Organizations have Three years to implement the New ISO 9001 - 2015

Your organization has three years to implement the New ISO Standards.  There are some important differences. Our Multicultural Associates Consultant and ISO expert, Charles Corrales, pictured above discusses a few below.

Structure of the Standard

Perhaps the biggest difference between the old and the new 
standard is the structure. ISO 9001 2008 had five main sections 
(4 to 8) and ISO 9001 2015, now has seven (4 to 10). This is because 
the new edition uses the new Annex SL template. According to ISO, 
all future management system standards (MSSs) will use this new
layout and share the same basic requirements. As a result, all new
MSSs will have the same basic look and feel.

A common structure is possible because basic concepts such as
management, customer, requirements, policy, procedure, planning,
performance, objective, control, monitoring, measurement, auditing,
decision making, corrective action, and nonconformity are common 
to all management system standards. While this will make it easier for
organizations to implement multiple standards because they will all
share the same basic requirements, it may cause some disruption 
in the short run as organizations get used to the new structure.

Context of the Organization

Unlike the old standard, the new one expects you to understand 
your organization's context before you establish its Quality Management System (QMS). When ISO 9001 2015 asks you to understand your organization's context it wants you to consider the external and internal issues that are relevant to its purpose and strategic direction and to think about the influence these issues could have on its QMS and the results it intends to achieve.

This means that you need to understand your organization's 
external environment, its culture, its values, its performance, and 
its interested parties before you develop its QMS. Why? Because 
your QMS will need to be able to manage all of these influences.

And once you understand all of this, you're expected to use this
special insight to help you define the scope of your QMS and the
challenges it must deal with. While this will certainly help ensure 
that organizations develop unique quality management systems 
that address their own needs and requirements, doing all of this 
could be quite a challenge for some organizations.

Documentation of Information

The new ISO 9001 2015 standard has also eliminated the long 
standing distinction between documents and records. Now they 
are both referred to as “documented information”. Why ISO chose 
to abandon two common sense concepts and replace them with 
one that is needlessly awkward and esoteric is not entirely clear.

According to ISO's definition, the term documented information 
refers to information that must be controlled and maintained. So,
whenever ISO 9001 2015 uses the term documented information 
it implicitly expects you to control and maintain that information 
and its supporting medium. However, this isn't the whole story.

An annex to the new standard (A.6) further says that "Where 
ISO 9001:2008 would have referred to documented procedures ... 
this is now expressed as a requirement to maintain documented
information”, and "Where ISO 9001:2008 would have referred to
records this is now expressed as a requirement to retain 
documented information".

So, whenever the new standard refers to documented information 
and it asks you to maintain this information, it's talking about what
used to be referred to as procedures, and whenever it asks you to
retain this information, it's talking about what used to be called
records. So sometimes it must be maintained and sometimes it 
must be retained (contrary to what the official definition says).

So, while the definition of the term "documented information"
abandons the distinction between documents (or documented
procedures) and records, through the use of the words "maintain" 
and "retain" and because of what this means (according to Annex A)
the main body of the standard actually restores this distinction.

In other words, while documents and records were kicked out the 
front door, they were actually allowed back in through the back door.

Risk-based Thinking

According to the new standard, “risk-based thinking has always 
been implicit in ISO 9001”. According to this perspective, ISO 9001 
has always been about anticipating and preventing mistakes, which 
is what risk-based thinking is all about. That's why we train people,
why we plan our work, why we assign roles and responsibilities, why
we validate and verify results, why we audit and review activities, and
why we monitor, measure, and control processes. We do these things
because we want to prevent mistakes. We do them because we're
trying to manage risk. So, if we think of risk-based thinking in this 
way, it's always been an inherent part of ISO 9001. Before it was
implicit; now it's explicit.

So what kind of thinking is risk-based thinking and how is it applied?
What does the new standard expect organizations to do? The new
standard expects organizations to identify and address the risks 
that could influence their ability to provide compliant products and
services and to satisfy customers. It also expects them to identify 
and address the opportunities that could enhance their ability to
provide compliant products and services and to satisfy customers.

The new ISO standard also expects organizations to identify the 
risks and opportunities that could influence the performance 
of their quality management systems or disrupt their operation 
and then it expects them to define actions to address these risks 
and opportunities. It then further expects them to figure out how
they're going to make these actions part of their QMS processes 
and how they're going to implement, control, evaluate, and review 
the effectiveness of these actions and these processes.

