This guide provides details of the High Level Structure requirements based on DIS 9001: 2014. It concentrates on the core requirements that should not change when ISO 9001: 2015 is published.
JEMO Limited 11 Willowbank, Chippenham Wiltshire SN14 6QG, United Kingdom Phone: +44 (0) 1249 447 544 Fax: +44 (0) 1249 400 200 E-mail:
[email protected] www.jemo.co.uk
ISO 9001: 2015 – A Guide to Understanding and Implementing the High Level Structure (HLS)
Jeff Monk
Guide to ISO 9001: 2015 – the requirements that should not change

Introduction

ISO 9001: 2015 is nearing publication, the certification industry is gearing up with road shows, and new terminology is entering the quality language. The jury is out on whether the changes are ground breaking or just a tidy up job; whether you should get started now or wait for the “amnesty period” to expire before you get started. Two highly respected commentators, the Chartered Quality Institute (CQI) and the IRCA (the International Register of Certificated Auditors), have said in a joint statement: “This is the most important event since ISO 9001”. We consider the changes to be sufficiently significant, affecting the way your organization is run, for you to make a start now.

In this guide we cut to the chase and provide, in plain language, an introduction to the new core requirements and a brief overview of the quality related changes.

“But there could still be some changes, couldn’t there?” Well – “Yes” and “No”. Some of the changes that have been made are to the core material that affects all ISO management system standards and these should not change. It is these that we concentrate on in this guide. As we are auditors working for international accredited certification bodies we also provide some opinions on how their auditors may approach the changes.

Why does the standard have to change?

The International Standards Organization (ISO) reviews its standards every five to seven years. It also carries out surveys and takes into from many quarters. Based on this it has decided this time to standardise as much content as possible in all of its management system standards. This has resulted in at least 60% of ISO 9001 having core content that is the same as ISO 14001 (environmental management) and other standards. This should not change. The remaining 40% is quality specific and could be subject to minor further change.
A significant comment received was that the standard was biased too much to manufacturing and did not adequately take into account the needs of service industries. This has been addressed in the new standard and service has the same status as product.

What is standardised and what is not?

The core requirements common to all ISO management system standards are known as the High Level Structure (HLS) and are derived from an IEC/ISO Directive which the standards writing teams must follow. Without going into the technical details, this is in an annex to a Directive and you may also hear these referred to as Annex SL. As we said earlier, on top of these core requirements the rest for each standard are discipline-specific. The quality related standards such as ISO 9001, ISO 13485 and others will have different discipline-specific requirements to ISO 14001, ISO 22000 (food management) and others.

Will the HLS/Annex SL requirements change?

This is unlikely, but you never can tell with standards not yet published. The consensus of opinion from quality professionals such as the CQI is that they will not change, which is why we have recommended that you make a start now. Many of the quality discipline requirements have been developed from the existing ISO 9001: 2008 standard and our experience from previous major revisions is that the changes to these from now on will be relatively minor.
©JEMO Ltd. 2015
What is the position with ISO 9001: 2015 at the moment?

The standard is currently at Draft International Standard (DIS) status. This has been reviewed and will be issued as Final Draft International Standard (FDIS) in June this year. There should be no changes between the FDIS and the publication of ISO 9001: 2015 in September this year.

Caveat

Whilst we have done our best to ensure the information we have provided is accurate we cannot be held responsible for any errors or omissions or actions resulting from your interpretation and implementation of this guidance.
The major changes to the core (HLS/Annex SL) requirements

There are ten clauses instead of eight

Whilst ISO 9001: 2008 has eight clauses, the 2015 version has ten. This would not be an issue if clauses had simply been sub-divided, but most of the clauses have new requirements. The common clause titles and sequence are shown in Table 1 with comments on the changes:

| Clause | Title | Comment |
|---|---|---|
| 1 | Scope | Basically as the 2008 version |
| 2 | Normative references | There are no normative references – they are now contained within the standard |
| 3 | Terms and definitions | These are now contained within the standard |
| 4 | Context of the organization | This is a completely new requirement and is significant |
| 5 | Leadership | This involves top management leading the quality management system (QMS). The management representative role is now redundant – significant change |
| 6 | Planning | This now involves risk assessment and management and is significant |
| 7 | Support | This develops “Resources” of the 2008 version to a higher level. Significant changes in terminology |
| 8 | Operation | This develops “product realization” of the 2008 version to a higher level. Significant changes. |
| 9 | Performance evaluation | This develops several 2008 requirements for monitoring and measuring the QMS and the processes, products and services. |
| 10 | Improvement | This develops Non-conformance, Corrective action and Improvement of ISO 9001: 2008. Preventive action is dropped – the whole standard is aimed at prevention. |

