Sunday, 20 December 2015

ISO 9001:2015 Understanding ISO 9001:2015

ISO 9001:2015

Understanding ISO 9001:2015

ISO 9001 is the international standard that specifies requirements for a quality management system (QMS). Organizations use the standard to demonstrate the ability to consistently provide products and services that meet customer and regulatory requirements. It is the most popular standard in the ISO 9000 series and the only standard in the series to which organizations can certify. Successful businesses understand the value of an effective Quality Management System that ensures the organization is focussed on meeting customer requirements and they are satisfied with the products and services that they receive. ISO 9001 is the world’s most recognized management system standard and is used by over a million organizations across the world. The new version has been written to maintain its relevance in today’s marketplace and to continue to offer organizations improved performance and business benefits.ISO 9001 was first published in 1987 by the International Organization for Standardization (ISO), an international agency composed of the national standards bodies of more than 160 countries. The current version of ISO 9001 was released in September 2015.  ISO 9001:2015 applies to any organization, regardless of size or industry. More than one million organizations from more than 160 countries have applied the ISO 9001 standard requirements to their quality management systems.  Organizations of all types and sizes find that using the ISO 9001 standard helps them organize processes, improve the efficiency of processes and continually improve.With the 2015 version of ISO 9001 you can have an integrated approach with other management system standards. Bring quality and continual improvement into the heart of the organization. Increase involvement of the leadership team. Introduce risk and opportunity management. It’s much less prescriptive than the 2008 version and can be used as a more agile business improvement tool. This means that you can make it relevant to the requirements of your own organization to gain sustainable business improvements. One of the major changes to ISO 9001 is that it brings quality management and continual improvement into the heart of an organization. This means that the new standard is an opportunity for organizations to align their strategic direction with their quality management system. The starting point of the new version of ISO 9001 is to identify internal and external parties who support the QMS. This means that it can be used to help enhance and monitor the performance of an organization.The new standard will help you become a more consistent competitor in the marketplace. It will provide better quality management that helps you to meet present and identify future customer needs. it increases efficiency that will save you time, money and resources. It  Improves operational performance that will cut errors and improves profits. It will motivate, engage and involve staff with more efficient internal processes. It will help you win more high value customers, and achieve improved customer retention with better customer service. It will broaden business opportunities by demonstrating compliance
All ISO management system standards are subject to a regular review under the rules by which they are written. Following a substantial user survey the committee decided that a review was appropriate and created the following objectives to maintain its relevance in today’s marketplace:
  • Integrate with other management systems
  • Provide an integrated approach to organizational management
  • Provide a consistent foundation for the next 10 years
  • Reflect the increasingly complex environments in which organizations’ operate
  • Ensure the new standard reflects the needs of all potential user groups
  • Enhance an organization’s ability to satisfy its customersProcess approach 2015
1. Structure and terminology
The most significant change we will see in ISO 9001:2015 is the new structure. ISO 9001:2015 is based on Annex SL – the new high level structure. This is a common framework for all ISO management systems. This helps to keep consistency, align different management system standards, offer matching sub-clauses against the top level structure and apply common language across all standards. It will be
easier for organizations to incorporate their QMS into core business processes and get more involvement from senior management. The Plan-Do-Check-Act (PDCA) cycle can be applied to all processes and to the quality management system as a whole.The reason for the change is to adopt the common approach outlined in Annex SL, the new document that all ISO management system standards, including ISO 9001, ISO 14001 and the recently released ISO 27001, must follow. Currently, ISO 9001 contains 8 sections, of which four attempt to approximate “plan, do, check, act.” The new structure, based on Annex SL, has 10 sections four of which also approximate to “plan, do, check, act.” All new management system standards will have this common structure. Here is the new structure:PDCA in HLS
  1. Scope

    This section describes the scope of the management system standard and will be unique to the individual standard. Clause 1 details the scope of the standard and there has been very little change to this clause from ISO 9001:2008.
  2. Normative References

    This section references other relevant standards, which are indispensable for the application of the document and will also be unique.ISO 9000, Quality Management System – Fundamental and vocabulary is referenced and provides valuable guidance.
  3. Terms and Definitions

    Section three contains definitions, and while some of these are common terms related to Annex SL, other definitions will be unique to the management system standard. All the terms and definitions are contained in ISO 9000:2015 – Quality Management – Fundamentals and vocabulary.
  4. Context of the Organization

