Implementing ISO 9001:2015 requirements

Published in September 2015, ISO 9001 has recently undergone some of the most significant changes in recent years. It needed to change to enable it to adapt to an ever changing world where organisations are operating in increasingly complex environments.

It has been revised to not only ensure it continues to provide a consistent foundation for the future, but to ensure it reflects the needs of all relevant interested parties.

With the introduction of Annex SL, the new high-level structure for all new and revised management system standards, ISO 9001:2015 also ensures easy integration with other management system standards, such as ISO 14001:2015, also published in September 2015.

Originally, ISO 9001 was aimed more at manufacturing organisations, but as industry has developed, ISO 9001 was being used by organisations in all industry sectors; after all, most organisations want to deliver a quality service that meets customer expectations, whether that be for a service or product. ISO 9001, therefore, needed to change to become more compatible with service organisations and non-manufacturing users.

With the ever complex environments organisations now operate in, there is a clearer understanding that ‘one size does not fit all’. ISO 9001 now expects a stronger emphasis on an organisation’s context. Organisations must now determine what the relevant external and internal issues are and then demonstrate these are relevant or aligned with the organisations strategic direction.

Greater emphasis is on leadership where top management are now directly responsible and therefore, accountable for the management system. Top management can no longer delegate the responsibility to a management systems representative.

As with the 2008 standard, there is a focus on a process-based approach, but ISO 9001:2015 has strengthened this focus and it has become more explicit.

Concept of preventive action has now been addressed throughout the standard by risk identification and mitigation and there has been an increased emphasis on seeking opportunities for improvement.

Although the structure has changed to ISO 9001:2015, the Plan-Do-Check-Act (PDCA) cycle is still very much at the heart of the management system standard.

This article provides some practical guidance and advice for those who are responsible for implementing a quality management system to ISO 9001:2015 requirements.

Context of Organization

Understand your external and internal issues

To fully understand your organisation and its purpose, it is necessary to determine your external and internal issues which may affect your organisation’s ability to meet its intended strategic objectives. This is the flagstone of your organisation’s quality management system as it underpins why your organisation is here.

External issues that may affect your organisation and therefore you need to consider your economic, political, legislative, regulatory, environmental, technological and social factors.

For example, the economy can affect the success of your business and the ability of your customers to pay for your product or service which then directly impacts on your bottom line.

Whether the economy is specific to your industry or a global trend, it can still have an optimistic or detrimental impact on meeting your strategic objectives. Your organisation may need to offer sales promotions, diversify your product line or recruit new staff to cater for the increase in demand.

Internal issues are also likely to fall into the same basic areas as external issues. For example, the economic issues may relate to employee benefits or bonus related pay, whereas social issues may relate to an ageing workforce and issues relating to succession planning.

When looking at understanding your organisation and its context in relation to your quality management system, make sure you consider that issues can positively or negatively affect your organisation.

Recognise the requirements of your relevant interested parties

Ultimately, quality is given as a result of a product or service that satisfies all key stakeholders requirements. Your organisation will therefore be required to identify all relevant interested parties (the new terminology for stakeholders) and their relevant requirements.

Interested parties who can affect or be affected by the activities and decisions of an organisation are likely to be linked to the external and internal issues previously identified.

Determination and documentation of scope

"Now that ISO 9001:2015 has been published, organisations looking to transition to the new standard can really benefit from a performance based management system which delivers competitive advantage."

Richard Crute Morris, Assessment Services Capability Development Manager
LRQA

As in the 2008 standard, ISO 9001:2015 still stipulates that your organisation needs to determine and document its scope to outline your quality management system boundaries.

The scope is now better defined and as well as considering the external and internal issues and the requirements of interested parties as mentioned previously, your organisation must state the products and services covered by your quality management system, the applicability of specific requirements and justification for any case where a requirement cannot be applied (exclusion).

The processes that form the quality management system must address the applicable requirements and expectations of interested parties, which are considered by the organisation as integral to meeting its purpose and required outcomes.

These processes must include monitoring and measuring processes to ensure all interested party requirements are identified and understood and all activities undertaken by your organisation are meeting these requirements.

Key change from ISO 9001:2008

Although ISO 9001:2015 standard does not refer to ‘exclusions’, your organisation will be required to justify where a requirement cannot be applied. You must evaluate the applicability on the basis that decisions do not result in failure to achieve conformity to product or service requirements.

Leadership

Demonstration of leadership and commitment

Top management are required to demonstrate commitment and leadership by taking responsibility for the effective running of your organisation’s quality management system.

They can do this by taking accountability for the effectiveness of the quality management system and ensuring the quality policy and quality objectives are compatible with the context and strategic direction of your organisation.

Top management need to have a clear line of sight from your organisation’s business plans and strategy, to the objectives and business measures. These should provide the basis for developing the quality policy.

