Assessment Services Capability Development Manager, Lloyd's Register
ISO 9001 was revised in September 2015 to not only ensure it continues to provide a consistent foundation for the future, but to also reflect the needs of the organisation’s interested parties.
It needed to change to become more compatible with service organisations and non-manufacturing users. And with the ever-complex environments organisations now operate in, there is a clearer understanding that ‘one size does not fit all’.
There are four key concepts that organisations should be aware of when implementing the ISO 9001:2015 requirements:
- Organisational context
ISO 9001 now expects a stronger emphasis on an organisation’s context. This means organisations must now determine what the relevant external and internal issues are and then demonstrate these are relevant or aligned with the organisation’s strategic direction.
A greater emphasis is on leadership in ISO 9001:2015 now requires top management to be directly responsible and therefore, accountable for their management system. Top management can no longer delegate the responsibility to a management systems representative.
- Process approach
As with the 2008 standard, there is a focus on a process-based approach, but ISO 9001:2015 has strengthened this focus and it has become more explicit. Although the structure has changed the Plan-Do-Check-Act (PDCA) cycle is still very much at the heart of the management system standard.
- Risk-based thinking
The concept of preventive action has now been addressed throughout the standard by risk identification and mitigation and there has been an increased emphasis on seeking opportunities for improvement.
- Organisational context
For an organisation to successfully steer their future success, there must be a clear understanding of where they are and where they want to go. That is why defining organisational context is so important in ISO 9001.
Understand your external and internal issues
To fully understand your organisation and its purpose, it is necessary to determine your external and internal issues which may affect your organisation’s ability to meet its intended strategic objectives. This is the flagstone of your organisation’s quality management system as it underpins why your organisation is here.
External issues that may affect your organisation and therefore you need to consider, are your economic, political, legislative, regulatory, environmental, technological and social factors.
For example, the economy can affect the success of your business and the ability of your customers to pay for your product or service which then directly impacts on your bottom line.
Whether the economy is specific to your industry or a global trend, it can still have an optimistic or detrimental impact on meeting your strategic objectives. Your organisation may need to offer sales promotions, diversify your product line or recruit new staff to cater for the increase in demand.
Internal issues are also likely to fall into the same basic areas as external issues. For example, the economic issues may relate to employee benefits or bonus related pay, whereas social issues may relate to an ageing workforce and issues relating to succession planning.
When looking at understanding your organisation and its context in relation to your quality management system, make sure you consider issues can positively or negatively affect your organisation.
Recognise the requirements of your relevant interested parties
Ultimately, quality is determined by a product or service that satisfies all stakeholder requirements. Your organisation will therefore be required to identify all relevant interested parties (the new terminology for stakeholders) and their relevant requirements.
Interested parties who can affect or be affected by the activities and decisions of an organisation are likely to be linked to the external and internal issues previously identified.
Determination and documentation of scope
ISO 9001 requirements stipulate that your organisation needs to determine and document its scope to outline your quality management system boundaries. As well as considering the external and internal issues and the requirements of interested parties, your organisation must outline the products and services contained in your quality management system, the applicability of specific requirements and justification for any case where a requirement cannot be applied (exclusion).
The processes that form the quality management system must address the applicable requirements and expectations of interested parties, which are considered by your organisation as integral to meeting its purpose and required outcomes.
These processes must include monitoring and measuring processes to ensure all interested party requirements are identified and understood and all activities undertaken by your organisation are meeting these requirements.
The ISO 9001 requirements now expect top management to understand and engage with your organisation’s quality management system, providing you with the opportunity to drive business performance.
Demonstration of leadership and commitment
The involvement of top management in your organisation’s quality management system should be explicit and hands-on.
Top management are required to demonstrate commitment and take responsibility for the effective running of your organisation’s quality management system. To do this they need to become accountable for its effectiveness by ensuring the quality policy and objectives are compatible with the context and strategic direction of your organisation.
Top management should have a clear line of sight from your organisation’s business plans and strategy, to the objectives and business measures. These should provide the basis for developing the quality policy.
