18 March 2015 © Australian Organisation for Quality
ISO 9001:2015
- nothing to panic about?!
David Wilson
Tonight’s Café Quality Specials
ISO 9001:2015 Quality management systems―requirements
A brief summary of changes, some opportunities missed
Demise of the Management Representative (at last!)
‘Preventive action’ is re-born!
Changes to the design and development process
Why the rush?
Why you should know and understand ISO 19011:2011 and ISO/IEC 17021:2011
Something to ponder tonight and beyond
A Google search† on:
‘quality’ yields ~4,020,000,000 results (0.30s)
‘quality management’ yields ~209,000,000 results (0.39s)
‘ISO 9001’ yields ~71,900,000 results (0.28s)
‘Project failure’ yields ~ 38,000,00 results (0.28s)
Conclusion:
there must be lots of ways you can effectively manage ‘quality’
no one has all of the answers/they are occasionally forgotten
† The numbers vary from search to search
The eight (now seven) Quality Management Principles
QM Principles (ISO 9000:2006)
Customer focus
Leadership
Involvement of people
Process approach
Systems approach to management
Continual improvement
Factual approach to decision making
Mutually beneficial supplier relationships
QM Principles (ISO/DIS 9001) [1]
Customer focus
Leadership
Engagement of people
Process approach [2]
Improvement
Evidence-based decision making
Relationship management
[1] Risk-based thinking is not explicitly mentioned; ‘uncertainty’, ‘subjective’, ‘unintended consequences’, ‘objectivity’ and ‘confidence’ are terms used in QMP7 ‘Evidence-based decision making’. QMP5 ‘Improvement’ references ‘change’ and ‘opportunities’
[2] ‘Process approach’ incorporates the current ‘Systems approach to management’
The eight (now seven) Quality Management Principles
QM Principle (ISO/DIS 9001): ISO/DIS 9001 clauses
Customer focus: 4.1, 4.2, 5.3, 7.4, 8.2, 8.3.2, 8.5.3, 8.5.5, 8.6, 9.1.2 (ISO 10003, 10004, 10005)
Leadership: 5, 6, 7.1, 7.4, 9.3
Engagement of people: 5, 7.1, 7.2, 7.3, 7.4 (ISO 10015, 10018)
Process approach: 4, 5.1, 5.3, 6, 8
Improvement: 4.4, 9, 10
Evidence-based decision making: 4.4, 8.4, 9, 10
Relationship management: 4.2, 5.1.2, 7.4, 8.2, 8.3.2, 8.3.4, 8.4, 9.1.2
The big and not so big changes
Change of the format to conform with ISO/IEC Directives Part 1, Annex SL, Appendix 2 (consistent structure, common core text and terminology)
‘Risk-based thinking’ [1], as a systemic approach to risk, has been added to the ‘Process approach’ and the ‘Plan-Do-Check-Act’ cycle as core methodologies underpinning the new edition
‘Context of the organisation’ (cl 4.1 and cl 4.2) needs to be considered and this will help inform the scope of the quality management system
ISO 31000:2009 [2], cl 4.3 and cl 5.3, SA/SNZ HB 436:2013 [3] can provide additional guidance
[1] ISO/TC 176/SC2, Document N1222, July 2014, “Risk” in ISO 9001:2015
[2] Risk management―Principles and guidelines
[3] Risk management guidelines―Companion to AS/NZS ISO 31000:2009
The big and not so big changes
Change of ‘product’ to ‘products and services’ [1]
‘services’ was considered essential to enhanced relevance of ISO 9001:2015 to the services sector (despite section 3 of ISO 9001:2008 and clause 3.4.2 of ISO 9000:2006)
Broadening the focus from ‘customer’ to ‘customer and interested parties’ (aka ‘stakeholders’)
the definition of ‘interested party’/‘stakeholder’ is the same as ‘stakeholder’ in ISO 31000:2009 (Risk management―Principles and guidelines)
Performance-based approach has replaced explicit requirements-based approach
Explicit reference to the ‘process approach’ in section 4
[2] This ‘enhanced relevance’ has influenced other changes in the document to make it less prescriptive
The big and not so big changes
The Quality Manual is no longer required.
however, ‘documented information’ requirements in various clauses need to be considered
‘Documents’ and ‘records’ are now ‘documented information’
The six mandatory documented procedures are gone
‘Organisational knowledge’ requirements have been incorporated
the concept of corporate vs. personal knowledge needs to be addressed and risks identified/managed
The big and not so big changes
The explicit role of ‘Management representative’ has been replaced with assignment, by top management, of responsibility and authority for:
ensuring the QMS complies with ISO 9001:2015
ensuring processes are delivering intended outputs
reporting on QMS performance, especially to top management (performance, opportunities for improvement, need for change/innovation)
promotion of customer focus internally
integrity of the QMS when changes are planned/implemented
This responsibility and authority could be discharged by ‘process owners’ consistent with cl 5.5.1 d)
Opportunity missed
A real driver for improvement that demonstrates value to the whole organisation, such as cost of quality aligned to organisational (quality) objectives [1]
Expansion of the ‘process owner’ concept of cl 5.5.1 d) into cl 4.4 ‘Quality management system and its processes’.
