. Organizations sometimes state that their improvements arise solely from the identification of nonconformity and the resultant corrective and preventive action. However, there may be opportunities to further improve the effectiveness of the QMS by considering the data obtained from the methods used to measure and monitor the process even if conformity is indicated on internal and external audit etc. NSI Inspectors will therefore continue to look for evidence that the management review process has some focus on continual improvement, not just as a consequence of actions taken against identified non-conformity.

Two new notes have been added with respect to “outsourced processes” as follows:

Note 2: An “outsourced process” is a process that the organization needs for its quality management system and which the organization chooses to have performed by an external party.

Note 3: Ensuring control over outsourced processes does not absolve the organization of the responsibility of conformity to all customer, statutory and regulatory requirements. The type and nature of control to be applied to the outsourced process can be influenced by factors such as:

a) the potential impact of the outsourced process on the organization’s capability to provide product that conforms to requirements;
b) the degree to which the control for the process is shared;
c) the capability of achieving the necessary control through the application of 7.4

Outsourcing of processes (or subcontracting as it is often referred to) is still an integral part of the new standard but it is now clearly spelt out that it does not absolve the organization of the responsibility of conformity to all customer, statutory and regulatory requirements. Note 3 references some useful pointers when deciding what level of control to exercise over the outsourced process. Organizations also need to be conscious of the individual scheme requirements; for example, on the NACOSS Gold scheme, outsourcing of maintenance is not permitted in order to satisfy ACPO (Association of Chief Police Officers) requirements.

4.2 Documentation requirements

4.2.1 General

Documents and records have always been required as part of the QMS but the text has been modified to improve the clarity. An interesting note is then added to indicate that “A single document may address the requirements for one or more procedures.
A requirement for a documented procedure may be covered by more than one document.”

There have been cases in the past where Inspectors have taken a view that a separate documented procedure is required for clause 8.3 Control of nonconforming product and clause 8.5.2 Corrective action, but the revised text makes it much clearer that this was never the intent of the Standard and a combined procedure is perfectly acceptable provided it still effectively addresses both clauses.

4.2.2 Quality Manual

No change.

4.2.3 Control of documents

Item f) has been re-worded in order to clarify the documents of external origin that need to be controlled and now reads “to ensure that documents of external origin determined by the organization to be necessary for the planning and operation of the quality management system are identified and their distribution controlled.”

This obviously includes the prime standards that an organization is audited against, and the documented procedure that is still required shall give details to show how the organization keeps abreast of revisions/amendments to the required external standards or documents.

4.2.4 Control of records

This clause has been slightly reworded but there is no change to the actual requirements.

5. MANAGEMENT RESPONSIBILITY

No change to sub-paragraphs 5.1 to 5.5.1 inclusive.

5.5.2 Management representative

The first paragraph has been reworded to make it clearer that the management representative appointed by top management must be a member of the organization’s management.
This makes it much clearer that it is not normally acceptable to appoint a subcontract quality consultant as the management representative unless there is a clear on-going contract which gives him/her the necessary responsibilities and authorities required by clause 5.5.2 and for all practical purposes they are almost regarded as a part-time employee. There would however be no problem in utilising a consultant for, say, internal auditing, provided a member of the organization’s management retains the overall responsibility.

The definition as to who is top management often requires clarification, particularly in relation to the management review process in large PLCs. Each case has to be reviewed on its own merits and, provided issues are clearly cascaded up to director level and decisions cascaded down, it may not always be necessary for all Directors to be present at the management review meetings. If Directors with ultimate responsibility for certain key processes do not actively participate in management review meetings then, when interviewed on an actual audit, they should demonstrate awareness of significant issues raised at the management review meetings.

5.5.3 Internal communication

No changes.

5.6 Management review

5.6.1 General

No change but see comments under the above clause 5.5.2.

5.6.2 Review Input

No change.

5.6.3 Review Output

No change.

6. RESOURCE MANAGEMENT

6.1 Provision of resources

No change.

6.2 Human Resources

6.2.1 General

In the first paragraph the term “product quality” has now been replaced by the term “conformity to product requirements” and a note added that reads: “Conformity to product requirements may be affected directly or indirectly by personnel performing any task within the quality management system.”

