Recently, we successfully completed the certification audit to update our organization Quality Management System to ISO 9001:2015. This is what we learned about the new standard, and how different this is compared to now obsolete (would be officially over by September this year) ISO 9001:2008.
1. Focus on prevention; new standard requires from the organization responsibility to manage the QMS considering all potential risks and taking actions to prevent impact those risks might produce in the organization.
2. Structure: norm went from 8 requirements to 10, and they were re-arranged to easily communicate PDCA through them:
3. As part of the change mentioned above, some requirements were merged and some new were added: section 7 now is dedicated to “Resources” (it was Process related in previous standard), section 8 is now Operational requirements (it was dedicated to Quality requirements). Sections 9 (Performance Evaluation) and 10 (Improvement) focus on what previously was section 8 but split in two.
4. As part of the new structure, some of the most well-known requirements moved and/or changed focus; v.g.: Competence, Training and Awareness (6.2.2 in ISO 9001:2008) has been fully updated and separated in two different requirements (7.2 Competence and 7.3 Awareness), Control of Documents and Records (4.2.3 and 4.2.4 before) are merged now on section 7.5 Documented Information, Control of Monitoring and Measuring Equipment (7.6 in the past) is now 7.1.5 Monitoring and Measuring Resources, etc.
Standard is now more flexible, for instances:
1. Controlled Documents has been replaced for the term “Documented Information”; days of strict document control system based on codes and revision levels are going to end: now we can use different type of documents, in different formats with dates as revision levels and signatures and/or written consent as approval for changes/updates.
2. Management Representative is removed (but responsibilities now resides on Top Management Staff)
3. Quality Manual is no longer required.
4. Corrective Actions process has changed: it starts with corrections (actions to eliminate the nonconformity condition) and then organization will take a data driven decision in orderto move forward with corrective actions (actions that eliminates the root cause) or not.
Requirements for Top Management are now heavier loaded:
1. Organization must (for this report I prefer “must”, in present, instead of “shall”) have evidences that has evaluated external and internal issues, taking actions to minimize or eliminate risks impact and evaluate those actions effectiveness (including but not limited during the Management Review Meeting) – Requirement 4.1
2. External and internal “interested parties” requirements must be considered, and actions to meet their requirements must be taken, then evaluation of the effectiveness of those actions (including but not limited in the Management Review Meeting) – Requirement 4.2
3. Exclusions are no longer allowed: scope of QMS and its processes must be defined and documented at first and any “not applicable” process must be justified and documented as well. – Requirement 4.3
NOTE: for these 3, SWOT (or similar) is the tool mostly used. Standard ISO 9002:2016 mentions also PESTLE (or PEST) analysis.
4. Quality Objectives must now include actions to achieve them and results evaluated (requirement 6.2)
5. Customer Orders should not be accepted unless organization has analyzed its “ability to meet the requirement” (product and service):
8.2.3 Review of the requirements for products and services
188.8.131.52 The organization shall ensure that it has the ability to meet the requirements for products and services to be offered to customers. The organization shall conduct a review before committing to supply products and services to a customer…