Leadership from your top management needs to ensure the integration of the quality management system requirements into your organisation’s business processes. The quality management system can no longer be a ‘stand-alone’ function of the business, but an integral aspect of business-as-usual activities, from highest level business planning to process outputs.
To ensure demonstration of leadership, top management need to be seen to be promoting the use of a process and risk- based thinking approach. The risk based approach should work at all levels within your organisation, from identification and mitigation of risk at strategic planning level, to process risk management and control.
To demonstrate commitment, top management are required to make sure the quality management system achieves its intended outcome(s) and has adequate resources assigned.
Additionally, they are required to engage, direct and support all individuals where the quality management system applies. They need to communicate its importance and ensure it continues to succeed by encouraging all individuals to contribute to the overall effectiveness of the management system.
To encourage engagement, top management should support relevant roles within the quality management system and always promote improvement.
Leading by example, top management are required to demonstrate customer commitment by ensuring there is a focus on products and services meeting customer requirements, applicable statutory and regulatory requirements are being determined and met, and risk and opportunities are being addressed.
Establishing a quality policy
The quality policy should be developed in line with the purpose and context of the organisation. Top management have an explicit requirement to apply the policy and ensure it provides a framework for the organisation’s quality objectives. These should include the commitment to satisfying interested party requirements and promote the continual improvement of the quality management system.
Top management are now responsible for making sure the policy is available as documented information and communicated and understood by all relevant parties.
Roles and responsibilities
Top management need to ensure that individuals are given the responsibility and authority to enable them to carry out their roles in relation to the quality management system.
All individuals should be assigned and communicated their relevant roles within the quality management system by top management. Top management should then make sure these roles are understood and the quality management processes are delivering their intended outputs.
The ISO 9001:2015 requirements do not require a specific management representative, as the responsibility now resides with top management to assign and manage all the quality management roles and responsibilities.
Every organisation faces uncertainty and how this is addressed can often influence and even determine an organisation’s success. Planning plays an integral role when addressing risks and opportunities and will focus on how your organisation can prevent, or reduce, undesired effects to achieve its objectives.
Addressing risk and opportunities
Determining your organisation’s risks and opportunities enables you to put actions in place to mitigate risks and optimise opportunities and then evaluate the effectiveness of these actions. Ultimately, this should reduce the need for corrective action in the future.
The risks and opportunities identiﬁed will help you to establish your organisation’s quality objectives that are related to your quality management system processes.
The quality objectives must be consistent with your organisation’s quality policy and be in line with the products and services you provide. They should be communicated throughout your organisation and measured and monitored to determine whether the requirements of interested parties are being met.
This clause puts a greater emphasis on your organisation’s quality planning which is integral to your business. You must undertake planning to determine how your organisation’s quality objectives will be achieved.
Planning for change
ISO 9001 has evolved to enable organisations to adapt to changing environments or circumstances, which relate directly to your external and internal issues.
When your organisation decides there is a need to change, it must be clear with what it is attempting to achieve and changes must be planned, acted upon and should include a review of the risks in relation to these changes.
For your organisation to meet its objectives outlined in its quality management system, you need to make sure you can provide the necessary support required to meet these objectives.
You need to make sure your organisation has competent resource in place to ensure the effectiveness of your quality management system. Resource considerations should include:
- Internal resources
- External providers
- Monitoring and measuring resources
- Organisational knowledge required to ensure the processes provide conforming products and services
- External communication.
Your organisation must determine the competency levels needed for those people performing work under your control. Once these competency levels have been determined, your organisation must then ensure that those people possess the necessary competencies, either based on of their education, training or experience.
All relevant people doing work under your organisation’s control need to be made aware of your quality policy, any quality objectives that are relevant to them, how they are contributing to the effectiveness of your quality management system and the implications for not conforming to the quality management system requirements.
Your organisation must be able to communicate the quality management system requirements to all people doing work under your organisation’s control. You must determine how you wish to communicate, who it will be aimed at and when such communications will be made. Consider both internal and external communications relevant to the quality management system.
Put simply, documented information should reflect the focus of ISO 9001:2015 on the organisational processes and results, rather than conformance with each element of the standard.