Table 1 The ISO 9001: 2015 clauses and sequence

Changes to terminology

There are some significant changes to terminology that will need to be understood by you and your auditors. As examples:
documented procedures are not now referred to but you do need to maintain documented information – wherever you see the verb maintain this means document
records are not referred to and are embraced by documented information – wherever you see the verb retain this means record
product is replaced by products and services – emphasising that the standard is equally applicable to services
quality manual has been dropped – it is now up to you how you describe what you do and what you call it. The standard requires integration of the quality processes with the overall business processes so Business Manual might be an appropriate title for your quality manual
quality context is a completely new term which, when combined with internal and external issues, will need to be thoroughly understood
risk based approach is what it says it is – identified risks, their impacts, the chances of occurrence and the management of them.
management representative (MR) – as we have said in Table 1, this has been dropped and the roles and the MR responsibilities need to be spread around the top management team
monitoring and measuring resources – this spreads the net wider than instruments to include the people who make decisions as a result of checks they do
externally provided products and services replaces purchasing – products, services and even processes can be provided from a wide range of sources
Some old friends are still there e.g.:
quality objectives
processes and a process approach
design and development – this was dropped in the committee draft but reinstated in DIS 9001: 2014 and will be retained in the published standard
The core HLS requirements

To repeat ourselves, these should not change and you can make a start on these. We will look at them in the sequence of the standard.

Clause 4 Context of the organization

This has the following sub-clauses covering:
4.1 Understanding the organisation and its context
4.2 Understanding the needs and expectations of interested parties
4.3 Determining the scope of the quality management system
4.4 The quality management system and its processes

The “Organization and its context” may look a little intimidating at first but what it really means is that you should clearly define what your organization does and its reason for existence. You probably already have this in place in high level strategy documents such as business and marketing plans. If so, include this in your quality system documentation.

You will then need clear definition of the issues that can affect what you are there to achieve. These can be many and varied and include those from within your organization (such as cultural issues) and external issues (such as the ability to raise credit in a tough financial market). There may be many more issues and it may take some time to identify them all. They should be regularly reviewed as circumstances and the issues change.
The other influences on what you achieve can be from stakeholders in your business. The standard now calls these interested parties and they can be more than customers. You will need a good idea of who they are, their interests and any risks to your business that they present.

If you have an ISO 9001: 2008 compliant system you should already have a well-defined scope of your quality management system stating what is included and what is not. We suggest you examine this to see if it is still appropriate to the issues identified and the needs and expectations of all interested parties.

Finally for this clause your quality management system should be centred on your key processes and be continually developed and improved to cope with changing circumstances. You are probably already doing this. We will look at this further when we get to Clause 6 which covers planning and Clause 10 which covers improvement.

The quality related requirements.

Most of this clause is HLS/Annex SL and there are no significant quality related requirements.

How auditors may approach this

This can make an auditor’s job easier. When they approach an organization for the first time they may have only a limited idea of what you do and the issues you face. They may only glean a proportion of this from studying websites and questionnaire returns. You should now be able to provide a profile and an insight into your business goals, objectives and influencing factors. Of course expect them to challenge this if it is not transparent, over-biased in your favour or conflicts with what their experience of similar organizations suggests.

Clause 5 Leadership

This has the following sub-clauses:
5.1 Leadership and commitment to the quality management system
5.2 Quality Policy
5.3 Organisational roles, responsibilities and authorities
The qualifier Quality differs in other management system standards. For example ISO 14001 will have Environmental Policy. There are sub-sub clauses that are quality specific and listed later.

At first glance this appears to be much like Clause 5 (management responsibility) of ISO 9001: 2008. Look closer and you will see it has some significant changes. In many organizations top management do not lead the QMS and leave this to “Mr or Ms Quality” – the management representative (MR). In these organizations this must change because the quality management representative role has disappeared. Much of what ISO 9001: 2008 required the MR to do has been transferred to the top management team, although they can delegate some of this.

If you are the management representative we suggest you closely examine what you do now. Re-position your role as an internal consultant to your top management team to provide them with the assistance they need to make the transition and to be on hand when needed afterwards. Top management now have to accept genuine accountability and “hands on” commitment to the quality management system and be able to demonstrate this.
They have to ensure the quality management system is integrated into the business and is not a bolt-on extra. The general purpose of this is to spread the involvement in the QMS to the wider management team and involve people in a “quality culture”. This is one good reason for starting now – culture changes can take substantial time to introduce.

