According to a joint announcement by the ISO (International Organization for Standardization) and the IAF (International Accreditation Forum), the two organizations have agreed to an implementation plan for a smooth migration to the 2008 version of the ISO 9001 quality management system.
1) Certification will only be issued after publication and after a routine surveillance audit or re-certification audit against the latest standard.
2) One year after publication, all certifications issued (new certifications and re-certifications) must be to the latest standard.
3) Two years after publication, existing certifications will not be valid.
This plan is possible because ISO and IAF have agreed that ISO 9001:2008 introduces no new requirements. The revised standard only introduces clarifications to the existing requirements with minor revisions to improve consistency with ISO 14001:2004, the environmental standard.
The revisions to ISO 9001 quality management system standard are described below - deleted text is indicated by strikethroughs - new text is underlined and shown in standard font - text from the standard is shown in italic font to distinguish them from our comments. Most of the text in ISO 9001:2000 has not been affected by ISO 9001:2008.
You can purchase the standard at:
In this section of the Introduction, the standard adds "business environment" to the list of factors that influence the design and implementation of a program.
The design and implementation of an organization's management program is influenced by
- its business environment, changes in that environment, or risks associated with that environment,
- its varying needs,
- its particular objectives,
- the products it provides
provided, - the processes it employs employed, and
the size and organizational structure of the organization.
ISO 9001:2008 changes "regulatory" to "statutory and regulatory" and clarifies that the Customer, statutory and regulatory requirements are those applicable to the product.
This International Standard can be used by internal and external parties, including certification bodies, to assess the organization's ability to meet customer, statutory, and regulatory requirements applicable to the product, and the organization's own requirements.
0.2 Process Approach
ISO 9001:2008 focuses on "determine" linked activities rather than "identify" linked activities to clarify that a Process can be an activity or set of activities.
For an organization to function effectively, it has to
identify determine and manage numerous linked activities. An activity or set of activities using resources, and managed in order to enable the transformation of inputs into outputs, can be considered as a process.
The definition of Process Approach has been clarified by adding text:
The application of a system of processes within an organization, together with the identification and interactions of these processes, and their managementto produce the desired outcome, can be referred to as the "process approach".
0.3 Relationship with ISO 9004
The revision to ISO 9004:2000 is expected by summer of 2009 with extensive changes, including a new clause structure that no longer matches ISO 9001 quality management system; as a result, ISO 9001:2008 no longer indicates "similar structures in order to assist their application as a consistent pair". The title of the revised ISO 9004 is expected to be, 'Managing for the Sustained Success of an Organization - A Quality Management Approach'.
The present editions of ISO 9001 and ISO 9004 have been developed as a consistent pair of are management system standards that have been designed to complement each other, but can also be used independently. Although the two International Standards have different scopes, they have similar structures in order to assist their application as a consistent pair.
ISO 9001:2008 adds a Note about the upcoming revision to ISO 9004.
NOTE: At the time of the publication of this International Standard, ISO 9004 is under revision.
0.4 Compatibility with Other Management Programs
This section refers to ISO 14001:2004 instead of ISO 14001:1996 and refers to the appendix that compares the clauses of ISO 9001:2008 to the clauses of ISO 14001:2004.
This International Standard has been aligned with ISO 14001:1996 in order During the development of this International Standard, due consideration was given to the provisions of ISO 14001:2004 to enhance the compatibility of the two standards for the benefit of the user community. Annex A shows the correspondence between ISO 9001:2008 and ISO 14001:2004.
This section refers to the product as meeting Customer and applicable 'regulatory' requirements as well as enhancing Customer satisfaction by assuring conformity to Customer and applicable 'regulatory' requirements. ISO 9001 quality management system has expanded the uses of "regulatory" to "statutory and regulatory".
a) needs to demonstrate its ability to consistently provide product that meets customer and applicable statutory and regulatory requirements, and
b) aims to enhance customer satisfaction through the effective application of the system, including processes for continual improvement of the system and the assurance of conformity to customer and applicable statutory and regulatory requirements.
ISO 9001:2008 has expanded Product to include any intended output resulting from the product realization processes.
