National Security Inspectorate
Sentinel House, 5 Reform Road
Maidenhead SL6 8BY
Website: nsi.org.uk
© NSI 2016

Quality Schedule
SSQS 102 – The NSI Quality Schedule for the application of BS EN ISO 9001:2015 to NSI ARC Gold approval
Issue 8.0
6 April 2016

Compliance with BS EN ISO 9001:2015, the British, European and International Standard for Quality Management Systems, is mandatory for any UKAS Accredited Quality Management Systems (QMS) Certification. The Standard can be applied to virtually any organization whether they are manufacturing a product or supplying a service.

NSI ARC Gold approval is for organizations that operate Alarm Receiving Centres (ARCs) providing monitoring services including intruder and hold-up alarms, fire alarms, social alarms, CCTV systems, activations from lone worker devices and Thatcham category 5 after theft systems with vehicle immobilization for vehicle recovery.

NSI ARC Gold is UKAS Accredited for both QMS and Product Certification (PC). Consequently organizations holding ARC Gold approval must demonstrate they operate a QMS effective in supplying monitoring services compliant with the relevant British, European or International Product Standards required by end users and other stakeholders including the police and the insurers.

This Quality Schedule provides guidance and clarification on the application of BS EN ISO 9001 in relation to the relevant Product Standards and the fact the services are provided in a security environment. Consequently compliance with BS EN ISO 9001 and this Quality Schedule is a condition of any ARC Gold approval.

Issue 8 of this Quality Schedule has been issued to reflect changes that have taken place with the introduction of BS EN ISO 9001:2015.

1 Introduction

1.1 The 2015 standard is based on the quality management principles described in ISO 9000, which are customer focus, leadership, engagement of people, process approach, improvement, evidence-based decision making and relationship management. There is a stronger focus on leadership and commitment to the quality management system (see BS EN ISO 9001:2015 Clause 5). The concept of risk-based thinking has been implicit in previous editions of ISO 9001. However the risk-based thinking applied to the 2015 edition has enabled greater flexibility to be applied to the requirements for processes, documented information and organizational responsibilities.

1.2 The requirement for maintaining six documented procedures has been removed and is replaced with a requirement to maintain documented information required by the Standard and retain documented information determined to be necessary to ensure the effectiveness of the quality management system (see BS EN ISO 9001:2015 Clause 7.5).

1.3 The terms ‘documented procedure’ and ‘record’ have been replaced throughout by the term, ‘documented information’. Where BS EN ISO 9001:2008 would have referred to the requirement for ‘documented procedures’, this is now expressed as the requirement to ‘maintain’ documented information. Where BS EN ISO 9001:2008 would have referred to ‘records’ this is now expressed as the requirement to ‘retain’ documented information.

Documented information required by the 2015 standard includes: (1) the scope of the quality management system, (2) information necessary to support the operation of processes, which will probably require maintained information (documented procedures) and retained information (records), (3) the quality policy and (4) where appropriate organizational knowledge.

More detailed information on the structure, terminology and concepts introduced by the new standard can be found in BS EN ISO 9001:2015 Annex A.

This Quality Schedule has been produced to clarify and supplement the requirements of BS EN ISO 9001:2015 and provide an agreed basis for audit to ensure that:
a) the ARC/RVRC/SOC is operated by competent and security screened personnel to the appropriate Product Standards and contractual service agreements are fulfilled;
Product Standards for ARCs include BS 5979, or BS 8591 (including the BS EN 50518 series), BS 8243, BS 8418 requirements for “Remote Video Response Centres” (RVRCs), BS 8473, BS 8484, DD 263, Thatcham Category 5 requirements for “Systems Operating Centres” (SOCs), and other relevant standards and codes of practice called up under NSI ARC Gold.
b) there is a commitment to client (contracted party) and customer (end user) satisfaction and continual business improvement derived from the implementation of a QMS designed specifically to meet the needs of the fire and security industries, such needs having been agreed in consultation with insurers, police (NPCC and Police Scotland), fire and rescue services (CFOA), ARCs, trade associations and professional institutions.

1.4 The scope of the organization’s approval is detailed on the NSI Certificate of Approval, and is referenced to this Quality Schedule.

2 Scope

2.1 Compliance with this Quality Schedule is a condition of ARC Gold approval.

2.2 This Quality Schedule sets out the criteria for auditing the QMS of organizations operating ARCs and does not in any way diminish “the NSI Rules of ARC Gold”.

2.3 The full requirements of BS EN ISO 9001:2015 apply and, additionally, you must adhere to the requirements of this Quality Schedule.

2.4 In common with previous practice, this Quality Schedule retains the alignment with the main clause numbers of the BS EN ISO 9001 standard. Certain requirements are included from the ISO standard for emphasis and they do not detract from the need for you to comply with all of the requirements of the ISO standard. Where there are no additional requirements this is stated.

2.5 Requirements of this Quality Schedule you must satisfy are shown in normal text and are further emphasised by the use of “shall” or “must”. Where additional guidance is given it is reproduced in italics and often further emphasised by the use of “may” or “can” within the text.

3 Definitions

In addition to the definitions in BS EN ISO 9000:2015 the following definitions apply:

3.1 Client means person or organization with whom the alarm receiving centre has entered into a contract to provide alarm monitoring services (typically an alarm company)

3.2 Customer means person or organization utilizing the services of an alarm company (typically the end user)

3.3 Security screened means having been adjudged suitable for working in the security systems industry, following completion of security screening
See BS 7858 regarding completion of limited security screening, pending completion of full security screening.

