ISO 9001:2015 Revision OverviewPresented by Katie Freeman, Quality Management Systems Specialist, of the Iowa Quality Center

Key Perspectives

ISO 9001 needs to change in order to: Adapt to a changing world Enhance an organization’s ability to satisfy its customers Provide a consistent foundation for the future Reflect the increasingly complex environments in which organizations

operate Ensure the new standard reflects the needs of all interested parties (the

variation of the organizations who now use ISO 9001 such as service, government, and education system)

Integrate with other management systems

Benefits of the changes in 9001

Engaging with a wider range of organizations Employs the language of the user of the standard Leadership involvement Customer requirements focus Efficiency of a common structure Risk-based thinking Supply chain management

What are the benefits to the user? Increased risk control Better cost control Improved morale and motivation Customer retention and loyalty Interested party messaging Improved image and reputation Credibility Ability to respond quickly Improved customer satisfaction Improvement

Conceptual ChangesEmphasis on: Greater focus on the customer Risk-based thinking Aligning QMS policy and objectives with the strategy of an

organization Greater flexibility with documentation

Conceptual Changes: Broken down

Quality Principles – slight change High level structure (HLS) and terms/definitions More compatible with services Clearer understanding of the organization’s context is required, “one size

doesn’t fit all” Introduction of “interested parties” Process approach strengthened/more explicit Concept of preventive action now addressed throughout the standard by risk

and opportunity identification (risk-based thinking) The term documented information replaces the terms document and record Control of externally provided products and services replaces

purchasing/outsourcing

Quality Management Principles

There were 8 principles There are now 7Customer focus Customer focusLeadership LeadershipInvolvement of people Engagement of peopleProcess approach Process approachSystem approach to management (Included in the process approach)Continual improvement ImprovementFactual approach to decision making

Evidence based decision making

Mutually beneficial supplier relationships

Relationship management

7 Quality Management

Principles

Leadership

Engagement of People

Customer Focus

Process Approach

Relationship Management

Evidence-based

Decision Making

Improvement

Key Points: ISO 9001 & ISO 9004 are based on 7 quality management principles: Customer Focus: The primary focus of quality management is to meet customer requirements

and to strive to exceed customer expectations. Leadership: Leaders at all levels establish unity of purpose and direction and create conditions

in which people are engaged in achieving the organization’s quality objectives. Engagement of People: Competent, empowered and engaged people at all levels throughout

the organization are essential to enhance the organization’s capability to create and deliver value.

Process Approach: Consistent and predictable results are achieved more effectively and efficiently when activities are understood and managed as interrelated processes that function as a coherent system.

Improvement: Successful organizations have an ongoing focus on improvement. Evidence-based Decision Making: Decisions based on the analysis and evaluation of data and

information are more likely to produce desired results. Relationship Management: For sustained success, organizations manage their relationships

with relevant interested parties, such as providers (suppliers).

High Level Structure (HLS)

A new common format has been developed: All ISO management systems standards will look the same

structurally More efficient to address multiple management system

requirements Facilitate the option of having one integrated management system Standardized core definitions

High Level Structure (HLS)ISO 9001:2015 Summary of Requirements

4.0 Context of the organization

• Need to define the organization’s “purpose, scope, environment, systems and interested parties”

• Expect the QMS to focus on “risks and threats”

5.0 Leadership

• “Roles and responsibilities” need defining• “Policies and objectives” need to be established• Similar to current Section 5 (ISO 9001:2008) but no “management representative”

6.0Planning

• Focus on how to address “risks” and “opportunities”• Included are “structured planning processes”, planning for change, and clear planning

objectives”7.0 Support

• Includes sections on “infrastructure, work environment, and control of monitoring and measuring equipment.”

• Includes terms focused on “competence, awareness, communication” and a new concept called “knowledge”

• “Documented information” is in this section; “quality manual” and “documented procedures” are not specified.

8.0 Operation

• This is the current (9001:2008) clause 7.0 Product Realization plus non-conforming product (8.3)• Clause 8.5 is a new version of the current 7.3 (Design and Development)

9.0Performance evaluation

• This clause includes “monitoring, measuring, analysis and evaluation”• “Internal audits, management review and customer satisfaction perception” are in this section

10.0Improvement

• Focus on the improvement of “suitability, adequacy, and effectiveness”• “Corrective action” identified• “Preventative action” and the term “continual improvement” is not in the CD draft

A deeper look at Risk in 9001:2015What is “risk-based thinking”?

Risk-based thinking is something we all do automatically and often subconsciously to get the best result

The concept of risk has always been implicit in ISO 9001 – this revision makes it more explicit and builds it into the whole management system

Risk-based thinking ensures risk is considered from the beginning and throughout the process approach

Risk-based thinking makes preventive action part of strategic planning 3.7.9 risk - effect of uncertainty

Note 1 to entry: An effect is a deviation from the expected — positive or negative. Note 2 to entry: Uncertainty is the state, even partial, of deficiency of information (3.8.2) related to,

understanding or knowledge of, an event, its consequence, or likelihood. Note 3 to entry: Risk is often characterized by reference to potential events (as defined in ISO Guide 73:2009,

3.5.1.3) and consequences (as defined in ISO Guide 73:2009, 3.6.1.3), or a combination of these. Note 4 to entry: Risk is often expressed in terms of a combination of the consequences of an event (including

changes in circumstances) and the associated likelihood (as defined in ISO Guide 73:2009, 3.6.1.1) of occurrence.

Note 5 to entry: The word “risk” is sometimes used when there is the possibility of only negative consequences.