Leadership from your top management needs to ensure the integration of the quality management system requirements into the organisation’s business processes. The quality management system can no longer be a ‘stand-alone’ function of the business, but an integral aspect of business as usual activities, from highest level business planning to process outputs.

To ensure demonstration of leadership, top management need to be seen as promoting the use of a process and risk- based thinking approach. The risk based approach should work at a number of levels within your organisation, from identification and mitigation of risk at strategic planning level, to process risk management and control.

To demonstrate commitment, top management are required to make sure the quality management system achieves its intended outcome(s) and has adequate resources assigned.

Additionally, they are required to engage, direct and support all individuals that the quality management system applies. They need to communicate the importance and ensure its continued success by encouraging all individuals to contribute to the overall effectiveness of the management system.

To encourage engagement, top management should support relevant roles within the quality management system and always promote improvement.

Leading by example, top management are required to demonstrate customer commitment by ensuring there is a focus on products and services meeting customer requirements, applicable statutory and regulatory requirements are being determined and met and risk and opportunities are being addressed.

The involvement of top management in the management system is now explicit and hands-on.

Establishing a quality policy

The quality policy has also been strengthened and needs to be developed in line with the purpose and context of the organisation.

Top management have an explicit requirement to apply the policy and should ensure it provides a framework for the organisation’s quality objectives that include the commitment to satisfying interested party requirements and promote the continual improvement of the quality management system.

Top management shall make sure the policy is available as documented information and communicated and understood by all relevant interested parties.

Roles and responsibilities

As with the 2008 standard, top management need to ensure that individuals are given the responsibility and authority to enable them to carry out their roles in relation to the quality management system.

All individuals should be assigned and communicated their relevant roles by top management and top management should ensure these are understood and the quality management processes are delivering their intended outputs.

In the 2015 standard, there is now no requirement for a specific management representative and the responsibility now resides with top management to assign and manage all the quality management roles and responsibilities.

Key change from ISO 9001:2008

The quality management system is now the sole responsibility of top management and therefore, they are now accountable and must be able to demonstrate involvement.

Top management must support other managers within the organisation to help them lead within their areas of responsibility. This clause now requires management to not only demonstrate commitment to the management system, but to demonstrate effective leadership also.

Planning

Addressing risk and opportunities

After highlighting the external and internal issues and the requirements of interested parties in ‘Context of organization’, your organisation now needs to address the risks and opportunities it may face.

Planning plays an integral role when addressing risks and opportunities and will focus on how your organisation can prevent, or reduce undesired effects, making sure your organisation still achieves its set objectives.

Don’t forget the need to look at the positive aspect or opportunities for the business and how to optimise them.

Through determining the risks and opportunities which need to be addressed, actions can be taken and then your organisation should evaluate the effectiveness of these actions. Ultimately, this should reduce the need for corrective action at a later date.

Setting objectives

The risks and opportunities identified will lead to setting quality objectives, which have been made more detailed in the 2015 standard. Your organisation should set quality objectives that are established for processes that are relevant to your quality management system.

The quality objectives must be consistent with your organisation’s quality policy and be in line with the products and services you provide. They should be measured and monitored in order to determine whether the requirements of interested parties are being met. They should also be communicated throughout your organisation and updated when appropriate.

This clause puts a greater emphasis on your organisation’s quality planning which is integral to your business. You must undertake planning in order to determine how your organisation’s quality objectives will be achieved.

Planning for change

ISO 9001:2015 has evolved to enable organisations to adapt to changing environments or circumstances, which relate directly to your external and internal issues.

When your organisation decides there is a need to change, changes must be planned and then acted upon and should include a review of the risks in relation to these changes.

You must be clear as to what it is you are attempting your organisation to achieve.

Key change from ISO 9001:2008

With the 2015 standard evolving, the main difference is how organisations include change into their quality management system and how they approach change management.

Planning brings risk to the forefront by establishing the review of risk as a process for reducing, eliminating or controlling potential issues (possibly those previously outlined in the identification of your organisation’s external and internal issues). There is also a stronger focus on planning to achieve performance objectives.

Support

In order for your organisation to meet its objectives outlined in its quality management system, you need to make sure you can provide the necessary support required to meet these objectives.

The support clause is composed of five key elements:

  • Resources
  • Competence
  • Awareness
  • Communication
  • Creation and control of documented information.

Resources

You need to make sure your organisation has competent resource in place to ensure the effectiveness of your quality management system.

Resource considerations should now include:

  • Internal resources
  • External providers
  • People
  • Monitoring and measuring resources
  • Organisational knowledge required to ensure the processes provide conforming products and services
  • External communication.

Competence

Your organisation must determine the competency levels needed for those people performing work under your control. Once these competency levels have been determined, your organisation must then ensure that those people possess the necessary competencies, either on the basis of their education, training or experience.