3.4 Sub-contractor means an individual or company external to the organization that enters into an agreement or contract with the organization to supply processes, products and/or services
This definition applies, irrespective of the contractual arrangements or parties involved, to all individuals performing work for your organization who are not staff personnel. BS EN ISO 9001 (see clause 8.4) uses the term “external provider” and this includes “sub-contractors”.

3.5 Staff personnel means the managing partners of the organization, the sole-proprietor of the organization, or (in the case of a limited company) the directors of the organization and employees from whose remuneration the organization deducts Income Tax and National Insurance contributions.

4 Context of the organization

4.1 Understanding the organization and its context

No additional requirements apply to this clause of BS EN ISO 9001:2015.

4.2 Understanding the needs and expectations of interested parties

No additional requirements apply to this clause of BS EN ISO 9001:2015.

4.3 Determining the scope of the quality management system

Whilst there is no requirement in BS EN ISO 9001:2015 to hold a quality manual there is a requirement to maintain documented information that describes the scope of the QMS. When determining the scope the following must be considered:
a) the internal and external issues affecting the QMS (clause 4.1),
Issues to consider are for example, changes in technology, the introduction or changes to standards, new legislation and personnel changes.
b) the requirements of any relevant interested parties affecting the QMS (clause 4.2),
Interested parties may include shareholders, trade bodies, certification bodies, police forces and insurers.
c) the organization’s products and services affected by the QMS, and
d) any justifications where the organization has determined that requirements of the standard are not applicable to the scope of the QMS (clause 4.3).

When determining the scope of the QMS to meet the requirements of BS EN ISO 9001:2015 organizations may omit ANY requirement, which is not applicable to the determined scope of the quality management system and does not affect the organization’s ability or responsibility to ensure the conformity of its products and services and the enhancement of customer satisfaction.

Where an organization determines that a specific requirement does not apply to the scope of their QMS the justification is to be included within the scope of the QMS. However clause 8.3 of this Quality Schedule does not allow certain aspects of design and development to be excluded.

4.4 Quality management system and its processes

No additional requirements apply to this clause of BS EN ISO 9001:2015.

5 Leadership

5.1 Leadership and commitment

5.1.1 General

No additional requirements apply to this clause of BS EN ISO 9001:2015.

5.1.2 Customer focus

No additional requirements apply to this clause of BS EN ISO 9001:2015.

5.2 Policy

5.2.1 Establishing the quality policy

In addition to the requirements of this clause of BS EN ISO 9001:2015, your Quality Policy must include a commitment to comply with this Quality Schedule, with industry agreed Product Standards including Codes of Practice, police force policies on response to security systems (NPCC and Police Scotland) and applicable legal requirements.

Accredited Certification Bodies (CBs) for any management systems certification must comply with UKAS requirements to withhold or withdraw approval from companies if any breaches of applicable legislation are found. This is reflected in BS EN ISO 9001:2015 where an organization is required to identify and comply with all relevant statutory requirements applicable to product(s) and/or service(s) provided (also expressed as legal requirements).

NSI, as a United Kingdom Accreditation Service (UKAS) accredited CB, does not recommend approval (or continued approval) to BS EN ISO 9001 if there are known breaches of legal requirements that relate directly to the product or service provided.

You must include a commitment in your Quality Policy that it is your intention to comply with applicable legal requirements and periodically to evaluate compliance with the same as an input to management review. Appropriate management must also demonstrate they are generally aware of the prime legislation that impinges on their area of responsibility and authority.

For example if an ARC manager had no understanding of the legislation relating to data protection and was not aware of their obligations under the Data Protection Act then it could hardly be argued they are competent to perform their duties.
This would not only be an issue in terms of the potential for legal nonconformity, but also in terms of compliance with clause 7.2 Competence.

5.2.2 Communicating the quality policy

No additional requirements apply to this clause of BS EN ISO 9001:2015.

5.3 Organizational roles, responsibilities and authorities

As detailed within the ISO 9001 Standard, you must ensure that responsibilities and authorities for relevant roles within your organization are assigned, communicated and understood within the organization.

The size and complexity of an organization has a bearing on how such responsibilities and authorities are assigned and communicated. In large organizations with various departmental interfaces it may be necessary to create job descriptions, schedules of key personal responsibilities and/or to include this within other documented information to ensure responsibilities and authorities are effectively communicated. In smaller organizations, provided management and staff can demonstrate on interview a common understanding of everyone’s prime responsibilities and authorities, it may not be necessary to have them fully documented.

Notwithstanding the above, ARC Gold specifically requires certain responsibilities for nominated designers to be clearly assigned. See clause 8.3 on design and development of products and services.

BS EN ISO 9001:2008 required that an individual from within the organization’s management team be nominated to act as the Quality Management Representative (QMR). The 2015 revision does not make the appointment of a QMR a specific requirement but there remains a need for top management to assign the responsibility and authority for maintaining the quality management.
Whilst this does not forbid the organization from appointing a sub-contracted quality consultant into this role, top management within the organization must consider the risks associated with managing the appointment in this way and identify the means to mitigate the potential impact.

6 Planning

6.1 Actions to address risks and opportunities

No additional requirements apply to this clause of BS EN ISO 9001:2015.

6.2 Quality objectives and planning to achieve them

No additional requirements apply to this clause of BS EN ISO 9001:2015.