The quality policy has been strengthened and developed and now includes a commitment to meet all applicable requirements and to be improved. It must be understood by everyone who works under your organization’s control and who can affect the quality of what you deliver. This includes other interested parties and providers and you should make the policy available to them.

The quality related requirements.

There are quality related requirements in sub-clauses to 5.1 and also in Organizational roles, responsibilities and authorities (5.3) but as we are concentrating on the HLS/Annex SL requirements in this briefing we confined ourselves to listing these in Table 2. If you require comprehensive tools for implementing and auditing all of the changes please visit www.jemo.co.uk or contact us at [email protected]

| Clause | Title | Comment |
|---|---|---|
| 5.1.1 | Leadership and commitment to the quality management system | This was summarised above and is one of the most significant changes |
| 5.1.2 | Customer focus | Basically as the 2008 version but now includes risk assessment |

Table 2 Clause 5.1 Leadership and commitment

The disappearing management representative

If the quality management system revolves around you or a small team under your leadership and everyone leaves all matters “Quality” to you we strongly suggest you examine how this can be spread wider. Expect issues with, for example, other managers not being prepared to take on the management representative roles. There may be other issues that arise from this such as conflicts of interest and internal politics. If you are the management representative start now on planning your career progression after the publication of the standard. You will be ing 1.2 million others working for ed organizations!

How auditors may approach this

The changes also make their job easier. Expect them to reserve more time for interviewing top management and obtaining objective evidence of their commitment (or not) to the QMS. They will look for evidence that more people are involved with the quality management system and that it is genuinely embedded in the overall business systems. Expect them to look for risk identification when examining your focus on your customers.

Clause 6 Planning for the quality management system

This has the following HLS/Annex SL sub-clauses:
6.1 Actions to address risks and opportunities
6.2 Quality objectives and planning to achieve them
The new standard has removed the requirement for preventive action in the 2008 version and replaced it with risk based thinking. This means the whole standard is intended to look ahead, to identify risks and put in place controls to manage them. In addition to risks you may identify opportunities for improvement and you should exploit these.

How this is done is via the planning work you do to meet this clause. This is the logical development of the process you started in Clause 4 where your interested parties, their needs and issues were defined and in clause 5 where you identified risks to your customers from your products and services. These are now at the heart of the risk management processes.

You probably already have quality objectives and departments, teams or individuals working on them. The new standard reinforces the principle that these should be clearly defined, measurable (when practicable), achievable and with responsibilities defined for their achievement in specified timescales.

The quality related requirements.

There are quality specific requirements in 6.1 Actions to address risks and opportunities, 6.2 Quality objectives and planning to achieve them and 6.3 Planning of changes, which we list in Tables 3 - 5.

| Clause | Title | Comment |
|---|---|---|
| 6.1.1 | No title | Covers planning the QMS in the context of your organization and identifying risks and opportunities |
| 6.1.2 | No title | Covers how you will manage the risks and opportunities |

Table 3 Clause 6.1 Actions to address risks and opportunities

| Clause | Title | Comment |
|---|---|---|
| 6.2.1 | No title | This covers establishing your quality objectives and now includes objectives for processes |
| 6.2.2 | No title | This covers planning to achieve the objectives, the resources needed and the way the results are measured and monitored |

Table 4 Clause 6.2 Quality objectives and planning to achieve them

| Clause | Title | Comment |
|---|---|---|
| 6.3 | Planning of changes | This covers the planning of known changes and preserving the integrity of the QMS. It is more explicit than ISO 9001: 2008 |

Table 5 Clause 6.3 Planning of changes

If you require comprehensive tools for implementing and auditing all of the changes please visit www.jemo.co.uk or contact us at [email protected]
How auditors may approach this

Auditors who are not familiar with risk management techniques should not be auditing you. Expect experienced auditors to look for tangible evidence that you are evaluating the risks and effectively eliminating them or reducing them to an acceptable level. They will examine your resources and competencies to do this. A useful tool for this is a risk . ISO 31000 provides useful guidance on risk management. They should be familiar with how to audit your objectives and planning of changes and may spend more time with your top management on this.
Clause 7 Support

This has the following HLS/Annex SL clauses:
7.1 Resources
7.2 Competence
7.3 Awareness
7.4 Communication

There are also sub-sub clauses but with the exception of 7.5 below these are quality specific and so are listed but not discussed here.

