Randall D’Amico
Published: Wednesday, August 5, 2015 - 12:29 Story update 8/6/2015: Paragraph 14 of this article stated "many organizations are ill-equipped to develop an effective risk management assessment process," implying, to some, that a risk management system is required, which as stated in paragraph 8 of this article, it is not (nor was that the author's intent). Paragraph 14 has been updated to avoid confusion. --Editor The anticipated release later this year of the revised version of ISO 9001:2015—“Quality management systems—Requirements,” has many organizations asking what the revision will mean for them. Specifically, what are the key changes required for existing ISO 9001-compliant quality management systems (QMS) to achieve compliance with the revised standard? Also, what areas are likely to present the greatest challenges for avoiding nonconformities during the certification audit?
In this article, we’ll attempt to answer these and other questions to help you transition to ISO 9001:2015 smoothly and successfully. The current review and revision process for ISO 9001 is a routine part of the ISO’s efforts to ensure that the requirements of its internationally accepted standards keep pace with changes in technology and remain relevant to the market. At the same time, ISO Technical Committee 176 (TC 176), the committee responsible for the ISO 9001 revision also wanted to reorganize the standard to better align with the overall structure of other management systems standards, such as ISO 14001 (environmental management systems) and ISO 27001 (information security management systems). By adopting a common framework, ISO TC 176 hopes to make ISO 9001 more compatible with other management systems standards, and make it easier and more efficient for organizations to concurrently maintain and manage multiple management systems. A draft version of the revised standard, ISO/DIS 9001:2015, was originally distributed in May 2014 for review and comment to ISO member country representatives. This initial draft elicited about 3,000 separate comments, but the draft was ultimately approved by 80 percent of voting members during a preliminary vote. On July 9, 2015, ISO TC 176 released the final draft international standard (FDIS) for a final vote and approval. If all goes as planned, the final version of ISO 9001:2015 is scheduled to be released by the end of September 2015 with no further technical changes incorporated. ISO 9001:2015 includes a number of significant changes that must be considered by organizations certified to the current version of the standard. Those changes include: • The importance of stakeholders. The revised standard adopts a stakeholder approach to quality management, and focuses on stakeholder relationship management (SRM). As such, organizations are required to identify the issues and requirements of relevant stakeholders when developing their QMS. The concept of SRM can extend beyond customers to include employees, suppliers, partners, and even regulatory authorities. • Expanded role for leadership. By expanding the scope of what it terms “management responsibilities,” the revised standard clearly places overall responsibility and accountability for an organization’s QMS with senior leadership. While leadership may appoint a representative to manage quality system-related activities, they retain ultimate responsibility for implementation consistent with the standard’s requirements. • A risk-based approach to quality. ISO 9001:2015 adopts a risk-based approach to various requirements throughout the standard. However, it doesn’t require the application of a standardized risk management approach, and contains no clauses that detail specific requirements for preventive measures. • An increased emphasis on process. ISO 9001:2015 strengthens the importance of applying a process approach in developing, implementing, and improving the effectiveness of an organization’s QMS. As such, organizations will now be required to define inputs and expected outputs of each process, and to identify key performance indicators. • Greater documentation flexibility. The terms “documents” and “records” are being replaced with the term “documented information.” This change is intended to provide organizations with greater flexibility in describing their QMS. In addition, the current requirement for documented procedures will no longer be mandatory. Organizations currently certified to the 2008 version of ISO 9001 will have up to three years to modify their current QMS to comply with the requirements of the revised standard and to achieve recertification. However, adopting to the changes in the revised standard is likely to pose a number of specific challenges, including the following: • Getting leadership involved. The requirement for increased leadership oversight and accountability for an organization’s quality management system may well represent the biggest challenge. Meeting the threshold of this requirement involves the full engagement of leadership team members, as well as an understanding of the role that a commitment to quality