Awareness

All relevant people doing work under your organisation’s control need to be made aware of your quality policy, any quality objectives that are relevant to them, how they are contributing to the effectiveness of your quality management system and the implications for not conforming to the quality management system requirements.

Communication

Your organisation must be able to communicate the quality management system requirements to all people doing work under your organisation’s control. You must determine how you wish to communicate, who it will be aimed at and when such communications will be made.

The organisation needs to consider both internal and external communications relevant to the quality management system.

Documented information

"The way documented information is defined provides more scope for an organisation to determine what is appropriate for its unique set of circumstances, rather than following a prescriptive format. Put simply, documented information should reflect the focus of ISO 9001:2015 on the organisational processes and results, rather than conformance with each element of the standard."

Richard Crute Morris, Assessment Services Capability Development Manager
LRQA

The requirements of documented information are not new, but there is no longer a requirement for a documented quality manual.

Annex SL, and subsequently ISO 9001:2015 does not refer to a quality manual, procedures, instructions or records. All forms of documentation (hard copy and electronic forms) are now referred to as ‘documented information’.

ISO 9001:2015 includes an enhanced requirement for the creation and updating of documented information. When documented information is created or updated, your organisation must ensure that it is appropriately identified, described, reviewed and approved for suitability and adequacy.

Your organisation is now required to control documented information, which now explicitly includes confidentiality, integrity and access.

Key change from ISO 9001:2008

Much of this clause is similar in intent to the previous standard, although re-arranged and there have been some enhancements. The most significant change here is that there is no longer a requirement for a quality manual.

Operation

Operation moves into to the ‘doing’ part of the Plan-Do-Check-Act (PDCA) cycle. This clause implements your organisation’s quality management system processes to meet the requirements for the delivery of your products and services and therefore, all interested parties.

Operation planning and control Requires your organisation to establish criteria for planning, implementing and controlling processes identified in ‘Context of organization’ in order to meet the requirements of all interested parties.

You must determine the process for the delivery of your products and services and implement the actions determined as a result of your risk assessment.

Requirements for products and services

Your organisation must put processes in place to enable communication with customers on matters relating to your products or services. Ensure you have implemented processes to make sure all requirements are known for your products or services, statutory and regulatory and customer requirements.

Make sure your organisation reviews these requirements on a regular basis to ensure you are still meeting the current requirements of all interested parties.

Design and development of products and services

This clause on design and development of products and services has substantially changed and simplified to allow for a more process orientated approach. There is more of a requirement to involve the customers or users as part of design planning to be considered.

Internal and external resource needs, potential consequences of failure and the level of control expected by customers should be considered as part of your organisations design and development inputs.

You organisation should apply design and development controls that combines the review, verification and validation of all requirements.

Make sure your organisation’s outputs from the design and development process meet input requirements and that change to the design and development input or output is controlled.

Control of externally provided processes, products and services The terms which were previously referred to as purchasing and ‘outsourcing’ in the 2008 standard is now ‘Control of externally provided processes, products and services’ and requires your organisation to ensure that they meet specified requirements.

Your organisation needs to stipulate the type and extent of controls or requirements it wishes to apply to the external provider or supplier. The information your organisation needs to provide for external providers is now more detailed and explicit.

Production and service provision

This clause specifically considers the monitoring and measurement activities that will ensure the control of your organisation’s processes and outputs or your products and services.

Your organisation must be able to identify and trace you output (product or service) and if necessary, take care of property belonging to customers or external providers to ensure you preserve your organisation’s output.

Post-delivery activity is a new clause and requires your organisation to decide on the extent of the post-delivery activities made to your products or services. It also considers risks associated and determines the nature, use and intended lifetime of your products and services.

It also reviews the potential consequences of changes to control the changes made to the provision of your output.

Release of products and services

The release of products and services to your customers is now part of the operational requirements and your organisation must implement planned activities to verify that the product and service requirements have been met.

Your organisation needs to ensure delivery to the customer shall not proceed until the planned arrangements verify product or service conformity, unless otherwise authorised by a relevant authority. Ensure your documented information provides traceability of the person authorising the release of the products or services to the customer.

Key change from ISO 9001:2008

Whilst the operation clause is the shortest, it covers most of the quality management systems processes, from enquiry to delivery and post-delivery activities including suppliers and outsourced services.

There is more emphasis on the control of outsourced processes to ensure that the same level of monitoring and management is applied to those carried out in-house.

This section of the standard emphasises the process based approach which should be taken in planning, implementing and measuring the quality management system processes to meet the objectives of your organisation and your interested parties.

The focus should be on ensuring that the desired outcomes of the processes are achieved and not just procedures being followed. The procedures and processes should ultimately be designed to achieve the intended outcomes.

