What’s Really Cool About ISO 9001:2015

Benefits and enhancements in the new revision

Published: Tuesday, August 25, 2015 - 14:09

OK, so “cool” probably isn't the precise term—unless you happen to be a standards uber-geek. But there are definitely some enhancements to the 2015 revision of ISO 9001 that are worth getting a little excited about.

The final draft international standard (FDIS) is finally out for ballot, so most of the changes that may transpire after the vote and before the ultimate publication should not be of any major consequence. It’s getting to be an increasingly safer bet to anticipate what will be in the published version.

That said, we can now take a look at what’s new, improved, and likely to result in benefits for organizations. After almost three years of angst, we all deserve some good news. And, there are some things that do warrant positive press.

Here’s a sampling.

Preventive action

The term “preventive action” no longer appears in the standard. It has been incorporated into the much more holistic concept of risk-based thinking. Preventive action deals with the potentiality of something going wrong—which is actually the essence of risk. Unfortunately, in many organizations preventive action had been perceived as a nuisance requirement with minimal significance. The manner in which the concept of risk is treated in ISO 9001:2015 makes it easier for organizations to implement the requirement and take appropriate action at relevant junctures.

This creates the opportunity to foster a culture in which thinking about the consequences of change permeates all aspects of the QMS. Everyone is affected by some kind of change, and conversely, has the opportunity to have an effect on what is changing. Changes can result from the addition of a product line, the departure of key personnel, the loss of a major supplier, the breakdown of a piece of equipment, a revised regulatory requirement, an increase in sales, or many other events. They can be as small as the revision to a process or replacement of a tool, or as massive as a relocation a thousand miles away.

Regardless of the nature or the scope, a predictable set of actions should ensue: an inquiry into the nature of the change, assessment of the risk, and a decision on what action, if any, to take.

The other really neat thing about risk-based thinking as opposed to the old preventive action is options. The 2008 version of ISO 9001 was pretty straight-laced. Take action to prevent occurrence of potential problems. It was all or nothing. With the 2015 revision, there’s an opportunity to consider options such as decreasing likelihood of occurrence or mitigating frequency. There’s language in a note about sharing risk. And the implication is also clear that an organization may decide to accept the risk and do nothing at all. 

The next addition to the standard has enormous influence on the implementation of risk-mitigating activities.

The context of the organization

It’s a bit misleading to think of context as a new concept. This requirement requires organizations to identify the internal and external issues that affect them. It also requires them to understand the needs and expectations of relevant interested parties.

The language and the need to fulfill requirements in relation to these factors may be new, but the underlying principles have already been implemented to varying degrees in most organizations. What ISO 9001 now does is require organizations to bring some structure to their deliberations and ensuing actions around the factors. It directs organizations to determine what issues are relevant to their purpose and, through guidance notes, gives examples of some of the tools and practices that may facilitate this process.

So, the standard drives organizations to do a better job of thinking of all the things that can affect their ability to serve their customers, and to consider, among other things, risks (as we’ve just discussed) that are associated with these factors. Bringing consistency to what in the past has probably been haphazardly applied and poorly documented is the big benefit of actualizing this requirement. Through consistency and control, organizations get a better opportunity to identify all relevant factors, from the ultra-critical to the humdrum. The same applies to interested parties. It creates the potential, through vigilance, to mitigate instances in which interested parties inadvertently wreak havoc on your company.

The last piece to this is the requirement to monitor and review information about internal and external issues as well as the relevant interested parties because things change. This ties directly to another new requirement relating to changes.

Planning for changes

Planning of changes is again not an entirely new concept. The 2008 version of ISO 9001 mentions the need to maintain the integrity of the system when changes are planned. What is added in 2015 is the prescriptive addition of text relative to planning and controlling the change.

Change in and of itself isn’t positive or negative. What makes it either a risk or an opportunity is the effect that it has on planned results or intended outputs. The degree to which the output of the change can be planned, with appropriate consideration of internal and external issues, will determine whether the change results in an unforeseen problem or in an actualized opportunity. The standard clearly directs the organization to consider the purpose of the change, the potential consequences, availability of resources, and the authority and responsibility for the change.

