ISO 9001: 2008 Transition

1. ISO 9001:2008
Impact Assessment &
Transition planning
Govind Ramu, P.Eng,
ASQ CQMgr, CQE, CSSBB, CQA, CSQE, CRE,
ASQ Fellow,
QMS 2000 Principal Auditor IRCA (UK)
Past Section Chair Ottawa Valley- ASQ Canada
http://www.asq.org/sixsigma/about/govind.html

2. ISO 9001:2008 – Why this amendment?
ISO 9000 series standards periodically go through continual
review to keep standards up to date.
The review process involve:
– A global user questionnaire/survey
– A market Justification Study
– Suggestions arising from the interpretation process
– Opportunities for increased compatibility with ISO 14001
– The need for greater clarity, ease of use, and improved translation
Current trends:
Keeping up with recent developments in management
system practices. (e.g. outsourcing)
“ISO 9001:2008 does not introduce additional requirements
nor does it change the intent of the ISO 9001:2000
standard”.

3. ISO 9001:2008 – What to do?
FACT: There are NO NEW requirements. The transition should be
accomplished with minimal effort and should be smooth.
REALITY: This does not mean organizations sit back and receive an ISO
9001:2008 certificate from the registrars with no effort!
I believe organizations should perform due diligence in reviewing the
amendments to the standard and assess the impact- effort.
The very reason, ISO has taken the effort to clarify requirements in over 60
instances within the standard tells us that there has been inconsistencies
and opportunities for misinterpretation of the requirements.
This is why:
What if a small organization had their consultant as Quality Management
representative?
What if an organization thus far only trained employees who work on
product quality?
What if an outsourced process did not have adequate controls in relation to
risk?

4. ISO 9001:2008 – How to go about?
Planning Communication Execution
Purchase copies of ISO Let your management Changes to Quality Manual, related
9001:2008. (Check your know of the change to documentation.
external document the standard and impact.
distribution list to see the
number of copies to be
Let your employees Where applicable, revise internal
purchased).
know of the change to audit checklists.
the standard.
Read and understand
transition guidance Changes summary Training material
Let your registrar know
documents from the ISO for auditors and appropriate
of your intent to transition
website. employees.
to new standard in the
next planned audit.
Compare the changes to
2000 Standard and Address changes to QMS in the
create change analysis management review, perform internal
If contractually required,
audits using new standard.
let your customers know
that you are planning for
What does these
this transition.
changes mean in terms Get your registration audit completed
of impact ? Perform to the new standard.
Impact assessment
Let your supplier Quality Make any required changes to
Review the impact function find out if your Intranet, Internet posting, marketing,
assessment with your suppliers are aware of promotional materials, etc (after
internal auditors and this amendment and are receipt of new ISO 9001:2008
extended QMS team. planning to transition. registration certificate)

5. ISO 9001:2008 – What should auditors do?
Understand
The organization's activities and processes and appropriately audit
against the requirements of the ISO 9001 in relation to the
organization's objectives.
The requirements of the ISO 9001:2008.
The concepts and terminology of the ISO 9000:2005.
The eight Quality Management Principles
ISO 9004 (general understanding)
Familiarity with the auditing guidance standard ISO 19011
Key differences between 2000 and 2008 version.
The implications of these differences for effective auditing.
Attend 2 hours of professional development training. This may be
achieved by:
Reading relevant materials (items mentioned above)
On the job training, in house training
Conference, seminar, etc e.g. section program event.

6. Graphical Summary of Changes
See attachment for detailed item by item change analysis
Requirement Change does Minor Impact? – No –
not mean NEW requirement. does not automatically mean
This standard has NO new Major impact.
requirement. Hence this is This depends on the current
called amendment. maturity of the organization.

7. ISO 9001:2008
Key changes & guidance

8. 4.1 on Outsourced process
ISO 9001:2008 clause 4.1 states:
“Where an organization chooses to outsource2 any
process that affects product conformity to
requirements, the organization shall ensure control
over such processes. The type and extent of
control3 to be applied to these outsourced
processes shall be defined within the quality
management system.
Note 2: about Outsourced process
Note 3: guideline for type and extent of control

9. 4.1 Outsourced Process (some background)
An “outsourced process” is a process that the organization
needs for its quality management system and which the
organization chooses to have performed by an external
party. (E.g. contract manufacturing, subcontracting,
consulting, calibration, maintenance, etc)
An outsourced process can be performed by a supplier that
is totally independent from the organization.
An outsourced process can be performed by part of the
same parent organization (e.g. a separate department or
division that is not subject to the same quality management
system)
Outsourced process may be provided within the physical
premises or work environment of the organization, at an
independent site, or in some other manner. (e.g. virtually)