Examples of Quality Objectives to be considered include:
- reduce customer complaints
- improve complaint handling times
- increase customer satisfaction
- improve alarm handling response times
- improve effectiveness of corrective actions

6.3 Planning of changes

No additional requirements apply to this clause of BS EN ISO 9001:2015. However, the following are examples of situations where changes to the quality management system should be considered:
- acquisitions and joint ventures
- introduction of new technologies
- organizational restructuring
- use of sub-contractors

7 Support

7.1 Resources

7.1.1 General

Whilst you must maintain adequate security screened and competent resources, you may not always be able to provide a complete service using your staff personnel and may have to use sub-contractors. Clause 8.4.1 of BS EN ISO 9001:2015 requires you to be able to demonstrate you have established criteria for selection, evaluation and re-evaluation of suppliers of both product and services including sub-contractors.

7.1.2 People

A condition of approval under ARC Gold is that all personnel (directors and staff and so on) in “relevant employment” (as per the definition in BS 7858) are security screened in accordance with BS 7858.

Personnel who have been recruited prior to 1 January 2007 and who have been security screened to earlier editions of BS 7858 will not necessarily have always been subjected to a financial history or criminality check. This is acceptable and it is not our policy that organizations should subject existing security screened staff to the additional checks, unless information is received that suggests there are reasons to do so.

You must not allow any sub-contractors or agency staff in relevant employment to have access to confidential information about a customer, their premises, their property, or about any security system, until they have been security screened.

Where limited security screening of an individual in accordance with BS 7858 has been completed sufficient for commencement of conditional employment, and full security screening is in progress but is not yet completed, such an individual may be treated for the purposes of this Quality Schedule as having been security screened. However this temporary concession on employment must not extend beyond the limited time period allowed in BS 7858 for completion of full security screening.

Where you allow a third party company to have access to customer details (for example to maintain your software and/or databases) you do not need to security screen the people in these third party companies provided you have a robust non-disclosure agreement in place with safeguards to ensure the Data Protection Act is complied with.
However you retain responsibility for your decision to allow the exception to security screening being used.

Licensing requirements

We draw your attention to Security Industry Authority (SIA) and Private Security Authority (PSA) licensing requirements in relation to ARCs and other monitoring centres.

7.1.3 Infrastructure

You must ensure the infrastructure is maintained in accordance with BS 5979 or BS 8591 (including the BS EN 50518 series) and all other standards and codes of practice applicable to the monitoring services provided.

7.1.4 Environment for the operation of processes

You must ensure the work environment is maintained in accordance with BS 5979 or BS 8591 (including the BS EN 50518 series) and all other standards and codes of practice applicable to the monitoring services provided.

We draw your attention to the following note in BS EN ISO 9001:2015:
Note: A suitable environment can be a combination of human and physical factors, such as:
a) social (e.g. non-discriminatory, calm, non-confrontational);
b) psychological (e.g. stress-reducing, burnout prevention, emotionally protective);
c) physical (e.g. temperature, heat, humidity, light, airflow, hygiene, noise).
These factors can differ substantially depending on the products and services provided.

7.1.5 Monitoring and measuring resource

As part of the equipment checks given in BS 5979 and BS 8591 (including the BS EN 50518 series), timing devices essential for monitoring services (for example clocks in timing recording and logging equipment) must be calibrated daily. The “Speaking Clock” may be used as the time source, though other time reference devices may be used provided calibration is traceable to a National Standard.
If you engage sub-contractors to maintain equipment you must make sure all measuring devices are and remain appropriately calibrated and be able to provide us with evidence this is so.

7.1.6 Organizational knowledge

No additional requirements apply to this clause of BS EN ISO 9001:2015.

7.2 Competence

The requirements for competency in clause 7.2 of BS EN ISO 9001:2015 state “The organization shall determine the necessary competence of person(s) doing work under its control that affects its quality performance”.

It is not our intention to be too prescriptive regarding how such competency should be demonstrated, but this and the following clause suggest it is useful in most organizations to develop job descriptions for each identified role and include them in a person or job specification which can detail the required level of qualifications, experience, skills, attributes and so on that an ideal job holder should have. Reviewing candidates against the person or job specification then enables an organization to demonstrate it does endeavour to recruit the right people for each identified role in the organization.

BS EN ISO 9001:2015 states “The organization shall ensure that these persons are competent on the basis of appropriate education, training or experience”.

The above text makes it much clearer that competency is not achieved just by providing training. The fact someone receives training does not guarantee they will be competent in carrying out their duties and therefore there has to be a system for confirming competency. Again it is not our intention to be too prescriptive, but we suggest you should consider a probationary period for all new employees and review their competency formally before granting confirmed employment. The objective here is to identify and address any areas where competency is not immediately indicated and which could indicate a need for further training and/or development in the role.
Thereafter, you should have a process of verifying on-going competency which could include feedback from internal and external audit, formal staff appraisal/evaluation and so on.

BS EN ISO 9001:2015 states “The organization shall, where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken” and “The organization shall retain appropriate documented information as evidence of competence”.

You must retain appropriate documented information to evidence the competence of your people.

In determining and being able to demonstrate the availability of the necessary competence within your organization a training programme must be established that includes, where relevant:
- a minimum period of training for all ARC operators (see BS 5979 and BS 8591) to ensure competence to carry out specified duties
- new equipment and procedures
- emergency (including contingency plan) procedures
- quality procedures and/or documentation appropriate to business processes
- company standards for quality and, in particular, control over requirements
- internal auditing skills

It is not mandatory for personnel to attend external training courses. However, we recommend that selected personnel should attend such courses if the organization does not possess the necessary skills in a given area.

Additionally you must carry out performance assessments for all staff engaged in the operation of the ARC to identify training needs and to verify their competency on an on-going basis.

You must be able to demonstrate the effective operation of the training and performance assessment programme and provide assurance as to who attended the training and what training needs were identified.

