The Final Draft International Standard (FDIS) for ISO 9001:2015 is coming up very quickly, due out in July. This FDIS will be finalized in August and released as ISO 9001:2015 in September. If you haven’t had time to look it over, the first thing you’ll notice when you see the next draft will be the number of ‘Clauses’. Where ISO 9001:2008 had 8 clauses, the 2015 version has 10.
|Clause 1: ScopeClause 2: Normative ReferencesClause 3: Terms and DefinitionsClause 4: Quality Management SystemClause 5: Management ResponsibilityClause 6: Resource ManagementClause 7: Product RealizationClause 8: Measurement, Analysis, and Improvement||Clause 1: ScopeClause 2: Normative ReferencesClause 3: Terms and DefinitionsClause 4: Context of the OrganizationClause 5: LeadershipClause 6: PlanningClause 7: SupportClause 8: OperationClause 9: Performance EvaluationClause 10: Improvement
In addition to expanding to 10 clauses, you’ll note that clauses 4-10 have new titles.
Let’s start with the big picture…
First, there’s a less explicit requirement for documented procedures. There’s no requirement for a quality manual or any specific documented procedures, in fact. As in ISO 14001 and OHSAS 18001 (clause 4.4.6 d) you only need to document procedures ‘where their absence could lead to a deviation from policies and/or objectives’. We still need documented “information” – data that is required to be maintained or retained to demonstrate fulfillment of requirements.
This means documents and records (now called ‘documented information) still must be ‘controlled’. We have to take care of the results determined by our measurements and monitoring of our quality processes. We have to retain appropriate documented information as evidence of the results. This information has to be stored, be retrievable, be preserved, retained, access controlled and maintained. We imagine most organizations will still document most of their processes, but at least we now might be inclined to replace some documentation with training like we do with activities like CPR. A binder never saved a life!
This does not mean documented processes are no longer necessary – they are still necessary for the success of a good QMS, but your ISO certification will not be evaluated on them as much as they have been in the past. I think this will also encourage us to explore newer, more ‘visual’ ways to show how we do things. You’ll see what we mean if you take a tour of SimplifyISO’s ‘One Page Quality Manual’.
Other major shifts in philosophy include a higher level of involvement from senior management, the measuring and assessment of risk and a focus on ‘change management’. These will all help us create stronger, more useful quality management systems that are an asset, not a liability. Management is now required to show more than just ‘commitment’. Top management must demonstrate ‘Leadership’. Quite a welcome change!
A ‘formal risk management program’ is not required (as of the DIS) but risks related to meeting customer requirements in your organization’s ‘context’ will give you the ability to identify risks and opportunities, and develop a systematic approach to address them. With ‘Preventive Action’ gone as a separate and distinct clause, proactive processes become even more vital to system improvement and a good return on your Management System investment.
The shift is intended to make ISO more relevant to business. For example “preventive action” is terminology specific to or at least common to QMS folks, while “risk management” is a more commonly used business/organizational term, especially among senior executives who may not be directly involved in quality control, but whose decisions directly impact it.
Simply reading through the titles of the new clauses gives you some insight into the “big picture” view of 2015. “Management Responsibility” is now “Leadership” implying an evolution from ISO requirements restricted to tactical operations into a strategic perspective.
“Quality Management System” is now based on the “Context of the Organization”. This shows that quality is a strategic organizational issue, not a specific ‘activity’. There’s even a requirement to consider our ‘purpose’ and ‘strategic direction’ when designing our systems. The ‘Quality Management Rep has had his/her responsibilities diffused in order to move away from the last 27 years of, Quality? Oh that’s Pat’s job” to a philosophy of “Quality is everyone’s job”. Most organizations will still have someone who is a bit closer than most, but we need to start thinking more like Red Green, who often said “We’re all in this together”.
The new standard is not a ‘make work’ project, but is a significant step in evolving your QMS to become an organizational asset. The new standard will present a core set of requirements for the next decade. It will remain generic and relevant to organizations of all sizes and types within any sector. It will maintain the current focus on effective process management to produce a desired set of outcomes.
ISO 27001, (Information technology — Security techniques — Information security management systems – Requirements) has already been released in this format of 10 Sections, called ‘Annex SL’, ISO 14001 is about to be released this fall, and OHSAS 18001 (Health and Safety) will come out next year as ISO 45001. This will make integrated systems much easier to implement.
Business is evolving rapidly – fuelled by access to greater data and analysis capability. The greater visibility we have into processes, the greater control we can exert. Also the business environment we find ourselves in has grown more complex, demanding and requiring continual response to stay competitive. This latest version of this 1987 Standard will help us achieve our purpose.