    This part is about understanding the organization’s purpose, the management system and who the stakeholders are. It describes how to set up the management system and is similar in some respects to the old section 4 except that it explicitly requires a broader understanding of the situation and needs of the business. This is a new clause that establishes the context of the QMS and how the business strategy supports this. The ‘context of the organization’ is the clause that underpins the rest of the new standard. It gives an organization the opportunity to identify and understand the factors and parties in their environment that support the quality management system. Firstly, the organization will need to determine external and internal issues that are relevant to its purpose, i.e. what are the relevant issues, both inside and out, that have an impact on what the organization does, or that would affect its ability to achieve the intended outcome(s) of its management system. It should be noted that the term “issue” covers not only problems which would have been the subject of preventive action in previous standards, but also important topics for the management system to address, such as any market assurance and governance goals that the organization might set. Secondly an organization will also need to identify the “interested parties” that are relevant to their QMS. These groups could include shareholders, employees, customers, suppliers, and even pressure groups and regulatory bodies. Each organization will identify their own unique set of “interested parties” and over time these may change in line with the strategic direction of the organization. Next the scope of the QMS must be determined. This could include the whole of the organization or specific identified functions. Any outsourced functions or processes will also need to be considered in the organization’s scope if they are relevant to the QMS. The final requirement of Clause 4 is to establish, implement, maintain and continually improve the QMS in accordance with the requirements of the standard. This requires the adoption of a process approach and although every organization will be different, documented information such as process diagrams or written procedures could be used to support this
    4.1 Understanding the organization and its context.
    A new requirement; One of several that might suggest a greater union between the QMS and wider business planning activities. Requires organisations to ascertain, monitor and review both internal and external issues that are relevant to its purpose and strategic direction, and have the ability to impact the QMS and its intended results.
    4.2 Understanding the needs and expectations of interested parties.
    A broadening of scope beyond just customers. Requires the organisation to determine “the relevant requirements” of “relevant interested parties” e.g. a person or organization that can affect, be affected by, or perceive themselves to be affected by a decision or activity.
    4.3 Determining the scope of the QMS.
    The scope statement must state the products and services covered.
    4.4 The QMS and its processes.
    A major change that specifies a number of factors to be considered when planning the processes that make up the QMS. Although a process-planning approach has been previously expressed in earlier standards, this greatly reinforces the requirement.
  5. Leadership

    This section provides requirements for commitment, policy and responsibilities. This section is similar to the old section 5 on Management but the emphasis is perhaps more on leadership than just management.  This clause places requirements on “top management” which is the person or group of people who directs and controls the organization at the highest level. It is no longer the responsibility of an individual or to have a “Management Representative” who is responsible for the QMS. There is an increased emphasis on people “owning” the QMS rather than one individual. The purpose of these requirements is to demonstrate leadership and commitment by leading from the top. Top management now have greater involvement in the management system and must ensure that the requirements of it are integrated into the organization’s processes and that the policy and objectives are compatible with the strategic direction of the organization. The quality policy should be a living document, at the heart of the organization. To ensure this, top management are accountable and have a responsibility to ensure the QMS is made available, communicated,  maintained and understood by all parties. There is also a greater focus on top management to enhance customer satisfaction by identifying and addressing risks and opportunities that could affect this. Top management need to demonstrate consistent customer focus by showing how they meet customer requirements, regulatory and statutory requirements, and also how the organization maintains enhanced customer  satisfaction. In the same context, they need to have a grasp of the organization’s internal strengths and weaknesses and how these could have an impact to deliver products or services. This will strengthen the concept of business process management. In addition, top management need to demonstrate an understanding of the key risks associated with each process and the approach taken to manage, reduce or transfer the risk. Finally, the clause places requirements on top management to assign QMS relevant responsibilities and authorities , but must
    remain accountable for the effectiveness of the QMS.
    5.1 Leadership and commitment.
    Greater emphasis is placed on the role of top management. Requires top management to “demonstrate leadership and commitment”, and suggests that a more hands-on approach is expected.
    5.2  Policy.
    Policy requirements are enhanced. A requirement is introduced that the quality policy is appropriate to the context of the organization, and that it is applied throughout the organization.
    5.3 Organizational roles, responsibilities and authorities.
    The requirement for a Management representative is no longer specified. The duties previously assigned to that role may now be assigned to any role or split across several roles.
  6. Planning