7.5 Documented information – this has the following sub-sub clauses that are HLS/Annex SL:
7.5.1 General
7.5.2 Creating and updating
7.5.3 Control of documented information

In general, this is a development of existing ISO 9001: 2008 requirements for to your main operational processes. The human resources (i.e. your colleagues) need to be demonstrably competent and aware of the requirements that apply to them and the consequences of not following the “rules” of the QMS. Your communication systems need to be robust and include external and internal communications. A gap in the ISO 9001: 2008 standard has been filled – communication with your suppliers and external providers has to be as robust as communication with your customers.
The documented quality system may not have to include your quality manual, documented procedures or work instructions but there should be something that does a similar job for instruction and control. This is called documented information. Much of what you already have can still suffice, although you may want to take this opportunity to examine your documentation to see what can be retained, what is superfluous and if it is all in the right format and media for your current and future needs. Your top management could, as part of their leadership role, engage the workforce in deciding what they really need in the documentation and the media that is most suitable for them.
The quality related requirements.

There are many additional quality related requirements here under sub-clauses, in particular in clause 7.1 which has six sub-clauses with significant additional requirements. We have listed these in Table 6 but do not discuss them in detail here as we are focusing on the HLS/Annex SL requirements.

| Clause | Title | Comment |
|---|---|---|
| 7.1.1 | General | Basically as ISO 9001: 2008 - you must determine and obtain the resources needed to run your QMS – from inside and outside your organization |
| 7.1.2 | People | Basically as ISO 9001: 2008 |
| 7.1.3 | Infrastructure | Basically as ISO 9001: 2008 |
| 7.1.4 | Environment for the operation of processes | This extends the work environment of ISO 9001: 2008 to include environments for the effective operation of processes |
| 7.1.5 | Monitoring and measuring resources | This is a substantial development of the ISO 9001: 2008 requirements and now embraces the “calibration control” of people used in monitoring and measurement |
| 7.1.6 | Organizational knowledge | This is a new requirement which covers the knowledge needed by your organization and how you obtain and control this and keep it up to date |

Table 6 Clause 7.1 Resources

For comprehensive tools for implementing and auditing all of the changes please visit www.jemo.co.uk or contact us at [email protected]

How auditors may approach this

Auditors should use flexibility with your documented system. They should not expect you to throw out your existing quality manual and documented procedures, but they should expect you to be reviewing them against the requirements for documented information. There is a three year transition period before the 2008 standard is withdrawn and this should be ample time for them to determine if you have things under control.

They should find the more explicit requirements for communication easier to audit and to obtain evidence of the effectiveness of your communication processes. Competence should also be easier to audit. Note that this can also include the competence of people working under your organization’s control – especially where you outsource processes and activities. You are still responsible for the results of these.
Clause 8 Operation

The bulk of this clause contains quality specific requirements that are derived from the 2008 standard. You are recommended to use our gap analysis checklist and PowerPoint presentation to familiarise yourself with these, or obtain a copy of the standard.
The only HLS/Annex SL requirements are in:
8.1 Operational planning and control

All the rest are quality specific. We list these but do not look at them in detail.

Clause 8.1 takes the “strategic planning” you did for clause 6 and focuses down onto the planning of the specific processes for creating products and providing services. This extends beyond your internal process chain to include processes that you outsource. A new requirement is for you to have controls for unplanned changes as well as the changes you plan to make.

The quality related requirements.

There are many quality specific requirements here, much of which you will probably be doing already. We have listed these in Table 7, but it is beyond the scope of this brief to cover them in detail.

| Clause | Title | Comment |
|---|---|---|
| 8.2 | Determination of requirements for products and services | |
| 8.2.1 | Customer communication | An extension of ISO 9001: 2008 to include contingency and other quality related communications |
| 8.2.2 | Determination of requirements related to the products and services | Subtle change from ISO 9001: 2008 including a need to substantiate all claims you make for your products and services |
| 8.2.3 | Review of requirements related to products and services | Basically as ISO 9001: 2008 but extended to include other interested party requirements |
| 8.3 | Design and development of products and services | This has six sub-clauses, amalgamating some of the sub-clauses of ISO 9001: 2008. The only significant change relates to reviewing experience from previous design – now dropped, and determining the risk of design failure. We consider these significant omissions |
| 8.4 | Control of externally provided products and services | This has three sub-clauses similar to ISO 9001: 2008. The range of supply is extended to include anything including sub-contracted processes that is provided (excluding property provided by your customer) |
| 8.5 | Production and service provision | This has six sub-clauses, including new requirements for post-delivery activities and the control of unplanned process changes |
| 8.7 | Control of nonconforming process outputs, products and services | This is basically as ISO 9001: 2008 |

If you require comprehensive tools for implementing and auditing all of the changes please visit www.jemo.co.uk or contact us at [email protected]
How auditors may approach this

The auditors will be discipline-oriented and should have a good understanding of how to audit process based quality management systems. Expect them to look in detail at your planning and link this to the planning of the overall QMS and risk management that you did for clause 6. They will then probably devote the bulk of their examination to the quality specific requirements. We have indicated where these are new and expect them to devote more time to these.

