iso 9001:2015 - australian organisation for quality...

18 March 2015 © Australian Organisation for Quality

ISO 9001:2015

- nothing to panic about?!

David Wilson

Tonight’s Café Quality Specials

ISO 9001:2015 Quality management systems―requirements

A brief summary of changes, some opportunities missed

Demise of the Management Representative (at last!)

‘Preventive action’ is re-born!

Changes to the design and development process

Why the rush?

Why you should know and understand ISO 19011:2011

and ISO/IEC 17021:2011

2 18 Mar 2015

Something to ponder tonight and beyond

A Google search† on:

‘quality’ yields ~4,020,000,000 results (0.30s)

‘quality management’ yields ~209,000,000 results

(0.39s)

‘ISO 9001’ yields about ~71,900,000 results (0.28s)

‘Project failure’ yields ~ 38,000,00 results (0.28s)

Conclusion:

there must be lots of ways you can effectively manage ‘quality’

no one has all of the answers/they are occasionally forgotten

3 18 Mar 2015

† The numbers vary from search to search

The eight seven Quality Management Principles

QM Principles (ISO 9000:2006)

Customer focus

Leadership

Involvement of people

Process approach

Systems approach to management

Continual improvement

Factual approach to decision making

Mutually beneficial supplier

relationships

4 18 Mar 2015

QM Principles (ISO/DIS 9001)1

Customer focus

Leadership

Engagement of people

Process approach2

Improvement

Evidence-based decision making

Relationship management

1 Risk-based thinking is not explicitly mentioned; ‘uncertainty’, ‘subjective’, ‘unintended consequences’, objectivity’ and ‘confidence’ are terms used in QMP7

‘Evidence-based decision making’. QMP5 ‘Improvement’ references ‘change’ and ‘opportunities’

2 ‘Process approach’ incorporates the current ‘Systems approach to management’

The eight seven Quality Management Principles

QM Principles (ISO/DIS 9001)

Customer focus

Leadership

Engagement of people

Process approach

Improvement

Evidence-based decision making

Relationship management

5 18 Mar 2015

ISO/DIS 9001

4.1, 4.2, 5.3, 7.4, 8.2, 8.3.2, 8.5.3,

8.5.5, 8.6, 9.1.2 (ISO 10003, 100004,

10005)

5, 6, 7.1, 7.4, 9.3

5, 7.1, 7.2, 7.3, 7.4 (ISO 10015, 10018)

4, 5.1, 5.3, 6, 8

4.4, 9, 10

4.4, 8.4, 9, 10

4.2, 5.1.2, 7.4, 8.2, 8.3.2, 8.3.4, 8.4,

9.1.2,

The big and not so big changes

Change of the format to conform with ISO/IEC Directives

Part 1, Annex SL, Appendix 2 (consistent structure, common core text and terminology)

‘Risk-based thinking’1, as a systemic approach to risk, has

been added to the ‘Process approach’ and the ‘Plan-Do-

Check-Act’ cycle as core methodologies underpinning the

new edition

‘Context of the organisation’ (cl 4.1 and cl 4.2) needs to

be considered and this will help inform the scope of the

quality management system

ISO 31000:20092, cl 4.3 and cl 5.3, SA/SNZ HB 436:20133 can

provide additional guidance

6 18 Mar 2015

1 ISO/TC 176/SC2, Document N1222, July 2014, “Risk” in ISO 9001:2015

2 Risk management―Principles and guidelines

3 Risk management guidelines― Companion to AS/NZS ISO 31000:2009


Change of ‘product’ to ‘products and services’1

‘services’ was considered essential to enhanced relevance of

ISO 9001:2015 to the services sector (despite section 3 of ISO 9001:2008 and

clause 3.4.2 of ISO 9000:2006)

Broadening the focus from ‘customer’ to ‘customer and

interested parties’ (aka ‘stakeholders’)

the definition of ‘interested party’/’stakeholder’ is the same as

‘stakeholder’ in ISO 31000: 2009 (Risk management―Principles and guidelines)

Performance-based approach has replaced explicit

requirements-based approach

Explicit reference to the ‘process approach’ in section 4

7 18 Mar 2015

2 This ‘enhanced relevance’ has influenced other changes in the document to make it less prescriptive


The Quality Manual is no longer required.

however, ‘documented information’ requirements in various

clauses need to be considered

‘Documents’ and ‘records’ are now ‘documented

information’

The six mandatory documented procedures are gone

‘Organisational knowledge’ requirements have been

incorporated

the concept of corporate vs. personal knowledge needs to be

addressed and risks identified/managed

8 18 Mar 2015


The explicit role of ‘Management representative’ has

been replaced with assignment, by top management, of

responsibility and authority for:

ensuring the QMS complies with ISO 9001:2015

ensuring processes are delivering intended outputs

reporting on QMS performance, especially to top management (performance, opportunities for improvement, need for change/innovation)

promotion of customer focus internally

integrity of the QMS when changes are planned/implemented

This responsibility and authority could be discharged by

‘process owners’ consistent with cl 5.5.1 d)

9 18 Mar 2015

Opportunity missed

A real driver for improvement that demonstrates value to

the whole organisation, such as cost of quality aligned to

organisational (quality) objectives1

Expansion of the ‘process owner’ concept of cl 5.5.1.d)

into cl 4.4 ‘Quality management system and its

processes’.