NOTE 1: In this International Standard, the term 'product' only applies
the product intended for, or required by, a customer
- any intended output resulting from the product realization processes.
A second Note has been added to explain that statutory and regulatory requirements can be expressed as legal requirements.
NOTE 2: Statutory and regulatory requirements can be expressed as legal requirements.
ISO 9001:2008 replaces "regulatory" with "statutory and regulatory".
Where exclusions are made, claims of conformity to this International Standard are not acceptable unless these exclusions are limited to requirements within Clause 7, and such exclusions do not affect the organization's ability, or responsibility, to provide product that meets customer and applicablestatutory and regulatory requirements.
2. Normative Reference
The key change here is to refer to ISO 9000:2005 instead of ISO 9000:2000.
The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
2005, Quality management systems - Fundamentals and vocabulary
3. Terms and Definitions
Old definitions from this section were removed and the only text remaining is shown below:
For the purposes of this document
International Standard, the terms and definitions given in ISO 9000 apply. Throughout the text of this International Standard, wherever the term 'product' occurs, it can also mean 'service'.
4. ISO 9001 Quality Management System
4.1 General Requirements
Sub-clause (a), the word "Identify" has been replaced with "Determine".
IdentifyDetermine the processes needed for the management program and their application throughout the organization (see 1.2),
Although similar, the words "Identify" and "Determine" used above have slightly different meanings. We recognize or establish something as being a particular thing when we identify but we apply reason and reach a decision when we determine - to determine the process implies more analysis and judgment.
e) monitor, measure(where applicable), and analyze these processes, and ...
Processes are monitored but may not need to be measured; therefore, the requirement change above indicates processes are only measured where applicable.
Where an organization chooses to outsource any process that affects product conformity
withto requirements, the organization shall ensure control over such processes. Control of such The type and extent of control to be applied to these outsourced processes shall be identified defined within the ISO 9001 quality management program.
This addition clarifies that specific controls are to be defined and applied, not just identified.
The current Note under clause 4.1 has been expanded and two new Notes have been added:
Processes needed for the management program referred to above
should include processes for management activities, provision of resources, product realization, and measurement, analysis, and improvement.
The text above expands from "measurement" to "measurement, analysis, and improvement" to match the title for clause 8 to clearly state that these processes are included rather than should be included.
The new Note below provides an explanation of what is considered an outsourced process.
NOTE 2: An outsourced process is identified as one being needed for the organization's management program, but chosen to be performed by a party external to the organization.
The new Note below identifies the factors influencing the control of an outsourced process.
NOTE 3: Ensuring control over outsourced processes does not absolve the organization of the responsibility of conformity to all Customer, statutory, and regulatory requirements. The type and extent of control to be applied to the outsourced process can be influenced by factors such as
a) the potential impact of the outsourced process on the organization's capability to provide product that conforms to requirements,
b) the degree to which the control for the process is shared;
c) the capability of achieving the necessary control through the application of clause 7.4.
Outsourcing a process to another organization typically involves the purchase of those services; as a result, the requirements of clause 7.4, including the controls mentioned in 7.4.1, apply equally to the supplier selected to perform the outsourced process.
4.2 Documentation Requirements
Sub-clauses c), d) and e) have been restructured.
c) documented procedures and records required by this International Standard, and
d) documents, including records,
needed determined by the organization to be necessary to ensure the effective planning, operation and control of its processes, and e) records required by this International Standard (see 4.2.4).
You can see that adding "records" to sub-clause (c) allowed sub-clause (e) to be dropped. Sub-clause (d) has been expanded to include the necessary records.
The first Note for clause 4.2.1 has added two more sentences:
A single document may include the requirements for one or more procedures.
A requirement for a documented procedure may be covered by more than one document.
Using the first sentence you could combine documented procedures in 8.5.2, Corrective Action and 8.5.3, Preventive Action, in one Corrective and Preventive Action procedure, which we've always done in our kits. Using the second sentence you could split the required procedure for the Control of Documents into two separate documented procedures, which we've always done in our kits.