“5.5.1 d) ensuring the integration of the quality management system requirements into the organization’s business processes”
ISO 9001:2015
Business management system―quality requirements?
What if?
[1] BS 6143-1:1992 Guide to the economics of quality ― Part 1: Process cost model; BS 6143-2:1990 Guide to the economics of quality ― Part 2: Prevention, appraisal and failure model
Preventive action re-born!
ISO 31000:2009 Figure 3 ― Risk management process
[Figure: Establishing the context (5.3); Risk assessment (5.4), comprising Risk identification (5.4.2), Risk analysis (5.4.3) and Risk evaluation (5.4.4); Risk treatment (5.4.4); with Communication and consultation (5.2) and Monitoring and review (5.6) alongside]
                    Consequence or impact
Likelihood          1 (insignificant)  2 (minor)  3 (moderate)  4 (major)  5 (severe)
A (almost certain)  H                  H          E             E          E
B (likely)          M                  H          H             E          E
C (possible)        M                  M          H             H          E
D (unlikely)        L                  L          M             H          H
E (rare)            L                  L          M             M          H
Legend:
E – extreme risk. Top management attention is required. Action plans need to be developed and top management responsibility for implementation assigned. Action plans are monitored periodically to assess progress and achievement of planned objectives.
H – high risk. Top management attention is required. Action plans need to be developed and management responsibility for implementation assigned. Action plans are monitored periodically to assess progress and achievement of planned objectives.
M – moderate risk. Top management ensure that appropriate procedures and controls are available, deployed and implemented. Monitor key performance indicators routinely and initiate corrective action when planned results are not achieved.
L – low risk. Top management ensure that appropriate procedures and controls are in place. Risk is managed by existing procedures and controls. Generally does not require specific additional resources.
Preventive action re-born!
ISO 9001:2008 Clause 8.5.3 Preventive action, et al
[Figure: ISO 9001:2008 clauses. Panel labels: Risk assessment; Communication and consultation; Monitoring and review]
Management commitment (5.1)
Responsibility, authority and communication (5.5)
Records of results of action (8.5.3 d))
Reviewing effectiveness of action taken (8.5.3 e))
Management review (5.6)
Management responsibility (5.1, 5.2, 5.3, 5.4)
Potential nonconformity and causes (8.5.3 a))
Evaluating need for action (8.5.3 b))
Determining action needed (8.5.3 c))
Implementing action needed (8.5.3 c))
Preventive action re-born!
ISO/DIS 9001 (2015)
[Figure: ISO/DIS 9001 clauses. Panel labels: Risk assessment (?); Communication and consultation; Monitoring and review]
Leadership (5), Awareness (7.3), Communication (7.4)
Performance evaluation (9)
Improvement (10)
Context of an organisation (4)
QMS and its processes (4.4), Customer focus (5.1.2)
Actions to address risk & opportunity (6.1), Planning of changes (6.3), Operation (8)
Actions to address risk & opportunity (6.1), Planning of changes (6.3), Operation (8)
Operation (8)
Changes to the design and development process
‘Design’ = ‘Design and development’ in ISO 9001:2008
Inherent risk and opportunity management system
manages risk of unintended consequences (ineffective communication, human error, inappropriate use of materials, sub-optimal resource use)
focuses on opportunity (re-use, innovation, efficiency, schedule optimisation)
[Figure: design process. User needs, Design input, Design activity, Design output, Product / Service; Design review, Design verification, Design validation; Design planning, resource provision, change management]
Changes to the design and development process
Design [1] planning (8.3.2) incorporates consideration of:
involvement of customers and user groups in the design process
necessary documentation to confirm design and development requirements have been met
Design inputs (8.3.3) incorporates:
standards and codes of practice committed to be implemented
external and internal resources needs
potential consequences of failure relative to the nature of product/services
level of control of the design process expected by customers and other interested parties
[1] ‘Design’ means ‘Design and development’
[2] ISO/DIS 9001, Annex A, clause A.1
Changes to the design and development process
Design controls (8.3.4) does not include the essential objectives for design review: [1], [2]
to evaluate the design’s capability to fulfil the specified/design and development requirements,
to identify any problems (actual or potential deficiencies), and
to propose necessary action/enhancements
[1] ISO 9001:2008, clause 7.3.4
[2] IEC 61160:2005, Terms and definitions, 3.4 Design review
Why the rush?