7.3 Awareness

No additional requirements apply to this clause of BS EN ISO 9001:2015.

7.4 Communication

No additional requirements apply to this clause of BS EN ISO 9001:2015.

7.5 Documented information

7.5.1 General

No additional requirements apply to this clause of BS EN ISO 9001:2015.

7.5.2 Creating and updating

No additional requirements apply to this clause of BS EN ISO 9001:2015.

7.5.3 Control of documented information

Within the general practices of controlling documented information:
a) you must make provision to list the issue status of external documents including those called up in the Rules of ARC Gold, Police Force Policies (NPCC and Police Scotland), Fire & Rescue Service Policies (including CFOA) and other applicable standards and regulations.
b) you must make provision to list the issue status of internal documents pertinent to your QMS, including procedures, process maps and so on.
c) if documents and records are held electronically, you must observe the following safeguards and protocols:
1) Where a document includes a customer signature, the document must be held electronically as a facsimile copy, including a facsimile copy of the signature. Alternatively, traceability from a customer signature on a hard copy to an electronically held document will be acceptable.
Where documents held electronically require authorization (say customer specification) then issue status must be allocated and access rights controlled by password entry at appropriate levels of authorization.
If you introduce other arrangements, you must demonstrate that the above principles of authorization and agreement are upheld.
It is your responsibility to determine whether specific contractual documents are required legally to be originals.
2) You must have robust and secure backup arrangements and you must keep to these arrangements.
3) You must hold backups of retained information securely (preferably in a fire-resistant container or at a secure off-site location).
We draw your attention to the Data Protection Act (DPA). For companies considering the use of cloud computing services we draw your attention to the Information Commissioner’s Office (ICO) guidance on the use of cloud computing in relation to compliance with the DPA.
4) You must have ready access to all documentation and records for the purposes of our ARC Gold inspections/audits/surveillance visits and so on.
We draw your attention to sub-clause 6.2 of BS 5979: 2007 and Annex B of BS 5979: 2007 regarding remote access to ARC computer systems and data, which call for such access to be restricted and controlled by strict security disciplines.
5) If your approval is to BS 8591 and/or the BS EN 50518 series you must comply with sub-clause 6.2 and Annex B of BS 5979:2007 in respect of remote access to ARC computer systems and data.

Control of retained documents

You must include information security policies for the protection of retained information held on portable electronic devices (such as laptops, tablets, PDAs, memory sticks) and you must ensure your personnel, including any sub-contractors, keep to these policies.

For example devices should be password protected and/or have their hard drives encrypted. Also there should be restrictions on leaving devices unattended in vehicles and/or in premises that are not alarmed.

Contract information

You must maintain a system of uniquely identifying contracts and related documentation to minimise the potential for misfiling and ensure documentation in relation to each contract and the QMS can be readily retrieved.

You must hold records in respect of contracts (including written contracts, written agreements with each client specifying actions to be taken on receipt of alarms, faults or other signals including mis-operation signals and including any reports and so on) for the life of the contract plus a minimum of two (2) years, except where permitted otherwise in the relevant Product Standard.

Certain documents may need to be kept longer to satisfy legal requirements (for example HM Revenue and Customs).

We draw your attention to 6.3.1.3 of BS 5979:2007 regarding contracts with clients. If your approval is to BS 8591 and/or the BS EN 50518 series you must also comply with sub-clause 6.3.1.3 of BS 5979:2007.

Complaint information

You must retain information regarding complaints for the life of the contract plus a minimum of two years and you must ensure this information is readily available to our auditors.

Training information

See BS EN ISO 9001:2015 clause 7.2 for training information.

Security screening information

For security screening information see clause 7.1.2 of this schedule.

8 Operation

8.1 Operational planning and control

You must develop processes for the monitoring of fire and security systems to take account of the need for the QMS to incorporate all the product and regulatory requirements of the industry.

The extent and form of documentation required must take account of the need to provide evidence:
a) that contractual obligations are agreed and understood by all parties
b) any regional requirements are covered (for example NPCC, CFOA, Police Scotland, local police force, local fire & rescue service)
c) ARC actions are consistent with industry standards (including BS 5979 or BS 8591 (including the BS EN 50518 series)), NSI ARC Gold Codes of Practice, and other standards and codes of practice)
d) ARC commissioning processes are in tune with client’s requirements to comply with standard and codes of practice for system installations
e) reports and other agreed information are provided in a timely manner
f) managers and staff are competent in all relevant activities
g) ARC equipment and facilities are able to meet the technical requirements of the industry, including recovery from equipment failures
h) there are contingency plans for incidents involving loss of monitoring services and that these plans are rehearsed
For the purpose of the contingency plan, a back-up centre to BS 8591 Category II (including the BS EN 50518 series) is acceptable for an ARC to BS 5979 Category II, and vice versa.
i) where applicable (for example in relation to monitoring services for intruder alarms complying with BS 7042), there is the ability to sustain monitoring at an alternative wholly independent centre which meets the recommendations for Category II, without interruption of service.
For the purpose of sustaining monitoring at a Category II centre without interruption of service, an alternative wholly independent centre meeting BS 8591 Category II (including the BS EN 50518 series) is acceptable for an ARC to BS 5979 Category II.

The extent and form of documentation required must take account of the need to provide evidence of support services (where provided) in accordance with contractual agreements for client companies including:
- an alarm service technician call-out facility
- a keyholding and response service
- and other support services as agreed with clients.

ARC/RVRC/SOC monitoring services need to be consistent with the specified industry requirements for the types of system being monitored and also with contractual agreements with clients.

