RINA IMPLEMENTATION OF ISO 9001:2008 PARTICULAR ASPECTS 1 SCOPE AND PURPOSE This document defines the RINA criteria for the verification of implementation of ISO 9001:2008 in relation to some particular aspects, taking into account the ISO documents ISO 9000 Introduction and Support Package module issued by ISO/TC 176 / SC2. These modules regard some particular aspects of the 9001:2008 Standard. In this document, where the number of the paragraphs is indicated, they are the same as those in ISO 9001:2008. In this document, where QMS is indicated, Quality Management System is meant. 2 REFERENCES - ISO 9001:2008 Quality management systems - Requirements - ISO 9000:2005 Quality management systems Fundamentals and vocabulary - ISO/TR 10013 Guidelines for quality management system documentation - ISO 9000 Introduction and Support Package. 3 IMPLEMENTATION OF ISO 9001:2008 As recommended by the standard itself, in the paragraph relevant to the application of the quality management system (QMS) (1.2), all the ISO 9001:2008 requirements are generic and are intended to be applicable to all organisations regardless of type, size and product provided. Nevertheless, in some cases, some exclusions of ISO 9001:2008 application are allowed. Considering the importance of the matter, a particular instruction to technicians Criteria for assessing the admissibility of exclusions of ISO 9001:2008 standard requirements has been developed. 4 DOCUMENTATION REQUIREMENTS The ISO 9001:2008 standard allows an organisation to develop a minimum amount of documentation needed to demonstrate the effective planning, operation and control of its processes and the implementation and continual improvement of its QMS, stressing that the standard requires a Documented quality system and not a system of documents. Some of the main objectives of QMS documentation are: a) Communication and information - The type and extent of the documentation will depend on the nature of the organisation s product and processes, the degree of formality of the communication system and the level of communication skill within the organisation and the organisation s culture. b) Evidence of conformity - Provision of evidence that what was planned has actually been done. Rev. 6.0 Page 1 of 5
c) Knowledge sharing - To disseminate and preserve the organisation s experience (e.g.: a technical specification). The documents may be in any form or type of medium. The definition of document in ISO 9000:2005 (3.7.2) gives the following examples: - paper; - magnetic; - electronic or optical computer disc; - photograph; - master sample. ISO 9001:2008 requires (4.2.1) the quality management system documentation to include: a) a documented statement of the quality policy and quality objectives; b) a quality manual; c) documented procedures required by this international standard; e) records required by this international standard. All the documents that form part of the QMS have to be controlled (see 4.2.3 and 4.2.4). a) Documented statement of the quality policy and quality objectives Requirements for the quality policy are defined in clause 5.3. The requirements for quality objectives are defined in clause 5.4.1. b) Quality Manual The minimum contents of the Quality Manual are defined in clause 4.2.2. The format and structure of the manual are chosen by the organisation. Some organisations may choose to use the quality manual for other purposes besides that of QMS documentation. For small or medium organisations, a single manual may be appropriate whereas for large, multinational organisations, several manuals with different form and complexity may be appropriate. c) Documented procedures Documented procedures have to be available for the following six activities: (4.2.3) Control of documents (4.2.4) Control of records (8.2.2) Internal audits (8.3) Control of non conforming products (8.5.2) Corrective actions (8.5.3) Preventive actions. Some organisations may find it convenient to combine the procedures for several activities into a single documented procedure (i.e. Corrective and preventive actions) while others may choose to document a given activity by using more than one documented procedure (i.e. Internal audit). Both are acceptable. Rev. 6.0 Page 2 of 5
d) Documents needed to ensure effective process planning, operation and control To demonstrate effective QMS implementation, it may be necessary for an organisation to develop documents other than the documented procedures, as for instance: - Process flow-chart - Organisation charts - Specifications - Work and/or test instructions - Internal communications - Production schedules - Approved suppliers lists - Test and inspection plans - Quality Plans that, however, are not specifically required by ISO 9001:2008. If prepared, these documents have to be controlled (4.2.3 and 4.2.4, as applicable). e) Records Examples of records specifically required by the ISO 9001:2008 standard are: Clause 5.6.1 Management review 6.2.2 e) Education, training and skill experience Record required 7.1 d) Evidence that the realization processes and resulting product fulfil the requirements 7.2.2 Results of the review of requirement related to the products and action arising from the review 7.3.2 Design and development inputs 7.3.4 / 5 / 6 Results of design and development verification, reviews and validation 7.3.7 Results of the review and development changes, if any 7.4.1 Results of supplier evaluations 7.5.2 d) Validation of the processes where the resulting output cannot be verified by subsequent monitoring or measurement 7.5.3 The unique identification of the product, where traceability is a requirement 7.5.4 Customer property that is lost, damaged or otherwise found to be unsuitable for use 7.6 a) Basis used for calibration or verification of measuring equipment where no international or national measurement standard exists 7.6 Validity of the previous measuring results, when the measuring equipment is found not to conform to requirements 7.6 Results of calibration and verification of measurement equipment 8.2.2 Internal audit results and follow-up actions 8.2.4 Indication of the persons authorizing release of product Rev. 6.0 Page 3 of 5