Performance Evaluation

We now move into the ‘checking’ part of the PDCA cycle where your organisation should identify what needs monitoring and measuring to identify whether your quality management system is meeting all the requirements of interested parties.

Monitoring, measurement, analysis and evaluation

Your organisation should identify what needs monitoring and measuring and identify the relevant methods to collect this data.

Your organisation must monitor your customer’s satisfaction in relation to your products or services and analyse and evaluate data and information relevant to your business and management system operation.

New to this clause, is the requirement that you must effectively monitor the successful implementation of planning and actions to address risks and opportunities within your organisation.

Make sure you understand the specific requirements for analysis and evaluation when using results as inputs into your management review.

Internal audits

Internal audit requirements are largely similar. Planning for internal audits now has explicit considerations for quality objectives, customer feedback and changes impacting your organisation.

Your top management responsibility for action is now implicit whereas previously this was explicit, although there is a requirement for audit results to be reported to relevant management and for correction and corrective action to be taken without undue delay.

Auditors must be objective and impartial which is relatively unchanged from the previous standard. In fact, with the exception of there being now no requirement for a documented procedure, the internal audit clause remains mostly unchanged.

The potential impact on auditor competence is probably more significant. In particular internal auditors should have the demonstrated knowledge and skills to audit Annex SL and the new structure and content in the standard especially if the quality management system does not include a quality manual and very few or even no documented procedures at all.

Management review

There are now additional requirements for the management review. Management review outputs have been enhanced to include many of the new areas of focus. These include:

  • Changes in external and internal issues (such as strategic direction)
  • Performance concerning external providers
  • Adequacy of resources for effective quality management system and effectiveness of actions taken addressing risks and opportunities.

The basic requirement to conduct management reviews is much the same as in the existing clause 5.6 in ISO 9001:2008, but it now requires the organisation to take into account the business’ strategic direction and changing business environment.

What are currently labelled as inputs in ISO 9001:2008, are now called ‘considerations’ and whilst similar to the existing inputs, they are more clearly defined and rely heavily on utilising the data generated from monitoring and measuring activities as defined in earlier clauses.

Key change from ISO 9001:2008

Overall, the requirements within this clause remain largely unchanged although some have been enhanced. Monitoring perceptions of customer satisfaction are similar from previous requirements.

This clause has combined monitoring and measuring activities, added to them, made the requirements much more explicit and now requires the organisation to consider what they expect to achieve and how closely they have met those expectations.

Improvement

To complete the PDCA cycle, the improvement clause moves into the ‘acting’ stage of the cycle. The improvement of products and services, and future needs and expectations is addressed here.

There is now emphasis on improving processes to prevent nonconformities and improving products and services, therefore acting on findings found in the previous clause.

Nonconformity and corrective action

The nonconformity referred to in this clause concerns the entire quality management system and not specifically the products or services of your organisation which are addressed under clause 8.7.

There is a new emphasis placed on nonconformity and corrective action with consequences now included. Thus actions taken now recognise the potential occurrence of a similar nonconformity elsewhere.

Make sure your organisation readdresses risks and opportunities in case they need updating following nonconformity.

If any nonconformities are identified, make sure you document the nature of the nonconformity and subsequent actions taken.

Continual improvement

Not much has changed since the 2008 standard, as ISO 9001:2015 still requires your organisation to continually improve the performance of your quality management system. Opportunities can be addressed as part of this continual improvement activity.

Key change from ISO 9001:2008

This clause now combines improvement with correcting and preventing issues. Although there was previously a clause for improvement, the new standard prescribes a more holistic approach to identifying a range of opportunities for improvement. Not only for continual improvement but there is also an emphasis on various levels of improvement, from individual actions to company-wide changes.

Conclusion

"Organisations can set firm targets to complete or begin their transition to the revised standard and get a head start on the three year transition deadline."

Steve Williams, System and Governance Manager
LRQA

Determining the organisational context enables a more effective implementation of the quality management system. There is a greater emphasis on processes being managed to achieve planned results and an alignment with your organisation’s strategic direction.

There is a much greater emphasis on leadership where top management are now responsible for the management system and it cannot be delegated to a system representative. Sole responsibility now resides with top management to assign, manage and improve the quality management system.

The integration of the quality management system into your organisation’s business processes determines whether the risks and opportunities increase the effectiveness of your system.

The concept of organisational knowledge was introduced to ensure your organisation acquires and maintains the necessary knowledge to satisfy the requirements of your management system.

Communication requirements previously related to internal communication in ISO 9001:2008 has now been expanded and includes internal and external communication along with when, how and with whom to communicate.

The ISO 9001:2015 standard provides a framework for your organisation to manage your quality management system as an integral part of your business management planning and governance, including the effective management of risk on behalf of all stakeholders or interested parties.