As well as BS 5979 or BS 8591 (including the BS EN 50518 series), typical documents that can apply to monitoring services are:
- For intruder and hold-up alarms: BS 8243, BS 8473 and DD 263
- For alarm transmission systems and equipment: BS EN 50136 series
- For social alarms: DD CLC/TS 50134-7
- For lone worker devices: BS 8484
- For after-theft systems with vehicle immobilization for vehicle recovery: Thatcham SOC requirements and BS EN 15213 series
- For detector activated CCTV systems: BS 8418
- For management and operation of CCTV systems: BS 7958

We draw your attention to:
- The Information Commissioner’s Office (ICO) data protection code of practice for surveillance cameras and personal information
- The Home Office Surveillance Camera Code of Practice (POFA Code) issued in relation to the Protection of Freedoms Act 2012
- BSI BIP 0008 series regarding the legal admissibility and evidential weight of information stored electronically.

8.2 Requirements for products and services

8.2.1 Customer communications

The following requirements apply in addition to the requirements of this clause of BS EN ISO 9001:2015.
Management of complaints

You must deal promptly with all complaints and in an appropriate manner including sending the complainant an acknowledgment the matter is receiving timely attention.

You must have a suitable register of complaints, which must include the date of receipt, complainant details, summary of the complaint, and a complaint reference number or code.

You must register all complaints promptly and then investigate and action them at an appropriate level of seniority.

You must find the root causes of complaints so that corrective actions are effective in preventing further occurrences. The decision on the appropriate course of action (or actions) must be documented.

When all reasonable steps have been taken to restore confidence, complaints must be closed down by entering a date of closure in the complaint register.

Complaints must be included in the review of nonconformities (see 9.3.2) and consequently clauses 10.1 and 10.2 of BS EN ISO 9001:2015.

We draw your attention to the guidelines in BS ISO 10002:2014 – Quality management – Customer satisfaction – Guidelines for complaints handling in organizations, including guidance for small businesses given in Annex A of BS ISO 10002:2014.

BS ISO 10002 defines “complaint” as “expression of dissatisfaction made to an organization, related to its products, or the complaints-handling process itself, where a response or resolution is explicitly or implicitly expected”. Such expressions of dissatisfaction could be made in a number of different ways for example in writing, including email, or orally on the telephone.
We draw your attention to the guiding principles given in clause 4 of BS ISO 10002:2014, which are recommended for effective handling of complaints:

- visibility (well publicised information about where to complain)
- accessibility (easily accessible to all complainants)
- responsiveness (immediate acknowledgement and addressed promptly)
- objectivity (equitable, objective and unbiased)
- charges (free of charge)
- confidentiality (protected from disclosure except where consented)
- customer-focused approach (open to feedback and commitment to resolve)
- accountability (for and reporting on the organization’s actions and decisions)
- continual improvement (permanent objective of the organization)

8.2.2 Determining the requirements related to products and services

The following requirements apply in addition to the requirements of this clause of BS EN ISO 9001:2015.

Legislation affecting the quality management system

Clause 8.2.2 of BS EN ISO 9001:2015 makes it clear that statutory and regulatory requirements shall be determined.

With any accredited management system certification there is increasing recognition that certification ought to give a level of assurance that the approved organization is aware of relevant legislation and is essentially compliant.

We recommend you should maintain a consolidated list of the legislation you believe is relevant to your organization (see clause 7.5.1).

The Note in Clause 8.5.5 of BS EN ISO 9001:2015 references that supplementary services such as recycling or final disposal are post-delivery activities and must also be considered.
Standards and codes of practice affecting the quality management system

You must determine the requirements in accordance with BS 5979 or BS 8591 (including the BS EN 50518 series) and any other applicable standards and codes of practice.

Policy in relation to keyholders

You must:

- determine the minimum time period that a keyholder’s telephone is allowed to ring before deeming they are unavailable.
- determine the time interval before any subsequent call is made, how many attempts are to be made and the time period during which attempts are to be made.
- define a documented procedure which operators are to follow where keyholders are deemed to be unavailable.

Leaving a message on a telephone answering machine or with a radio-paging service operator should not be regarded as sufficient. You should normally leave the message, but continue in attempts to contact the keyholder until either contact with a keyholder has been made, or the procedure is exhausted and the keyholder deemed unavailable.

Some customers may wish to nominate different keyholders for non-security alerts (for example freezer alarms). It is recommended that your procedures should make provision for this possibility.

You may wish to include in your procedures provision for the giving of security code words or numbers, so as to protect against certain keyholders being maliciously called out and then subjected to duress.

You must:

- indicate the actions to be taken if a call is answered by a person other than the named keyholder, for example, by domestic helper or a child.
- indicate what actions are to be taken if a telephone line is found to be “engaged”, particularly if an engaged tone is received repeatedly over a significant period of time.
- notify your clients in writing of your policies regarding the calling of keyholders.
- ensure your clients are made fully aware of the keyholding responsibilities for the system being monitored.

Specific keyholder requirements for alarm systems which have an emergency response are specified in the relevant emergency service policy (for example the NPCC policy).

Alarm systems taken off emergency service response

You must document your procedure for dealing with alarm systems taken off emergency service response including the frequency of checks to validate whether they remain off response.

Typically alarm systems taken off police response by the police have a maximum of 6 months to regain police response. However alarm systems may be taken off emergency service response for other reasons including fault investigation.

