By IJ Arora
Over the years, ISO 9001 has proactively kept up with various industry expectations to permit the standard’s adoption by a broad spectrum of industry stakeholders. The 2015 revision was a thoughtfully planned, giant step forward. It defined risk (clause 6.1) in the context of the organization (clauses 4.1 and 4.2) and redefined what an organization does not do or outsources in its scope (clause 4.3). ISO 9001:2015 also removed preventive action, which is a reactive concept, and introduced proactive risk appreciation (clauses 6.1 and 8.1 in industry-specific standards such as AS9100).
This took preventive action from the delayed “Act” stage of the Plan-Do-Check-Act cycle to the more logical “Plan” stage. After all, “look before you leap,” as a historical fundamental, could not be left as a preventive action decision. It had to be at the “Plan” (meaning “look”) stage! Risk also needed not just mitigation, but also had to be considered as an input. This has allowed innovation to be thought of in terms of an opportunity for improvement.
These were all positive steps in keeping with technical advancements, including AI tools. The high-level structure, later updated to harmonized structure, recognized the need to enable ease of implementation of integrated management systems. This in turn has led to greater efficiency, better return on investment, and, where applicable, more robust environmental protections, increased security of the global supply chain, more effective business continuity, stronger cybersecurity, and better health and safety systems.
The differentiation of knowledge (clause 7.1.6) from competence (clause 7.2) was also a clever and much-needed change. Organizations needed to define their corporate knowledge aspects and differentiate it from the individual knowledge held by personnel. Knowledge and competence needed merging and a healthy marriage but also the recognition that these are different elements. Removing the reference to quality managers and quality manuals took away the narrowness of thinking in quality and brought about greater clarity that top management must remain accountable. This also helped differentiate authority delegation from the retention of that accountability.
I am a member of the U.S. Technical Advisory Group to ISO/TC 176, which is the technical committee responsible for ISO 9001. There has not been much movement toward changes to ISO 9001, nevertheless, it is wise for all stakeholders to engage in debate to consider updating the standard.
Because the 2015 version of ISO 9001 represented a major fundamental change to the standard, I doubt there would be a significant departure in the forthcoming revision. Instead, I believe that the emphasis would be to clarify and strengthen the present thoughts in the 2015 version. I might suggest the following:
- Over the years, I have often thought about a two-standard concept: one for manufacturing organizations and other for those in service and transactional sectors. However, I am always concerned about management system standards injecting too much bureaucracy into organizations, and the two-standard approaches may hurt more than it helps in that vein. In my opinion, clause 8.3 for design and development can, if needed, be strengthened, clarified, and made more useful for service organizations.
- Risk must be better defined and opportunities for improvement (OFI) must be clarified to avoid auditors using them as tools to sneak in recommendations. OFIs are the outcome of considering risk as an input for innovation. They are NOT recommendations.
- The knowledge clause needs to be strengthened and made more inclusive to systematize the requirements for organizational lessons learned.
- An annex might be added to bring clarity and ease to designing and implementing a combined management system for an organization.
- Clause 4.3, “Scope,” requires consideration of the context of the organization, which is based on clauses 4.1 and 4.2. However, although the scope must be available as documented, 4.1 and 4.2 do not require documentation. I would suggest both clauses 4.1 and 4.2 be made documented requirements.
In conclusion, I believe that updating ISO 900 from the ground up is not a wise idea at this stage. The standard could perhaps use slight tweaking, including some minor changes like the ones I recommend above. This would provide stability in the implementation of an already robust standard.
About the author
Inderjit Arora is the president and CEO of QMII. He serves as a team leader for consulting, advising, auditing, and training regarding management systems. He has conducted many courses for the United States Coast Guard and is a popular speaker at several universities and forums on management systems. Arora is a Master Mariner who holds a Ph.D., a master’s degree, an MBA, and a 32-year record of achievement in the military, mercantile marine, and civilian industry.