    Planning is now a section on its own. Planning was always covered by the current standard in sections 4.1, 6.1, 7.1 and 8.1 but the new structure includes risk (which is now a clear requirement) and opportunities, the setting of goals and objectives to achieve plans, and resources. Interestingly, risk was introduced in AS9100 (the aerospace version of ISO 9001) in a similarly limited manner. In the latest version of AS9100, however, risk was expanded and defines a number of specific requirements/activities for a risk process. It will be interesting to see whether ISO will leave the requirement for risk as a general requirement as defined in Annex SL or whether it will take AS’s lead and expand it. This planning section also requires a greater application of goals and objectives to integrate with the management system’s planning and operation to generally facilitate success of the organization.Planning has always been a familiar element of ISO 9001, but now there is an increased focus on ensuring that it is considered with Clause 4.1 ‘context of the organization’ and Clause 4.2 ‘interested parties’. The first part of this clause concerns risk assessment whilst the second part is concerned with risk treatment. When determining actions to identify risks and opportunities these need to be proportionate to the potential impact they may have on the conformity of products and services. Opportunities could for example include new product launches, geographical expansion, new  partnerships, or new technologies. The organization will need to plan actions to address both risks and opportunities, how to integrate and implement the actions into its management system processes and evaluate the effectiveness of these actions. Actions must be monitored, managed and communicated across the organization. Another key element of this clause is the need to establish measurable quality objectives. This clause retains some of the requirements contained in Clause 5.4 of the 2008 version but is more specific. Quality objectives now need to be consistent with the quality policy, relevant to the conformity of products and services as well as enhancing customer satisfaction. The last part of the clause considers planning of changes which must be done in a planned and systemic manner. There is a need to identify the potential consequences of changes, determine who is involved, when changes are to take place, what resource needs to be allocated.
    6.1 Actions to address risks and opportunities.
    A major change introduced to require a risk-based approach. In addition to this clause, reference to the terms ‘risk’ and ‘opportunity’ are made throughout the standard.
    6.2 Quality objectives and planning to achieve them.
    Requirements for objective planning are tightened up. An objective should include a description of who is responsible, what is the target, when is it planned to be achieved. Progress must be monitored. Also, requires objectives to be set for relevant processes.
    6.3 Planning of changes.
    The clause lists items to be considered in change management.
  7. Support

    The support section includes most of the expected support processes that exist in an organization and which are covered in the current ISO standard. Clause 7 ensures there are the right resources, people and infrastructure to meet the organizational goals. It requires an organization to determine and provide the necessary resources to establish, implement, maintain and continually improve the QMS. Simply expressed, this is a very powerful requirement covering all QMS resource needs and now covers both internal and external resources. Clause 7.1 builds on Clauses 6.1, 6.2, 6.3 and 7.6 from 2008 and splits into 5 sub-clauses. There are additional requirements to meet applicable statutory and regulatory requirements. The sub-clauses continues to cover requirements for infrastructure and environment for the operation of processes. Monitoring and measuring has been changed to include resources, such as personnel or training. Organizational knowledge is a new requirement which deals with with requirements for competence, awareness, and communication of the QMS. Personnel must not only be aware of the quality policy, but they must also understand how they contribute to it and what the implications of not conforming are. There is a key requirement to maintain the knowledge held by an organization to ensure conformity of products and services. This could include the knowledge held by an individual as well as for example, the intellectual property of an organization. Organizations are required to examine whether the current knowledge they have is sufficient when planning changes and whether any additional knowledge is required. Finally there are the requirements for “documented information”. This is a new term, which replaces the references in the 2008 standard to “documents” and “records”. Organizations need to determine the level of documented information necessary to control the QMS. This will differ between organizations due to size and complexity. In line with the increased importance of information security in organizations, there is also greater emphasis on controlling access to documented information such as use of passwords. Organizations should also have systems in place to provide a back-up should IT systems crash. Human resources is renamed as “competence”, and communication, which will require a new approach in most organizations, is given its own section rather than a mention as a management responsibility. Finally, document control has been renamed “documented information.” It now covers both procedure/document control and records control.
    7.1 Resources.
    7.2 Competence.
    7.3 Awareness.
    There is an expansion of application from “personnel” to “persons doing work under the organization’s control”.
    7.4 Communication.
    Now includes external communication about the QMS.
    7.5 Documented information.
    New requirement to determine, make available, and maintain knowledge. No requirement for quality manual or procedures. “Documents”, “Documentation” and “Records” are combined to become “Documented information”.
    Requirements are expanded to mention issues such as confidentiality, access, and (data) integrity. This suggests an adoption of information security considerations in recognition of the increasing use of electronic documents/data.
  8. Operation