8.2.3 Review of requirements related to products and services

The following requirements related to contract review apply in addition to the requirements of this clause of BS EN ISO 9001:2015.

a) General

The identity of the persons allocated responsibility and authority to carry out contract reviews must be clearly defined and communicated within the organization (clause 5.3 of BS EN ISO 9001:2015 refers).

b) Review

Reviews must be undertaken:

1) Before submission of any tender or quotation, to confirm the requirements are adequately defined and documented and your organization has the capability and resources to meet the requirements including any statutory and regulatory requirements. For example we draw your attention to Security Industry Authority (SIA) licensing regulations in the United Kingdom and to Private Security Authority (PSA) licensing regulations in the Republic of Ireland.
2) Before transfer of monitoring contracts from another ARC.
3) Before acquisition of monitoring contracts (for example due to takeover of another ARC).
4) After receipt of the client’s reply to any tender or quotation for monitoring service, or on receipt of purchase order, to ensure that any changes requested by the customer are resolved.

There must be evidence, by means such as stamp, signature or email, of all reviews.

You must establish controls to ensure the client is made aware of, and agrees to, the limitation (if any) of the demands of the appropriate technical standard and regulatory requirements of other interested parties (for example local authority, police, fire brigade, insurers).

You must make clear in appropriate documentation whether or not your organization accepts oral confirmation of orders and, if so, your policy must require you to send a written statement to the client stating your understanding of the agreement and confirming that this will be taken as the agreement unless the client notifies otherwise in writing.

c) Amendment to contract

Your procedures must cover the circumstances in which day-to-day requests for changes to monitoring contracts, either written or oral, are reviewed, agreed and recorded. Examples include changes to keyholder information or to times of monitored setting and unsetting.

Your procedures must cover the amendment of client records when the ARC is informed (whether by the client’s customer or by the emergency services) of changes in emergency service response.
You must have provisions in the procedures to the effect that in all cases where such a change is made, otherwise than on the basis of written instructions from the ARC’s client, the ARC promptly notifies the client in writing, confirming the change that has been made and the reasons for the change. Clients may be notified using electronic means provided records are kept and there is ready access to the information.

d) Documented information

You must retain documented evidence of contract reviews for the life of the contract plus a minimum of two (2) years. Certain contract information may need to be held for a longer period to satisfy HM Revenue and Customs and VAT requirements and so on.

e) Customer liaison

You must maintain effective customer liaison through the life of the contract.

8.2.4 Changes to requirements for products and services

No additional requirements apply to this clause of BS EN ISO 9001:2015.

8.3 Design and development of products and services

8.3.1 General

Organizations holding NSI ARC Gold approval must ensure that design and development is carried out in accordance with BS EN ISO 9001:2015. This includes, for example, the building of a new ARC as well as the other examples of design and development listed above.

Organizations applying for NSI ARC Gold approval (which includes certification to BS EN ISO 9001:2015) must provide evidence of having carried out a design review, including any necessary tests and checks, to show the ARC that has resulted from the designing, building and development processes meets the design brief, including compliance with BS 5979 or BS 8591 (including the BS EN 50518 series).
Examples of design and development include the following:

- new monitoring services (for example in response to new customer and / or external body requirements including NPCC, CFOA, Police Scotland).
- new equipment (hardware and / or software) designed and developed by an ARC, on its own or in association with suppliers (see 8.4 of BS EN ISO 9001:2015 with regard to outsourcing).
- configuration of new equipment (hardware and / or software) and the design and development of associated procedures to be applied by human resources in the use of the equipment.
- changes to the construction and facilities of an ARC (for example an extension to the ‘shell’ of the ARC) by an ARC, on its own or in association with suppliers (see 8.4 of BS EN ISO 9001:2015 with regard to outsourcing). This includes any consequences for potential access to new parts of the ‘shell’ of the ARC by the general public.
- Changes to the contingency plan to deal with foreseeable hazards (for example choice of a new standby centre and associated standby procedures).

The application of an existing monitoring service to new clients / customers, also day-to-day changes to monitoring services being supplied, such as alterations to keyholder details, set / unset times and so on, can be considered as part of contract review (see 8.2.3), not design and development.

There will be periods when ARCs are not engaged in design and development.
8.3.2 Design and development planning

We will consider design and development planning arrangements differing from those set out in 8.3.2 below (for any ARC wishing to adopt differing arrangements) provided there is evidence that the arrangements adopted ensure that the provisions of BS EN ISO 9001:2015 and the relevant technical and other standards, codes of practice, legal requirements and so on are met. Any ARC wishing to adopt differing arrangements should write to the NSI office giving details.

You must adopt controls to ensure the appropriate stages of design and development (see 8.3 of BS EN ISO 9001:2015) are followed.

In discharging your responsibility (see 8.3.2 of BS EN ISO 9001:2015) to define the responsibilities and authorities for design and development, and to manage the interfaces between different groups involved in design and development:

a) You must designate one or more suitably competent individual(s) as “Nominated Designer(s)”.
b) Each individual you designate as a “Nominated Designer” must be competent to undertake tasks that include:
   1) acting as the focal point for matters relating to design and development (see 8.3 above);
   2) carrying out design reviews (see 8.3 above);
   3) being conversant with the products and systems specified and assessing the security factors (for example relating to adequacy of monitoring service) influencing the design and development;
   4) being conversant with, and up-to-date in respect of, new technologies, technical standards, regulatory requirements, and national implementation of EU Directives and so on relevant to the design and development process;
   5) ensuring the general content of contracts / written agreements with clients is consistent with the requirements of the applicable technical standards, legal requirements, and NSI Codes of Practice;
   6) being conversant with monitoring service requirements such that specifications for such services are professionally compiled and finalised in a manner giving clear and unambiguous information to clients.

