ISO has recently updated the popular ISO 9001 standard. This update includes some very significant changes to the structure and requirements, and will affect all organistions intending to maintain a certified QMS or IMS. This article describes significant changes, timeframes, transition arrangements, and steps that you might consider next.
As you may be aware, ISO recently updated the popular ISO 9001 standard. There are a number of changes which tighten up or expand existing requirements, plus a major restructure, and change of emphasis. The combined effect of these changes is anticipated to be much more significant than that which occurred in the 2008 update. Indeed, some would say that this is the most significant update there has ever been to the standard.
One important background element to the 2015 update is the ISO strategy to create a common approach to management system standards. This common approach will apply to all Type A (certification) standards, and many Type B (guidance) standards. The aim is to enhance the consistency and alignment of ISO management system standards by providing:
- A common high-level structure
- Identical core text
- Common terms and core definitions
Individual standards may add additional discipline-specific requirements as required. ISO believes that this common approach will increase the value of such standards to users. It will be particularly useful for those organisations that implement an integrated management system to address the requirements of two or more standards. The common approach is described in detail in an annex to an internal ISO directive. It is perhaps surprising that an organisation that is all about setting standards, has itself not previously had a standard method of doing so.
Why has ISO 9001 changed?
The changes basically fall into 2 categories – those resulting from the ISO strategy for a common approach (as referred to above), and those that more directly relate to quality management. The main reasons for changes may be described as follows:
- To better facilitate integration with other management system standards
- To improve relevance to service industries
- To improve relevance to diverse business models (e.g. online business, virtual offices etc.)
- To address increasing complexity of business environment
The following bullet points list the most significant changes, and include some initial thoughts on them:
A new high-level clause structure – common to that being introduced across all management system standards.
Since the original ISO 9001 quality management standard was released back in 1987, there has been a plethora of management system standards that address topics from the environment to business continuity. With the increasing trend towards integrated management systems that address multiple standards, it makes a lot of sense for them to adopt a common structure (in terms of major clause numbering and titles), and terminology. Examples of the high-level clause numbering and titles are:
2. Normative references
3. Terms and definitions
4. Context of the organization
9. Performance evaluation
While this change would not have much effect on an organization seeking certification for a single subject, it would have considerable benefit for one seeking certification for several, and a standardised approach would also be welcomed by consultants and auditors..
Changes to terminology - This is again part of the ‘standardisation of standards’.
- The rather clumsy ‘Product realization’ becomes ‘Operations’.
- ‘Product’ becomes ‘Products and services’.
The above changes are a long-overdue recognition that a high proportion of organisations with an ISO 9001-based QMS are not manufacturers, but provide some form of service. They should lead to improvements in awareness of relevance and general understanding.
- "Management commitment"’ becomes "Leadership".
- “Documents”, “Documentation” and “Records” are combined to become “Documented information”.
- “Supplier” becomes “External provider”.
- "Purchasing” and “Purchased product” become “Externally provided products and services”.
Some of these changes in terminology are indicative of wider changes that may have considerable significance to your management system, and are described further below.
New clauses relating to understanding the context of the organisation.
These requirements put focus on the organisation’s reason for being, consideration of just who are "interested parties" (which now seems to be the preferred term to "stakeholders"), and what are their ‘needs and expectations’. The wording suggests that some leeway may be given to an organisation deciding which "interested parties" are "relevant", and when they are deemed as so, which of their "needs and expectations" are also considered ‘relevant’.
Expanded requirements for quality objectives.
- Requires objectives to be set for relevant processes – this requirement previously just referred to functions and levels throughout the organisation.
- Requires progress to be monitored.
“Management responsibility” expanded to “Leadership”.
The new standard requires top management to “demonstrate leadership and commitment”. There is an emphasis on integration of the QMS into the organisation’s strategic direction and business processes, and on the involvement of top management. Where terminology like “promoting”, “taking”, “engaging” or “supporting” is used, the inference is that these activities must be undertaken by top management themselves, rather than delegating to others.
The requirement for a Management Representative has been removed.
The duties previously assigned to that role may now be assigned to any role or split across several roles (notwithstanding previous comments about the greater role of top management). Of course, you may still choose to have a management representative.
More explicit requirements for the process approach to quality management.
Although the process approach has been part of ISO 9001 since the 2000 version, requirements have not previously been so clearly spelt out. The new standard clearly specifies what is expected in the process approach e.g. identifying required processes, their sequence, the inputs required to them, the outputs expected from them, how they are controlled, the resources needed for them, responsibilities for them, and so on. While most of these requirements could be inferred from various parts of the previous standard, the concentration of them in a list in a single clause suggests something more. As a general observation, the standard as a whole seems to be less prescriptive than its predecessor in how various requirements will be met – but this clause seems to run contrary to that trend by being more prescriptive. This may lead to wider use of process mapping and process planning tools to describe the listed requirements.
No specific Preventive action clause.
The Preventive action clause has always been widely misunderstood and very unevenly applied. Of course, one of the fundamental problems has been that a large part of any quality management system is aimed at preventing things from going wrong, and could therefore come within the scope of a Preventive action procedure. There has also been widespread confusion over the meaning of the terms “corrective action” and “preventive action”, and the two are often lumped together in many systems. The principle of preventing nonconformity has not gone away, but is dealt with elsewhere in the standard. The welcome removal of this clause is directly related to the next item.
Risk-based thinking: Consideration of risk and opportunities.
