Clause

Control of:

Meaning

The net effect is that there is no change in the actual requirements, except where noted below.

This section is concerned with how your organisation plans its monitoring and measurement activities. It also requires that you consider the need for any statistical techniques.

In addition, you must consider the process by which you seek to continually improve your system.

This section requires that you consider how you monitor information relating to Customer perception of how you meet their requirements. This information is then one of the inputs of the Management Reviews, described above.

A new note has been added to ISO9001:2008 for clarification purposes.

A full explanation of how to conduct your own Quality Audits (with step-by-step guidance, plus example audits and audit report forms and checklists, etc) is given in our CD.

The standard requires that you perform internal quality audits, so as to ensure that your system meets the requirements of ISO 9001:2000.

The audits should be performed by someone who is competent to perform the task. Whilst there is no necessity to use the services of an outside person (an external internal auditor!), it may be best. The Auditor should be:

• independent (i.e. audits must not be conducted by the person who conducts the activity, nor who is responsible for the activity).

• competent to audit in the area (i.e. be aware of what should happen and what might go wrong and the consequences)

• impartial (i.e. not afraid to tell the Boss that he is doing something wrong, nor have any hidden agenda to disgrace another person within the organisation)

• able to make objective decisions based upon the findings of the audit.

Inevitably, the best person to do this is someone who has a lot of practice. This is where an external Consultant can be very useful. As an Internal Auditor, there is little or no problem with the auditor suggesting improvements that can be made.

The running order of some of the sentences in this clause has been altered in ISO9001:2008, but the meaning is unchanged.

The clause now refers t ISO19011 for guidance, instead of the now obsolete ISO10011 referred to by ISO9001:2000.

You must have a procedure to control these activities

This section requires that you have "suitable" methods for ensuring that your processes for producing your goods or services are suitable and continue to be suitable. This could be confirmed by a periodic review of failure rates, Customer returns, etc, as well as other methods.

An new note has been added to this clause, for clarification purposes.

This section requires that you measure and monitor the goods or services that you produce at "appropriate stages" (this replaces the ISO 9000:1994 requirements for In-process and Final Inspection stages).

Your records of such tests and inspections must record the identity of the person who released the goods or services (e.g. to the Customer or to another department or Vendor for further processing, etc).

You must ensure that you do not release product until all of the required activities have been conducted (this includes completion of paperwork, etc).

The running order of some of the sentences in this clause has been altered in ISO9001:2008, but the meaning is unchanged.

Where faulty items are found, you must recheck them after you have fixed them. If you fond that items are faulty at a later stage (for example after some have already been delivered), you must take "appropriate" action. These actions should be recorded.

The running order of some of the sentences in this clause has been altered in ISO9001:2008, but the meaning is unchanged.

You must have a procedure to control these activities

You must act upon the results of the analysis (e.g. produce plans to make improvements, etc)

You must ensure that you take corrective and preventive actions, which ensure that problems are fixed, prevented and that your system improves wherever possible.

This section is concerned with how you improve your management system (Note: not necessarily your product or service). For example, you could consider how you can use information relating to:

• the analysis of nonconformances, including audit reports (internal and external) and determination of consequential actions

• use and review of quality objectives

• analysis and review of levels of Customer satisfaction

• Management Review of nonconformances, identification of external changes and planning of additional or alternative resources

You should add any other methods which you think could help you to improve your system.

Fixing the results of the problem is a small part of this process. The emphasis of this requirement if that you must consider whether or not you need to take actions to fix the underlying cause of the problem. You must have a record of the consideration (e.g. stating "This was a one-off problem, so no further action is necessary at present"), or if you decide to take action, you must keep a record of the actions taken and how effectively it worked.

You are now required to review the effectiveness of corrective actions. In ISO9001:2000 you were only required to review the action.

You must have a procedure to control these activities

As far as possible, you should consider things that might affect the quality of your product and take steps to prevent them.

Your procedure should address:

• determining potential problems,
• evaluating the need for any required actions,
• implementing the actions,
• reviewing their effectiveness

What are examples of preventive actions?

• When you receive an order from a Customer, you review it and consider what could go wrong (do you have the required components to build on it on time? Do you have sufficient spare capacity to schedule it for production on time? Do you have the right people who know what to do?
• When you select a new supplier, are they likely to send what you want, when you want it? Are their products likely to work as you require?

These are examples of Preventive Actions. You should have a procedure which describes the actions that you take and the records that you keep. (You could have a single procedure for Preventive Actions with references to your Sales Order procedure and your Supplier Selection Procedure, for example).

You must also describe how you review the effectiveness of the actions that you take (e.g. a supplier review, buying review or some other review process) and you must keep records of those reviews.

At a less pedantic level, you could also have periodic reviews of your products and services, at which ideas can be presented. ("brainstorming" events). You could include this in your management review process (see clause 5.6).

You are now required to review the effectiveness of corrective actions. In ISO9001:2000 you were only required to review the action.

You must have a procedure to control these activities