ISO 9001:2015

- nothing to panic about?!

David Wilson

18 March 2015 Australian Organisation for Quality

Tonights Caf Quality Specials
ISO 9001:2015 Quality management systemsrequirements
A brief summary of changes, some opportunities missed
Demise of the Management Representative (at last!)
Preventive action is re-born!
Changes to the design and development process
Why the rush?
Why you should know and understand ISO 19011:2011
and ISO/IEC 17021:2011

18 Mar 2015 2
Something to ponder tonight and beyond
A Google search on:
quality yields ~4,020,000,000 results (0.30s)
quality management yields ~209,000,000 results
(0.39s)
ISO 9001 yields about ~71,900,000 results (0.28s)
Project failure yields ~ 38,000,00 results (0.28s)

Conclusion:
there must be lots of ways you can effectively manage quality
no one has all of the answers/they are occasionally forgotten
The numbers vary from search to search

18 Mar 2015 3
The eight seven Quality Management Principles
QM Principles (ISO 9000:2006) QM Principles (ISO/DIS 9001)1
Customer focus Customer focus
Leadership Leadership
Involvement of people Engagement of people
Process approach Process approach2
Systems approach to management
Continual improvement Improvement
Factual approach to decision making Evidence-based decision making
Mutually beneficial supplier Relationship management
relationships

1 Risk-based thinking is not explicitly mentioned; uncertainty, subjective, unintended consequences, objectivity and confidence are terms used in QMP7
Evidence-based decision making. QMP5 Improvement references change and opportunities
2 Process approach incorporates the current Systems approach to management
18 Mar 2015 4
The eight seven Quality Management Principles
QM Principles (ISO/DIS 9001)
Customer focus
Leadership
Engagement of people
Process approach
Improvement
Evidence-based decision making
Relationship management
ISO/DIS 9001
4.1, 4.2, 5.3, 7.4, 8.2, 8.3.2, 8.5.3,
8.5.5, 8.6, 9.1.2 (ISO 10003, 100004,
10005)
5, 6, 7.1, 7.4, 9.3
5, 7.1, 7.2, 7.3, 7.4 (ISO 10015, 10018)
4, 5.1, 5.3, 6, 8
4.4, 9, 10
4.4, 8.4, 9, 10
4.2, 5.1.2, 7.4, 8.2, 8.3.2, 8.3.4, 8.4,
9.1.2,

18 Mar 2015 5
The big and not so big changes
Change of the format to conform with ISO/IEC Directives
Part 1, Annex SL, Appendix 2 (consistent structure, common core text and terminology)
Risk-based thinking1, as a systemic approach to risk, has
been added to the Process approach and the Plan-Do-
Check-Act cycle as core methodologies underpinning the
new edition
Context of the organisation (cl 4.1 and cl 4.2) needs to
be considered and this will help inform the scope of the
quality management system
ISO 31000:20092, cl 4.3 and cl 5.3, SA/SNZ HB 436:20133 can
provide additional guidance

1 ISO/TC 176/SC2, Document N1222, July 2014, Risk in ISO 9001:2015

2 Risk managementPrinciples and guidelines
3 Risk management guidelines Companion to AS/NZS ISO 31000:2009
18 Mar 2015 6
The big and not so big changes
Change of product to products and services1
services was considered essential to enhanced relevance of
ISO 9001:2015 to the services sector (despite section 3 of ISO 9001:2008 and
clause 3.4.2 of ISO 9000:2006)

Broadening the focus from customer to customer and

interested parties (aka stakeholders)
the definition of interested party/stakeholder is the same as
stakeholder in ISO 31000: 2009 (Risk managementPrinciples and guidelines)

Performance-based approach has replaced explicit

requirements-based approach
Explicit reference to the process approach in section 4
2 This enhanced relevance has influenced other changes in the document to make it less prescriptive

18 Mar 2015 7
The big and not so big changes
The Quality Manual is no longer required.
however, documented information requirements in various
clauses need to be considered

Documents and records are now documented

information
The six mandatory documented procedures are gone
Organisational knowledge requirements have been
incorporated
the concept of corporate vs. personal knowledge needs to be
addressed and risks identified/managed

18 Mar 2015 8
The big and not so big changes
The explicit role of Management representative has
been replaced with assignment, by top management, of
responsibility and authority for:
ensuring the QMS complies with ISO 9001:2015
ensuring processes are delivering intended outputs
reporting on QMS performance, especially to top management
(performance, opportunities for improvement, need for change/innovation)
promotion of customer focus internally
integrity of the QMS when changes are planned/implemented

This responsibility and authority could be discharged by

process owners consistent with cl 5.5.1 d)

18 Mar 2015 9
Opportunity missed
A real driver for improvement that demonstrates value to
the whole organisation, such as cost of quality aligned to
organisational (quality) objectives1
Expansion of the process owner concept of cl 5.5.1.d)
into cl 4.4 Quality management system and its
processes.
5.5.1 d) ensuring the integration of the quality management
system requirements into the organizations business processes
ISO 9001:2015
Business management systemquality requirements?

