ISO 9001 revision focuses on reducing risk and applying the process approach. Things we’ve come to expect in our international standards are missing in the version of ISO 9001 currently under development.
Based on the committee draft (CD), ISO 9001:2015 is significantly different from ISO 9001:2008. Requirements for a quality manual and for documented procedures are absent, as is the preventive action clause.
One sentence in section 7.5.1 tells you what documents are required: "The organization’s quality management system (QMS) shall include documented information required by this international standard and documented information determined by the organization as being necessary for the effectiveness of the QMS."
While the ISO 9001:2015 CD was released June 3, 2013, changes are still probable. The foreword of the draft says the transfer from 2008 to the new standard is expected during a three-year period, giving organizations plenty of transition time.
ISO 9001:2015 requires that an organization determine its strategic direction. This is the opening to the requirements of the standard. While the goal of the new standard is that it becomes more applicable to service industries, this requirement, if embraced, will prompt any organization to examine itself and determine "its strategic direction and what is affecting its ability to achieve the intended outcome(s) of its QMS."1 Most organizations have addressed this, but it has not been a requirement in the past.
The 2015 standard also introduces a new term, "documented information," to describe the requirements for physical evidence (electronic or hard-copy media). Documented information is defined as "information required to be controlled and maintained by an organization and the medium on which it is contained." The 21 documented information requirements are listed in Table 1.2
ISO 9001:2015 was redrafted to be more generic and easily applicable to service industries. The term "product" is replaced by "goods and services," meaning deliverables for the customer. Note, this proposed change is currently being reviewed and might not be made.
According to the introduction to the draft, the prescriptive nature of the standard is reduced in the revision. Some requirements, such as control of monitoring and measuring devices, are less prescriptive, while others are more prescriptive, such as the requirement, "determining the scope of the QMS." The 2015 version defines what must be included in the scope.
Two new clauses have been introduced relating to the context of an organization: Clause 4.1—Understanding the organization and its context, andClause 4.2—Understanding the needs and expectations of interested parties. The intent of these two clauses is to require an organization to determine the issues and requirements that can affect the planning of a QMS and can be used as an input into developing a QMS. Note that a discussion is continuing among those writing the standard regarding the renumbering of the clauses and requirements, as well as the use of the words "interested parties."
The process approach was promoted in ISO 9001:2008. The proposed revision makes the process approach more explicit. Clause 4.4.2—Process approach specifies requirements.
The term "preventive" is not in the 2015 revision. The reason is that the key purpose of a formal management system is to act as a preventive tool, and determining risks is preventive. Clause 4.1 requires determining the risks and opportunities that must be addressed to ensure a QMS can achieve its intended outcome. Clause 6.1 requires prevention or reduction of undesired effects and achievement of improvement. These two clauses cover the concept of preventive action and expand the view to consider risks and opportunities.
Documented information requirements replace document and record requirements, affording more flexibility in how requirements are met.
External provision of goods and services, addressed in clause 8.6, combines previous requirements for outsourced processes and purchasing in the 2008 version. A risk-based approach is required to determine what must be done to ensure externally provided goods and services meet requirements.
In ISO 9001:2015, the words "continual improvement" are replaced by "improvement." Improvement is never finished and is a pursuit, making the word "continual" unnecessary. Found only once in the 2008 version, "nature" is used often in the 2015 revision. References to nature include:
• Clause 8.5.1.a: "The nature, duration and complexity of the development activities."
• Clause 8.5.1.e: "The nature of the goods and services to be developed and potential consequences of failure."
• Clause 8.6.5: "The nature and intended lifetime of goods and services."
• Clause 8.2: "Nature of the nonconformity and its effects."
• Clause 8.8: "Nature of nonconformities and any subsequent actions."
• Clause 10.1: "Nature of nonconformities and any subsequent actions."
While it’s referenced, nature is not defined in the draft of ISO 9001:2015. The Merriam-Webster Online Dictionary defines nature as "the inherent character or basic constitution of a person or thing."3
To meet the requirements of 2015, significant changes for most management systems will be to establish a process to reduce risk and to formally apply the process approach.