“5.5.1 d) ensuring the integration of the quality management

system requirements into the organization’s business processes”

ISO 9001:2015

Business management system―quality requirements?

10 18 Mar 2015

What if?

1 BS 6143-1:1992 Guide to the economics of quality ― Part 1: Process cost model; BS 6143-2:1990 Guide to the economics of quality ― Part 2: Prevention,

appraisal and failure model

Preventive action re-born!

ISO 31000:2009 Figure 3 ― Risk management process

11 18 Mar 2015

Communication and

consultation (5.2)

Monitoring and review

(5.6)

Establishing the context (5.3)

Risk identification (5.4.2)

Risk analysis (5.4.3)

Risk evaluation (5.4.4)

Risk treatment (5.4.4)

Risk assessment (5.4)


ISO 31000:2009 Figure 3 ― Risk management process

12 18 Mar 2015

Communication and

consultation (5.2)

Monitoring and review

(5.6)

Establishing the context (5.3)

Risk identification (5.4.2)

Risk analysis (5.4.3)

Risk evaluation (5.4.4)

Risk treatment (5.4.4)

Risk assessment (5.4)

Consequence or impact

Likelihood 1 (insignificant) 2 (minor) 3 (moderate) 4 (major) 5 (severe)

A (almost certain) H H E E E

B (likely) M H H E E

C (possible) M M H H E

D (unlikely) L L M H H

E (rare) L L M M H

Legend:

E – extreme risk. Top management attention is required. Action plans need to be developed and top

management responsibility for implementation assigned. Action plans are monitored

periodically to assess progress and achievement of planned objectives.

H – high risk Top management attention is required. Action plans need to be developed and

management responsibility for implementation assigned. Action plans are monitored

periodically to assess progress and achievement of planned objectives.

M – moderate risk Top management ensure that appropriate procedures and controls are available,

deployed and implemented. Monitor key performance indicators routinely and initiate

corrective action when planned results are not achieved.

L – low risk Top management ensure that appropriate procedures and controls are in place. Risk is

managed by existing procedures and controls. Generally does not require specific

additional resources.


ISO 9001:2008 Clause 8.5.3 Preventive action, et al

13 18 Mar 2015

Management

commitment (5.1)

Responsibility,

authority and

communication (5.5)

• Records of results

of action (8.5.3 d))

• Reviewing

effectiveness of

action taken

(8.5.3e))

• Management

review (5.6)

Management responsibility (5.1, 5.2, 5.3, 5.4)

Potential nonconformity and causes (8.5.3 a))

Evaluating need for action (8.5.3 b))

Determining action needed (8.5.3c))

Implementing action needed (8.5.3c))

Risk assessment

Communication

and

consultation

Monitoring and

review


ISO/DIS 9001 (2015)

14 18 Mar 2015

Leadership (5),

Awareness (7.3),

Communication (7.4)

Performance

evaluation (9)

Improvement (10)

Context of an organisation (4)

QMS and its processes (4.4), Customer focus

(5.1.2)

Actions to address risk & opportunity (6.1),

Planning of changes (6.3), Operation (8)

Actions to address risk & opportunity (6.1),

Planning of changes (6.3), Operation (8)

Operation (8)

Risk assessment (?)

Communication

and

consultation

Monitoring and

review


15 18 Mar 2015

‘Design’ = ‘Design and development’ in ISO 9001:2008

Inherent risk and opportunity management system

manages risk of unintended consequences (ineffective communication, human

error, inappropriate use of materials, sub-optimal resource use)

focuses on opportunity (re-use, innovation, efficiency, schedule optimisation)

Design review

Design Validation

Design Verification

User needs Design input Design

activity

Design

output

Product /

Service

Design planning, resource provision, change management


Design1 planning (8.3.2) incorporates consideration of:

involvement of customers and user groups in the design process

necessary documentation to confirm design and development

requirements have been met

Design inputs (8.3.3) incorporates:

standards and codes of practice committed to be implemented

external and internal resources needs

potential consequences of failure relative to the nature of

product/services

level of control of the design process expected by customers and

other interested parties

16 18 Mar 2015

1 ‘Design’ means ‘Design and development’

2 ISO/DIS 9001, Annex A, clause A.1


Design controls (8.3.4) does not include the essential

objectives for design review:1, 2

to evaluate the design’s capability to fulfil the specified/design and

development requirements,

to identify any problems (actual or potential deficiencies), and

to propose necessary action/enhancements

17 18 Mar 2015

1 ISO 9001:2008, clause 7.3.4

2 IEC 61160:2005, Terms and definitions, 3.4 Design review

Design review

Design Validation

Design Verification

User needs Design input Design

activity

Design

output

Product /

Service

Why the rush?

