Cafe Quality – ISO 9001

ISO 9001:2015
- nothing to panic about?!
David Wilson
18 March 2015
© Australian Organisation for Quality
Tonight’s Café Quality Specials
ISO 9001:2015 Quality management systems―requirements

A brief summary of changes, some opportunities missed

Demise of the Management Representative (at last!)

‘Preventive action’ is re-born!

Changes to the design and development process

Why the rush?

Why you should know and understand ISO 19011:2011 and ISO/IEC 17021:2011
Something to ponder tonight and beyond
A Google search† on:

‘quality’ yields ~4,020,000,000 results (0.30s)

‘quality management’ yields ~209,000,000 results (0.39s)

‘ISO 9001’ yields ~71,900,000 results (0.28s)

‘Project failure’ yields ~ 38,000,00 results (0.28s)

Conclusion:

there must be lots of ways you can effectively manage ‘quality’

no one has all of the answers/they are occasionally forgotten

† The numbers vary from search to search
The eight seven Quality Management Principles
QM Principles (ISO 9000:2006) | QM Principles (ISO/DIS 9001)¹
Customer focus | Customer focus
Leadership | Leadership
Involvement of people | Engagement of people
Process approach | Process approach²
Systems approach to management |
Continual improvement | Improvement
Factual approach to decision making | Evidence-based decision making
Mutually beneficial supplier relationships | Relationship management
¹ Risk-based thinking is not explicitly mentioned; ‘uncertainty’, ‘subjective’, ‘unintended consequences’, ‘objectivity’ and ‘confidence’ are terms used in QMP7 ‘Evidence-based decision making’. QMP5 ‘Improvement’ references ‘change’ and ‘opportunities’
² ‘Process approach’ incorporates the current ‘Systems approach to management’
The eight seven Quality Management Principles
QM Principles (ISO/DIS 9001) | ISO/DIS 9001
Customer focus | 4.1, 4.2, 5.3, 7.4, 8.2, 8.3.2, 8.5.3, 8.5.5, 8.6, 9.1.2 (ISO 10003, 10004, 10005)
Leadership | 5, 6, 7.1, 7.4, 9.3
Engagement of people | 5, 7.1, 7.2, 7.3, 7.4 (ISO 10015, 10018)
Process approach | 4, 5.1, 5.3, 6, 8
Improvement | 4.4, 9, 10
Evidence-based decision making | 4.4, 8.4, 9, 10
Relationship management | 4.2, 5.1.2, 7.4, 8.2, 8.3.2, 8.3.4, 8.4, 9.1.2
The big and not so big changes

Change of the format to conform with ISO/IEC Directives
Part 1, Annex SL, Appendix 2 (consistent structure, common core text and terminology)

‘Risk-based thinking’¹, as a systemic approach to risk, has been added to the ‘Process approach’ and the ‘Plan-Do-Check-Act’ cycle as core methodologies underpinning the new edition

‘Context of the organisation’ (cl 4.1 and cl 4.2) needs to
be considered and this will help inform the scope of the
quality management system

ISO 31000:2009², cl 4.3 and cl 5.3, SA/SNZ HB 436:2013³ can provide additional guidance
¹ ISO/TC 176/SC2, Document N1222, July 2014, “Risk” in ISO 9001:2015
² Risk management―Principles and guidelines
³ Risk management guidelines― Companion to AS/NZS ISO 31000:2009
The big and not so big changes

Change of ‘product’ to ‘products and services’¹

‘services’ was considered essential to enhanced relevance of
ISO 9001:2015 to the services sector (despite section 3 of ISO 9001:2008 and
clause 3.4.2 of ISO 9000:2006)

Broadening the focus from ‘customer’ to ‘customer and
interested parties’ (aka ‘stakeholders’)

the definition of ‘interested party’/’stakeholder’ is the same as
‘stakeholder’ in ISO 31000: 2009 (Risk management―Principles and guidelines)

Performance-based approach has replaced explicit
requirements-based approach

Explicit reference to the ‘process approach’ in section 4
² This ‘enhanced relevance’ has influenced other changes in the document to make it less prescriptive
The big and not so big changes

The Quality Manual is no longer required.

however, ‘documented information’ requirements in various
clauses need to be considered

‘Documents’ and ‘records’ are now ‘documented
information’

The six mandatory documented procedures are gone

‘Organisational knowledge’ requirements have been
incorporated

the concept of corporate vs. personal knowledge needs to be
addressed and risks identified/managed
The big and not so big changes

The explicit role of ‘Management representative’ has been replaced with assignment, by top management, of responsibility and authority for:
• ensuring the QMS complies with ISO 9001:2015
• ensuring processes are delivering intended outputs
• reporting on QMS performance, especially to top management (performance, opportunities for improvement, need for change/innovation)
• promotion of customer focus internally
• integrity of the QMS when changes are planned/implemented

This responsibility and authority could be discharged by ‘process owners’ consistent with cl 5.5.1 d)
Opportunity missed

A real driver for improvement that demonstrates value to the whole organisation, such as cost of quality aligned to organisational (quality) objectives¹

Expansion of the ‘process owner’ concept of cl 5.5.1.d)
into cl 4.4 ‘Quality management system and its
processes’.