Clause 9 Performance evaluation

This has the following HLS/Annex SL sub-clauses:
9.1 Monitoring, measurement, analysis and evaluation
9.2 Internal audit
9.3 Management review
You will recognise these from the 2008 version and in most cases the requirements are very similar. The scope of your management review should be expanded and more aligned to reviewing the QMS performance in the context of the overall business. The finer details include making use of the results of data analysis and your management review. If you are operating a successful ISO 9001: 2008 system you should have little problem with this.

The quality related requirements.

There are no quality specific requirements. These are all HLS/Annex SL.

How auditors may approach this

The standard includes considerable detail that was not in the 2008 version and auditors may be expected to be more explicit in what they look for. Expect them to focus more on requiring your top management to explain the management review process and results and to have a more hands on approach to directing and monitoring actions from these. Expect them to also examine closely the analysis you do of data and especially what you do as a result of this.
Clause 10 Improvement

The HLS/Annex SL requirements are covered under the following sub-clauses:
10.2 Nonconformity and corrective action
10.3 Continual improvement
The key change here from ISO 9001: 2008 is the removal of a separate sub-clause for preventive action. The work you did in 4.1 where you identified internal and external issues that affect your QMS achieving its intended outcomes and the risk assessment and management of clause 6 together with the remainder of the standard are all preventive. If anything they exceed the requirements of the 2008 standard. Continual improvement is required for the QMS as in ISO 9001: 2008 and the controls for nonconformance are similar.
The quality specific requirements.

The major quality specific requirements are covered under 10.1 General. This focuses on the processes you have for improving your products, services, processes and the overall performance of your QMS. For comprehensive tools for implementing and auditing all of the changes please visit www.jemo.co.uk or contact us at [email protected]

What you should do now

The HLS/Annex SL requirements that we have outlined have less than a 5% chance of being further changed. The main reason is that these are already in recently issued standards and those being amended. It therefore follows that you can make a start on the changes at very little risk. Figure 1 is a suggestion of how you may want to approach this.

What you get in the JEMO Implementation Tools

The JEMO implementation tools have been developed from over 30 years of working with ISO management system standards. We currently have the following available through our website www.jemo.co.uk :
An auditor’s guide to ISO 9001: 2015. Based on the DIS, this is a comprehensive distance learning course that explains in plain language the requirements and the changes and guidance on how to audit these. There are over 320 slides with the changes graded in severity and the Annex SL requirements highlighted. Cost £ 49.50 + VAT
ISO 9001: 2015 Gap Analysis. Based on the current DIS this comprises over 100 pages and is published in landscape so that it can be bound as a working checklist. This allows you to capture conformity and non-conformity and the audit evidence that you found. At the end of each clause there is a comprehensive, plain language explanation of the requirements, comprehensive guidance on how to audit this and the evidence you would look for. This is designed to be used by both internal and external auditors and you can indicate the severity of the gaps (graded as high, medium or low). The Annex SL requirements (that should not change) are highlighted. This also serves as an executive report in which you can record action summaries, conclusions and who will do what. Cost £ 49.50 + VAT
Discount for early purchasers. If you purchase both of these before 1 March 2015 we are offering these at 20% discount for £ 80 + VAT

Free updates if there are changes. For purchases before 1 March 2015 we are offering a free update if there are changes in the published standard.

Coming shortly

We will shortly have available:
an implementation guide to ISO 9001: 2015 – comprising over 320 slides
an audit checklist with guidance for implementers and internal auditors – comprising over 100 pages
an e-learning executive awareness course for top management
an e-learning awareness course for other of the workforce
1. Do a gap analysis on your existing QMS (The JEMO Gap Analysis Tool is ideal for this)
2. Estimate the work and resources needed and produce a report for your top management (The Gap Analysis Tool provides a template for this)
3. Obtain authorisation to go ahead and assemble an implementation team
4. Give training to top management and staff on what the HLS/Annex SL changes mean to them (The JEMO distance learning package is ideal for this)
5. Implement the HLS/Annex SL changes first
6. Train internal auditors to audit to the HLS/Annex SL requirements using the JEMO tools
7. Do the internal audits and a management review
8. Implement any changes
9. Repeat the exercise for the quality specific requirements

Figure 1 A suggested approach to implementing the changes