What if?

1 BS 6143-1:1992 Guide to the economics of quality Part 1: Process cost model; BS 6143-2:1990 Guide to the economics of quality Part 2: Prevention,
appraisal and failure model
18 Mar 2015 10
Preventive action re-born!
ISO 31000:2009 Figure 3 Risk management process

Establishing the context (5.3)

Risk assessment (5.4)

Risk identification (5.4.2)

Communication and Monitoring and review

Risk analysis (5.4.3)
consultation (5.2) (5.6)

Risk evaluation (5.4.4)

Risk treatment (5.4.4)

18 Mar 2015 11
Preventive action re-born!
Consequence or impact
ISO 31000:2009 Figure 3 Risk management process
Likelihood 1 (insignificant) 2 (minor) 3 (moderate) 4 (major) 5 (severe)

A (almost certain) H H E E E
Establishing the context (5.3)
B (likely) M H H E E

C (possible) Risk assessment

M (5.4) M H H E

D (unlikely) L Risk identification

L (5.4.2)
M H H

E (rare) L L M M H

CommunicationLegend:
and Monitoring and review
Risk analysis (5.4.3)
consultation (5.2)
E extreme risk. Top management attention is required. Action plans need to be developed and top (5.6)
management responsibility for implementation assigned. Action plans are monitored
periodically to assess progress and achievement of planned objectives.
H high risk Top management attention is required. Action plans need to be developed and
Risk evaluation (5.4.4)
management responsibility for implementation assigned. Action plans are monitored
periodically to assess progress and achievement of planned objectives.
M moderate risk Top management ensure that appropriate procedures and controls are available,
deployed and implemented. Monitor key performance indicators routinely and initiate
Risk
corrective action when treatment
planned (5.4.4)
results are not achieved.
L low risk Top management ensure that appropriate procedures and controls are in place. Risk is
managed by existing procedures and controls. Generally does not require specific
additional resources.

18 Mar 2015 12
Preventive action re-born!
ISO 9001:2008 Clause 8.5.3 Preventive action, et al

Communication Monitoring and

and Management responsibility (5.1, 5.2, 5.3, 5.4) review
consultation
Risk assessment

Potential nonconformity and causes (8.5.3 a)) Records of results

of action (8.5.3 d))
Management
Reviewing
commitment (5.1)
effectiveness of
Responsibility, Evaluating need for action (8.5.3 b))
action taken
authority and
(8.5.3e))
communication (5.5)
Management
Determining action needed (8.5.3c)) review (5.6)

Implementing action needed (8.5.3c))

18 Mar 2015 13
Preventive action re-born!
ISO/DIS 9001 (2015)

Communication Monitoring and

and Context of an organisation (4) review
consultation
Risk assessment (?)
QMS and its processes (4.4), Customer focus
(5.1.2)

Leadership (5), Performance

Actions to address risk & opportunity (6.1),
Awareness (7.3), evaluation (9)
Planning of changes (6.3), Operation (8)
Communication (7.4) Improvement (10)

Actions to address risk & opportunity (6.1),

Planning of changes (6.3), Operation (8)

Operation (8)

18 Mar 2015 14
Changes to the design and development process
Design = Design and development in ISO 9001:2008

Design review

Design Design Product /

User needs Design input
activity output Service

Design Verification

Design Validation

Design planning, resource provision, change management

Inherent risk and opportunity management system

manages risk of unintended consequences (ineffective communication, human
error, inappropriate use of materials, sub-optimal resource use)

focuses on opportunity (re-use, innovation, efficiency, schedule optimisation)

18 Mar 2015 15
Changes to the design and development process
Design1 planning (8.3.2) incorporates consideration of:
involvement of customers and user groups in the design process
necessary documentation to confirm design and development
requirements have been met

Design inputs (8.3.3) incorporates:

standards and codes of practice committed to be implemented
external and internal resources needs
potential consequences of failure relative to the nature of
product/services
level of control of the design process expected by customers and
other interested parties

1 Design means Design and development

2 ISO/DIS 9001, Annex A, clause A.1
18 Mar 2015 16
Changes to the design and development process
Design controls (8.3.4) does not include the essential
objectives for design review:1, 2
to evaluate the designs capability to fulfil the specified/design and
development requirements,
to identify any problems (actual or potential deficiencies), and
to propose necessary action/enhancements