plays in achieving organizational goals, and training on the particulars of an effective QMS. • Addressing root cause issues. The increased emphasis on process requires a significant effort to identify and investigate root cause issues that affect performance and require corrective actions. However, most organizations aren’t sufficiently trained in root cause analysis, and may struggle to develop and implement processes that uncover the underlying basis for nonconformities that are identified. • Implementing risk management practices. The revised standard requires organizations to adopt a risk-based approach to quality, but provides few details on how to achieve this. Some organizations may need to look more closely at how they address risk in order to be in compliance. • Documentation and recordkeeping. The revised documentation requirements are actually likely to impose a different kind of recordkeeping burden on organizations. Although there will be greater flexibility in the types of documentation that are permitted, that flexibility will be offset by the need to provide evidence of a robust recordkeeping system that provides a thorough history of all quality management activities. According to the International Accreditation Forum (IAF), there are a number of recommended actions that organizations can take to successfully transition to the new requirements of ISO 9001:2015. These include: • Conduct a gap analysis. Identifying the gaps between current practices and the new requirements is the most effective way to evaluate the changes that are required in your current QMS. • Develop an implementation plan and timetable. A formal implementation plan and schedule will help your organization address the required changes within the anticipated three-year transition period. • Provide appropriate training for all parties. Ongoing education and training for all relevant personnel are critical to achieving the goals of your transition plan. More important, educated stakeholders are vital in ensuring ongoing compliance once the transition is complete. • Update existing QMS documentation. As noted above, clear and thorough documentation is essential to demonstrate compliance with the requirements of the revised standard and to help reduce the risk of nonconformities. • Involve your certification partner early in the process. An experienced certification body can provide invaluable assistance in the process of transitioning to the requirements of ISO 9001:2015. Its early involvement can help your organization save time and money. TÜV SÜD America, in cooperation with Quality Digest, will host a free webinar, “ISO 9001:2015—Avoiding Nonconformities During Transition,” live on Tues., Aug. 11, 2015, at 2 p.m. Eastern. Intended for organizations currently holding ISO 9001 certification, as well as those contemplating certification, the webinar will discuss the transition to ISO 9001:2015, and provide guidance for complying with the new requirements. For more information, or to register, go to (include link here). TÜV SÜD has also launched an online resource page dedicated to the 2015 revision of ISO 9001. Access it here. For more information about the ISO 9001 standard, see the Quality Digest knowledge guide, “What Is ISO 9001:2015?” Randall D’Amico is a management system auditor for TÜV SÜD America, and is a certified lead auditor for ISO 9001, ISO 14001 and ISO 13485. He has more than 20 years of experience with ISO management system certifications. He can be reached at rdamico@tuvam.com.
Standards ISO 9001:2015: Avoiding Nonconformities During the Transition
A summary of key changes and challenges
Background
A summary of the key changes
Potential nonconformities and other challenges
Recommendations
Conclusion
About The Author
Randall D’Amico
© 2023 Quality Digest. Copyright on content held by Quality Digest or by individual authors. Contact Quality Digest for reprint information.
“Quality Digest" is a trademark owned by Quality Circle Institute, Inc.
Comments
ISO 9001:2015: Avoiding Nonconformities During the Transition
Your article states, " The revised standard adopts a stakeholder approach to quality management, and focuses on what it calls “stakeholder relationship management” (SRM).". Really? Where are the words "stakeholder" and "SRM"? If there is a newer, revised version from the FDIS ISO-9001:2015 (E) that includes "Stakeholder Relationship Management", when was it issued? A text search of the document returns no occurrences of "stakeholder", "stakeholder relastionship management", or "SRM". Let's not imply terminology and methods that are not actually inlcuded. I get the concept of "SRM", but that is your interpretation of the requirement for, "The organization shall monitor and review information about these interested parties and their relevant requirements", and other related text.
ISO 9001:2015: Avoiding Nonconformities During the Transition
I think he's knitting together the concept of "interested parties" with the management principle of "relationship management." That's presumably defined in greater detail in ISO 9000 (not 9001).