Key points: The organization shall identify external and internal issues (factors):• That affect an organization’s ability to achieve intended results • That are relevant to an organization’s purpose and strategic direction

The context may take into account several attributes, for example:1. Market sector where products or services are provided2. Business environment, including competition3. Internal factors4. External factors5. Business conditions6. Customers served

Those things that can have an effect on a business’ approach to its products, services, investments, interested parties, goals, strategies, risks, opportunities, etc.

Understanding the Organization and its context

1. Work with your assigned group2. Develop a statement that represents the context (who you are, what you do, where

you’re going) of your organization.3. Discussion:

What is it about your organization (its context) that impacts the way you create and manage your QMS – what do you and your interested parties really need? Are your products: life-saving medical devices or plastic bottles? Other examples considered as part of context: knowledge workers vs. rote workers; large, complex organizations vs. small, simple organizations; salary personnel vs. hourly personnel; high-tech vs. low-tech organization; motivated vs. non-motivated personnel; high-risk vs. low-risk products and services.

You will have 30 minutes for this activity

Class Activity

Key points: Needs, expectations, and relevant requirements of interested parties shall be monitored and reviewed.  Definition of “interested party” – “person or organization that can affect, be affected by, or perceive itself to be affected by a decision or activity.” ISO 9001: 2015, Clause 3.2.3 ExampleExamples of interested parties: Underwriters Laboratories (UL), regulators, authorities having jurisdiction like state fire marshal or local inspector, independent sales representatives, employees, employee families, shareholders, emergency services (firefighters, police), media, suppliers and subcontractors, etc.

Understanding the needs and expectations of interested parties

A deeper look at Risk in 9001:2015The main objectives of ISO 9001

to provide confidence in the organization’s ability to consistently provide customers with conforming goods and services

to enhance customer satisfactionThe concept of “risk” in the context of ISO 9001 relates to the uncertainty of achieving such objectives

The concept of “opportunity” in the context of ISO 9001 relates to exceeding expectations and going beyond stated objectives

Risk in the clauses - Process Approach, Leadership, Planning

in the Introduction the concept of risk-based thinking is explained Definition: Effect of uncertainty on an expected result

in Clause 4 the organization is required to determine the risks and opportunities which can affect its ability to meet these objectives

The process approach (PDCA) (0.3, 0.4 & 4.4) and Systems Thinking (0.3) in Clause 5 top management are required to commit to ensuring Clause

4 is followed Enhance customer satisfaction

in Clause 6 the organization is required to take action to identify risks and opportunities

Achieve intended results, prevent/reduce undesired effects, and achieve continual improvement

Risk in Clauses – Operation, Evaluation, Improvement

Clause 8 - the organization is required to implement processes to address risks and opportunities throughout all operations processes (planning, design and development, purchasing, production, post-production)

Clause 9 the organization is required to monitor, measure, analyse and evaluate the risks and opportunities Management review to consider effectiveness of actions taken to address

risks and opportunities and internal audit program provides a check-up on the health of the QMS and of the business

In Clause 10 the organization is required to improve by responding to changes in risk

Risk in Clauses – Risk-based approach

Section A4 of Annex A describes a risk-based management approach consisting of: Requiring the organization to understand its context consisting of internal

and external issues or factors. Understanding that one of the key purposes of a management system is

to act as a preventive tool. Determining its risks and opportunities. Addressing the risks and opportunities identified

Why should I adopt “risk-based thinking”?

successful companies intuitively take a risk-based approach because it brings benefits

to improve customer confidence and satisfaction to assure consistency of quality of goods and services to establish a proactive culture of prevention and improvement

What should I do?

identify what the risks and opportunities are in your organization – it depends on context

ISO 9001:2015 does not require a formal risk assessment or specific single document

the information must be kept and available and could be electronic, audio, video, written or any other type of media

ISO 31000 (“Risk management — Principles and guidelines”) may be a useful reference for organizations which want a more formal risk process, but is not obligatory

What should I do? (continued)

analyse and prioritize the risks and opportunities in your organization what is acceptable? what is unacceptable? which opportunities should be acted on?

plan actions to address the risks and opportunities how can I avoid, eliminate or mitigate the risk? how can I realise opportunities?

implement the plan – take action check the effectiveness of the actions – does it work? learn from experience – continual improvement

PDCA

Example Single source of supply Facility Move Buying a new appliance Crossing the road

What are some things your organization already does that would be considered identifying and addressing risks and opportunities?

Key points:

Think about the following two scenarios:1. Your human resource manager asks to see an employee’s:

• Training records or Training “retained documented information”2. Your production manager asks to see:

• Inspection records or Inspection “retained documented information”

Terms from ISO 9001:2008 New Terms from ISO 9001:2015

Records = Retained Documented Information

Documented Procedures and Instructions = Maintained Documented

Information

Documented Information

Key points:

• An organization’s QMS(BMS) must include:• Documented information required by ISO 9001:2015• Any documented information determined as necessary for the effectiveness of the

business by the organization• Maintained documented information required by standard:

o Scope of organization’s QMSo Quality policyo Quality objectiveso Any necessary to support the operation of the organization’s processes

Documented Information

ISO 9001:2015 CertificationTransition Timeline

September 2015 start of 3 years transition period to September 2018 •Certifications to ISO 9001:2008 will no longer be valid after September 2018

2018201720162015

September 2015 Published International Standard

Other important Information

The revision of ISO 9001 will impact other related standards and documents. Expect changes to:- industry-specific standards - supporting documents

Resources:Katie FreemanQuality Management Systems SpecialistIowa Quality Centerwww.iowaqc.org319-398-71013375 Armar DriveMarion, Iowa 52302