ISO 9001:2015 - How will it affect you?
For years industry has followed ISO 9001. It has made ISO 9001 standard popular by adopting it as a benchmark to evaluate its suppliers. ISO has a project underway to update the popular ISO 9001 standard. The effect of these changes is anticipated to be much more significant than that which occurred in the 2008 update.
Why ISO:9001 Changing
The changes basically fall into 2 categories – those resulting from the ISO strategy for a common approach, and those that more directly relate to quality management. The main reasons for changes may be described as follows:
- To better facilitate integration with other management system standards.
- To improve relevance to service industries.
- To improve relevance to diverse business models (e.g. online business, virtual offices etc.)
- To address increasing complexity of business environment.
A new high-level clause structure – common to that being introduced across all management system standards.
With the increasing trend towards integrated management systems that address multiple standards, it makes a lot of sense for them to adopt a common structure (in terms of major clause numbering and titles), and terminology. Examples of the high-level clause numbering and titles are:
- Normative references
- Terms and definitions
- Performance evaluation
While this change would not have much effect on an organisation seeking single certification, it would have some benefit for an organisation seeking several, and a standardised approach would also be welcomed by consultants and auditors.
Changes to terminology – This is again part of the ‘standardisation of standards’.
- ‘Product realization’ becomes ‘Operations’.
- ‘Product’ becomes ‘Products and services’.
- “Management commitment”’ becomes “Leadership”.
- “Documents”, “Documentation” and “Records” are combined to become “Documented information”.
- “Supplier” becomes “External provider”.
- “Purchasing” and “Purchased product” become “Externally provided products and services”.
Some of these changes in terminology are indicative of wider changes that may have considerable significance to your management system, and are described further below.
New clauses relating to understanding the context of the organisation.
These requirements put focus on the organisation’s reason for being, consideration of just who are “interested parties” (which now seems to be the preferred term to “stakeholders”), and what are their ‘needs and expectations’. The wording suggests that some leeway may be given to an organisation deciding which “interested parties” are “relevant”, and when they are deemed as so, which of their “needs and expectations” are also considered ‘relevant’.
Expanded requirements for quality objectives.
- Requires objectives to be set for relevant processes – this requirement previously just referred to functions and levels throughout the organisation.
- Requires progress to be monitored.
“Management responsibility” expanded to “Leadership”.
The new standard requires top management to “demonstrate leadership and commitment”. There is an emphasis on integration of the QMS into the organisation’s strategic direction and business processes, and on the involvement of top management. Where terminology like “promoting”, “taking”, “engaging” or “supporting” is used, the inference is that these activities must be undertaken by top management themselves, rather than delegating to others.
The requirement for a Management Representative has been removed.
The duties previously assigned to that role may now be assigned to any role or split across several roles (notwithstanding previous comments about the greater role of top management). Of course, you may still choose to have a management representative.
More explicit requirements for the process approach to quality management.
Although the process approach has been part of ISO 9001 since the 2000 version, requirements have not previously been so clearly spelt out. The new standard clearly specifies what is expected in the process approach e.g. identifying required processes, their sequence, the inputs required to them, the outputs expected from them, how they are controlled, the resources needed for them, responsibilities for them, and so on. While most of these requirements could be inferred from various parts of the previous standard, the concentration of them in a list in a single clause suggests something more. As a general observation, the standard as a whole seems to be less prescriptive than its predecessor in how various requirements will be met – but this clause seems to run contrary to that trend by being more prescriptive. This may lead to wider use of process mapping and process planning tools to describe the listed requirements.
No specific Preventive action clause.
The Preventive action clause has always been widely misunderstood and very unevenly applied. Of course, one of the fundamental problems has been that a large part of any quality management system is aimed at preventing things from going wrong, and could therefore come within the scope of a Preventive action procedure. There has also been widespread confusion over the meaning of the terms “corrective action” and “preventive action”, and the two are often lumped together in many systems. The principle of preventing nonconformity has not gone away, but is dealt with elsewhere in the standard. The welcome removal of this clause is directly related to the next item.
Risk-based thinking: Consideration of risk and opportunities.
