ISO 9001:2015 - The likely impact (Part I)

How will the new version affect ISO 9001:2008 registrations?

According to BSI, the new standard, ISO 9001:2015, will be published in September this year (2015). From the date of publication, organisations holding a valid ISO 9001:2008 certificate will have three years to make the transition to the new version of the standard. The old version will be recognised and can be audited against until the end of the three year transition for ISO 9001:2015 (expected to last until September 2018).

Some people have asked what to do in the interim, i.e. does it make sense in 2015 to become certified to the 9001:2008 version? Most experts advise that it does. First, there is the 3 year transition period which gives companies until 2018 to update their system to the new version. Second, it is possible to append the additional requirements from 9001:2015 to the current requirements. Third, the restructuring changes should remind all users that it is not a good idea to base a company's QMS just on the ISO structure, but rather it should map to the latter as appropriate. If you must use the ISO structure, then yes, it is better now to use that of 9001:2015.

Another often asked question is whether holders of 9001:2008 certificates will or should re-certify to the 2015 version? There is no reason why they must do so in the short term, but they will want to look contemporary.

Accredited Certification Bodies (e.g. BSI) will stop issuing new certificates to ISO 9001:2008 twelve months after the 2015 version is published. This means that if you are developing a quality management system based on the requirements of the current, 2008, version of the standard, you have until late 2016 to gain a certificate issued to ISO 9001:2008. If your organisation's QMS is already certified ISO 9001:2008 compliant, you may wish to look at your processes to see if they are in line with the new high level structure. However, your system must remain compliant with ISO 9001:2008 until ISO 9001:2015 is released.

What are the most notable changes in the 2015 version?

1) High Level Structure

A key fact about the ISO 9001:2015 DIS draft document is that the text has been prepared using the new “high-level structure” (i.e. clause sequence, common text and terminology) provided in Annex SL, Appendix 2 of the ISO/IEC Directives, Part 1, Consolidated ISO Supplement, 2013. This is intended to enhance alignment among ISO’s management system standards, and to facilitate their implementation for organisations that need to meet the requirements of two or more standards simultaneously.

Annex SL defines the framework for what is a generic management system. All new ISO management system standards (MSS) will adhere to this framework and all current MSS will migrate at their next revision.

The major clause numbers and titles of all MSS will be identical. They are:

Introduction

1. Scope
2. Normative references
3. Terms and definitions
4. Context of the organisation
5. Leadership
6. Planning
7. Support
8. Operation
9. Performance evaluation
10. Improvement.

Referencing the DIS, the following structure comparison chart illustrates some of the differences between ISO 9001:2015 and the ISO 9001:2008 standard:

Table 1: Structure Comparison Chart

The new harmonised approach that ISO 9001:2015 will fit into allows for the addition of discipline-specific (in this case quality-specific) text which has been applied in the wording of the DIS by including the following:

a) Specific quality management system requirements considered essential to meet the scope of the ISO 9001 standard;

b) Text to reflect the use of the Quality Management Principles that form the basis for ISO’s quality management system standards;

c) Requirements and notes to clarify and ensure consistent interpretation and implementation of the common text in the context of a quality management system.

You should keep the Annex SL changes to the 2008 structure in mind when building your quality management system processes in the future. The familiar “Plan-Do-Check-Act” (PDCA) methodology will continue to be used in the new version of the standard; however, there will be an overall  focus on “Risk based thinking" aimed at preventing undesirable outcomes - see below.

2) Risk-based thinking

There will be a much greater emphasis in ISO 9001:2015 on risk based thinking, which is incorporated in requirements for the establishment, implementation, maintenance and continual improvement of the quality management system. ISO 9001:2015, like its cousin ISO 27001:2013, does not mandate a particular risk assessment method - not even ISO 31000! I will deal with this key aspect further in a subsequent blog post.

3) Documented Information

Following Annex SL, gone are the terms documents, documentation and records. In comes 'Documented Information'. However, the requirements for the management of documented information are not new or excessive.

Section 4.2.3 Control of documents in the 2008 version has effectively moved to Section 7.5 Documented Information, under Section 7.5.2 Creating and updating and 7.5.3 Control of documented Information.

The list of six mandatory procedures has gone but it will still be necessary to document the required processes. Management of the processes and the system as a whole can be achieved using a “Plan-Do-Check-Act” (PDCA) methodology (see 0.4) with an overall focus on “Risk-based thinking" aimed at preventing undesirable outcomes (see 0.5). However, we should always remember that processes have to be controlled, which will mean creating and maintaining documented information. The term "documented information" in this regard is repeated throughout the draft version.

Section 4.4 makes the need for a QMS less explicit. That has begged the question in discussion forums: "what is a QMS anyway?" For some, the Quality Manual describes the quality management system in the form of a printed document in a ring binder. For others, it's one of many documents in an electronic document management system (DMS). How best to 'do the QMS' is a more central issue now. The graphical QMS developed by CogniDox is one answer to this need.

4) Knowledge management

Section 7.1.6 talks about Organisational Knowledge. This requires an organisation to ensure that it has or obtains the knowledge resources necessary to respond to changing business environments, changing customer and interested party needs and expectations and, where applicable, related improvement initiatives. It points to important issues affecting quality, like for example how knowledge is accessed within the organisation; and also how the organisation's IP is stored and protected.

5) Training records

One of the popular "crystallizations" of the 2008 version was the training records register. It's not clear to me whether Section 7.2 Competence requires the same. The catch-all mandate in 7.2 d) to "retain appropriate documented information as evidence of competence" would suggest that it does; although we will have to wait and see just how this is interpreted.

6) Responsibility of Top Management

ISO 9001:2015 signals more of a hands-on role for top management. Section 5 Leadership makes it clear that there is now a responsibility for top management to take accountability for the effectiveness of the QMS.

New requirements for leadership and accountability include ensuring that:

• quality policy and objectives are compatible with strategic direction;
• quality policy is applied, not just communicated and understood;
• quality system requirements are integrated into business processes.

Top management will be actively involved in the operation of the QMS. The removal of all references to the role of ‘management representative’ reinforces a need to see the QMS embedded into your routine business operations. The days of the QMS operating as an independent system in its own right with its own dedicated management structure are numbered.

#   #   #

We will have to wait until the FDIS is approved to be completely certain of the all the facts ... however, a reading of the DIS text strongly suggests that ISO 9001:2015 will turn out to be a major reworking of the standard.

Comment on this post:
Is your organisation already ISO 9001 certified? What action if any are you likely to take when ISO 9001:2015 has been published and the 2008 version withdrawn? Let us know via the comments.

Next time:   ISO 9001:2015 - the likely impacts of 'risk based thinking'.

This post was authored by: Michael Shuff