    This is a relatively short section, which essentially says “Do a good job” at whatever your management system is trying for. This clause deals with the execution of the plans and processes that enable the organization to meet customer requirements and design products and services. It includes much of what was previously referred to in Clause 7 of the 2008 version, but there is greater emphasis on the control of processes especially planned changes and review of the consequences of unintended changes, and mitigating any adverse effects as necessary. The revised version of the standard acknowledges the trend towards greater use of subcontractors and outsourcing. This is demonstrated by the requirement to establish criteria for monitoring the performance of these parties in addition to keeping records used to establish selection criteria. The Clauses continue to cover ‘Requirements for products and services’ which remains largely unchanged from the 2008 version. However, it now requires communication with regards to contingency actions where required and also the treatment of customer property. A new requirement for communicating with ‘potential’ customers is also included, useful for bringing new offerings or solutions to the market. There are more explicit requirements in terms of the standards or codes of practice that the organization has committed to implement; internal and external resource needs for the design and development of products and services and finally the potential consequences of failure due to the nature of products and services. There is also a new clause which covers post-delivery activities. This could include activities such as maintenance programmes or work carried out under warranty, and activities covering final disposal or recycling of the product. When determining the extent of these activities organizations must consider the risks associated with a product or service, customer requirements, customer feedback, and any statutory requirements. In a welcome change of terminology, the rather clumsy ‘Product realization’ becomes ‘Operations’
    8.1 Operational planning and control.
    8.2 Requirements for products and services.
    8.3 Design and development of products and services.
    This may be interpreted that more organizations do some form of design and development.
    8.4 Control of externally provided  processes, products and services.
    An expansion of scope – from just suppliers to also include other external providers of products and services. Purchasing” and “Purchased product” become “Externally provided products and services”.
    8.5 Production and service provision.
    An expansion on previous requirements e.g. documented information to specify intended results, and to determine the nature and extent of any post-delivery (after-sales) activities.
    8.6 Release of products and services.
    8.7 Control of nonconforming outputs.
  9. Performance Evaluation

    The section on evaluation includes monitoring, measurement and analysis, internal audits and management review. All familiar topics with some subtle changes.Performance evaluation covers many of the areas previously featured in Clause 8 of the 2008 version. Requirements for monitoring, measurement, analysis and evaluation are covered and you will need to consider what needs to be measured, methods employed, when data should be analysed and reported on and at what intervals. Documented information that provides evidence of this must be retained. There is now an emphasis on directly seeking out information that relates to how customers view the organization. Organizations must actively seek out information on customer perception. This can be achieved in a number of ways including satisfaction surveys, analysis of market share, and through complaints logged. There is now an explicit requirement that organizations must show how the analysis and evaluation of this data is used, especially with regards to the need for improvements to the QMS. Internal audits must also be conducted and this is largely unchanged from those in the 2008 version. There are additional requirements relating to defining the ‘audit criteria’ and ensuring the results of the audits are reported to ‘relevant’ management’. Management reviews are still required but there are additional requirements including the consideration of changes in external and internal issues that are relevant to the QMS. Documented information must be retained as evidence of management reviews.
    9.1 Monitoring, measurement, analysis and evaluation.
    There is a new requirement to obtain information relating to customer views and opinions of the organisation.
    9.2 Internal audit.
    Audit schedule must take customer feedback into account.
    9.3 Management review.
    Expanded requirements for management review inputs or agenda.
  10. Improvement

    Improvement covers nonconformity and corrective action, as well as continual improvement, all of which are outlined in section 8 of the current standard. There is no preventive action section any more as effectively it is replaced by “risk” under planning – improvement is now defined as a proactive planning activity.This clause starts with a new section that organizations should determine and identify opportunities for improvement such as improved processes to enhance customer satisfaction. There is also a need to actively look for opportunities to improve processes, products and services, and the QMS, especially with future customer requirements in mind. Due to the new way of handling preventive actions, there are no preventive action requirements in this clause. However, there are some new corrective action requirements. The first is to react to the nonconformities and take action, as applicable, to control and
    correct the nonconformities and deal with the consequences. The
    second is to determine whether similar nonconformities exists or
    could potentially occur. The requirement for continual improvement has been extended to cover the suitability and adequacy of the QMS as well as its effectiveness, but it no longer specifies how an organization achieves this.
    10.1 General.
    10.2 Nonconformity and corrective action.
    Specific reference to preventive action is removed.
    Now includes an additional requirement to record the nature of nonconformities.
    On discovering a nonconformity, an explicit requirement is introduced for organisations to determine whether other similar nonconformities actually exist, or could potentially exist.
    10.3 Continual improvement.