Risk identification and mitigation
Risk identification and mitigation requires a systematic, methodical approach to determining risks and incorporating methods to address them. Our understanding of addressing risk management is governed by a family of standards, including:
• ANSI/ASSE Z690.1-2011—Vocabulary for risk management (U.S. adoption of ISO Guide 73:2009).4,5
• ANSI/ASSE Z690.2-2011—Risk management principles and guidelines(U.S. adoption of ISO 31000:2009).6,7
• ANSI/ASSE Z690.3-2011—Risk assessment techniques (U.S. adoption of ISO/IEC 31010:2009).8,9
The requirements for applying the process approach have moved from being hidden in the shadows of ISO 9001:2008, clause 4.1, to being a key emphasis in ISO 9001:2015. ISO 9001:2008, Clause 4.1—General requirements was often not seriously addressed by organizations. The 2015 revision emphasizes the process approach in clause 4.4.2, and it cannot be overlooked.
ISO 9001:2015, Clause 4.4.2—Process approach requires determining the inputs required and outputs expected, risks of conformity of goods and services, and customer satisfaction if unintended outputs are delivered or process interaction is ineffective. It requires organizations to assign responsibilities and authorities. ISO 9001:2015 replaces "monitor, measure and analyze" with "monitor, analyze and change."
Eight clauses of ISO 9001:2008 are replaced by 10 clauses in ISO 9001:2015, per the CD. ISO 9001:2008’s eight clauses are:
2. Normative references.
3. Terms and definitions.
4. QMS (documentation requirements for the QMS).
5. Management responsibilities.
6. Resource management.
7. Product realization.
8. Measurement, analysis and improvement.
The change to 10 clauses doesn’t mean the revised standard adds categories, as you might expect. Instead, it mostly reorders and categorizes its content differently by separating and expanding existing clauses. The 10 clauses in ISO 9001:2015 are:
Clause 1—Scope; Clause 2—Normative references; and Clause 3—Terms and definitions. Beginning clauses of the new standard reflect little change, the only one being removal of the word "continual" from continual improvement.
Clause 4—Context of the organization. This clause requires examination of the organization and its context, including thinking of the needs and expectations of interested parties, determining the scope of the QMS and requiring the process approach.
Clause 5—Leadership. A first in an ISO 9001 standard, ISO 9001:2015 charges top management with accountability in the section for organizational roles, responsibilities and authorities. The CD states: "Top management shall be accountable for the effectiveness of the QMS."
Clause 6—Planning. Organizations are required to plan to address risks and to achieve quality objectives. This is the first time a quality management standard has ever addressed risk. This will require some learning for organizations and auditors unfamiliar with risk-based management systems.
Planning of changes is also a new concept for those unfamiliar with standards. ISO 9001:2015 requires an organization to plan and manage change in a systematic manner, identifying risks and opportunities while reviewing the potential consequences of the change.
Clause 7—Support. Clause 7 reminds organizations that support is essential for success and must be managed. Infrastructure, process environment, monitoring and measuring devices, and knowledge needs must be determined, provided and maintained.
Knowledge is necessary for the operation of the QMS and its processes to ensure conformity of goods and services, and customer satisfaction. An assessment by the organization is required to determine what knowledge is needed. Knowledge must be maintained, protected and made available as necessary. The draft includes a requirement that organizations ensure the necessary additional knowledge needs are considered during change management.
Other requirements addressed in the support clause are competence, awareness, communication and documented information. In the 2008 version, a required record is necessary for education, experience, skills and training. In the 2015 revision, the documented information is "evidence of competence."
Awareness relates to people doing work under the organization’s control. It’s required that they are aware of the quality policy, objectives, their contributions to the effectiveness of the QMS and the implications of nonconformance to requirements.
It is left open for the organization to determine the need for internal and external communication relevant to its QMS.
Documented information is addressed in subsection requirements for creating and updating, and in requirements for controlling documented information.
Clause 8—Operation. Operation planning and control emphasizes control of functions or processes of external providers. Previously referred to as outsourced processes, different words are used to describe requirements for determining customer requirements. The 2015 standard describes them as "determination of market needs and interactions with customers." Determination and review of requirements follow similar requirements found in ISO 9001:2008, clauses 7.2.1 and 7.2.2.
Operational planning has its own subsection. The planning process requires "actions to identify and address risks related to achieving conformity of goods and services to requirements." The note at the end of the section reminds organizations this is a quality plan.
Control of external provision of goods and services replaces the purchasing requirements. Development of goods and services replaces the design and development section in 2008. "Production of goods and provision of services" was the familiar "product realization" in 2008. Remember, that was a new term in 2000.
Few changes are made for production with the exception of some minor rearranging in the order of requirements. One new requirement is the need for "documented information that describes the characteristics of the goods and services" and "documented information that describes the activities to be performed and the results achieved." These have never been spelled out in this manner before. Eventually, this will probably be a welcome addition.
