by Lorri Hunt
ISO 9001:2015 is the first major revision to the standard since the 2000 version. The intent of the 2015 revision was simple: Consider the technological changes in business during the last 15 years, develop requirements that could be dynamic enough to adjust when additional changes occur in industry, and include requirements that could be audited for conformance.
Any changes in requirements should enhance a customer’s confidence in the organization’s quality management system (QMS) and help the organization achieve intended results. A common criticism of past versions of ISO 9001 was that organizations could meet the standard’s requirements but deliver products that didn’t meet customer requirements. ISO 9001:2015 includes requirements that focus on achieving intended results. This new approach focuses on the performance and effectiveness of the QMS.
By making the standard less prescriptive and more reliant on risk-based thinking to determine the level of complexity needed for an organization’s QMS, ISO 9001:2015 accomplishes what many users have requested. However, this introduces new challenges.
For this reason, ISO 9001:2015 includes an annex that provides the rationale for some of the changes.
Here are some of the key changes in ISO 9001:2015.
Because the new structure of ISO 9001:2015 is the most obvious change in the revision, it’s important to understand the rationale for the change so that users can move on to the more substantive changes.
The structure of ISO 9001:2015 changed due to a decision by the ISO Technical Management Board to adopt a standardized format and common core text and terms for use in all new and revised ISO management system standards. This is to promote greater ease of use for organizations that want to integrate the requirements of multiple management system standards such as ISO 9001, ISO 14001, and ISO 50001. This standardized format is referred to as Annex SL, which is simply the alphanumeric indication of the index from the ISO Directives.
Understanding the change
Before getting too caught up in the structure of the revised standard, it’s important to read subclause 0.4, Relationship with other management system standards, and Annex A. Subclause 0.4 introduces the Annex SL high-level structure, explains the rationale of the structure, and highlights some of the changes in ISO 9001:2015. Specifically, it indicates that the structure relates to the framework developed by ISO to approve alignment among management system standards.
Subclause A.1 (located within Annex A), Structure and terminology, provides details that should help organizations understand the requirements related to structure. Subclause A.1 specifically states that there is no requirement for organizations to adopt the ISO 9001:2015 structure in their own QMS, nor do organizations have to change the terminology used in their QMS.
The text included in the annex should alleviate any concerns related to structure and required changes. With that said, organizations with an existing ISO 9001-based QMS should have already adopted the process approach in the structure of their QMS. Therefore, before making any structural changes to your organization’s QMS, it’s important to carefully consider the opportunities and issues associated with making such changes. Any change should add value. Making a change for the sake of aligning a QMS to an outside structure of any kind potentially adds unneeded cost and overhead.
If an organization wants to ensure that it has addressed any new requirements in ISO 9001:2015, it should develop a cross-reference of compliance methods such as implemented processes or documented procedures from whatever structure it’s using to the requirements in the revised standard. A cross-reference of ISO 9001:2008 requirements to ISO 9001:2015’s requirements is included in chapter 21. This cross-reference will help organizations understand the relationship of current requirements to requirements in ISO 9001:2015. This cross-reference is available to the public at no charge at: http://isotc.iso.org/livelink/livelink/open/tc176SC2public.
Subclause 4.4, Quality management system and its processes, should also be considered when reviewing requirements related to the structure. Organizations that have taken a minimal approach to this requirement may need to make some changes in how they identify and control their processes. Organizations that have embraced the process approach will not only find that the transition to ISO 9001:2015 is simpler, but also that the integration of any new requirements into their QMS is easier to accomplish.
Products and services
Ever since the first of edition of ISO 9001 was published, there has been feedback from some users that the standard is difficult to apply to all types of industries, specifically the service sector. For that reason, the language in ISO 9001 was modified to make it easier to use across all sectors.
One way that ISO 9001:2015 has been made more generic is by replacing the word “product” with “products and services.” Using “products and services” helps to emphasize that the standard can be applied to all types of organizations. In addition, some requirements have been specifically changed to emphasize this point. This includes subclause 7.1.5, Control of monitoring and measuring resources, which was made easier to apply to service industries by changing the words “monitoring and measuring equipment” to “monitoring and measuring resources” and incorporating requirements related to monitoring and measuring as applicable to the service sector.