If your management system currently reflects the ISO

9001:2008 philosophy and requirements then changes

should be 2nd/3rd order

You have three years to implement the new edition of the

standard from its publication date (September 2015)1

certificates from certification/recertification to ISO 9001:2008 need

to have an expiry date corresponding to the end of the three year

transition period

There is no need to adopt the structure or the terminology

of the new edition2

18 18 Mar 2015

1 IAF Informative Document, IAF ID 9:2015, January 2015

2 ISO/DIS 9001, Annex A, clause A.1

Why the rush?

Apply the P-D-C-A process to your existing management

system using ISO 9001:2015 as the criteria for

determining what may need to change

use the Correlation matrices1 published on the www.iso.org

website (public documents)

involve key stakeholders in your organisation in the P-D-C-A

process (note that ISO 14001 is also due for release in 2015)

Your management system is how you manage your

business

ISO 9001:2015 is a tool to show how you address the

requirements outlined in the Scope section of the standard

19 18 Mar 2015

1 ISO/TC 176/SC2, Document N1224, July 2014, Correlation matrices between ISO 9001:2008 and ISO/DIS 9001 (updates post publication?)

http://www.iso.org/

You and ISO 19011:2011 │ ISO/IEC 17021:2011

If you manage a quality, OHS/WHS, environmental or

other management system that is audited internally and

by customers:

you need to know ISO 19011:2011 (Guidelines for auditing management systems)

If you manage a third party certified management

system:

you need to know ISO/IEC 17021:2011 (Conformity assessment ― Requirements

for bodies providing audit and certification of management systems)

20 18 Mar 2015

Introduction

“The relationship between this second edition of this International Standard and ISO/IEC

17021:2011 is shown in Table 1.

Table 1 ― Scope of this International Standard and its relationship with ISO/IEC 17021:2011

This International Standard does not state requirements, but provides guidance on the

management of an audit programme, on the planning and conduction of an audit of the

management system, as well as on the competence and evaluation of an auditor and an audit

team.”

Internal auditing External auditing

Supplier auditing Third party auditing

Sometimes called first party audit Sometimes called second party audit

For legal, regulatory and similar purposes

For certification (see also the requirements of ISO/IEC 17021:2011)

ISO 19011:2011

6.4.7 Generating audit findings (last sentence of the second paragraph)

“Every attempt should be made to resolve any diverging opinions concerning the audit

evidence or findings, and any unresolved points should be recorded.”

6.4.9 Conducting the closing meeting (second to last sentence)

“Any diverging opinions regarding the audit findings or conclusions between the audit team

and the auditee should be discussed and, if possible, resolved. If not resolved, this should

be recorded.”

6.5.1 Preparing the audit report (6th dash point related to the audit report)

“The audit report can also include or refer to the following, as appropriate:

- any unresolved diverging opinions between the audit team and the auditee;”

ISO 19011:2011

Introduction (last sentence)

“In this International Standard, the word “shall’ indicates a requirements and the word

“should” indicates a recommendation”

9.1.9.6 Identifying and recording findings

“9.1.9.6.4 The audit team leader shall attempt to resolve any diverging opinions between the

audit team and the client concerning the audit evidence or findings, and any unresolved

points shall be recorded.”

9.1.9.8 Conducting the closing meeting

“9.1.9.8.3 The client shall be given opportunity for questions. Any diverging opinions

regarding the audit findings or conclusions between the audit team and the client shall be

discussed and resolved where possible. Any diverging opinions that are not resolved shall

be recorded and referred to the certification body.”

ISO/IEC 17021:2011

9.1.10 Audit report

“9.1.10.2 j) … The audit report shall provide an accurate, concise and clear record of the

audit to enable an informed certification decision to be made and shall include or refer to the

following:

j) any unresolved issues, if identified.”

ISO/IEC 17021:2011

ISO 9001:2015 - nothing to panic about?!

25

Opportunity missed – what if?

4.4 Quality management system and its processes

“4.4 g)1 the method of monitoring, measuring and evaluating

processes and, if needed, changing processes to ensure they

achieve their intended results output performance consistent

with planned input and resource requirements”

9.1.3 Analysis and evaluation

“9.1.3 e)1 assess the performance of processes including taking

account of data from the monitoring and evaluation of 4.4.g)”

27 18 Mar 2015

1 Presenter’s modification of 4.4.g) and 9.1.3 e)

Back