In clause 8.6.1.i., the last requirement is "prevention of nonconformity due to human error, such as unintentional mistakes and intentional rule violations." This requires that organizations mistake-proof production of goods and provision of services. Auditors and organizations must become knowledgeable about tools and methods to mistake-proof their processes. Absence of this is considered nonconformance.
Post delivery activities are addressed separately from production of the goods or provision of services. The note at the end of the section explains postdelivery activities, and includes warranty provisions and contractual obligations.
Control of changes, release of goods and services, and nonconforming goods and services are addressed at the end of the clause for operation. Control of changes reemphasizes and actually repeats words from the requirements for planning changes addressed in clause 6.
Clause 9—Performance evaluation. Monitoring, measurement and analysis have been grouped with a new word, "evaluation." Analysis did not apparently require evaluation. The word "evaluation" strengthens the requirements for monitoring and measurement. An organization must address requirements for what to monitor and measure, methods, when to perform, and when to analyze and evaluate. Documented information, as evidence of the results, must be retained. This brings to the forefront requirements to make the organization data driven.
Customer satisfaction is reworded to reemphasize the need for understanding customer perceptions including customer feedback, views and perceptions of the organization and its goods and services. Internal audits and management review are part of the performance evaluation clause.
Clause 10—Improvement. Nonconformity, corrective action and improvement are held for the last clause. The requirements for nonconformity are expanded. Previous versions of the quality management standards have not strongly encouraged addressing nonconformity as reactions to processes other than production processes. The 2015 version of the quality management standard uses wording to emphasize "when a nonconformity occurs, the organization shall react to the nonconformity."
A nonconformity, by definition, is a lack of meeting requirements. Should a procedure, work instruction or some other planned arrangement not be followed, a nonconformity will have occurred. ISO 9001:2015 requires organizations to address and react to this type of nonconformity. As with the 2000 and 2008 versions of ISO 9001, an evaluation can occur if further action is needed. If it is necessary to prevent reoccurrence, causes must be found.
The 2015 standard requires "changes to the QMS, if necessary."
The new version of ISO 9001 will bring positive change for management systems. It strengthens requirements that have previously been implied, such as mistake-proofing, change management, risk management and the issuance of nonconformities when planned arrangements aren’t followed. The 2015 standard is possibly more prescriptive in these areas, with less left to interpretation. The path outlined by the new standard, if embraced by an organization, will lead to a better understanding of meeting customer expectations and protecting its efforts.
It will be hard work to learn the new words and phrases. The clauses aren’t arranged in the same way. Is it an improvement over 2008? Yes, unequivocally, but change is never easy, even when it is for the better. ISO 9001:2015, nevertheless, is a step forward that should be embraced.
Not all changes are covered in the scope of this article. It is the beginning of learning what has changed. Just as ISO 9001:2008 was still revealing applications of its requirements years after being published, the 2015 version also will open eyes slowly as precepts come into the light.
Whether or not you stand in support of the 2015 standard, it is another chapter in the pursuit of excellence that drives the profession of quality management. ISO 9001:2015 is still in draft version, with many meetings still scheduled between now and the final adoption. Change is possible to anything and everything in this article, which discusses the CD, but it’s not too early to begin thinking about what might be coming.
References and notes
1. International Organization for Standardization, Committee Draft, ISO 9001:2015—Quality management systems—Requirements, June 3, 2013.
2. View a version of Table 1 that compares documented information requirements in ISO 9001:2008 with the requirements in ISO 9001:2015 at http://bit.ly/ISO9001requiredocs (case sensitive).
3. Merriam-Webster Online Dictionary, "Nature," www.merriam-webster.com/dictionary/nature.
4. American National Standards Institute and American Society of Safety Engineers, ANSI/ASSE Z690.1-2011—Vocabulary for risk management.
5. International Organization for Standardization, ISO Guide 73:2009—Risk management—Vocabulary.
6. American National Standards Institute and American Society of Safety Engineers, ANSI/ASSE Z690.2-2011—Risk management principles and guidelines.
7. International Organization for Standardization, ISO 31000:2009—Risk management—Principles and guidelines.
8. American National Standards Institute and American Society of Safety Engineers, ANSI/ASSE Z690.3-2011—Risk assessment techniques.
9. International Organization and International Electrotechnical Commission, ISO/IEC 31010:2009—Risk management—Risk assessment techniques.
Article Reference: ASQ