“5.5.1 d) ensuring the integration of the quality management
system requirements into the organization’s business processes”

ISO 9001:2015
Business management system―quality requirements?
What if?
¹ BS 6143-1:1992 Guide to the economics of quality ― Part 1: Process cost model; BS 6143-2:1990 Guide to the economics of quality ― Part 2: Prevention, appraisal and failure model
Preventive action re-born!
ISO 31000:2009 Figure 3 ― Risk management process
[Figure labels:]
• Communication and consultation (5.2)
• Establishing the context (5.3)
• Risk assessment (5.4)
• Risk identification (5.4.2)
• Risk analysis (5.4.3)
• Risk evaluation (5.4.4)
• Risk treatment (5.4.4)
• Monitoring and review (5.6)
Preventive action re-born!
ISO 31000:2009 Figure 3 ― Risk management process
[Risk matrix figure: each cell is rated L, M, H or E]
Consequence or impact: 1 (insignificant), 2 (minor), 3 (moderate), 4 (major), 5 (severe)
Likelihood: A (almost certain), B (likely), C (possible), D (unlikely), E (rare)

Legend:
E – extreme risk. Top management attention is required. Action plans need to be developed and top management responsibility for implementation assigned. Action plans are monitored periodically to assess progress and achievement of planned objectives.
H – high risk. Top management attention is required. Action plans need to be developed and management responsibility for implementation assigned. Action plans are monitored periodically to assess progress and achievement of planned objectives.
M – moderate risk. Top management ensure that appropriate procedures and controls are available, deployed and implemented. Monitor key performance indicators routinely and initiate corrective action when planned results are not achieved.
L – low risk. Top management ensure that appropriate procedures and controls are in place. Risk is managed by existing procedures and controls. Generally does not require specific additional resources.
Preventive action re-born!
ISO 9001:2008 Clause 8.5.3 Preventive action, et al
[Diagram labels:]
Communication and consultation
Management responsibility (5.1, 5.2, 5.3, 5.4)
Monitoring and review
Risk assessment
Potential nonconformity and causes (8.5.3 a))
Management commitment (5.1)
Responsibility, authority and communication (5.5)
Evaluating need for action (8.5.3 b))
Determining action needed (8.5.3 c))
• Records of results of action (8.5.3 d))
• Reviewing effectiveness of action taken (8.5.3 e))
• Management review (5.6)
Implementing action needed (8.5.3 c))
Preventive action re-born!
ISO/DIS 9001 (2015)
[Diagram labels:]
Communication and consultation
Context of an organisation (4)
Monitoring and review
Risk assessment (?)
QMS and its processes (4.4), Customer focus (5.1.2)
Leadership (5), Awareness (7.3), Communication (7.4)
Actions to address risk & opportunity (6.1), Planning of changes (6.3), Operation (8)
Performance evaluation (9)
Improvement (10)
Actions to address risk & opportunity (6.1), Planning of changes (6.3), Operation (8)
Operation (8)
Changes to the design and development process
‘Design’ = ‘Design and development’ in ISO 9001:2008
[Diagram labels: Design review; User needs; Design input; Design activity; Design output; Product / Service; Design Verification; Design Validation]
Design planning, resource provision, change management

Inherent risk and opportunity management system

manages risk of unintended consequences (ineffective communication, human
error, inappropriate use of materials, sub-optimal resource use)

focuses on opportunity (re-use, innovation, efficiency, schedule optimisation)
Changes to the design and development process

Design¹ planning (8.3.2) incorporates consideration of:
• involvement of customers and user groups in the design process
• necessary documentation to confirm design and development requirements have been met

Design inputs (8.3.3) incorporates:
• standards and codes of practice committed to be implemented
• external and internal resources needs
• potential consequences of failure relative to the nature of product/services
• level of control of the design process expected by customers and other interested parties

¹ ‘Design’ means ‘Design and development’
² ISO/DIS 9001, Annex A, clause A.1
Changes to the design and development process

Design controls (8.3.4) does not include the essential objectives for design review:¹ ²
• to evaluate the design’s capability to fulfil the specified/design and development requirements,
• to identify any problems (actual or potential deficiencies), and
• to propose necessary action/enhancements

[Diagram labels: Design review; User needs; Design input; Design activity; Design output; Product / Service; Design Verification; Design Validation]
¹ ISO 9001:2008, clause 7.3.4
² IEC 61160:2005, Terms and definitions, 3.4 Design review
Why the rush?