Design review

Design Design Product /

User needs Design input
activity output Service
Design Verification
Design Validation
1 ISO 9001:2008, clause 7.3.4
2 IEC 61160:2005, Terms and definitions, 3.4 Design review
18 Mar 2015 17
Why the rush?
If your management system currently reflects the ISO
9001:2008 philosophy and requirements then changes
should be 2nd/3rd order
You have three years to implement the new edition of the
standard from its publication date (September 2015)1
certificates from certification/recertification to ISO 9001:2008 need
to have an expiry date corresponding to the end of the three year
transition period

There is no need to adopt the structure or the terminology

of the new edition2

1 IAF Informative Document, IAF ID 9:2015, January 2015

2 ISO/DIS 9001, Annex A, clause A.1
18 Mar 2015 18
Why the rush?
Apply the P-D-C-A process to your existing management
system using ISO 9001:2015 as the criteria for
determining what may need to change
use the Correlation matrices1 published on the www.iso.org
website (public documents)
involve key stakeholders in your organisation in the P-D-C-A
process (note that ISO 14001 is also due for release in 2015)
Your management system is how you manage your
business
ISO 9001:2015 is a tool to show how you address the
requirements outlined in the Scope section of the standard

1 ISO/TC 176/SC2, Document N1224, July 2014, Correlation matrices between ISO 9001:2008 and ISO/DIS 9001 (updates post publication?)

18 Mar 2015 19
You and ISO 19011:2011 ISO/IEC 17021:2011
If you manage a quality, OHS/WHS, environmental or
other management system that is audited internally and
by customers:
you need to know ISO 19011:2011 (Guidelines for auditing management systems)

If you manage a third party certified management

system:
you need to know ISO/IEC 17021:2011 (Conformity assessment Requirements
for bodies providing audit and certification of management systems)

18 Mar 2015 20
 ISO 19011:2011
Introduction
The relationship between this second edition of this International Standard and ISO/IEC
17021:2011 is shown in Table 1.

Table 1 Scope of this International Standard and its relationship with ISO/IEC 17021:2011
Internal auditing External auditing

Supplier auditing Third party auditing

For legal, regulatory and similar

purposes
Sometimes called first party audit Sometimes called second party audit
For certification (see also the
requirements of ISO/IEC 17021:2011)

This International Standard does not state requirements, but provides guidance on the
management of an audit programme, on the planning and conduction of an audit of the
management system, as well as on the competence and evaluation of an auditor and an audit
team.
 ISO 19011:2011
6.4.7 Generating audit findings (last sentence of the second paragraph)
Every attempt should be made to resolve any diverging opinions concerning the audit
evidence or findings, and any unresolved points should be recorded.

6.4.9 Conducting the closing meeting (second to last sentence)

Any diverging opinions regarding the audit findings or conclusions between the audit team
and the auditee should be discussed and, if possible, resolved. If not resolved, this should
be recorded.

6.5.1 Preparing the audit report (6th dash point related to the audit report)
The audit report can also include or refer to the following, as appropriate:
- any unresolved diverging opinions between the audit team and the auditee;
 ISO/IEC 17021:2011
Introduction (last sentence)
In this International Standard, the word shall indicates a requirements and the word
should indicates a recommendation

9.1.9.6 Identifying and recording findings

9.1.9.6.4 The audit team leader shall attempt to resolve any diverging opinions between the
audit team and the client concerning the audit evidence or findings, and any unresolved
points shall be recorded.

9.1.9.8 Conducting the closing meeting

9.1.9.8.3 The client shall be given opportunity for questions. Any diverging opinions
regarding the audit findings or conclusions between the audit team and the client shall be
discussed and resolved where possible. Any diverging opinions that are not resolved shall
be recorded and referred to the certification body.
 ISO/IEC 17021:2011
9.1.10 Audit report
9.1.10.2 j) The audit report shall provide an accurate, concise and clear record of the
audit to enable an informed certification decision to be made and shall include or refer to the
following:
j) any unresolved issues, if identified.
ISO 9001:2015 - nothing to panic about?!

25
 ISO 9001:2015
- nothing to panic about?!

18 Mar 2015 Australian Organisation for Quality

Opportunity missed what if?
4.4 Quality management system and its processes
4.4 g)1 the method of monitoring, measuring and evaluating
processes and, if needed, changing processes to ensure they
achieve their intended results output performance consistent
with planned input and resource requirements
9.1.3 Analysis and evaluation
9.1.3 e)1 assess the performance of processes including taking
account of data from the monitoring and evaluation of 4.4.g)

Back

1 Presenters modification of 4.4.g) and 9.1.3 e)

18 Mar 2015 27