4.2.2 Quality Manual
4.2.3 Control of Documents
The only revision to clause 4.2.3 is shown below:
f) to ensure that documents of external origin determined by the organization to be necessary for the planning and operation of the management program are identified and their distribution controlled, and
The change in sub-clause (f) clarifies that not all external documents should be identified and controlled - only those needed for the planning and operation of the ISO 9001 management program.
4.2.4 Control of Records
Clause 4.2.4 has expanded from records being "maintained" to having them "controlled". Maintaining a record keeps it in good condition - controlling records regulates their use.
shall be established and maintained to provide evidence of conformity to requirements and of the effective operation of the management system shall be controlled.
Records shall remain legible, readily identifiable and retrievable.
The organization shall establish a documented procedure
shall be established to define the controls needed for the identification, storage, protection, retrieval, retention time, and disposition of records.
Records shall remain legible, readily identifiable, and retrievable.
The requirement for a documented Record Control procedure has been rewritten and is now a separate paragraph for emphasis and moved up in the section.
Retention time has been reduced to "retention" and this requirement is now a separate paragraph and moved to the end of clause 4.2.4.
5. Management Responsibility
5.1 Management Commitment
5.2 Customer Focus
5.3 Quality Policy
No changes for clauses 5.1 through 5.4.
5.5 Responsibility, Authority, and Communication
5.5.1 Responsibility and Authority
5.5.2 Management Representative
Some companies outsource the role of Management Representative to someone in a different organization or to a contract consultant, which was inappropriate:
Top management shall appoint a member of the organization's management who, irrespective of other responsibilities, shall have responsibility and authority that includes:
5.5.3 Internal Communication
5.6 Management Review
6. Resource Management
6.1 Provision of Resources
6.2 Human Resources
Work affecting "product quality" is changed to work affecting "conformity to product requirements". Product quality is conformity to product requirements so this clarification should not be considered a change.
Personnel performing work affecting conformity to product
quality requirements shall be competent on the basis of appropriate education, training, skills and experience.
A new Note has been added to 6.2.1 to explain that anyone performing, verifying or managing work within the scope of the system, including supporting services, can affect conformity to product requirements.
NOTE: Conformity to product requirements may be affected directly or indirectly by personnel performing any task within the system.
6.2.2 Competence, Training, and Awareness
, and Training
This clause title is the first to change from "Competence, Awareness, and Training" to "Competence, Training, and Awareness".
The change in 6.2.1 from 'product quality' to 'product requirements caused a change in the sub-clause of 6.2.2:
a) determine the necessary competence for personnel performing work affecting conformity to product
Adding the phrase "where applicable" to the following sub-clause recognizes that training or other actions may not be necessary since individuals may already have the necessary competence - since "these needs" could be taken out of context, the requirement has been revised to specifically mention competence.
b) where applicable, provide training or take other actions to
satisfy these needsachieve the necessary competence,
Added "information systems" as an example of a supporting service.
c) supporting services (such as transport,
or communication, or information systems).
6.4 Work Environment
Add a Note to explain the term 'work environment' by giving examples of work environment conditions for achieving conformity to product requirements.
NOTE: The term "work environment" relates to conditions under which work is performed including physical, environmental, and other factors such as noise, temperature, humidity, lighting, or weather).
7. Product Realization
7.1 Planning of Product Realization
Addition of "measurement" as one of the required activities to be determined during the planning of product realization.
In planning product realization, the organization shall determine the following, as appropriate:
b) the need to establish processes, and documents, and to provide resources specific to the product;
c) required verification, validation, monitoring, measurement, inspection and test activities specific to the product and the criteria for product acceptance;
7.2 Customer-Related Processes
7.2.1 Determination of Requirements Related to the Product
The change from "related" to "applicable" emphasizes that requirements are those that are relevant and can be applied to the product rather than those that are simply associated with the product.
The organization shall determine:
c) statutory and regulatory requirements
related applicable to the product, and
The following text clarifies that additional requirements "considered necessary" must be determined.
d) any additional requirements
determined considered necessary by the organization.
Some organizations didn't consider important post-delivery activities as described by the new Note below.
