by Roderick A. Munro
The updated ISO 9001:2015 standard has been available for over nine months. The mandatory time to transition to the standard is fast approaching (September 15, 2018), and it’s beginning to feel like déjà vu back to 2003.
When ISO 9001:2000 was released, many companies waited to nearly the last minute to make the transition. This caused countless issues for registrars and clients as there were not enough trained auditors available to conduct all the audits that were required. Most registrars today face the same shortage, which is becoming more critical for specialized standards such as ISO/TS 16949 and AS9100. So if you have a good registrar now, it would be best for your company to plan the next two years of audits to lock in your timing as soon as possible.
Remember that even though your registration certificate is good through September 15, 2018, your registrar will need to conduct your transition audit anywhere from 90 to 120 days prior to that date to allow for resolution of any potential major findings. And the probability (risk) is that your company will receive at least one major and numerous minor findings (due to changes in the standard as well as rules required by ANAB and UKAS on the registrars) unless you start planning now. Remember that advance quality planning can work for office settings just as well as it does for any product launch.
In the past three years, I have had the opportunity to help conduct more than 200 audits, many of them as the lead auditor. This experience has allowed me to talk with many people in many industries about ISO 9001:2015’s requirements. The degree of change that your organization will face depends on a number of factors around your organizational culture and how your quality management system (QMS) is currently structured.
A number of blogs and some lead auditors are touting that there are relatively few substantial changes to the new standard and, as such, you should have an easy time making the needed changes. However, this all depends on your current QMS. The biggest surprise to me in the past three years is that 80 to 85 percent of the clients I have worked with are still conducting “compliance” internal audits.
Related Article: Analyzing ISO 9001:2015
Most new and recently revised management system standards are based on Annex SL, which was published by the International Organization for Standardization (ISO) to provide a common structure for auditable ISO management system standards.
Click Here to Read
It’s true that many clever consultants have pointed out that in both the 2000 and 2008 versions of ISO 9001 there was no “shall” statement around the term “process approach“ anywhere in the auditable text of the standard. Some hacks (a term that W. Edwards Deming used frequently for those with limited understanding) will even point out that in ISO 9001:2015, subclause 9.2, Internal audit, the term “process approach” is not present so the initial audit team is free to conduct compliance audits only. What they are failing to acknowledge is that in subclause 5.1.1, the standard states: “Top management shall demonstrate leadership and commitment with respect to the quality management system by… d) promoting the use of the process approach and risk-based thinking…” And because the internal audit process is supposed to be a tool of top management, the internal audit team must now demonstrate both the process approach and risk-based thinking in the organization (a double-edged sword on top of compliance). Just this past weekend I saw an advertisement from a respected consulting organization pointing out that their internal audit training now includes the process approach but it didn’t mention risk-based thinking. Beware: missing this will be a finding in a third-party audit.
Where should you start your transition process?
When in conversations with general managers, plant managers, and company presidents, I usually state that if I were in their position, I would start with the following three basic steps:
- At the next direct reports (staff) meeting, distribute blank sheets of paper and ask each person to draw a flowchart of how he or she thinks the organization operates (a process flowchart vs. a product flow chart). Give them five minutes to complete this task and collect all sheets of paper. Then continue with your planned meeting for the day. If your company already has a high-level flowchart, post it on a wall and put all of the newly drawn hand sketches around it. Otherwise, put all of the flowcharts up on the wall and use them as a starting point for your high-level flowchart. The next challenge is to have your team discuss the organization’s flow as a team until you get everyone mentally and physically on one sheet of paper (the same page). This now can be used to address the beginnings of the context of the organization (clause 4) of the standard and gives each manager and supervisor common talking points with internal and external auditors.
- Once you have the common flowchart, look through each one of its boxes and the area between the boxes (the interactions) and ask: “What could go wrong?” This should become the basis for your risk analysis. Note: there is no requirement to formally document this list; however, it would be highly advisable to create a matrix of these items. There is no prescribed method for risk-based thinking, so keep it simple. A good approach is to look at your safety program and ask how the concept of high risk to safety is defined. The probability is that management must take action within 30 days. Simply use this three-level scale: high risk = action in 30 days; medium risk = action between a 31 and 180 days; and low risk = 181 days or more to take management action. (You could also use a five-level scale with severe risk = immediate action, and no risk = no action.)
- After the risk matrix is developed, go back through the flowchart a second time and ask: “In a perfect world, what would we like here?” Again, no there is no requirement for a list here; however, by creating a list the management team now has the “opportunities” identified that will be asked by auditors (again, lacking something here will be a finding in external/third-party audits). This list can be used as a feeder to your continual improvement program and can be reviewed during the management review meetings.
Follow Up
With the development of the three steps, top management should be well on their way to completing clauses 4 and 5 of ISO 9001:2015. Now, train your internal auditors on ISO 9001:2015’s requirements and start conducting multiple rounds of internal audits (at least two to three times as many as normal for the next year or two) to the new standard. This should help management and the organization to understand and move forward in meeting ISO 9001:2015’s new requirements and a much smoother transition.
About the author
Roderick A. Munro has spent his career in the pursuit of continual learning and helping others understand and utilize process improvement (systems thinking, continuous improvement, systems improvement, and total quality management) methodologies and tools to help make their work and lives better.
Munro has more than 40 years of experience working from the shop/store floor up into the senior leadership ranks. He is a Fellow of the Chartered Quality Institute (UK) and an ASQ Fellow, CQE, CQA, and Certified Manager of Quality/Organizational Excellence. He is an IRCA certified QMS lead auditor and Lean Six Sigma Master Black Belt coach. Munro has extensive experience with ISO 9001, QS-9000, ISO/TS 16949, ISO 14001, and BSI OHSAS 18001.
Munro’s most recent publication is the ASQ Certified Six Sigma Green Belt Handbook, Second Edition. He is also the author of the Automotive Internal Auditor Pocket Guide: Process Auditing to ISO/TS 16949, and co-author of The ISO/TS 16949 Answer Book. The last two books are in review now with the ASQ Automotive Division for review and updating to the ISO 9001:2015 standard.
A must read for all professional auditors.
I work in the medical device manufacturing industry as a professional consultant. One of my responsibilities is conducting ISO 13485 compliance audits. Some of my clients still have current ISO 9001 certificates (in addition to ISO 13485 certs). Do you believe that an ISO 9001 cert may actually be needed in the cases of medical device manufacturers that have current ISO 13485 certificates?
I didn’t realize that so many companies waited until the last minute to update to ISO 9001:2000. You make a good point when you urge companies not to do the same thing with the current standards. If they haven’t already started, your section on how to begin the transition process would be really helpful. I would think that most companies would want to be proactive about this kind of thing.
I would like to know that when is the deadline of ISO 9001:2015. As I know that previous system ISO 9001:2008 deadline was September 12, 2018. If there are needed to transit from ISO 9001:2015 to ISO 9001:20xx, what kinds of requirements are we need to know. Is there any modification of that requirements?