The 2008 version of the standard did not explicitly mention risk, although its Preventive action clause could be addressed by assessing risk and taking appropriate action to eliminate or minimise it (otherwise known as risk management). The 2015 version is a bit more forthcoming on the topic. There is a requirement to ‘determine external and internal issues that may affect the ability to achieve intended outcomes’. Those acquainted with the risk management approach will recognise those words as describing the step of hazard identification. Alongside the earlier bullet point that mentions ‘the context of the organisation’, a very familiar risk management pattern is developing here. Indeed, the R-word itself makes no less than 43 appearances in the new standard - such as in clause 4.1 which requires the organisation to ‘determine the risks and opportunities to be addressed’. So, the concept of preventive action is essentially still covered by the new ‘risk’ clauses, and is also expanded upon.
Reduced requirement for documents.
As mentioned above, the terms ‘document’, ‘documentation’ and ‘record’ are replaced throughout by the term ‘Documented information’. While the full implications of this change in terminology are worked through, one thing is very clear: For the first time in ISO 9001, there are no requirements for a ‘Quality Manual’ or ‘Documented procedures’. There are plenty of requirements to ‘maintain documented information’ as evidence. These are what are currently known as records.
Control of external provision of products and services.
The 2008 standard has its purchasing clause which covers the purchasing process, purchasing information, and verification of purchased product. The existing general requirements also state that where an organisation outsources any process that affects conformity to requirements, the organisation shall ensure control over that process. Outsourcing is defined as a process which the organisation chooses to have performed by an external party. So, what are the significant changes for the new standard? Well, once again the R-word comes into play. Organisations are required to take a risk-based approach to the required controls. You may be forgiven for thinking that is not such a significant change. Wouldn’t organisations have done that anyway?
One interesting difference is the new reference to external provision extends beyond traditional suppliers and subcontractors to including ‘an arrangement with an associate company’. That may be quite significant for organisations that are part of a larger group and rely to some degree on head office or another site for certain functions.
Care of property belonging to others.
The clause in the 2008 standard referring to customer property is expanded to include property belonging to external providers. This seems very sensible. As property can include intellectual property and data, this requirement may lead to more widespread information security measures being implemented to protect external providers’ IP and ensure confidentiality.
Expanded requirements for Monitoring, measurement, analysis and evaluation
Expands on requirements for organisations to consider what should be measured, how and when. These now include:
- New requirement to monitor the quality performance and effectiveness of the organisation’s quality management system.
- New requirement to obtain information relating to customer views and opinions of the organisation. This may be interpreted as enforcing pro-active information gathering and widens the scope beyond just whether the organisation has met the customer’s requirements.
Consideration of exclusions.
There are some subtle (but perhaps important for some) changes in how exclusions to applicability are considered. Whereas in the 2008 standard, an organisation could decide to exclude the requirements of clause 7 from its QMS, the new standard does not seem to allow exactly the same leeway. An organisation can only decide that a requirement is non-applicable if it CANNOT be applied, and providing the non-applicability does not result in the nonconformity of products or services, or failure to meet the aim of enhancing customer satisfaction.
Structure - 2008 v 2015
|ISO 9001:2008||ISO 9001:2015|
|0. Introduction||0. Introduction|
|1. Scope||1. Scope|
|2. Normative References||2. Normative References|
|3. Terms and Definitions||3. Terms and Definitions|
|4. Quality Management System||4. Context of the Organization|
|5. Management Responsibility||5. Leadership|
|6. Resource Management||6. Planning|
|7. Product Realization||7. Support|
|8. Measurement, Analysis and Improvement||8. Operations|
|9. Performance Evaluations|
There is a 3 year transition period from the 2008 to the 2015 editions. This means that no certification to ISO 9001:2008 will be valid after September 2015. It is understanding that new certifications / re-certifications may still be made to the older 2008 standard may still be granted up until March 2017 (18 months into the transition period), but will need to be converted by the final date. Certification bodies may also apply their own rules regarding for how long they are prepared to offer new certifications to ISO 9001:2008. Information from some is that they will cease offering new certifications to ISO 9001:2008 from September 2016. Readers are recommended to check with their certification body.
Organisations with an existing, certified QMS will need to:
- Perform a gap analysis of existing arrangements against the new requirements.
- Develop an implementation strategy.
- Provide appropriate training and awareness briefings.
- Update the existing QMS.
- Perform internal audits.
- Liaise with their certification body for transition arrangements.
At this stage, that is our perception of the most significant changes, along with our initial thoughts on them. There are, of course, many other changes of varying degrees of significance, and others may well have a different view on them.
Qudos will provide further information on ISO 9001, quality management, and related topic via our regular newsletters. You may sign up for our newsletter by clicking on the link at our web site www.qudos-software.com.
The online resource library for compliance and risk management is constantly being updated with new content. Over the coming weeks and months, this will include articles, guidance material, planning tools, sample policies, documents, and other resources for the new standards. To join or for members login, go to www.qudosclub.com
Qudos 3 software
Users of Qudos 3 software may access information and resources for the new standards via its Resource Centre (on the Help menu), or in the Quality Manager, Safety manager, and Enviro Manager Toolkits.
For those looking for a great start to updating and modernising an existing QMS, Qudos can offer a Gap analysis and strategy plan service. This will be provided by a qualified auditor, with certified training to the new standard. Low-cost 1 and 2 day options are available to suit your needs. Management system coaching, training and system development / maintenance services are also available from Qudos and its partners.To find out more, just complete a Contact Us form. Note: Mobile users can find the form at Menu item 'Contact us'.