This is perhaps a useful reminder that ultimate customer satisfaction and compliance may still be affected by personnel who are not involved directly with the product or services supplied and are part of the company’s infrastructure.

6.2.2 Competence, training and awareness

In item a) the term “product quality” has been replaced by the term “conformity to product requirements”.

The significant change however relates to item b) which now reads “where applicable, provide training or take other actions to achieve the necessary competence”.

The above reworded clause makes it much clearer that competency is not simply achieved by providing some training. The fact that someone receives training is not and never has been a guarantee that they have fully absorbed all the training and that thereafter they will demonstrate complete competency in carrying out the relevant tasks. The whole issue of competency has now finally been given more focus in terms of any accredited certification and management systems requirements, whatever the discipline.

Organizations should think in terms of requirements for initial competence for new recruits or personnel assigned to a new role and on-going competence thereafter. For new recruits it makes sense to have a defined process for achieving competence that links to the successful completion of any probationary period, and for existing staff it will be provided through inputs from monitoring and measurement, internal audit, normal supervision, satisfactory completion of training etc., which are often brought to a conclusion in conjunction with a system of periodic employee appraisal.

One of the better ways to deal with the whole issue of competency is first of all to develop job descriptions that reference or include a person specification for every identified role or function in the organization. New recruits can then be matched against the person specification, which ideally should include the qualifications and experience required but also the specific skills or attributes that the individual would normally require. Any mismatch can then highlight any further required training.

Training given can be external or internal (on-the-job or in a classroom environment) but in each case organizations should not lose sight of the need to assess competence. For external courses it may be partially achieved by successfully passing a particular examination, and for aspects that are mainly covered by on-the-job training it may be achieved by the supervisor sitting down with the individual and witnessing relevant tasks carried out. Either way it is important to have some record to show how competency was determined.

Do not however assume that specific training is required for all tasks carried out; some may be so straightforward and the process so self-explanatory that simply recruiting someone at the right level of academic achievement or experience may be all that is necessary. The key factor here would be ‘is the lack of any formal training having any adverse impact on the process or the ultimate product quality’.

6.3 Infrastructure

Item c) now includes information systems as part of supporting systems that may need considering as part of the organization’s infrastructure.

6.4 Work environment

A note has been added to clarify the term work environment as follows: The term “work environment” relates to conditions under which work is performed including physical, environmental and other factors (such as noise, temperature, humidity, lighting, or weather).

A useful clarification and perhaps a reminder that employers have a duty of care to provide a safe work place and, where appropriate, minimise any risk by applying suitable control measures and, where relevant, issuing PPE (Personal Protective Equipment). Organizations should also be aware that working in abnormal conditions may be counterproductive in terms of product or service quality.

7. PRODUCT REALIZATION

7.1 Planning of product realization

No significant change but the term “measurement” is now included in item c) and in item d) the term “meet requirements” replaces “criteria for product acceptance”.

7.2 Customer-related processes

7.2.1 Determination of requirements related to the product

No significant change to the requirements that organizations shall determine except that there is a new note on post delivery activities, as follows: “Post delivery activities include, for example, actions under warranty provisions, contractual obligations such as maintenance services, and supplementary services such as recycling or final disposal.”

On some NSI schemes, e.g. NACOSS Gold and Systems Silver, approved organizations provide both an installation and maintenance service and there are already specific requirements that must be satisfied for the maintenance activities. The note is a useful reminder on other schemes that maintenance activities carried out as part of the contract or as a separate contract should be included in the QMS.

The reference to recycling or final disposal is a useful pointer to the increasing raft of environmental legislation that applies to organisations whether or not they choose to implement an Environmental Management System. For example, electronic and electrical equipment can no longer be dumped to landfill (the WEEE regulations apply) and manufacturers of certain types of equipment are obliged to have or participate in a take back scheme for the old equipment.

7.2.2 Review of requirements related to the product

No change.

7.2.3 Customer communication

No change.

7.3 Design and development

7.3.1 Design and development planning

No change except for the addition of the following self-explanatory note: “Design and development review, verification and validation have distinct purposes. They can be conducted and recorded separately or in any combination as suitable for the product and the organization.”

7.3.2 Design and development inputs

No significant change.