8.3.3 Design and development inputs

No additional requirements apply to this clause of BS EN ISO 9001:2015.

8.3.4 Design and development controls

No additional requirements apply to this clause of BS EN ISO 9001:2015.

8.3.5 Design and development outputs

No additional requirements apply to this clause of BS EN ISO 9001:2015.

8.3.6 Design and development changes

No additional requirements apply to this clause of BS EN ISO 9001:2015.
8.4 Control of externally provided processes, products and services

8.4.1 General

In accordance with clause 8.4.1 of BS EN ISO 9001:2015, you must evaluate and select suppliers (including sub-contractors and companies who provide sub-contract personnel) based on their ability to supply product or service in accordance with your requirements and the requirements of this Quality Schedule, which includes the requirements of the relevant Product Standards.

You must establish criteria for selection, evaluation and re-evaluation of suppliers and retain documented results including any necessary actions arising from evaluation and re-evaluation.

8.4.2 Type and extent of control

You can use sub-contractors for any part of the service subject to compliance with BS EN ISO 9001:2015 and the requirements of this Quality Schedule, which includes the requirements of the relevant Product Standards (such as BS 8243, BS 8247, DD 263 and BS EN 50136).

You must:

a) Maintain a register of all sub-contractors, which must clearly show the services they can supply;
b) Retain documented information clearly stating the basis of selection of all sub-contractors;
c) Conclude formal agreements that adequately cover the services to be provided and make it clear, where relevant, services can only be delivered by named individual sub-contractors who have been security screened and whose competency is demonstrated;
d) Audit and monitor sub-contractors on the same basis as staff personnel;
e) Brief sub-contractors on the organization’s policies, processes, work instructions and documented information to be completed to verify completion of assigned tasks or service delivery;
f) Retain overall responsibility for all sub-contracted services;
g) Allow us to have the right to audit the work carried out by sub-contractors and interview such sub-contractors to confirm their competence;
h) Retain sufficient in-house expertise, if design and development is sub-contracted, to enable you to verify design specifications and requirements.

If you carry out component and equipment repairs, you must carry out these repairs in accordance with UK Regulations covering Electromagnetic Compatibility and then only if you are the component manufacturer, the manufacturer’s appointed repair agent, or you have a facility that has been assessed satisfactorily against BS EN ISO 9001 (or an equivalent specification) by a recognised, third-party certification body.

8.4.3 Information for external providers

No additional requirements apply to this clause of BS EN ISO 9001:2015.

8.5 Production and service provision

8.5.1 Control of production and service provision

In determining the statutory and regulatory requirements applicable to the organization’s products and services you must also be aware of the statutory and regulatory requirements that apply to the infrastructure and environment supporting your operations.

For example, within an ARC/RVRC there might be the need to control the use and storage of fuel for standby generators. A failure in these control measures, which results in an illegal discharge of fuel, may lead to prosecution under Environmental Permitting Regulations or Control of Pollution (Oil Storage) Regulations. As these are potential risks to the operation of the business they should be considered when addressing risks to the business (see BS EN ISO 9001:2015, clause 6.1.1).
8.5.2 Identification and traceability

The status of all monitored events (those for which the ARC is contracted to provide monitoring services) must be identified and recorded from the time of receipt at the ARC through to the time information is passed to the appropriate recipient (emergency services, users, keyholders, clients, customers) and / or recorded.

Unless clients impose special contractual conditions, your procedures must reflect the extent of traceability achieved through use of Unique Reference Numbers (URNs) and security code words or numbers used by ARC operators when making calls to emergency services, fire and security system users / keyholders and any other appropriate persons.

8.5.3 Property belonging to customers or external providers

BS EN ISO 9001:2015 includes a note to remind organizations that “A customer’s or external provider’s property can include materials, components, tools and equipment, premises, intellectual property and personal data”.

An example of customer property might include receiving centre equipment on hire or lease from suppliers.

8.5.4 Preservation

It is important you should follow manufacturers’ instructions particularly in relation to the handling of electronic media and the use of electronic components sensitive to electrostatic charge.

8.5.5 Post-delivery activities

No additional requirements apply to this clause of BS EN ISO 9001:2015.

8.5.6 Control of changes

No additional requirements apply to this clause of BS EN ISO 9001:2015.

8.6 Release of products and services

No additional requirements apply to this clause of BS EN ISO 9001:2015.
8.7 Control of nonconforming outputs

Documented information for the control of nonconforming process outputs, product and services must provide for identification of:

- alarms and/or monitored events processed incorrectly
- defective equipment and components
- shortfalls in resources (people and equipment)
- non-compliances identified against BS 5979 or BS 8591 (and all other relevant standards)
- any other type of nonconforming product as determined by the organization

A process should be in place to ensure customers are informed in writing of any known change to the level of response afforded to a monitored system.

Means for identifying nonconforming product may be found in other parts of the QMS, for example through technical auditing of systems and through investigation of customer complaints. Corrective action forms under a corrective action process may be used as a means for documenting the existence of nonconforming product and ensuring appropriate corrective action is taken.

9 Performance evaluation

9.1 Monitoring, measurement, analysis and evaluation

9.1.1 General

You must have a process for the management of complaints (see also clause 8.2.1). This process must cover all complaints whether they are from directly contracted customers or from stakeholders including the police and the insurers. This process (or a separate one) must also cover situations where we contact you about a complaint made to us about your organization.

The process for management of complaints can be included in the processes for the control of nonconforming product (see 8.7) or can be a stand-alone process.