NOTE: Post delivery activities include, for example, actions under warranty provisions, contractual obligations such as maintenance services, and Supplementary services such as recycling or final disposal.
7.2.2 Review of Requirements Related to the Product
7.2.3 Customer Communication
7.3 Design and Development
7.3.1 Design and Development Planning
The new Note below explains that functions can be carried out separately or in any combination for review, verification and validation of design and development.
NOTE: Design and development review, verification and validation have distinct purposes. They can be conducted and recorded separately or in any combination, as suitable for the product and the organization.
7.3.2 Design and Development Inputs
The revision only changes "These inputs" to "The inputs".
These The inputs shall be reviewed for adequacy. Requirements shall be complete, unambiguous and not in conflict with each other.
7.3.3 Design and Development Outputs
To enable is to make it possible, which can't be verified, but to be suitable means it is meant for use, which can be verified.
The outputs of design and development shall be
provided in a form that enablessuitable for verification against the design and development input and shall be approved prior to release.
The new Note below is a reminder that the design output should consider product packaging.
NOTE: Information for production and service provision can include details for the preservation of product.
7.3.4 Design and Development Review
7.3.5 Design and Development verification
7.3.6 Design and Development Validation
7.3.7 Control of Design and Development Changes
No changes for clauses 7.3.4 through 7.3.7.
7.5 Production and Service Provision
7.5.1 Control of Production and Service Provision
The title of clause 7.6 has been changed to refer to the control of monitoring and measuring 'equipment' instead of 'devices'; therefore, the terminology has been changed below:
d) the availability and use of monitoring and measuring
The change below clarifies that the implementation activities are those related to the 'product'.
f) the implementation of product release, delivery, and post-delivery activities.
7.5.2 Validation of Processes for Production and Service Provision
Any process output that can't be verified could result in deficiencies becoming known only after the product is in use or the service has been delivered.
The organization shall validate any processes for production and service provision where the resulting output cannot be verified by subsequent monitoring or measurement
. This includes any processes where and, as a consequence, deficiencies become apparent only after the product is in use or the service has been delivered.
7.5.3 Identification and Traceability
Some organizations thought that identification only applied to the final product but identification applies from received product to in-process and final product.
The organization shall identify the product status with respect to monitoring and measurement requirements throughout product realization.
The requirement has expanded from recording product identification to keeping any type of record associated with product traceability.
Where traceability is a requirement, the organization shall control
and record the unique identification of the product and maintain records (see 4.2.4).
7.5.4 Customer Property
The Note now includes "personal data" as an example of Customer property, broadening its applicability to service organizations.
If any customer property is lost, damaged, or otherwise found to be unsuitable for use,
this shall be reported the organization shall report this to the customer and records maintained maintain records (see 4.2.4).
NOTE: Customer property can include intellectual property and personal data.
7.5.5 Preservation of product
"Conformity to requirements" is better than "conformity of product".
The organization shall preserve the
conformity of product during internal processing and delivery to the intended destination in order to maintain conformity to requirements.
The change below allows product preservation to be applied as applicable rather than mandate inclusion of all provisions.
This As applicable, preservation shall include identification, handling, packaging, storage, and protection. Preservation shall also apply to the constituent parts of a product.
7.6 Control of Monitoring and Measuring
The clause title is the second to change.
The organization shall determine the monitoring and measurement to be undertaken and the monitoring and measuring
devices equipment needed to provide evidence of conformity of product to determined requirements (see 7.2.1).
This requirement clarifies equipment might be calibrated and/or verified, which we have always stated in our calibration procedure.
Where necessary to ensure valid results, measuring equipment shall:
a) be calibrated or verified, or both, at specified intervals, or prior to use, against measurement standards traceable to international or national measurement standards; where no such standards exist, the basis used for calibration or verification shall be recorded (see 4.2.4);
Measuring equipment may come with the identification already in place but you'll still need to add a label if verification is used to assure accuracy before and after use.
be identifiedhave identification to enable in order to determine the its calibration status to be determined;
The text below was moved to a standalone sentence for emphasis.