That's fine, but all this knitting under the banner of "nonconformities" if you don't agree is particularly problematic.
LARGER than what is implied...
Its good to have webinar and CB's pitching in to help in the gap analysis. But making this new standard look like a mountain and adding own words to risk is not called for.
This standard is sure a tough call to the auditors. The CB must take it upon them to train and upgrade their auditors to the new standard requirements, and not make such rules based on which the standard is preached and then auditors go on that trail.
Who ever is making it look larger that what it is are taking the gullible on the ride ~~~~~
No risk management in 9001... can we stop saying so?
The author gets it wrong again, saying:
The revised standard requires organizations to adopt a risk-based approach to quality but provides few details on how to achieve this. Again, many organizations are ill-equipped to develop an effective risk management assessment process that will fulfill the requirements of the standard.
If the standard "provides few details" on how to achieve risk-based approach, then how did TUV come up with the idea that "risk management assessment practices will fulfill requirements of the standard"?
What requirements? The first part of the paragraph was right ... there aren't any. The second part was the typical CB auditor "I dreamt it so it must be true" approach to auditing. And of course, given the headline, the CB auditor uses the threat of "nonconformity" if you disagree with his fantasy, and instead rely on what is actually printed in the standard.
What is printed there? The standard is very clear that NO formal "risk management" is required by 9001:2015:
Although 6.1 specifies that the organization shall plan actions to address risks, there is no requirement for formal methods for risk management or a documented risk management process. Organizations can decide whether or not to develop a more extensive risk management methodology than is required by this International Standard, e.g. through the application of other guidance or standards.
So TUV clients should have this paragraph ready for when their auditors show up, demanding a "risk management assessment process."
PDCA message - Please Don't Change Anything advice
I agree with Chris, and have other views on the TUV 'advice' drawing from IAF. IAF, is not the ISO entity or what ISO FDIS 9001:2015 says around TUV's "Update existing QMS documentation demonstrate compliance with the requirements of the revised standard and to help reduce the risk of nonconformities".
ISO FDIS 9001:2015 requires orgaizations to plan their transition to the requirements by the 'process-approach' (Originally raised in ISO 9000.1:1994) which means for those supplier org's that have so documented their QMS, EMS and other ISO standards by the clauses, you have three years to 'transition' to meet this specific requirement.
This is contrary to what TUV and IAF would be in my opinion, advising. To extract this specific requirement ". “It is not the intent of ISO FDIS 9001:2015 to imply the need for:
• Uniformity in the structure of different quality management systems; • Alignment of documentation to the clause structure provided by Annex SL; • The use of the specific terminology within the organization”
So for many companies, they cannot adopt the PDCA or 'Please Don't Change Anything' strategy in their current QMS claused-based design but need to adopt Dr Deming's changed method from PDCA to PDSA as the Ford Motor Coy requested the Good Doctor ('Quality or Else', Dobyns and Crawford-Mason,1990) - perhaps PDSA could be in this Context, 'Please Deliver Standardized Activities' across your processes with procedures and activities for them and not as is common, for ISO 9001 Clauses.
Bob Newhart TV show skit comes to mind as the Therapist where he said to his to his anxious client 'I have two words for you, do you have a pen' (She gets her pen and notepad) Bob then says 'STOP IT'. Likewise for Clause-based ISO management systems and some Certification/Registration Bodies morphing into Consulting and Advisory function, STOP It now. Conduct 'CPR' on your QMS clause framework (the APQC - PCF is a reasonable start), to use CPR the analogy, to resucitate their QMS to the revised ISO FDIS 9001:2015 "Context-Process-Risk'.
If ever the 'B Process R' approach was aptly named and useful in ISO QMS, EMS and other ISO Standard based design, it is now. The standardization with Annex SL/High Level Structures helps understand their commonalities of 'clauses' and requirements (PAS 99 went some way) but it does not mean the Documentation should be as simply updating the 2008 to the 2015 clauses.