Some of ISO 9001:2015’s new requirements are practices that most organizations already do, but may cause some discussion regarding implementation. This is partially due to the new terminology in ISO 9001:2015 related to “interested parties.”
ISO 9001 has always been and remains a customer-focused standard. The high-level structure and common text that is required to be used by Annex SL uses the term “interested parties” instead of “customers.” Specifically, subclauses 4.1, Understanding the organization and its context, and 4.2, Understanding the needs and expectations of interested parties, require you to focus on these aspects. These requirements, while new in the text of the standard, were implied in subclause 0.1, General, in ISO 9001:2008, which indicated that the QMS is influenced by the environment that the organization operates in, including changes and risks.
Understanding the change
To eliminate the potential for the term “interested parties” to be interpreted beyond the intent of ISO 9001:2015, subclause A.3, Understanding the needs and expectations of interested parties (located in Annex A), explains subclauses 4.1 and 4.2. Specifically, ISO 9001:2015 doesn’t require an organization to consider interested parties that aren’t relevant to its QMS. Organizations will need to determine what is relevant for them based on whether the interested party has an effect on the organization’s ability to meet customer, statutory, and/or regulatory requirements. Some organizations may choose to expand the interpretation of the requirement, but this is at their discretion and where it can be determined that such an application can add value. A list of examples of interested parties is included in ISO 9000:2015.
When ISO 9001:2000 was published and ISO 9002 was eliminated, the concept of exclusions was introduced into the standard. Exclusions allowed an organization to exclude a requirement of clause 7 of the standard as long as it doesn’t affect the organization’s ability to meet customer, statutory, and/or regulatory requirements or provide a product or service that conformed to such requirements.
With the introduction of the core Annex SL text, which includes a different structure, the standard has been made more generic. Therefore, it’s easier to apply the standard’s requirements. This change focuses ISO 9001:2015 on the application of the requirements and not on the exclusion of requirements. ISO 9001:2015 requires organizations to apply the requirements where they can.
Subclause 4.3, Determining the scope of the quality management system, still requires an organization to justify any instance where a requirement cannot be applied. However, it isn’t limited to certain clauses of ISO 9001:2015 like it was in the previous two versions of the standard. The required justification for not applying a requirement of ISO 9001:2015 will assist with establishing the framework of an organization’s QMS. This will be helpful not only to the organization, but also to any third-party auditors who will be reviewing the organization’s QMS.
Understanding the change
Subclause A.5, Applicability (located in Annex A), outlines the new concept of “application not exclusion.” It specifically addresses the idea that not all requirements have to be applied by an organization due to the nature of the product or service that it provides. Other influences might be the size of the organization, the management model it adopts, and/or its risks and opportunities.
Organizations that are already taking an exclusion to a requirement in their ISO 9001:2008-based QMS should be able to determine the requirement still no longer applies when they transition to ISO 9001:2015.
Another concept that has been integrated into ISO 9001:2015 is risk-based thinking. Although risk was implied in previous versions of ISO 9001, the word “risk” is now actually used in ISO 9001:2015. Using risk-based thinking allows an organization to determine the level of controls needed for certain requirements, thereby reducing some requirements that were seen as more prescriptive than others.
In alignment with risk-based thinking, ISO 9001:2015 doesn’t use the term “preventive action.” The language in the standard looks at how an organization determines the risks and opportunities that need to be addressed as part of an effective QMS. Subclause 6.1, Actions to address risks and opportunities, includes requirements to ensure that the QMS can achieve its intended outputs. It also addresses taking action appropriate to the potential effect of conformity of products and services and preventing the occurrence of potential issues.
Understanding the change
Subclause 6.1 includes a note that provides clarification of the options that can be used to address risks and opportunities, including the idea that risks and opportunities aren’t always negative. The organization can take actions to avoid risks or actions to pursue an opportunity.