Comparison between ISO 9001:2015 and ISO 9001:2008

ISO  9001:2015  ISO 9001:2008
4 Context of the organization 1.0 Scope
4.1 Understanding the organization and its context 1.1 General
4.2 Understanding the needs and expectations of interested parties 1.1 General
4.3 Determining the scope of the quality management system 1.2 Application
4.2.2 Quality manual
4.4 Quality management system and its processes  4 Quality management system
4.1 General requirements
5 Leadership  5 Management responsibility
5.1 Leadership and commitment  5.1 Management commitment
5.1.1 General  5.1 Management commitment
5.1.2 Customer focus 5.2 Customer focus
5.2 Policy
5.2.1 Developing the quality policy
5.2.2 Communicating the quality policy
5.3 Quality policy
5.3 Organizational roles, responsibilities and authorities 5.5.1 Responsibility and authority
5.5.2 Management representative
6 Planning  5.4.2 Quality management system planning
6.1 Actions to address risks and opportunities 5.4.2 Quality management system planning
8.5.3 Preventive action
6.2 Quality objectives and planning to achieve them 5.4.1 Quality objectives
6.3 Planning of changes  5.4.2 Quality management system planning
7 Support  6 Resource management
7.1 Resources  6 Resource management
7.1.1 General  6.1 Provision of resources
7.1.2 People  6.1 Provision of resources
7.1.3 Infrastructure  6.3 Infrastructure
7.1.4 Environment for the operation of processes 6.4 Work environment
7.1.5 Monitoring and measuring resources 7.6 Control of monitoring and measuring equipment
7.1.6 Organizational knowledge New
7.2 Competence 6.2.1 General
6.2.2 Competence, training and awareness
7.3 Awareness 6.2.2 Competence, training and awareness
7.4 Communication 5.5.3 Internal communication
7.5 Documented information 4.2 Documentation requirements
7.5.1 General 4.2.1 General
7.5.2 Creating and updating 4.2.3 Control of documents
4.2.4 Control of records
7.5.3 Control of documented Information 4.2.3 Control of documents
4.2.4 Control of records
8 Operation 7 Product realization
8.1 Operational planning and control 7.1 Planning of product realization
8.2 Requirements for products and services 7.2 Customer-related processes
8.2.1 Customer communication 7.2.3 Customer communication
8.2.2 Determination of requirements related to products and services 7.2.1 Determination of requirements related to the product
8.2.3 Review of requirements related to the products and services 7.2.2 Review of requirements related to the product
8.2.4 Changes to requirements for product and services
8.3 Design and development of products and services
7.3 Design and development
8.3.1 General New
8.3.2 Design and development planning 7.3.1 Design and development planning
8.3.3 Design and development inputs 7.3.2 Design and development inputs
8.3.4 Design and development controls 7.3.4 Design and development review
7.3.5 Design and development verification
7.3.6 Design and development validation
8.3.5 Design and development outputs 7.3.3 Design and development outputs
8.3.6 Design and development changes 7.3.7 Control of design and development changes
8.4 Control of externally provided processes, products 7.4.1 Purchasing process and services
8.4.1 General 7.4.1 Purchasing process
8.4.2 Type and extent of control 7.4.1 Purchasing process
7.4.3 Verification of purchased product
8.4.3 Information for external providers 7.4.2 Purchasing information
8.5 Production and service provision 7.5 Production and service provision
8.5.1 Control of production and service provision 7.5.1 Control of production and service provision
8.5.2 Identification and traceability 7.5.3 Identification and traceability
8.5.3 Property belonging to customers or external providers 7.5.4 Customer property
8.5.4 Preservation 7.5.5 Preservation of product
8.5.5 Post-delivery activities 7.5.1 Control of production and service provision
8.5.6 Control of changes 7.3.7 Control of design and development changes
8.6 Release of products and services 8.2.4 Monitoring and measurement of processes
7.4.3 Verification of purchased product
8.7 Control of nonconforming outputs 8.3 Control of nonconforming product
9 Performance evaluation New
9.1 Monitoring, measurement, analysis and evaluation 8 Measurement, analysis and improvement
9.1.1 General 8.1 General
9.1.2 Customer satisfaction 8.2.1 Customer satisfaction
9.1.3 Analysis and evaluation 8.4 Analysis of data
9.2 Internal audit 8.2.2 Internal audit
9.3 Management review 5.6 Management review
9.3.1 General 5.6.1 General
9.3.2 Management review inputs 5.6.2 Review inputs
9.3.3 Management review outputs 5.6.3 Review outputs
10 Improvement 8.5 Improvement
10.1 General 8.5.1 Continual improvement
10.2 Nonconformity and corrective action 8.3 Control of nonconforming product
8.5.2 Corrective action
10.3 Continual Improvement 8.5.1 Continual improvement
The structure is based on the mandate that Annex SL from the ISO Directives be applied to management system standards.The clause structure and some of the terminology in ISO 9001:2015 is different than ISO 9001:2008 to improve alignment with other management system standards.The structure is to provide a presentation of requirements. It is not a model for document for documenting the organization’s policies, objectives and processes.There is no requirement for the structure of an organization’s quality management system documentation to mirror that of this International Standard.