8.3 Nature of the product nonconformities and any subsequent actions taken, including concession obtained 8.5.2 Results of corrective actions 8.5.3 Results of preventive actions Records have to be controlled as foreseen by point 4.2.4. 5 DEMONSTRATING CONFORMITY WITH ISO 9001:2008 To demonstrate conformity with ISO 9001:2008: - an organisation must be able to demonstrate conformity without the need for extensive documentation; - an organisation has to be able to provide objective evidence of the effectiveness of its QMS processes; - objective evidence does not necessarily depend on the existence of documented procedures, records or other documents, except where specifically mentioned in ISO 9001:2008. In some cases, it is up to the organisation to determine what records are necessary in order to provide this objective evidence; - where an organisation has no specific internal procedure for a particular activity, and this is not required by the ISO 9001:2008 standard (i.e. Management review), it is acceptable to conduct this activity using as a basis the relevant clause of ISO 9001:2008 for conformity assessment purposes. 6 PROCESS APPROACH Clause 0.2 of the ISO 9001:2008 standard requires that: the application of a system of processes within an organisation, together with the identification and interactions of these processes, and their management to produce the desired outcome, can be referred to as the Process approach. The purpose of the process approach is to improve the quality of efficiency and efficacy of an organisation to reach its objectives. A process is defined as an activity or set of activities using resources, and managed in order to enable the transformation of inputs in outputs. One of the main advantages of the process approach, when compared to other approaches, is the management and control of the interaction between these processes and the interfaces between the functional hierarchies of the organisation. Inputs and outputs may be tangible (i.e. equipment, materials or components) or intangible (i.e. energy, information). Outputs can also be unintended (i.e. waste, pollution). Each process has a customer and other interested parties, with needs and expectations about the process, who define the required output of the process. All processes should be aligned with the objectives, scope and complexity of the organisation, and should be designed to add value to the organisation. In clause 4.1 the ISO 9001: 2008 standard requires an organisation to determine the processes needed for the quality management system and their application, giving some indication on how to correctly manage the processes. Some typical processes that can be identified are: processes for the management of an organisation These include processes relating to strategic planning, establishing policies, setting objectives, ensuring communication, ensuring availability of the data for management review. Rev. 6.0 Page 4 of 5
processes for managing resources These include all the processes that are necessary to provide the resources needed for the organisation s quality objectives and desired outcome. realization processes These include all processes that provide the desired outcomes of the organisation. measurement, analysis and improvement processes These include the processes needed to measure and gather data for performance analysis and improvement of effectiveness and efficiency. Measurement processes are often documented as an integral part of the management, resource and realization processes; whereas analysis and improvement processes are treated frequently as autonomous processes that interact with other processes, receive inputs from measurement results and send outputs for the improvement of those processes. Organisations are often structured into a hierarchy of functional units and are usually managed vertically, with responsibility for the intended outputs being divided among the functional units. The end customer, or other interested parties, is not always visible to all involved. Consequently, problems that occur at the interface boundaries are often given less priority than the short term goals of the units, leading to little or no improvement as the actions are usually focused on the functions, rather than on the intended output. The process approach introduces horizontal management, crossing the barriers between different functional units and unifying their focus on the main goal of the organisation. 7 OUTSOURCED PROCESSES Clause 4.1 (note 2) of ISO 9001:2008 states that an outsourced process is a process that an organisation needs for its Quality Management System and which the organisation chooses to have performed by an external party. The intent of clause 4.1 is to emphasize that when an organisation chooses to outsource a process, it cannot simply ignore this process, nor exclude it from the QMS. The organisation has to demonstrate that it exercises sufficient control to ensure that this process is performed according to the relevant requirements of ISO 9001:2008, and any other requirements of the organisation s Quality Management System. The nature of this control will depend on the importance of the process, the risk involved and the competency of the supplier. The outsourced organisation does not need to have a certified Quality Management System, but it has to demonstrate the capability to perform this process according to the requirements. There are two situations that frequently need to be considered when deciding the appropriate level of control of an outsourced process: a) when an organisation has the competence and ability to carry out a process but chooses to outsource that process. In this situation, the process control criteria should already have been defined and can be transposed into requirements for the supplier of the outsourced processes, if necessary b) When the organisation does not have the competence or ability to carry out the process and chooses to outsource it. In this situation, the organisation has to ensure that the controls proposed by the supplier of the outsourced process are adequate. In some cases, it may be necessary to involve external specialists to make this evaluation. It may be convenient, or even necessary, to define some or all of the methods used to control the outsourced process in a contract between the organisation and the supplier. Ensuring control over outsourced processes does not absolve the organisation of the responsibility of conformity of all customer, statutory and regulatory requirements. If it is not possible to verify the output from the outsourced process by subsequent monitoring or measurement, the organisation needs to ensure that control over the outsourced process includes process validation in accordance with clause 7.5.2 of ISO 9001:2008. Rev. 6.0 Page 5 of 5