9.1.2 Customer satisfaction

You must monitor customer perceptions of the degree to which requirements have been met.
Sources of information on customer perception could include:

- the outcome of customer satisfaction surveys
- the number of sales arising from recommendations
- the number of monitoring contracts
- the number of systems monitored
- number of alarms or events processed incorrectly
- complaints against your organization
- letters of commendation received from satisfied customers
- other sources as determined by you

The maintenance of good relationships with customers is a significant factor affecting the success and growth of any business. Concern for the customer should be part of the overall business strategy. You should set out to avoid complaints. When complaints do occur, the objective should be to come out of each situation with a strengthened relationship with whoever is complaining.

9.1.3 Analysis and evaluation

Your analysis of data must include provision of information relating to:

- customer satisfaction (see clause 9.1.2)
- external suppliers of products and services (see clause 8.4)
- core business processes

In relation to ARC response to incoming signals, you must provide separate performance analyses in respect of fire alarms, hold-up alarms, intruder alarms, social alarms, lone worker alarms, after-theft systems for vehicle recovery, and response to CCTV events, according to the scope of ARC Gold approval held. These performance analyses must also form part of the Management Review.

Where there are written agreements with clients stating procedural steps to be taken by the ARC before action is taken to establish communications with the control room of an appropriate emergency service, such clients may request particular reports of performance as detailed in contracts.
In relation to customer satisfaction, you must analyse the causes of complaints. The analysis must form part of the input to management review (see clause 9.3.2). The main purpose of the analysis is to assist you in deciding on appropriate corrective action with a view to improving customer satisfaction and reducing future incidence of complaints.

The following analysis of rectified complaints by ‘cause code’ is suggested:

- unsatisfactory service (relating to handling alarms and other signals)
- disputed fees
- failure to meet contractual requirements
- lack of timely response to enquiries and complaints
- behaviour of ARC personnel
- behaviour of sub-contractors (if used)
- accounts dispute (not emanating from one of the items listed above)
- other (use text)

You must examine causes of complaints at appropriate intervals and make (and record) suitable decisions or recommendations regarding corrective action (for example in relation to common causes of complaint).

9.2 Internal audit

As well as meeting the requirements of BS EN ISO 9001:2015 for internal auditing, ARCs are reminded that BS 5979 calls for documented audits at periods not exceeding six months. BS 8591 calls for audits of all procedures at periods not exceeding 12 months.

Your capability to monitor standards of monitoring service is an auditable element of ARC Gold and you must be able to demonstrate you are capable of identifying all your own nonconformities.

9.3 Management review

9.3.1 General

The general requirements set out in clause 9.3.1 of BS EN ISO 9001:2015 apply.

We recognise there are different views as to who are the top management personnel who should carry out the management review.
Each case has to be considered on its own merit, particularly in large multi-layered organizations such as PLCs. For example it may not be practical or necessary for all Directors to be present at the management review meetings, if, when interviewed on actual audit, they can demonstrate awareness of all significant issues raised at the meetings.

9.3.2 Management review inputs

Top management must review the organization’s quality management system, which must include, but not be limited to, the following areas as appropriate to the type of security systems installed:

- the status of actions from previous management reviews;
- changes in internal and external issues that are relevant to the quality management system (including changes in legislation and emergency service policies);
- information on the performance and effectiveness of the quality management system, including trends in:
  - customer satisfaction and feedback from relevant interested parties (including the analysis of complaints);
  - the extent to which quality objectives have been met;
  - process performance and conformity of products and services (including performance and trend analysis for routine maintenance, response to emergency call outs and false alarms (where applicable));
  - non-conformities and corrective actions;
  - monitoring and measurement results;
  - audit results;
  - the performance of external providers (including suppliers and sub-contractors);
  - effectiveness of continual improvement initiatives
- adequacy of resources (including human, equipment and facilities);
- the effectiveness of actions taken to address risks and opportunities;
- opportunities for improvement (including assessment of new software, hardware and monitoring services);
- review adequacy of Quality Policy and Quality Objectives
- training needs and requirements
- infrastructure (when appropriate)
- evaluation of legal compliance

9.3.3 Management review outputs

The output from the management review must include any decisions and actions related to:

- improvement of the effectiveness of the QMS and its processes (including the Quality Policy and the Quality Objectives)
- improvement of product related to customer requirements and, when applicable, related to external body requirements (for example ACPO, CFOA, Police Scotland)
- resource needs (including human resources, training, new equipment)
- security of records (including remote access to ARC computer systems and data where offered).

10 Improvement

10.1 General

No additional requirements apply to this clause of BS EN ISO 9001:2015.

10.2 Nonconformity and corrective action

You must have effective processes for the development and implementation of appropriate corrective actions where a nonconforming process output, product or service is identified, including false alarms, substandard installations, poor service performance and customer complaints to prevent the recurrence of the non-conformity.

Clause 10.2 of BS EN ISO 9001 makes it clear the organization must take action to eliminate the causes of nonconformities in order to prevent recurrence and that nonconformities include customer complaints.

You must carry out root cause analysis to find the causes of nonconformities in order to support the corrective actions taken in response to nonconformities.

You must retain sufficient documentation to provide evidence of the nature of any nonconformities identified and subsequent corrective actions and you must retain evidence of the results of this corrective action. As a minimum this retained information must include evidence of the review of audit results and customer complaints.
10.3 Continual improvement

No additional requirements apply to this clause of BS EN ISO 9001:2015.

Measures in 10.2 and 10.3 are not exhaustive. Corrective actions and opportunities for continual improvement may apply to other areas of the quality management system.