Records of the results of calibration and verification shall be maintained (see 4.2.4).
A new Note was added to explain that confirmation of software includes verification and configuration management.
When used in the monitoring and measurement of specified requirements, the ability of computer software to satisfy the intended application shall be confirmed. This shall be undertaken prior to initial use and reconfirmed as necessary.
NOTE: Confirmation of the ability of computer software to satisfy the intended application would typically include its verification and configuration management to maintain its suitability for use.
NOTE: See ISO 10012-1 and ISO 10012-2 for guidance.
8. Measurement, Analysis, and Improvement
Conformity of the product has been revised to "conformity to product requirements"
The organization shall plan and implement the monitoring, measurement, analysis, and improvement processes needed
a) to demonstrate conformity
of the to product requirements,
8.2.1 Customer Satisfaction
Examples of monitoring Customer perceptions has been added to this clause.
NOTE: Monitoring customer perception can include obtaining input from sources such as customer satisfaction surveys, customer data on delivered product quality, user opinion surveys, lost business analysis, compliments, warranty claims, dealer reports.
8.2.2 Internal Audit
Emphasis was given to a "documented procedure" and "establishing records" was moved ahead of "reporting results" because records are being produced during audits and should be reviewed before reporting results.
A documented procedure shall be established to define the responsibilities and requirements for planning and conducting audits, establishing records and reporting results.
The responsibilities and requirements for planning and conducting audits, and for reporting results and maintaining records (see 4.2.4) shall be defined in a documented procedure.
Records of the audits and their results shall be maintained (see 4.2.4).
An immediate correction might be needed before determining the cause of the nonconformity and taking corrective action to prevent its recurrence.
The management responsible for the area being audited shall ensure that any necessary corrections and corrective actions are taken without undue delay to eliminate detected nonconformities and their causes.
ISO 10011, Guidelines for Auditing Quality Systems, has been replaced with a reference to ISO 19011, Guidelines for Quality and/or Environmental Management Systems Auditing.
NOTE: See ISO 10011-1, ISO 10011-2 and ISO 10011-3 ISO 19011 for guidance.
8.2.3 Monitoring and Measurement of Processes
For some supporting processes, monitoring and measuring processes are only indirectly related to product conformity; therefore, the reference to product conformity was removed.
When planned results are not achieved, correction and corrective action shall be taken, as appropriate
, to ensure conformity of the product.
When determining what is a "suitable" method for monitoring and measuring processes, the organization should consider the impact of the process on conformity to product requirements and system effectiveness.
NOTE: When determining suitable methods, it is advisable that the organization consider the type and extent of monitoring or measurement appropriate to each of its processes in relation to their impact on the conformity to product requirements and on the effectiveness of the system.
8.2.4 Monitoring and Measurement of Product
The requirement to maintain evidence of conformity with acceptance criteria has been moved and release of product means delivery to the Customer.
The organization shall monitor and measure the characteristics of the product to verify that product requirements have been met. This shall be carried out at appropriate stages of the product realization process in accordance with the planned arrangements (see 7.1). Evidence of conformity with the acceptance criteria shall be maintained.
Evidence of conformity with the acceptance criteria shall be maintained. Records shall indicate the person(s) authorizing release of product for delivery to the customer (see 4.2.4).
The release of product
release and delivery of service delivery to the customer shall not proceed until the planned arrangements (see 7.1) have been satisfactorily completed, unless otherwise approved by a relevant authority and, where applicable, by the customer.
8.3 Control of Nonconforming Product
The sentence below now begins with the requirement for a documented procedure.
A documented procedure shall be established to define
Tthe controls and related responsibilities and authorities for dealing with nonconforming product. shall be defined in a documented procedure.
The added phrase "where applicable" means where relevant and suitable to disposition nonconforming product and a new method was added to the list.
Tthe organization shall deal with nonconforming product by one or more of the following ways:
d) by taking action appropriate to the effects, or potential effects, of the nonconformity when nonconforming product is detected after delivery or use has started.
The deleted text below was moved from paragraph 3 to paragraph 4.
Records of the nature of nonconformities and any subsequent actions taken, including concessions obtained, shall be maintained (see 4.2.4).