Major differences in terminology between ISO 9001:2008  and ISO 9001:2015

ISO 9001:2008
ISO 9001:2015 
Products Products and services
Exclusions Applications
Documentation, records Documented information
Work Environment Environment for the operation of processes
Purchased Product Externally provided products and services
Supplier External provider

2. Products and services

ISO 9001:2008 used product to include all output categories such as products, services, processed materials, and hardware. In ISO 9001:2015 the term product have been replaced by term product and services and includes all output categories such as hardware, services, software and processed materials. The term services is to highlight the difference between products and services in the application of some requirements. In most cases, the terms are used together.In some cases, the word product is only used to specify a certain requirement.

3. Context of the organization

An organization’s context involves its “operating environment.” The context must be determined both within the organization and external to the organization.To establish the context means to define the external and internal factors that the organizations must consider when they manage risks. An organization’s external context includes its outside stakeholders, its local operating environment, as well as any external factors that influence the selection of its objectives (goals and targets) or its ability to meet its goals. An organization’s internal context includes its internal stakeholders, its approach to governance, its contractual relationships with its customers, and its capabilities and culture.
The internal context may include, but is not limited to:
  • Product and service offerings
  • Governance, organizational structure, roles, and accountability.
  • Regulatory requirements
  • Policies and goals, and the strategies that are in place to achieve them.
  • Assets like facilities, property, equipment and technology
  • Capabilities, understood in terms of resources and knowledge like capital, time, people, processes, systems, and technologies.
  • Information systems, information flows, and decision-making processes (both formal and informal).
  • Relationships of the staff/volunteers/members and the perceptions and values of their internal stakeholders including suppliers and partners.
  • Organization’s culture.
  • Standards, guidelines, and models adopted by the organization and
  • Form and extent of the organization’s contractual relationships.
The external context’s micro-environment consists of the organization’s immediate operations and how they affect its performance and decision-making. Some of the micro-environmental context factors
  • Customers – Organizations must attract and retain customers by offering products services that meet their needs along with providing excellent customer service
  • Employees/Members/Volunteers – There must be availability of people with the motivation to remain as contributing members of the organization and develop the skills necessary to provide a competitive edge
  • Suppliers – Suppliers provide organizations with the resources they need to carry out their activities. If a supplier provides bad service, this affects the way the organization operates. Close supplier relationships are an effective way to remain competitive and secure the resources needed
  • Investors – All organizations require investment to grow. They may borrow the money from a bank or have people invest in their work. Relationships with investors need to be managed carefully as problems can detrimentally affect the long term success of the organization
  • Media – Positive media attention can bring success to the organization by maintaining its reputational strength. Managing the media (including the presence in social media) is a challenge.
  • Competitors – Members of the organization need to have a sense of belonging. Can the organization offer benefits that are better than those offered by the competitors? Is there a strong value proposition? Competitor analysis and monitoring is crucial if an organization is to maintain or improve its position in the competitive landscape of the community. The organization must always be aware of its competitor’s activities. The landscape can change quickly.
There are two new clauses relating to the context of the organization, 4.1 Understanding the organization and its context and 4.2 Understanding the needs and expectations of interested parties. Together these clauses require the organization to determine the issues and requirements that can impact on the planning of the quality management system.Interested parties cannot go beyond the scope of ISO 9001.There is no requirement to go beyond interested parties that are relevant to the quality management system.Consider impact on the organization’s ability to consistently provide products and services that meet customer and applicable statutory and regulatory requirements or the organization’s aim to enhance customer satisfaction.Organizations can go beyond the minimum requirements to determine additional needs and expectations for interested parties that would not be “relevant” at the discretion of organization and should be clear in quality management system.