10. 4.1 Outsourced Process (criteria for controls)
ISO 9001:2008 Clauses 7.4 and 4.1 are applicable.
The organization has to demonstrate that it exercises
sufficient control.
The nature of this control will depend on
– the importance of the outsourced process,
– the risk involved (the potential impact), and
– the competence of the supplier to meet the process requirements.
Ensuring control over outsourced processes does not
absolve the organization of the responsibility of conformity
to all customer, statutory and regulatory requirements.
For special processes- Ensure that the control over the
outsourced process includes process validation in
accordance with ISO 9001:2008 clause 7.5.2.(e.g. ion
implantation, wire bonding, epoxy joint, etc)

11. 4.1 Outsourced Process- Scenarios
When an organization has the competence and ability to carry out
a process, but chooses to outsource that process (for commercial
or other reasons).
– Defined process control criteria. (e.g. Procurement specifications,
control plan, quality plan, etc)
– Criteria transposed into requirements for the supplier of the
outsourced process. (if necessary) (e.g. service level agreements,
contracts, etc.)
When the organization does not have the competence to carry out
the process itself, and chooses to outsource it.
– Ensure that the controls proposed by the supplier of the outsourced
process are adequate.
– involve external specialists in making this evaluation (where
essential)

12. 4.2.1 Documentation requirements (General)
to ensure that documents of external origin determined by
the organization to be necessary for the planning and
operation of the quality management system are identified
and their distribution controlled, and
The amendment provides clarity on external documents.
– identify and control the distribution of only those external
documents that are needed to plan and operate our
QMS.
– In other words, only relevant external QMS documents
need to be controlled, not all of them. (ISO 9000 series
standards, ISO 19011, ANSI/ASQ Z1.4, Z1.9, Telcordia,
product safety standards, etc are examples of relevant
external QMS document)

13. 6.2.1 Human resources - Competency
Personnel performing work affecting conformity to product
quality requirements shall be competent on the basis of
appropriate education, training, skills and experience.
– Note: Conformity to product requirements can be affected directly or
indirectly by personnel performing any task within the quality
management system.
– Product quality requirement changed to product requirements.
– This opens up the requirement- any task within the QMS may
directly or indirectly affect the organization’s ability or
willingness to meet product requirements.
– competence of anyone who carries out any task related to
Quality Management System needs verification.

14. 7.6 control of monitoring and measuring equipment
Notes: Confirmation of the ability of computer software to
satisfy the intended application would typically include its
verification and configuration management to maintain its
suitability for use.
This is not a requirement change but important clarification.
Complex measurement test system that uses hardware
(also firmware), software, integration to provide output will
require verification (testing against a set of software
requirements) and controlling the configuration (version
control)
Changes to configuration may have impact on intended
application, performance, calibration, etc.

15. 8.5.2,3 Corrective and preventive action
reviewing effectiveness of the corrective action taken.
reviewing effectiveness of the preventive action taken.
Effectiveness: Extent to which planned corrective/
preventive actions are realized and planned results
achieved.
– CA Effectiveness: Monitoring the process for defect
trending using trend chart, PAYNTER charts, use of
sampling methods will reveal if there are any recurrence.
– PA Effectiveness verification require monitoring across
the organization for any recurrence. This may involve
effective communication, centralized knowledge
management and consolidated systemic effort.

16. Other changes
4.2.1- QMS documentation includes not only the records required by the standard but also
the records that your organization needs to have in order to be able to plan, operate, and
control its QMS processes.
4.2.1 makes it clear that a single document may contain several procedures or several
documents may be used to describe a single procedure.
5.5.2 Standard now makes it clear that the management representative must be a
member of the organization’s own management. (Consultants, outsiders are no longer
allowed to be QMR)
6.3.c infrastructure that includes support services like quot;communicationsquot; can also mean
information systems.- Consider, Information Security
7.2.1 Note: post delivery requirements include things like warranty provisions, contractual
obligations (such as maintenance), and supplementary services (such as recycling and
final disposal).
7.3.1. Note: development review, verification, and validation activities serves a different
purpose. However, standard makes it clear that these three activities can be carried out
and recorded separately or in any combination
7.3.3. Note: design and development outputs could include information that explains how
products can be preserved during production and service provision.
Red fonts- Items to ponder

17. Reference:
ISO 9001:2008 standard.
ISO 9000:2005 standard
ISO9001:2008 Introduction and support package
Downloads from IRCA UK Requirements for QMS
auditor
http://www.praxiom.com/iso-new.htm