ISO 9001:2015 requirements do not refer to a quality manual, procedures, instructions or records so when documented information is created or updated, your organisation must ensure that it is appropriately identified, described, reviewed and approved for suitability and adequacy.
Your organisation is now required to control documented information, which now explicitly includes confidentiality, integrity and access
Operation moves into to the ‘doing’ part of the Plan-Do-Check-Act (PDCA) cycle. This clause implements your organisation’s quality management system processes to meet the requirements for the delivery of your products and services and therefore, all interested parties.
Operation planning and control Requires your organisation to establish criteria for planning, implementing and controlling processes identfied in ‘Context of organization’ in order to meet the requirements of all interested parties.
You must determine the process for the delivery of your products and services and implement the actions determined as a result of your risk assessment.
Requirements for products and services
Your organisation must put processes in place to enable communication with customers on matters relating to your products or services. Ensure you have implemented processes to make sure all requirements are known for your products or services, statutory and regulatory and customer requirements.
Make sure your organisation reviews these requirements on a regular basis to ensure you are still meeting the current requirements of all interested parties.
Design and development of products and services
This clause on design and development of products and services has substantially changed and simplified to allow for a more process orientated approach. There is more of a requirement to involve the customers or users as part of design planning to be considered.
Internal and external resource needs, potential consequences of failure and the level of control expected by customers should be considered as part of your organisations design and development inputs.
You organisation should apply design and development controls that combines the review, verification and validation of all requirements.
Make sure your organisation’s outputs from the design and development process meet input requirements and that change to the design and development input or output is controlled.
Control of externally provided processes, products and services The terms which were previously referred to as purchasing and ‘outsourcing’ in the 2008 standard is now ‘Control of externally provided processes, products and services’ and requires your organisation to ensure that they meet specified requirements.
Your organisation needs to stipulate the type and extent of controls or requirements it wishes to apply to the external provider or supplier. The information your organisation needs to provide for external providers is now more detailed and explicit.
Production and service provision
This clause specifically considers the monitoring and measurement activities that will ensure the control of your organisation’s processes and outputs or your products and services.
Your organisation must be able to identify and trace you output (product or service) and if necessary, take care of property belonging to customers or external providers to ensure you preserve your organisation’s output.
Post-delivery activity is a new clause and requires your organisation to decide on the extent of the post-delivery activities made to your products or services. It also considers risks associated and determines the nature, use and intended lifetime of your products and services.
It also reviews the potential consequences of changes to control the changes made to the provision of your output.
Release of products and services
The release of products and services to your customers is now part of the operational requirements and your organisation must implement planned activities to verify that the product and service requirements have been met.
Your organisation needs to ensure delivery to the customer shall not proceed until the planned arrangements verify product or service conformity, unless otherwise authorised by a relevant authority. Ensure your documented information provides traceability of the person authorising the release of the products or services to the customer.
Key change from ISO 9001:2008
Whilst the operation clause is the shortest, it covers most of the quality management systems processes, from enquiry to delivery and post-delivery activities including suppliers and outsourced services.
There is more emphasis on the control of outsourced processes to ensure that the same level of monitoring and management is applied to those carried out in-house.
This section of the standard emphasises the process based approach which should be taken in planning, implementing and measuring the quality management system processes to meet the objectives of your organisation and your interested parties.
The focus should be on ensuring that the desired outcomes of the processes are achieved and not just procedures being followed. The procedures and processes should ultimately be designed to achieve the intended outcomes.
We now move into the ‘checking’ part of the PDCA cycle where your organisation should identify what needs monitoring and measuring to identify whether your quality management system is meeting all the requirements of interested parties.
Monitoring, measurement, analysis and evaluation
Your organisation should identify what needs monitoring and measuring and identify the relevant methods to collect this data.
Your organisation must monitor your customer’s satisfaction in relation to your products or services and analyse and evaluate data and information relevant to your business and management system operation.
New to this clause, is the requirement that you must effectively monitor the successful implementation of planning and actions to address risks and opportunities within your organisation.