Clause 4.1 Understanding the Organization and its context
The organization should determine external and internal issues for the organization relevant to its purpose, strategic planning and which affect the organization’s ability to achieve its objectives . The Organization should monitor and review the information about external and internal issues.Management Review required the monitoring of external and internal issues. The organization must consider issues related to values, culture knowledge and performance of the organization for understanding of internal issues. The organization must consider issues related to arising from legal, technological, competitive, market, cultural, social, and economic environments, whether international, national, regional or local for understanding of external context.
Clause 4.2 Understanding the needs and expectations of interested parties
The organization shall determine relevant interested parties and requirements of relevant interested parties. Interested parties include Customers, Partners,Persons in the organization, External providers. Relevant interested parties to be considered are those that potentially could impact the organization’s ability to provide products and services that meet requirements. Monitor and review information related to interested parties and relevant requirements.Management Review requires the monitoring of relevant interested parties.
Clause 4.3 Determining the scope of the quality management system
The organization must establish scope of the quality management system by determining the boundaries and applicability of the quality management system. While determining the scope the organization must consider the internal and external issues determined in 4.1.,the requirements of relevant interested parties in 4.2. and the products and services of the organization.
Requirements that can be applied by the organization shall be applied. Requirements that cannot be applied cannot affect the organization’s ability to provide product and services that meet requirements. The organization must maintain scope as documented information. stating the Products and services covered by the QMS and any Justification where a requirement cannot be applied.
Any interested party which is not relevant to the quality management system need not be considered and similarly any requirement of the interested party need not be considered. Determining what is relevant or not relevant is dependent on whether or not it has an impact on the organization’s ability to consistently provide products and services that meet customer and applicable statutory and regulatory requirements or the organization’s aim to enhance customer satisfaction. The organization can decide to determine additional needs and expectations that will meet its quality objectives. However, it is at the organization’s discretion whether or not to accept additional requirements to satisfy interested parties beyond what is required by this Standard.

4. Risk-based approach

The main objectives of ISO 9001 is to provide confidence in the organization’s ability to consistently provide customers with conforming goods and services and to enhance customer satisfaction. The concept of “risk” in the context of ISO 9001 relates to the uncertainty in achieving these objectives. This International Standard makes risk-based thinking more explicit and incorporates it in requirements for the establishment, implementation, maintenance and continual improvement of the quality management system. Organizations can implement a formal risk management program such as 31000, but there is no requirement to do so. The concept of risk has always been implicit in ISO 9001 , this revision makes it more explicit and builds it into the whole management system. Risk-based thinking is already part of the process approach. Risk-based thinking makes preventive action part of the routine. Risk-based thinking can also help to identify opportunities. Organizations are required to understand the context of the organization and any external and internal issues (clause 4.1).Risks and opportunities are determined in clause 6.1.One of the key purposes of a quality management system is to act as a preventive tool.ISO 9001:2015 does not have a separate clause titled preventive action. The concept of preventive action is controlled through risk-based thinking and managing risks and opportunities identified in clause 6.1
Clause 6.1 Actions to address risks and opportunities
Consider the issues determined in clause 4.1 and consider the requirements for relevant interested. The organization should determine risks and opportunities to assure that that the quality management system can achieve its objective, prevent or reduce undesired effects, and for continual improvement. Intended results cannot be achieved.Organization shall plan actions to address risks and opportunities which should be appropriate to the potential impact. The action of risk and opportunities must be integrated and implemented into the QMS processes. The effectiveness of these action must be evaluated.
NOTE: No formal risk management program is required.