7.3.3 Design and development outputs

No significant change but a new note has been added as follows: “Information for production and service provision may include details for the preservation of product”

7.3.4/5/6 Design and development review, verification and validation

No change.

7.3.7 Control of design and development changes

No significant change but paragraphs have been merged.

7.4 Purchasing

No changes to any of the sub-clauses.

7.5 Production and service provisions

7.5.1 Control of production and service provision

No significant change.

7.5.2 Validation of processes for production and service provision

Minor rewording but no significant change.

7.5.3 Identification and traceability

No significant change but the need to “maintain records” is given more emphasis.

7.5.4 Customer property

The only significant change is that “personal data” is now included as relevant customer property.

7.5.5 Preservation of product

Some minor rewording but no significant change.

7.6 Control of monitoring and measuring equipment

The term “devices” has been replaced by the term “equipment” in the first paragraph.

Item a) now states that measuring equipment shall be calibrated or verified, or both.

Item c) has been reworded (although the meaning has not changed) and now reads “have identification in order to determine its calibration status;”

A note has also been added as follows: “Confirmation of the ability of computer software to satisfy the intended application would typically include its verification and configuration management to maintain its suitability for use”

8. MEASUREMENT, ANALYSIS AND IMPROVEMENT

8.1 General

No significant change.

8.2 Monitoring and measurement

8.2.1 Customer satisfaction

A self-explanatory note has been added to provide examples of how customer satisfaction data could be collected and reads as follows: “Monitoring customer perception can include obtaining input from sources such as customer satisfaction surveys, customer data on delivered product quality, user opinion surveys, lost business analysis, compliments, warranty claims and dealer reports.”

8.2.2 Internal Audit

Although editorial changes have been made, the requirements are essentially unchanged for this activity.

UKAS rules for Accredited Certification indicate that any organization approved to BS EN ISO 9001 should be capable of identifying for itself its own nonconformity. This emphasises the importance of conducting in-depth and effective audits in accordance with a detailed documented procedure.

8.2.3 Monitoring and measurement of processes

“As appropriate” has been added to the end of the paragraph on correction and corrective action, when planned results are not achieved.

A note has also been added as follows: “When determining suitable methods, the organization should consider the type and extent of monitoring or measurement appropriate to each of its processes in relation to their impact on the conformity to product requirements and on the effectiveness of the quality management system.”

Clause 4.2.2 of the Standard requires a description of the interaction between the processes of the QMS to be produced and it has previously been recommended that an overall process flowchart be produced that distinguishes between core and support processes. By definition some of the support processes may not have the same impact on conformity to product requirements or the overall effectiveness of the QMS. Distinguishing between core and support processes may assist with the deliberations as to the necessary level of monitoring and measurement. For example, purchasing in an organization supplying door supervisors would be far less important than purchasing in an organization that designs, installs and commissions complete security systems.

8.2.4 Monitoring and measurement of product

The third paragraph has been slightly reworded and now reads: “The release of product and delivery of service to the customer shall not proceed until the planned arrangements (see 7.1) have been satisfactorily completed, unless otherwise approved by a relevant authority and, where applicable, by the customer.”

Normally the relevant authority will be the nominated person within the organization who has the defined responsibility to confirm that the product or service meets all the specified requirements.

8.3 Control of nonconforming product

“Where practicable” has changed to “where applicable” in terms of the listed ways of dealing with nonconformity, and the requirement relating to discovery of nonconformity after delivery or use has been brought forward as item d), which reads as follows: “by taking action appropriate to the effects, or potential effects, of the nonconformity when nonconforming product is detected after delivery or use has started”

Nonconformity after delivery or use has started could be detected as part of subsequent maintenance commitments or supervisory visits or as a result of a customer communication or complaint. Regardless of how the subsequent nonconformity is highlighted, the appropriate investigation and corrective and preventive action should be taken as required by clauses 8.5.2 and 8.5.3.

8.4 Analysis of data

No significant change.

8.5 Improvement

8.5.1 Continual Improvement

No change.

8.5.2 Corrective action

Item f) now emphasizes that “the effectiveness of the corrective action” needs to be reviewed as opposed to only reviewing the corrective action.

8.5.3 Preventive action

Item e) now emphasizes that “the effectiveness of the preventive action” needs to be reviewed as opposed to reviewing preventive action only.