Make sure you understand the specific requirements for analysis and evaluation when using results as inputs into your management review.
Internal audit requirements are largely similar. Planning for internal audits now has explicit considerations for quality objectives, customer feedback and changes impacting your organisation.
Your top management responsibility for action is now implicit whereas previously this was explicit, although there is a requirement for audit results to be reported to relevant management and for correction and corrective action to be taken without undue delay.
Auditors must be objective and impartial which is relatively unchanged from the previous standard. In fact, with the exception of there being now no requirement for a documented procedure, the internal audit clause remains mostly unchanged.
The potential impact on auditor competence is probably more significant. In particular internal auditors should have the demonstrated knowledge and skills to audit Annex SL and the new structure and content in the standard especially if the quality management system does not include a quality manual and very few or even no documented procedures at all.
There are now additional requirements for the management review. Management review outputs have been enhanced to include many of the new areas of focus. These include:
Changes in external and internal issues (such as strategic direction)
Performance concerning external providers
Adequacy of resources for effective quality management system and effectiveness of actions taken addressing risks and opportunities.
The basic requirement to conduct management reviews is much the same as in the existing clause 5.6 in ISO 9001:2008, but it now requires the organisation to take into account the business’ strategic direction and changing business environment.
What are currently labelled as inputs in ISO 9001:2008, are now called ‘considerations’ and whilst similar to the existing inputs, they are more clearly defined and rely heavily on utilising the data generated from monitoring and measuring activities as defined in earlier clauses.
Key change from ISO 9001:2008
Overall, the requirements within this clause remain largely unchanged although some have been enhanced. Monitoring perceptions of customer satisfaction are similar from previous requirements.
This clause has combined monitoring and measuring activities, added to them, made the requirements much more explicit and now requires the organisation to consider what they expect to achieve and how closely they have met those expectations.
To complete the PDCA cycle, the improvement clause moves into the ‘acting’ stage of the cycle. The improvement of products and services, and future needs and expectations is addressed here.
There is now emphasis on improving processes to prevent nonconformities and improving products and services, therefore acting on findings found in the previous clause.
Nonconformity and corrective action
The nonconformity referred to in this clause concerns the entire quality management system and not specifically the products or services of your organisation which are addressed under clause 8.7.
There is a new emphasis placed on nonconformity and corrective action with consequences now included. Thus actions taken now recognise the potential occurrence of a similar nonconformity elsewhere.
Make sure your organisation readdresses risks and opportunities in case they need updating following nonconformity.
If any nonconformities are identified, make sure you document the nature of the nonconformity and subsequent actions taken.
Not much has changed since the 2008 standard, as ISO 9001:2015 still requires your organisation to continually improve the performance of your quality management system. Opportunities can be addressed as part of this continual improvement activity.
Key change from ISO 9001:2008
This clause now combines improvement with correcting and preventing issues. Although there was previously a clause for improvement, the new standard prescribes a more holistic approach to identifying a range of opportunities for improvement. Not only for continual improvement but there is also an emphasis on various levels of improvement, from individual actions to company-wide changes.
Determining the organisational context enables a more effective implementation of the quality management system. There is a greater emphasis on processes being managed to achieve planned results and an alignment with your organisation’s strategic direction.
There is a much greater emphasis on leadership where top management are now responsible for the management system and it cannot be delegated to a system representative. Sole responsibility now resides with top management to assign, manage and improve the quality management system.
Organisations can set firm targets to complete or begin their transition to the revised standard and get a head start on the three year transition deadline.
System and Governance Manager, Lloyd's Register
The integration of the quality management system into your organisation’s business processes determines whether the risks and opportunities increase the effectiveness of your system.
The concept of organisational knowledge was introduced to ensure your organisation acquires and maintains the necessary knowledge to satisfy the requirements of your management system.
Communication requirements previously related to internal communication in ISO 9001:2008 has now been expanded and includes internal and external communication along with when, how and with whom to communicate.
The ISO 9001:2015 standard provides a framework for your organisation to manage your quality management system as an integral part of your business management planning and governance, including the effective management of risk on behalf of all stakeholders or interested parties.