William A. Levinson


Using a Conformity Matrix to Align Processes to ISO 9001:2015

No need to rewrite procedures; simply demonstrate how they meet the standard’s provisions

Published: Monday, November 21, 2016 - 12:27

Sept. 22, 2018, is the deadline for registration to ISO 9001:2015, and this seems to allow organizations plenty of time to make the transition to the new standard. The good news is that, despite the radical changes to the standard’s structure, the underlying requirements are not particularly different. This means that no extensive overhaul of existing documents and processes is necessary. The bad news is that the transition must be performed well before the deadline, and ISO 9001:2015 is therefore closer than we think.

ISO 9001:2008 requires internal audits and management reviews of the quality management system, and it therefore comes as no surprise that ISO 9001:2015 also requires them. The catch is that, to qualify for registration to ISO 9001:2015, the internal audit and management review must meet the requirements of the new rather than the old standard.

It is therefore better to begin early, and discover and eliminate any gaps between the QMS and the standard’s new requirements, than to begin late and not complete the required internal audit and management review in time for a third-party audit in 2018. On the other hand, the organization does not need an entirely new set of procedures and processes. It needs to ensure only that the ones it has employ the new standard’s requirements.

Use a conformity matrix to align processes to ISO 9001:2015

If your QMS meets the requirements of ISO 9001:2008, it already meets most of the requirements of ISO 9001:2015. This means there is no need to rewrite procedures and work instructions for the sole purpose of restructuring. All that is necessary is to demonstrate how they meet the provisions of the new standard.

While ISO 9001:2015 does not require a quality manual, my personal position would be to retain one, if for no other reason than to cross-reference procedures with the current version of the standard. The conformity matrix is a useful tool for doing this, and also to identify any gaps between what the organization has and what the new standard requires.

A conformity matrix is simply a matrix whose rows are the clauses of the standard, and whose columns are the organization’s procedures and processes. An X or other mark is placed at the column and row intersection when a procedure or process meets or supports the corresponding element of the standard. A row in which no X appears is an immediate visual indicator of a gap between the QMS and the standard, and a procedure must be written or revised to eliminate the gap.

It is possible to enhance the conformity matrix by using the L-Type Matrix in which some kind of weighting symbol, rather than just an X or other check mark, is placed at a row and column intersection. In the book CQE Primer (Quality Council of Indiana, 2006) Bill Wortman and his coauthors use three different symbols for “strong relationship,” “relationship,” and “possible relationship.” We can similarly use different symbols for primary, secondary, and supporting relationships.

Suppose for example that an organization has a procedure for document control, which includes a provision for review and approval of document changes, distribution of the current document, and removal of obsolete documents. This procedure would have a primary relationship with ISO 9001:2015 clause 7.5, “Documented information.” That is, the procedure’s express purpose is to meet the documented information requirements of the standard.

A procedure for calibration and measurement systems analysis (MSA) would similarly have a primary relationship with 7.1.5, “Monitoring and measuring resources,” while a procedure for control of quality records would have only a supporting relationship with this requirement. Calibration and MSA would certainly generate quality records that must be retained, made readily available, and protected from loss, but the procedure for quality records cannot possibly fulfill the requirements for 7.1.5 by itself. It can only support 7.1.5 by preserving the quality records that show that gauges and instruments were in fact calibrated, and that required gauge reproducibility and repeatability analyses were in fact performed. This means that, if we are using the conformity matrix to identify gaps between the QMS and the standard, a supporting relationship alone does not meet the requirements.

Figure 1 shows a sample conformity matrix with general procedures and processes versus a portion of ISO 9001:2015. The cells at the right are programmed to add the Xs, which reflect a process or procedure that meets the requirements of the standard, and use conditional formatting to turn them red if no X appears. S (for support) does not count. As an example, the Quality Records procedure supports 7.2 (“Competence”) by retaining records of training, but it doesn’t make the training happen. Only when we add the Training procedure’s effect (item 9) do we get an X in the row for 7.2 and thereby meet the requirement. This procedure would almost certainly require the organization to retain a record of the employee’s training with the record retention period specified in the Quality Records procedure.

Figure 1: A conformity matrix as a visual control.
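The gap check that the spreadsheet in Figure 1 performs can also be scripted. The following Python sketch is an added example, not part of the original article: it counts only X marks per clause row and reports every row with none, so an S never closes a gap. The CSV layout, the sample rows, and the function names are assumptions made for this illustration.

```python
import csv
import io

VALID_MARKS = {"", "X", "S"}  # X = meets the clause, S = supports only
# Constructed sample export (not the contents of Figure 1): clause column, then one column per procedure.
SAMPLE_CSV = """\
Clause,Document Control,Calibration and MSA,Quality Records,Training
4.2 Interested parties,,,,
7.1.5 Monitoring and measuring resources,,X,S,
7.2 Competence,,,S,
7.5 Documented information,X,,s ,
"""


def load_matrix(text):
    """Parse the CSV into {clause: {procedure: mark}}, normalising case and spaces."""
    matrix = {}
    for row in csv.DictReader(io.StringIO(text)):
        clause = row.pop("Clause").strip()
        marks = {proc: (mark or "").strip().upper() for proc, mark in row.items()}
        bad = {p: m for p, m in marks.items() if m not in VALID_MARKS}
        if bad:
            raise ValueError(f"unknown mark(s) in row {clause!r}: {bad}")
        matrix[clause] = marks
    return matrix


def assess(matrix):
    """Return {clause: (status, primary_procs, supporting_procs)}; S never closes a gap."""
    report = {}
    for clause, marks in matrix.items():
        primary = sorted(p for p, m in marks.items() if m == "X")
        support = sorted(p for p, m in marks.items() if m == "S")
        status = "met" if primary else "gap: support only" if support else "gap: unaddressed"
        report[clause] = (status, primary, support)
    return report


def gaps(matrix):
    """Clauses with no X in their row, i.e. the rows the spreadsheet would flag in red."""
    return [c for c, (status, _, _) in assess(matrix).items() if status != "met"]


if __name__ == "__main__":
    m = load_matrix(SAMPLE_CSV)
    print("gaps before:", gaps(m))
    m["7.2 Competence"]["Training"] = "X"  # the Training procedure closes 7.2
    print("gaps after: ", gaps(m))
```

Distinguishing "support only" from "unaddressed" shows which gaps already have record-keeping in place and need only a primary procedure.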

The good thing about the conformity matrix is that it eliminates the need to write a new quality manual every time ISO 9001 is revised. It’s only necessary to create a new conformity matrix that reflects the new standard’s requirements, and cross-reference the existing QMS accordingly. The procedures and processes can also be hyperlinked to the actual document so any auditor, or anybody else, can see the document and verify that it does, in fact, meet the indicated clauses of the standard. This turns the conformity matrix into a visual control that makes gaps immediately visible and also directs the user to the necessary information without making them search for it. The only caveat is that any change to a documented process or procedure requires a review to reflect any change in that process’ or procedure’s role in reference to the standard.

Note also that a comment can be added to any cell by right-clicking on it, e.g. to provide a small amount of detail on how the process or procedure deploys the ISO clause.

The stakeholder matrix

Another useful tool is the stakeholder matrix, which ties in directly with clause 4.2—“Understanding the needs and expectations of interested parties.” This clause requires the organization to determine the requirements of interested parties that are relevant to the quality management system. Not all interested parties are relevant, and the stakeholder matrix makes this emphatically clear. When stakeholders (or interested parties) of “little or no importance” exercise “significant influence,” we have a highly dysfunctional situation in which the tail is allowed to wag the dog. A commentator on Sun Tzu’s Art of War (Oxford University Press, 1963) described this situation as follows: “And it is said one must consult the Army Supervisor in these matters! This is as if in building a house beside the road one took advice from those who pass by. Of course the work would never be completed!” The Victoria State Government reference similarly defines high-influence but low-importance stakeholders as “a source of significant risk.”


The bad news is that the real deadline for ISO 9001:2015 is much sooner than Sept. 22, 2018, because the organization must complete an internal audit and management review prior to an audit by a registrar. The good news is that few real changes need to be made to existing quality systems to align them with the new standard, but “now” is not too soon to begin.


About The Author

William A. Levinson

William A. Levinson, P.E., is the principal of Levinson Productivity Systems P.C. He is an ASQ-certified quality engineer, quality auditor, quality manager, reliability engineer, and Six Sigma Black Belt, and the author of the book The Expanded and Annotated My Life and Work: Henry Ford's Universal Code for World-Class Success.



use of a Conformity matrix

With due regards to William, the use of a conformity matrix as recommended will not add any value to the organization.

To take full advantage of the changes to the standard, the organization should start again on a clean slate. This will make the management and the team unbiased (though partly only) and they may be able to appreciate the changes made specially for top management and risk estimation. Everything REPEAT everything must be repeated.

A conformity matrix, on the other hand, may give the result that only 30% is not complying, and the management may as well tell the previous Management representative to fill up the gaps fast (somehow) and make it ready for an audit.

For an organization with the objective of taking advantage of the QMS, this will be just maintaining the status quo.



Conformity Matrix

Clauses 4.4.1 and 5.1 state in ISO 9001:2015 that the organization must integrate the quality management requirements into the organization's processes. The "process" mentioned in the Conformity Matrix are extracts of some 'requirements' and a few automotive type ones. They are NOT the organization's processes - more so, being procedures.

The Conformity Matrix is okay but not required. I do agree it is helpful to show where such ISO 9001:2015 Requirements have indeed been integrated within the procedures of the selected process.

By way of example - take the 12 Processes of say the APQC PCF into the Y axis of a list of processes and then on the x axis place the Clauses of ISO 9001 (clearly any other ISO MSS or non-ISO MSS can be used) and then place a mark where that requirement has been considered and used to control that process. This is not control of clause of a clause.

If I may - this is one extract of a Certification Body perpetuating no real change to an ISO 9001:2008 Clause-by-Clause documented QMS. Just update the Clauses (yes, I agree a Quality Manual is likely to be kept and useful) and add say Risk Based thinking, Context stuff as per "Note 2 and 3" for SWOT and PESTEL, some Risks and Opportunities, say reference the use of PFMEAs and so on, seems that's it, recertification by 2018!

See LRQA extract from their website being atypical of most 3rd Party Bodies: 

“If your QMS manual is written around and references the clauses of the current ISO 9001 then, if you decide to keep your quality manual, the numbers will need to be updated to match the new clause numbering.” 

So, for these topics, the existing processes within your current QMS may well already address the new requirements since they have largely only been re-arranged to fit in with the Annex SL structure.

In preparation for the changes, LRQA can perform a Gap Analysis on your current system to determine how much work you need to do to bring it into line with the new standard.”

So, what this Conformity Matrix article communicates is contrary to ISO 9001:2015 Clauses 4.4.1 and 5.1 and likewise to all HLS based ISO MSS. The HLS itself is to be ONLY used for ISO MS Standard writers and not for organizations to then document their QMS or other discipline-specific MSS, or integrated management system.

Likewise, nor should PAS 99 or CQI's MSS 1000 be used as a basis to document an Integrated Management System by their respective clauses. Granted they do help consolidate such multidiscipline system requirements and then useful to then embed within the organization's processes. The 'Quality' or IMS Policy Manual contents page should then reflect the Core, Management/Leadership and Systems Support Processes - not the ISO MSS Clauses.

Michael W McLean. Convener - ISO/JTCG/TM/TF5 for the Integrated Use of Management System Standards and ISO WG2 ISO 10005 and QR-008 (ISO 9000/1) Member