Updated ISO 9001
The 2015 version was released on schedule, so as of September '15, the current version is ISO 9001:2015. Note, however, that there is always a 3-year phasing-in of a new standard. So there is a 3-year window (to September 2018) before any existing certified systems must be upgraded to this version, and for the next 2 years you can still be certified to the 2008 version.
There were two main groups of changes brought in: 1. changes in structure and 2. changes to content.
1. Changes to structure
The new structure for ISO 9001 is by far the biggest change. These are the main clauses now:
1 - Scope
2 - Normative references
3 - Terms and definitions
4 - Context of the organization
5 - Leadership
6 - Planning
7 - Support
8 - Operation
9 - Performance evaluation
10 - Improvement
You'll notice that the first 3 clauses are still the same because they're common to all ISO Standards: Scope, References, Terms & Definitions.
After that come the specific requirements: there are now 7 clauses of requirements (versus the previous 5). And there has been extensive change to where specified requirements appear, how they are grouped and even what they are called.
Clauses 4, 5 and 6 will be common to all management system standards (such as quality, environmental, information security and safety management) in line with ISO's harmonised and consistent structure for these.
Thinking of Context requires you to consider: 'What is the environment we operate in (financial, economic, social, political, etc.)?' For example, there's a big difference between a system in the oil and gas industry and one operating in a small, relatively stable niche market. Is it a heavily regulated context, or not? What's the broader background to your organisation?
The former 'management responsibilities' clause is now replaced with Leadership. And while the requirement to have a specific role of 'management representative' for the system has gone, don't think it has been watered down. This Standard has strengthened the responsibilities and requirements for "leadership and commitment" by top management and now lists 11 of these. Also in this clause are customer focus, quality policy, and roles and responsibilities. There's even greater emphasis on responsibilities at executive/senior management level, including for processes, results and reporting.
Planning: This section brings together requirements to plan for the system itself, to plan the outcomes wanted (those quality objectives), to plan the processes to get them and to plan for change. One major change is that there is now a formal requirement to consider risk ("risk based thinking"). Thinking about risk, and taking it into account throughout your system, is a new requirement. The former requirement for 'preventive action' has now been omitted (a good thing, as many people often found it excessively confusing).
Support: this section draws together all the requirements that are considered to support operations. It includes resources (human, plant/equipment, etc.), ensuring people are competent and aware, communications, and 'documented information': what was formerly called 'documents' and 'records' has now simply become 'documented information'.
Operation: this is the largest section. It contains all the requirements for services or products (that awkward term 'product realisation' is gone, hooray). It covers the whole range from determining the requirements, planning the processes and controls, communicating with customers, design and development of services/products (if it applies), handling changes, controlling any outsourcing, identification & traceability (if applicable), and so forth through to delivery, supply or handover. And controlling nonconformity is now included here: i.e., making sure that before release or delivery, the service or product meets requirements.
Performance evaluation brings together formerly separated items into a set of requirements for monitoring, measurement and evaluation, customer satisfaction, internal audit and management review.
Finally, Improvement contains some general requirements on improvement, and corrective action.
If you're roughly familiar with the existing structure of the Standard, you will have already noticed how much change there is.
So what else has changed?
2. Changes to content or terms
Besides the massive changes in structure and organisation, there isn't nearly as much change to content. The most notable of the changes:
- Thinking about risk in (and preventive action out).
The new inclusion of 'Risk Based Thinking' caused much debate. I am for the idea, though a little underwhelmed by the introduction of a wholly new term and the slightly odd definition of risk as 'the effect of uncertainty on an expected result' and including positive outcomes as well (most of us think of risk as focussed on avoiding negative impacts).
As there already exists a widely used and known field of risk management, and an ISO Standard for Risk, I don't understand why the technical committee for 9001 would choose to use a different definition and an entirely new term. But if we keep in mind the basic idea that it's a Good Thing to consider risks, and factor them into the system, I'm in favour. And that's more or less what is required, rather than any formal risk management, which the Standard explicitly notes is not required.
- Context of the Organisation
Requires the organisation to consider itself and its unique context or setting, and determine the scope of its quality management system. I think it really just makes explicit what is or should be more or less obvious common sense. One view is that the intent included stopping those awful 'cut and paste' just-add-water types of instant canned "systems". In which case, hallelujah.
- Changes to requirements for documentation.
No mandatory procedures are specified now. None. And no 'quality manual' either. This may be attempting to get away from the culture of big thick hardcopy manuals etc and recognising that - especially in this electronic age - there are many ways of delivering and recording information. But still, it's quite a big change. But see next point.
- The term 'documented information' replaces both procedures and records.
Another big change. The onus is now placed firmly back onto the organisation itself to determine what 'written information' it needs and should have. Careful reading is also necessary to identify where the things-formerly-called-procedures-or-records are still required.
ISO has released a Guidance document on this, which is well worth reading. Overall, while I think the intent is good, the execution leaves a bit to be desired as it's somewhat confusing.
- Services finally appear in their own right. Hooray.
The single term 'product' has now been replaced with 'products and services'. Service-based organisations no longer have to perform mental gymnastics to fit themselves into the Standard. A good idea methinks.
Some other observations
- Improvement is now just referred to as "improvement" instead of 'continual improvement'.
- PDCA (Plan, Do, Check, Act) remains central to the Standard, with its importance underlined.
- The Process Approach is embedded and strengthened.
Author: Jane Bennett