While risk-based thinking is now an essential part of the new  
standard, it does not actually expect you to implement a formal 
risk management process nor does it expect you to document 
your risk-based approach.

Requirements and Exclusions

Section 1.2 of ISO 9001 2008 says that organizations may 
exclude or ignore product realization requirements (section 7) 
if they cannot be applied and if doing so doesn't interfere with its 
ability or responsibility to meet customer and legal requirements. 
The new standard takes a similar approach but, instead, seems 
to apply this thinking to all requirements.

Section 4.3 of ISO 9001 2015 says “The organization shall apply all 
the requirements of this International Standard if they are applicable 
within the determined scope of its quality management system”. 
So once you’ve determined the scope of your QMS, ISO 9001 2015 
says that every requirement must be applied within the boundaries 
defined by your statement of scope if it applies in your case.

However, while the new ISO 9001 2015 standard says that every
requirement must be applied, section 4.3 and Annex A5 also says 
that any requirement may be excluded if it cannot be applied, if you 
can justify and explain why it can’t be applied, and if excluding it 
does not undermine your ability or responsibility to ensure that
products and services are in compliance.

So, the message is clear: if a requirement can be applied you 
can't just ignore it. You must apply it. And if you really can’t 
apply it, you better be able to explain why not.

Objects, Outputs, Products, and Services

The definition of the term “object” is new. The introduction of 
the term “object” to mean anything conceivable or perceivable 
and its use in various definitions (quality, design and development,
innovation, review, traceability) seems to suggest that the new 

ISO 9001 standard can be applied to any object whatsoever. 
In theory at least, this greatly expands its scope.

What ISO 9000 2005 used to call a “product” the new standard 
now calls an “output”. The two definitions are the same. Since the 
term “output” was not defined in 2005, this shift in terminology
suggests that the process approach is now even more central 
to the new standard.

And to further complicate things, the old definition of “product” has
now been split into three separate definitions for the terms output,
product, and service. “Output” is the general concept since both
“products” and “services” are now thought of as “outputs”.

Other Clarifications and Modifications

While the previous changes could be the most important ones, 
the new standard has also clarified some concepts and modified
others. Some of these changes are listed below.

The old standard said that a “service” was a type of “product”. 
Now, the phrase "products and services" is used throughout the 
new standard and the term "service" has received its own definition.
This should help make it clear that ISO 9001 2015 applies not only 
to manufacturers but also to all types of service providers.

What used to be called “customer property” has been modified 
and greatly expanded to include products, services, and processes
belonging to all types of external providers (including customers). 
The new standard now expects you to control externally provided
products and services if they are included in your products or 
services or if they are provided directly to customers.

The old definition of “continual improvement” has changed. 
When ISO 9001 2008 asked you to make continual improvements 
it was asking you to improve your ability to fulfill requirements. 
Now, ISO 9001 2015 says it means enhancing performance 
(getting better results). This is an important shift.

According to the new standard, organizations must now identify,
acquire, and share the “knowledge” that personnel need in order 
to support process operations and achieve conformity of 
products and services.

The old concept of “product realization” is gone. Most of the 
material in the old product realization section has been modified 
and moved to the new ISO 9001 2015 section on Operations.

The term “management representative” has been dropped. 
The management duties and responsibilities that were previously
assigned to someone called a “management representative” may 
now be assigned either to one person or to many people.

"Preventive action" has also disappeared. It’s been replaced 
by "risk-based-thinking", evidently because both approaches try 
to achieve the same thing. Both try to prevent future problems through corrective actions. 
Once you introduce risk-based thinking, you no longer need a separate clause on preventive action.

It's redundant.

While the old standard asked you to use monitoring and measuring
“equipment”, the new standard refers to monitoring and measuring
“resources”. This is a more flexible approach to monitoring and
measuring because it recognizes the fact that these activities 
can often be carried out without the use of equipment. Remember that 100% “human inspection” is a fallacy and only about 85% reliable due to factors such as: proper training or certification, environmental, how the person is feeling both physically and mentally that day, etc.

Please contact us for more information on ISO Audits or to hire Charles.

Website: www.mculture.net            

Email:  [email protected]                                                                                              Phone: 805-405-2569