If your management system currently reflects the ISO
9001:2008 philosophy and requirements then changes
should be 2nd/3rd order

You have three years to implement the new edition of the standard from its publication date (September 2015)¹
• certificates from certification/recertification to ISO 9001:2008 need to have an expiry date corresponding to the end of the three year transition period

There is no need to adopt the structure or the terminology of the new edition²
¹ IAF Informative Document, IAF ID 9:2015, January 2015
² ISO/DIS 9001, Annex A, clause A.1
Why the rush?

Apply the P-D-C-A process to your existing management
system using ISO 9001:2015 as the criteria for
determining what may need to change



• use the Correlation matrices¹ published on the www.iso.org website (public documents)
• involve key stakeholders in your organisation in the P-D-C-A process (note that ISO 14001 is also due for release in 2015)

Your management system is how you manage your business

ISO 9001:2015 is a tool to show how you address the
requirements outlined in the Scope section of the standard
¹ ISO/TC 176/SC2, Document N1224, July 2014, Correlation matrices between ISO 9001:2008 and ISO/DIS 9001 (updates post publication?)
You and ISO 19011:2011 │ ISO/IEC 17021:2011

If you manage a quality, OHS/WHS, environmental or
other management system that is audited internally and
by customers:


you need to know ISO 19011:2011 (Guidelines for auditing management systems)
If you manage a third party certified management
system:

you need to know ISO/IEC 17021:2011 (Conformity assessment ― Requirements
for bodies providing audit and certification of management systems)
ISO 19011:2011
Introduction
“The relationship between this second edition of this International Standard and ISO/IEC
17021:2011 is shown in Table 1.
Table 1 ― Scope of this International Standard and its relationship with ISO/IEC 17021:2011
Internal auditing | External auditing: Supplier auditing | External auditing: Third party auditing
Sometimes called first party audit | Sometimes called second party audit | For legal, regulatory and similar purposes; For certification (see also the requirements of ISO/IEC 17021:2011)
This International Standard does not state requirements, but provides guidance on the
management of an audit programme, on the planning and conduction of an audit of the
management system, as well as on the competence and evaluation of an auditor and an audit
team.”
ISO 19011:2011
6.4.7 Generating audit findings (last sentence of the second paragraph)
“Every attempt should be made to resolve any diverging opinions concerning the audit
evidence or findings, and any unresolved points should be recorded.”
6.4.9 Conducting the closing meeting (second to last sentence)
“Any diverging opinions regarding the audit findings or conclusions between the audit team
and the auditee should be discussed and, if possible, resolved. If not resolved, this should
be recorded.”
6.5.1 Preparing the audit report (6th dash point related to the audit report)
“The audit report can also include or refer to the following, as appropriate:
- any unresolved diverging opinions between the audit team and the auditee;”
ISO/IEC 17021:2011
Introduction (last sentence)
“In this International Standard, the word “shall” indicates a requirement and the word “should” indicates a recommendation”
9.1.9.6 Identifying and recording findings
“9.1.9.6.4 The audit team leader shall attempt to resolve any diverging opinions between the
audit team and the client concerning the audit evidence or findings, and any unresolved
points shall be recorded.”
9.1.9.8 Conducting the closing meeting
“9.1.9.8.3 The client shall be given opportunity for questions. Any diverging opinions
regarding the audit findings or conclusions between the audit team and the client shall be
discussed and resolved where possible. Any diverging opinions that are not resolved shall
be recorded and referred to the certification body.”
ISO/IEC 17021:2011
9.1.10 Audit report
“9.1.10.2 j) … The audit report shall provide an accurate, concise and clear record of the
audit to enable an informed certification decision to be made and shall include or refer to the
following:
j) any unresolved issues, if identified.”
Opportunity missed – what if?

4.4 Quality management system and its processes


“4.4 g)¹ the method of monitoring, measuring and evaluating processes and, if needed, changing processes to ensure they achieve their intended results output performance consistent with planned input and resource requirements”

9.1.3 Analysis and evaluation

“9.1.3 e)¹ assess the performance of processes including taking account of data from the monitoring and evaluation of 4.4.g)”
¹ Presenter’s modification of 4.4.g) and 9.1.3 e)