If your management system currently reflects the ISO 9001:2008 philosophy and requirements then changes should be 2nd/3rd order
You have three years to implement the new edition of the standard from its publication date (September 2015) [1]
certificates from certification/recertification to ISO 9001:2008 need to have an expiry date corresponding to the end of the three year transition period
There is no need to adopt the structure or the terminology of the new edition [2]
[1] IAF Informative Document, IAF ID 9:2015, January 2015
[2] ISO/DIS 9001, Annex A, clause A.1
Why the rush?
Apply the P-D-C-A process to your existing management system using ISO 9001:2015 as the criteria for determining what may need to change
use the Correlation matrices [1] published on the www.iso.org website (public documents)
involve key stakeholders in your organisation in the P-D-C-A process (note that ISO 14001 is also due for release in 2015)
Your management system is how you manage your business
ISO 9001:2015 is a tool to show how you address the requirements outlined in the Scope section of the standard
[1] ISO/TC 176/SC2, Document N1224, July 2014, Correlation matrices between ISO 9001:2008 and ISO/DIS 9001 (updates post publication?)
You and ISO 19011:2011 │ ISO/IEC 17021:2011
If you manage a quality, OHS/WHS, environmental or other management system that is audited internally and by customers:
you need to know ISO 19011:2011 (Guidelines for auditing management systems)
If you manage a third party certified management system:
you need to know ISO/IEC 17021:2011 (Conformity assessment ― Requirements for bodies providing audit and certification of management systems)
ISO 19011:2011
Introduction
“The relationship between this second edition of this International Standard and ISO/IEC 17021:2011 is shown in Table 1.
Table 1 ― Scope of this International Standard and its relationship with ISO/IEC 17021:2011
Internal auditing: Sometimes called first party audit
External auditing, Supplier auditing: Sometimes called second party audit
External auditing, Third party auditing: For legal, regulatory and similar purposes; For certification (see also the requirements of ISO/IEC 17021:2011)
This International Standard does not state requirements, but provides guidance on the management of an audit programme, on the planning and conduction of an audit of the management system, as well as on the competence and evaluation of an auditor and an audit team.”
ISO 19011:2011
6.4.7 Generating audit findings (last sentence of the second paragraph)
“Every attempt should be made to resolve any diverging opinions concerning the audit evidence or findings, and any unresolved points should be recorded.”
6.4.9 Conducting the closing meeting (second to last sentence)
“Any diverging opinions regarding the audit findings or conclusions between the audit team and the auditee should be discussed and, if possible, resolved. If not resolved, this should be recorded.”
6.5.1 Preparing the audit report (6th dash point related to the audit report)
“The audit report can also include or refer to the following, as appropriate:
- any unresolved diverging opinions between the audit team and the auditee;”
ISO/IEC 17021:2011
Introduction (last sentence)
“In this International Standard, the word “shall” indicates a requirement and the word “should” indicates a recommendation”
9.1.9.6 Identifying and recording findings
“9.1.9.6.4 The audit team leader shall attempt to resolve any diverging opinions between the audit team and the client concerning the audit evidence or findings, and any unresolved points shall be recorded.”
9.1.9.8 Conducting the closing meeting
“9.1.9.8.3 The client shall be given opportunity for questions. Any diverging opinions regarding the audit findings or conclusions between the audit team and the client shall be discussed and resolved where possible. Any diverging opinions that are not resolved shall be recorded and referred to the certification body.”
ISO/IEC 17021:2011
9.1.10 Audit report
“9.1.10.2 j) … The audit report shall provide an accurate, concise and clear record of the audit to enable an informed certification decision to be made and shall include or refer to the following:
j) any unresolved issues, if identified.”
Opportunity missed – what if?
4.4 Quality management system and its processes
“4.4 g) [1] the method of monitoring, measuring and evaluating processes and, if needed, changing processes to ensure they achieve their intended results output performance consistent with planned input and resource requirements”
9.1.3 Analysis and evaluation
“9.1.3 e) [1] assess the performance of processes including taking account of data from the monitoring and evaluation of 4.4.g)”
[1] Presenter’s modification of 4.4.g) and 9.1.3 e)