5. Applicability

The revised standard will focus on application and not exclusions.There are no limits to which clauses where application can be determined.Justification will be required as documented information to ensure that limited application does not affect the organization’s ability to provide for the provision of product and services. The application of requirements may vary.Where a requirement can be applied within the scope of its quality management system, the organization cannot decide that it is not applicable.Where a requirement cannot be applied (for example where the relevant process is not carried out) the organization can determine that the requirement is not applicable. However, this non-applicability cannot be allowed to result in failure to achieve conformity of products and services or to meet the organization’s aim to enhance customer satisfaction.A manufacturing organization that does not have any monitoring and measuring resources could determine requirements in 7.1.5 do not apply.Organizations that build from a customer provided design could determine requirements for design in 8.3 do not apply.Organizations could not determine that requirements such as competence are not applicable since this directly affects the ability to provide product that meets requirements.

6 Documented information

The term “documented procedure” and “record” have both been replaced by “documented information”. Where ISO 9001:2008 would have referred to documented procedures (e.g. to define, control or support a process) this is now expressed as a requirement to maintain documented information. Where ISO 9001:2008 would have referred to records this is now expressed as a requirement to retain documented information.The current draft of ISO 9001 does not require a quality manual or documented procedure as Annex SL does not require documented procedures or a quality manual.The requirements in 7.5 are similar to ISO 9001:2008 – 4.2.3 Control of documents and 4.2.4 Control of Records.
As discussed earlier, documents and records now come under documented information. The requirements for documented information are spread throughout the standard. In summary they are:
  • 4.3 Scope of the QMS
  • 4.2 Support operation of its processes and needed for confidence.
  • 5.2.2 a) Quality policy
  • 6.2.1 Quality objectives
  • 7.1.5.1 Monitoring and measuring resource – fitness for purpose
  • 7.1.5.2 Basis used for calibration or verification
  • 7.2 d) Evidence of competence
  • 7.5.1 b) Documented information determined by the organization as being necessary for the effectiveness of the QMS
  • 8.1 e) Extend necessary (for confidence in processes and product/service conformity)
  • 8.2.3.2 Review of requirements related to products and services
  • 8.2.4 Amended documented information
  • 8.3.2 Design and development requirements met
  • 8.3.3 Design and development inputs
  • 8.3.4 Design and development control activities
  • 8.3.5 Design and development outputs
  • 8.3.6 Design and development changes/results of reviews etc.
  • 8.4.1 Results of evaluations, monitoring, re-evaluations of external providers
  • 8.5.1 a) Characteristics of the products/services, activities to be performed , and result achieved.
  • 8.5.2 Maintain traceability
  • 8.5.3 Reports on what has occurred
  • 8.5.6 Control of changes – results of reviews, personnel authorizing, necessary actions
  • 8.6 Release of products and services – traceability of person(s) authorizing release, evidence of conformity
  • 8.7.2 Describes nonconformity, actions taken, concessions, authority
  • 9.1.1 Evidence of the monitoring and measurement results
  • 9.2 f) Evidence of the audit programme (s) and the audit results
  • 9.3.3 Evidence of the results of management reviews
  • 10.2.2 Evidence of the results of any corrective action and the,nature of the nonconformity

7 Organisational knowledge

The organization shall determine the knowledge necessary for the operation of the QMS, ensure conformity of products and services, enhance customer satisfaction.The organization is responsible for maintaining, protecting and making sure the knowledge is available (as necessary). Knowledge is to be considered when making changes to the organization.Depending on the size and complexity of the organization,the risks and opportunities it needs to address, the need for accessibility of knowledge, the process for considering and controlling past, existing and additional knowledge needs is to be considered. As long as the conformity of products and services can be achieved,balance between knowledge held by competent people and knowledge made available by other means is at the discretion of the organization.Consideration can be given to whether competent employees have this knowledge

8 Control of externally provided products and services

The term “Supplier” and “Outsourcing” have been replaced by the term “external provider” and includes Purchasing from suppliers, Arrangement with an associate/sister company, Outsourcing of processes and functions.The term “Purchased products” has been replaced with the term “externally provided products and services”.Clause 8.4 Control of externally provided products and services addresses all forms of external provision, whether it is by purchasing from a supplier, through an arrangement with an associate company, through the outsourcing of processes and functions of the organization or by any other means.The organization is required to take a risk-based approach to determine the type and extent of controls appropriate to particular external providers and externally provided products and services.

1 comment: