I have been an RABQSA (Exemplar Global) lead auditor for twenty years. My auditing experience includes conducting over 500 audits for worldwide organizations and providing dozens of Internal Auditor training classes. I am currently assisting several companies in upgrading to the ISO 9001:2015 quality management system (QMS) requirements. While the previous ISO 9001 revisions had their share of interpretation issues, the latest revision, ISO 9001:2015, has many issues which are hampering the transition to the new standard in my opinion.
Examples where I feel ISO 9001:2015 has missed the mark and needs to be corrected or clarified:
- While promoting the need for organizations to practice process management and integrate the QMS into the organization’s business context, ISO 9001:2015 dilutes the requirements of the previous ISO 9001:2008 clauses related to process measuring and validation.
- Several clauses of the new standard are poorly structured with confusing linkage among clauses and excessive use of indexing or subsets.
- The benefits that could be gained by addition of the risk based thinking requirement is diminished by guidance in the Annex to ISO 9001:2015 that allows organizations to have an informal risk management process.
- The revised clause “Environment for the operation of processes”, suggests organizations should include areas of employee safety and social awareness as part of their QMS. The ISO 9001 requirements for work environment should clearly relate to conformance to product quality- not employee safety or social issues.
- The attempt to harmonize the documentation for all ISO standards using Annex SL does not provide any obvious benefit to quality management. The 30 year old ISO 9000 concept of documents and records has been obfuscated by the 2015 terminology of documented information. The inference in the new standard that a quality manual is not required or useful will serve to weaken some current quality systems by removing the high level policy summary currently required by ISO 9001:2008.
I suggest the US TC 176 initiate a process to recommend to the International Organization for Standardization that ISO 9001:2015 be amended, or at a minimum the Annex be rewritten to remove the existing confusion and contradictions. My concerns with the new Standard and the Annex to ISO 9001:2015 are illustrated as follows:
The Dilution of ISO 9001:2008 Requirements:
A key goal of ISO 9001:2015 is to require organizations to integrate the quality management system into the business model and to encourage organizations to employ process management. In my opinion, the committees who developed (or approved) the new standard diluted the important business strategy of process measuring to establish a baseline for improvements. Additionally, the current requirement to validate processes where the output cannot be measured has been de-emphasized compared to the clearer statement in the previous revision, ISO 9001:2008.
Monitoring or Measuring of Processes:
ISO 9001:2008 Clause 8.2.3: “The organization shall apply suitable methods for monitoring and, where applicable, measurement of the quality management system processes:” was often misunderstood by organizations to only refer to the manufacturing or servicing processes. That was not the case. Under ISO 9001:2008, organizations were required to establish metrics (and goals) for their core processes (e.g. sales, design, purchasing, manufacturing, servicing). Corrections would need to be initiated when goals were not met. Support processes would be monitored as part of the organization’s Internal Audit process. Under ISO 9001:2015, the requirement to monitor or measure processes is dropped down as subsets of clause 4.4 “Quality management system and its processes”:
4.4.1c: “Determine and apply the criteria and methods (including monitoring, measurements and related performance indicators) needed to ensure the effective operation and control of these processes;”
4.4.1 g: “Evaluate these processes and implement any changes needed to ensure that these processes achieve their intended results;”
This terminology will continue to cause organizations to believe they only need to measure their manufacturing or servicing processes.
Validation of Processes:
ISO 9001:2015 removed a main clause from ISO 9001:2008, “Validation of Processes” clause 7.5.2 and moved the requirement into a lower subset of 8.5.1, “Control of production and service provision, 8.5.1f”. This is unfortunate, as validation of processes can be an important facet of and organization’s quality performance and has often been overlooked by both auditors and organizations.
In simple terms, if an organization can measure their products, either by dimensional, functional or visual standards, then the organization would not have process validation requirements for products delivered to customers. If there are situations where the organization cannot measure the product (e.g. soldering, welding, machine assembly, cleaning, lamination), then the organization needs to define and control these situations to ensure product conformity. Dropping the requirement several layers down in the Production and Service Provision clause will not be helpful in ensuring organizations (and auditors) pay attention to product conformity issues where the customer might be the first to see a defective product.
Poorly structured clauses:
Many clauses of ISO 9001:2015 contain requirements that are difficult to interpret, in my opinion, and the Annex A, (informative): “Clarification of new structure” does not effectively clarify the requirements. Clause 6.1, “Actions to address risks and opportunities” includes references to previous clause requirements, using the clause number only, without clarifying the linkage. Organizations or auditors should not have to return to clauses 4.1, 4.2, 4.4 to understand the issues or requirements connected to clause 6.1-or why these clauses are important in the context of planning for risks. It would have been clearer to simply say: “When planning for the quality management system, the organization shall consider the context of the organization and the needs of interested parties.”
Clause 6.1 includes five levels of indexing (6.1.2.a, 1). Why is this necessary? The clause 6.1 could have been just as clear with two or three levels. The previous revision of ISO 9001 in 2008 used a maximum of three levels and is much more readable and easier to interpret than the 2015 version. Other clauses in ISO 9001:2015 that provide excessive indexing include clauses: 8.1: “Operational Planning and control”; 8.5: “Production and service provision”; 9.2: “Internal audit”.
The committees who composed the 2015 standard may defend the need to provide multi-levels of a requirement to assist the clear presentation of gaps or nonconformances in an organization’s actions related to the requirement. This concept is contradicted by the majority of the clauses in ISO9001:2015. For example, clause 8.5.2: “Identification and traceability” contains four requirements (shalls); but has no indexing. Clauses 8.5.3 “Property belonging to customers” and 8.5.4 “Preservation” are other clauses without excessive indexing. Based on my experience, Identification and Customer Property requirements have more potential for discrepancies and nonconformances than the over-indexed clause 6.1 for Risk Management.
Risk-Based-Thinking process can be informal
Annex A to ISO 9001:2015: “Clarification of new structure, terminology”, is intended to clarify the requirements of clause 6.1, Actions to address risks and opportunities. This interpretation provides a path for organizations to essentially ignore the new requirement related to analyzing and addressing risk, as the clarifications indicates risk planning documentation is not required.
A.4 Risk-based thinking:
Although (6.1) specifies that the organization shall plan actions to address risks, there is no requirement for formal methods for risk management or a documented risk management process. Organizations can decide whether or not to develop a more extensive risk management methodology than is required by this International Standard, e.g. through the application of other guidance or standards. Not all the processes of a quality management system represent the same level of risk in terms of the organization’s ability to meet its objectives, and the effects of uncertainty are not the same for all organizations. Under the requirements of 6.1 the organization is responsible for its application of risk based thinking and the actions it takes to address risk, including whether or not to retain documented information as evidence of its determination of risks.
I believe most 3rd party auditors will expect some form of documentation to indicate risk-based thinking is part of the organization’s quality management system. A guideline I use in training internal auditors: “If it is not documented, it didn’t happen.” How an auditor can determine if an organization is applying risk based thinking, without objective evidence (documentation) is contrary to the concept of auditing. From the genesis of ISO 9000 in 1987, anecdotal or verbal evidence has never been acceptable verification for satisfying a requirement.
How the organization assesses the risks and opportunities related to its purpose, business strategy and expectations of interested parties to ensure the quality management system meets its objectives should be a requirement, unless the organization can convince themselves (and the auditor) that after consideration the risk analysis process adds no value to their business- unlikely in my opinion. Even very small organizations have reason to be concerned about the challenges and risks facing their business.
The elimination of the requirement of preventive action is a good step. The advent of the quality tools Six Sigma and Lean Manufacturing the last several years have provided organizations of all sizes with techniques to eliminate the causes of potential nonconformities. Quality tools currently used in many organizations include Strength, Weakness, Opportunities, Threats (SWOT) Analysis and Failure Mode Effect Analysis (FMEA). While organizations with an effective Quality Management System certainly understand risks related to their operations, the new requirements of ISO 9001:2015 may have a positive effect on organizations by requiring a more formalized process and subjecting the risk evaluation process to a 3rd party audit. I would encourage organizations certifying to ISO 9001:2015 to include some form of documentation explaining their risk planning process. It is a good business practice- and may help the organization avoid a disagreement with an auditor who did not read Annex 4!
Misapplication of quality controls related to the Work Environment:
Clause 7.1.4, “Environment for the operation of processes”, formerly referred to as Work Environment has been a continual source of confusion for both the organization and the auditors. Clause 6.4 “Work Environment in ISO 9001:2008 included the Note:
The term “work environment” relates to those conditions under which work is performed including physical, environmental and other factors (such as noise, temperature, humidity, lighting or weather).
ISO 9001:2015 did not help resolve the situation, but added even more irrelevant information. Clause 7.1.4 has a Note that suggests:
A suitable environment can be a combination of human and physical factors, such as:
- a) Social (e.g. non-discriminatory, calm, non-confrontational);
- b) Psychological (e.g. stress-reducing, burnout prevention, emotionally protective)
- c) Physical (e.g. temperature, heat, humidity, light, airflow, hygiene, noise).
These factors can differ substantially depending on the products and services provided.
Clause 7.1.4 requires the organization to determine, provide and maintain the environment necessary for the operation of its processes and to achieve conformity of products and services. So, should the organization (and the auditor) be concerned that a nervous or sweaty employee will make a poor product? I believe that the intent of clause 7.1.4 is to cover work environment issues, such as work area temperature and humidity and electrostatic conditions and dirt that can cause nonconforming product. There are many products that need to be produced (and measured) in a controlled temperature/ humidity environment. Electronic circuit boards often need to be produced in an atmosphere free of electrostatic charge from employees; similarly many products need to be produced in an atmosphere free of dirt or contamination. While organization should maintain a safe and clean and comfortable workplace; auditing to those requirements should not be in the scope of ISO 9001 auditing.
I once had an auditor-colleague claim when observing some safety violations in a plant: “the organization won’t meet its shipping commitments if OSHA puts a lock on the door!” Not helpful-quality auditors should focus on quality.
Non-value revisions to documentation and records
Documented Information:
Annex A1 “Structure and terminology” to ISO 9001:2015 includes several changes in terminology. Documented Information now includes documents, procedures, work instructions as well as quality records. According to A1, Structure and terminology, the clause structure was changed from ISO 9001: 2008 to improve alignment with other management systems standards. I am familiar with the environmental management standard ISO 14001:2015; that standard has the same changes in structure and terminology. It also has the same caveat as ISO 9001:2015- no need to adapt to the new terminology. The justification for this change in documentation terminology is quite weak, particularly related to the concept of records. Quality records are an important part of the QMS. In addition to providing evidence of conformance to a specification or requirement, a quality record can often be an organization’s best defense against a customer product return or even in a law suit. Let’s not confuse control of quality records with documented procedures or instructions.
The Annex provides additional confusion. The 3rd paragraph in A1 Structure and terminology states:
The structure of clauses is intended to provide a coherent presentation of requirements, rather than a model for documenting an organization’s policies, objectives and processes. The structure and content of documented information related to a quality management system can often be more relevant to its users if it relates to both the processes operated by the organization and information maintained for other purposes.
It is not clear to me how an organization would find ways to apply the “advice” provided in the above statement. I think the comment might relate to the acceptability of importing documentation from outside the quality management system without useless re-naming and indexing- great, there was never value in over-documentation of maintenance manuals and similar instructions.
I suggest organizations continue to “document what you do- do what you document”. The documentation of the quality management system should be suitable to the organization’s business, and provide value in managing the organization’s processes. The overarching principle in documentation should be to formalize what is needed to ensure users of the documentation have a source for information and instructions that is accurate and timely, providing consistency in managing the business.
Value of the Quality Manual:
ISO 9001:2015 does not make reference to the requirement for a Quality Manual, as was clearly required by ISO 9001:2008. In my opinion, this omission will only make currently weak quality management systems weaker, with no apparent benefit to organizations of any size or complexity.
Organizations currently maintaining a quality manual should continue using the quality manual as a high level consolidation of the key elements- or roadmap, of their quality documentation. It is recommended that organizations with a quality manual that currently includes paraphrasing of each ISO 9001 clause requirement- going back through several ISO 9001 revisions- seriously consider streamlining the QM to include:
- A description of the organization’s business model including the context of the organization and expectations of interested parties;
- The scope (the activities, processes and buildings and locations) of the quality management system;
- The description of those ISO 9001:2015 requirements, which are not applicable to the quality management system, as they do not affect the organization’s ability or responsibility to ensure the conformity of its products and services;
- The documented procedures established for the quality management system, or reference to them;
- A description of the processes and their interaction between the processes of the quality management system;
- The Quality Policy;
- Responsibilities and Authorities
The quality manual can be efficiently constructed in about ten pages. The process and interaction description should define the processes within the organization’s business model- not the generic process of ISO 9001. The quality manual should define what the organization will do– not what it may do.
Summary:
The ISO 9000 concept now has a 30 year history: 1987 to 2017. The original version, with the twenty prescriptive elements, and the revisions in 1994, 2000 and 2008 have provided industries around the world with a disciplined approach to providing products and services. There are now over one million organizations certified to ISO 9001. I believe the discipline of ISO 9001 has been very helpful in improving the quality of products since 1987 and will continue into the future.
While ISO 9001: 2015 adds focus on risk management and encourages the integration of the quality management system with the organization’s business as well as expanding top management’s direct participation, I am concerned the flaws and confusion outlined in this article related to ISO 9001:2015 will hinder its effective implementation.
In the quality world, when a product is deemed incapable of achieving the intended objectives, the product is recalled, redesigned, tested and reintroduced. Rather than wait the traditional seven years, I suggest ISO 9001:2015 be amended in the next few years to present the quality world with an ISO 9001 standard with clearly stated and unambiguous requirements.
Bio:
Milt Dentch is a ISO management systems consultant. He has published two books through ASQ. I have been an Exemplar Global (RABQSA) EMS qualified lead auditor for over 15 years, and have conducted over one hundred ISO 14001 3rd party audits for international Registrars Bureau Veritas and TÜV SÜD America. During my 40 years working at the Polaroid Corporation and the Furon Custom Coating plant, I had responsibility for several environmental controls, including waste water treatment; hazardous waste management; toxic chemical reduction and volatile organic chemical thermal incinerators. I have prepared the training modules and provided training for EMS Internal Auditors.
BTW: You can order Milt’s books by clicking: