Quality: ISO 9001

Finally, some useful guidance documents for the ISO 9001:2015 version! See several of them in the post ISO 9001:2015 guidance documents have been issued.

What is new in the 2015 version? Major differences include:

  • Context of the organization. The ISO 9001 Auditing Practices Group Guidance document on Context describes a need for the organization to understand its status, what it wants to achieve, and how it wants to achieve the wants (strategy).  Many tools are listed with which to establish this understanding; business plan is at the top of the list.  That is because most business planning tools include the listing of
    • Issues that can impact the organization’s plans, both internal such as many upcoming employee retirements, and external such as new or updates in existing regulations.  Issues may be something we can control or influence, such as employee morale, or not – such as the local, national and/or global economies that can influence customers’ purchasing decisions.
      • Clue: Pay attention to the NOTES listed below the standard’s requirements. They provide insight and guidance, though they are not auditable “shalls.”
    • Stakeholders (interested parties), both internal such as employees and external such as regulators.  Business plan tools have been including Stakeholder needs and expectations as a first step to understanding the organization.
    • The  management system Scope is documented based on the above factors.  It is the boundary of the management system.  The scope lists the types of products and/or services the organization provides, and a statement citing the results of 4.1 and 4.2 analysis.
      • The 2015 version of ISO 9001 does not allow exclusions. The scope statement justifies the portions of the standard that do not apply.
  • Risks and opportunities. Listed in each of the clause groups, this requirement is generating a lot of confusion.  The ISO Technical Committee 176 published a guidance document, Risk-Based Thinking in ISO 9001:2015, that describes the intent of the requirements.
    • Risk is “the effect of uncertainty on a desired outcome.” Unless we go about our days in a completely random manner, we are already using risk-based thinking most every day.
    • According to the Risk Based Thinking paper, opportunity is NOT the positive side of risk.  It is “a set of circumstances which makes it possible to do something. Taking or not taking an opportunity then presents different levels of risk.”
    • ISO 9001:2015 does not list any required method for addressing risk. Despite what some are saying, FMEA, formal risk management programs, risk registers etc. are not required and cannot be requested by registrars.
  • Leadership and commitment. The Management Representative is no longer cited as a specific appointment or having defined responsibilities. Clause 5.1 lists the responsibilities to Top management in actionable terms and auditable “shalls.”
  • Communication now requires a defined process.  Note that this clause does not require a documented procedure.  The procedure can be demonstrated.
  • Documented information. The documented Quality Manual and six (6) required documented procedures are no longer required.  Instead, the 2015 version calls for documented information, recognizing this could include, among other controlled information sources:
    • Controlled procedures and forms
    • Databases
    • Recipes in computer programmed equipment
    • Flip charts, signage and other process-related graphics
    • Training materials
  • Retained documented information. This term replaces records and represents requirements to maintain records in media beyond the paper form previously assumed. Examples of retained documented information can now include, among others:
    • Paper
    • Databases, including SAP and MS Access
    • Electronic copies of documents, spreadsheets, presentations etc.
  • Management review inputs now require effectiveness data for support processes as well as key production processes. The requirement for “Information on the performance and effectiveness of the management system, including trends in” means, among other things, that the Internal Audit process’s effectiveness is no longer adequately quantified in terms of “Number of audits performed/number of audits scheduled.”

Leave a Reply