The 2008 version of the standard did not explicitly mention risk, although its Preventive action clause could be addressed by assessing risk and taking appropriate action to eliminate or minimise it (otherwise known as risk management). The 2015 version is a bit more forthcoming on the topic. There is a requirement to ‘determine external and internal issues that may affect the ability to achieve intended outcomes’. Those acquainted with the risk management approach will recognise those words as describing the step of hazard identification. Alongside the earlier bullet point that mentions ‘the context of the organisation’, a very familiar risk management pattern is developing here. Indeed, the R-word itself makes no less than 43 appearances in the new standard – such as in clause 4.1 which requires the organisation to ‘determine the risks and opportunities to be addressed’. So, the concept of preventive action is essentially still covered by the new ‘risk’ clauses, and is also expanded upon.
Reduced requirement for documents.
As mentioned above, the terms ‘document’, ‘documentation’ and ‘record’ are replaced throughout by the term ‘Documented information’. While the full implications of this change in terminology are worked through, one thing is very clear: For the first time in ISO 9001, there are no requirements for a ‘Quality Manual’ or ‘Documented procedures’. There are plenty of requirements to ‘maintain documented information’ as evidence. These are what are currently known as records.
Control of external provision of products and services.
The 2008 standard has its purchasing clause which covers the purchasing process, purchasing information, and verification of purchased product. The existing general requirements also state that where an organisation outsources any process that affects conformity to requirements, the organisation shall ensure control over that process. Outsourcing is defined as a process which the organisation chooses to have performed by an external party. Organisations are required to take a risk-based approach to the required controls.
One interesting difference is the new reference to external provision extends beyond traditional suppliers and subcontractors to including ‘an arrangement with an associate company’. That may be quite significant for organisations that are part of a larger group and rely to some degree on head office or another site for certain functions. Although the draft standard specifically mentions ‘associate company’, the same principle should presumably be applied to organisations in the public and NGO sectors, and we may well see the term modified to ‘associate organisation’ in later drafts and the final release of the standard.
Care of property belonging to others.
The clause in the 2008 standard referring to customer property is expanded to include property belonging to external providers. As property can include intellectual property and data, this requirement may lead to more widespread information security measures being implemented to protect external providers’ IP and ensure confidentiality.
Expanded requirements for Monitoring, measurement, analysis and evaluation
- Expands on requirements for organisations to consider what should be measured, how and when. These now include: New requirement to monitor the quality performance and effectiveness of the organisation’s quality management system.
- New requirement to obtain information relating to customer views and opinions of the organisation. This may be interpreted as enforcing pro-active information gathering and widens the scope beyond just whether the organisation has met the customer’s requirements.
Consideration of exclusions.
There are changes in how exclusions to applicability are considered. Whereas in the 2008 standard, an organisation could decide to exclude the requirements of clause 7 from its QMS, the new standard does not seem to allow exactly the same leeway. An organisation can only decide that a requirement is non-applicable if it CANNOT be applied, and providing the non-applicability does not result in the nonconformity of products or services, or failure to meet the aim of enhancing customer satisfaction.
|ISO 9001:2008||ISO 9001:2015|
|Normative References||Normative References|
|Terms and Definitions||Terms and Definitions|
|Quality Management System||Context of the Organization|
|Measurement, Analysis and Improvement||Operations|
There is a 3 year transition period from the 2008 to the 2015 editions. This means that no certification to ISO 9001:2008 will be valid after September 2015. It is understanding that new certifications/re-certifications may still be made to the older 2008 standard, may still be granted up until March 2017 (18 months into the transition period), but will need to be converted by the final date. This information is based on material published by ISO in late 2013, and is subject to change. Readers are recommended to write to us directly for clarifications.
Organisations with an existing, certified QMS will need to:
- Perform a gap analysis of existing arrangements against the new requirements.
- Develop an implementation strategy.
- Provide appropriate training and awareness briefings.
- Update the existing QMS.
- Perform internal audits.
- Liaise with their certification body for transition arrangements.
Readers should also be aware that there may be further changes in the final draft and then the actual international standard. However, the principal changes – the common structure and terminology, more defined process approach, and consideration of risk – will remain.