The text below was moved from paragraph 4 to become paragraph 3, which includes rework to eliminate the detected nonconformity.
When nonconforming product is corrected it shall be subject to re-verification to demonstrate conformity to the requirements.
The requirement in paragraph 4 below is from paragraph 3 - no changes were made since it includes 'subsequent actions' such as re-verification.
Records of the nature of nonconformities and any subsequent actions taken, including concessions obtained, shall be maintained (see 4.2.4)
The deleted text below was moved to entry (d).
When nonconforming product is detected after delivery or use has started, the organization shall take action appropriate to the effects, or potential effects, of the nonconformity.
8.4 Analysis of Data
The changes below were to revise a reference (from 7.2.1 to 8.2.4) and to add new references (8.2.3, 8.2.4, and 7.4).
The analysis of data shall provide information relating to
a) customer satisfaction (see 8.2.1)
b) conformity to product requirements
(see 7.2.1) (see 8.2.4),
c) characteristics and trends of processes and products, including opportunities for preventive action (see 8.2.3 and 8.2.4), and
d) suppliers (see 7.4).
8.5.1 Continual Improvement
8.5.2 Corrective Action
The requirement below was made to be consistent with a similar sentence in 8.5.3, Preventive Action.
The organization shall take action to eliminate the
cause causes of nonconformities in order to prevent recurrence.
Some organizations interpreted reviewing as checking that an action was taken instead of determining the effectiveness of the action.
f) reviewing the effectiveness of the corrective action taken.
8.5.3 Preventive Action
This clause was changed to match 8.5.2.
e) reviewing the effectiveness of the preventive action taken.
Table A.1 in the Annex was revised to show the correspondence of ISO 9001:2008 clauses with ISO 14001:2004 (instead of ISO 14001:1996). Table .2 shows the reverse correspondence from ISO 14001:2004 clauses to ISO 9001:2008 clauses.
The old Annex B that showed the correspondence of ISO 9001:2000 and ISO 9001:1994 clauses has been replaced since the clause structure of ISO 9001:2000 and ISO 9001:2008 are the same. The new Annex B (Table B.1) identifies the text changes from 2000 to 2008.
The Bibliography for ISO 9001:2008 has been updated to reflect new standards, new editions of standards and withdrawn standards since the publication of ISO 9001:2000.
ISO 10001:2007, Customer satisfaction - Guidelines for codes of conduct for organizations
ISO 10002:2004, Customer satisfaction - Guidelines for complaints handling in organizations
ISO 10003:2007, Customer satisfaction - Guidelines for dispute resolution external to organizations
ISO 10019:2005, Guidelines for the selection of consultants and use of their services
ISO 19011:2002, Guidelines for quality and/or environmental management systems auditing
IEC 61160:2006, Design review
ISO 90003:2004, Software engineering - Guidelines for the application of ISO 9001:2000 to computer software
ISO 9004:200x, Managing for the sustained success of an organization - A quality management approach
ISO 10005:2005, Quality management systems - Guidelines for quality plans ISO 10006:2003, Quality management systems - Guidelines for quality management in projects
ISO 10007:2003, Quality management systems - Guidelines for configuration management
ISO 10012:2003, Requirements for measurement processes and measuring equipment
ISO/TR 10013:2001, Guidelines for quality management system documentation
ISO 10014:2006, Quality management - Guidelines for realizing financial and economic benefits
ISO/TR 10017:2003, Guidance on statistical techniques for ISO 9001:2000
ISO 14001:2004, Environmental management systems - Requirements with guidance for use
IEC 60300-1:2003, Dependability management - Part 1: Dependability management systems
ISO 9000-3:1997 (replaced by ISO 90003:2004)
ISO 10011-1: 1990 (replaced by ISO 19011:2002)
ISO 10011-2: 1991 (replaced by ISO 19011:2002)
ISO 10011-3:1991 (replaced by ISO 19011:2002)
ISO 10012-1:1992 (replaced by ISO 10012:2003)
ISO 10012-2:1997 (replaced by ISO 10012:2003)