Subclause A.4, Risk-based thinking (located in Annex A), emphasizes the point that there is no requirement to implement a specific, formal risk-management system. Instead, ISO 9001:2015 focuses on the potential risks and opportunities associated with the implementation of a specific requirement and the level of implementation required.
In addition, subclause 0.3.3, Risk-based thinking, includes the consideration of risks and the potential consequences for different types of organizations, which allows the application of requirements based on those consequences.
Throughout the many versions of ISO 9001, the terms “documents” and “records” have been used. In ISO 9001:2015, these terms have been replaced with the term “documented information.” In addition, in previous versions of ISO 9001 the requirements for documents and records were kept in separate clauses. They are now included in subclause 7.5, Documented information.
It’s important to understand that this new terminology has been introduced because the way we control documented information today is vastly different than it was when ISO 9001 was first released. Despite this fact, there had been little change to the requirements in past revisions.
Understanding the change
Subclause A.1, Structure and terminology (located in Annex A), identifies some of the biggest terminology changes in ISO 9001:2015. It states that although the terms have been changed, organizations aren’t required to use the same terminology used by ISO 9001:2015 in their QMS. Furthermore, subclause A.6, Documented information (located in Annex A), includes clarifying information related to when the term “documented information” is used. It states, “Where ISO 9001:2008 used specific terminology such as ‘document’ or ‘documented procedures,’ ‘quality manual’ or ‘quality plan,’ this edition of this International Standard defines requirements to ‘maintain documented information.’
“Where ISO 9001:2008 used the term ‘records’ to denote documents needed to provide evidence of conformity with requirements, this is now expressed as a requirement to ‘retain documented information.’ ”
The annex goes on to explain that when the word “information” is used without “documented,” there is no requirement that the organization maintain documented information unless the organization determines it’s necessary.
Subclause 7.1.6, Organizational knowledge, requires organizations to determine what knowledge is necessary for the operation of their processes to meet product or service requirements. This is one of ISO 9001:2015’s new requirements, but it’s something that most organizations already have in place, even if informally.
This requirement is frequently confused with the requirements for employee competence. Organizational knowledge relates to the organization; competence is employee knowledge.
Understanding the change
Subclause A.7, Organizational knowledge (located in Annex A), addresses this requirement. It specifically relates that the organization needs to safeguard against loss of knowledge through employee turnover. It also provides examples of methods for acquiring knowledge, such as benchmarking or sharing lessons learned.
Control of externally provided products and services
This is another aspect of ISO 9001:2015 where the terminology has changed. In ISO 9001:2000, the term “vendor” was changed to “supplier.” In ISO 9001:2015, the term “supplier” has been replaced with “external provider.” This is because not all products or services are obtained through a traditional purchasing process. For example, some organizations receive parts or services from an associate company.
Understanding the change
Using the term “supplier” limited the organization’s ability to see that there might be the need for controls for providers other than suppliers. With the understanding that the controls for a traditional “supplier” might be different than those for an associate company, subclause A.8, Control of externally provided processes, products, and services (located in Annex A), provides clarification that the organization can take a risk-based approach to determine the type and extent of controls needed for each external provider based on the products and services to be provided.
In addition to this terminology change, additional terminology changes are included in subclause A.1, Structure and terminology (located in Annex A). As with the previous examples outlined, there is no requirement that organizations transition to these terms. Organizations should use terms that best fit their needs regardless of their use in the standard.
ISO 9001:2015 introduces concepts that are familiar to organizations. However, some of these terms may have some nuances and specific steps that need to be incorporated into an organization’s QMS.
About the author
Lorri Hunt is a U.S. technical expert and co-convener for WG24, the group responsible for ISO 9001:2015, TS9002, and The Small Business Handbook. She is an ASQ Senior member, an Exemplar Global lead auditor, a frequent contributor to quality publications and journals, and a speaker all over the world. She is the president of Lorri Hunt and Associates Inc.
This article originally appeared as chapter 2 in The ISO 9001:2015 Handbook: A Practical Approach to Implementation. It is reprinted with permission from the publisher Paton Professional and the authors Lorri Hunt, Jose Dominguez, and Craig Williams.