Although there is one clause relating specifically to planning changes to the QMS, the concept of change is not relegated to that single clause of the standard, but permeates multiple sections. ISO 9001 comes pretty close to giving companies a blueprint for handling change: decide what’s to be done, determine who’s in charge, delegate authority, provide resources, execute the plan, and then check the results—all the while watching for internal and external issues that could mess with your plan, or for interested parties who might be affected by what you do.

Quality objectives

Quality objectives are definitely not new. What ISO 9001:2015 brings is long overdue guidance on the need to take action to achieve the objectives. Specifically, it requires the organization to determine what needs to be done as well as resources, responsibility, completion time, and the method of evaluating results.

This has the very positive effect of moving quality objectives from stagnant pronouncements to actionable goals: “This is our current status. That’s where we want to be. This is what we will do to get there.” It moves objectives from vague potentiality to achievable possibility. It now puts some teeth into requirements to communicate the objectives, making it almost impossible not to get people involved. The more engaged people are, the better shot you have of moving the needle on the monitors in the desired direction.

Documented information

To the extent that any of this is cool, this is very cool. I had a lot of angst over this one, until I saw the light. You know the test software, the purchase orders embedded in your ERP software—along with min/max levels and inventory control, the Crystal Reports, Gerber files, Solid Works files, EDI transactions, machine profiles, e-commerce sales, service contracts, electronic routers, email concessions from customers, digital photos, and other sundry nontraditional methods you use to manage your company? You know all the things you utilize daily that don’t fit into the tight, clear little paradigm of documents and records? All that stuff is documented information. You now have more flexibility in how you manage your information. You no longer have to keep mashing the square pegs into round holes to make an auditor happy. (Actually, except for the old mandated six documented procedures, you’ve had the flexibility for a while. It’s just that the standard wasn’t particularly helpful on the subject. Remember, the last big revision came before most of the stuff we mentioned had gone mainstream).

The distinction between documents and records hasn’t been completely abandoned. The standard provides one giant helpful hint. Anything that would have been previously defined as a document is said to be “maintained.” Whereas, any documented information that would come under the previous heading of records is now said to be “retained.” Simply put, documents are those items that currently describe what you do, and records are what has already happened. For example, a procedure is a living document that must be updated as the situation warrants, that is, “maintained.” But purchase orders or sales orders are records of something that has already occurred; they’re over and done and must be “retained.” It’s also pretty safe to say that today’s documents eventually become tomorrow’s records; e.g., an old procedure would be archived and become a record of how you used to do something.

I think that these changes and enhancements can be of great benefit to organizations. Will they require some effort to make them workable? Of course. The thing is to get beyond the nuisance of having to manage the change so that you can start enjoying some of the good stuff it holds in store. Almost like cracking the Tootsie Roll Pop to get at the chocolaty center—well, maybe not that cool.

For more information about the ISO 9001 standard, see the Quality Digest knowledge guide, “What Is ISO 9001:2015?”

About The Author

Denise Robitaille

Denise Robitaille is the author of thirteen books, including: ISO 9001:2015 Handbook for Small and Medium-Sized Businesses.

She is chair of PC302, the project committee responsible for the revision to ISO 19011, an active member of USTAG to ISO/TC 176 and technical expert on the working group that developed the current version of ISO 9004:2018. She has participated internationally in standards development for over 15 years. She is a globally recognized speaker and trainer. Denise is a Fellow of the American Society for Quality and an Exemplar Global certified lead assessor and an ASQ certified quality auditor.

As principal of Robitaille Associates, she has helped many companies achieve ISO 9001 registration and to improve their quality management systems. She has conducted training courses for thousands of individuals on such topics as auditing, corrective action, document control, root cause analysis, and implementing ISO 9001. Among Denise’s books are: 9 Keys to Successful Audits, The (Almost) Painless ISO 9001:2015 Transition and The Corrective Action Handbook. She is a frequent contributor to several quality periodicals.