My previous article in CERM Insights #164: “The ISO 9001:2015 Standard should be amended”, described my thoughts related to the confusion and ambiguous requirements in both the text of the Standard and the Annex to ISO 9001:2015. This article describes additional requirements that, in my opinion, are not clearly presented in ISO 9001:2015.
- The difference between purchasing and outsourcing;
- ISO 9001:2015 does not include definitions and with helpful guidance:
- The requirements of the Design and Development clause and project complexity;
- Organizational Knowledge and client confidentiality.
Details for these aspects of ISO 9001:2015 with ambiguous or unclear requirements are outlined below:
Outsourcing vs purchasing:
ISO 9001:2015 does not define the difference between “outsourced” processes in either the text of the standard or the Annex to the standard. Note 2 in clause 4.1 General requirements of the current ISO 9001:2008 revision, provided the following definition of an outsourced process:
“A process that the organization needs for its quality management system, and which the organization chooses to have performed by an external party”
Since organizations purchase the output of processes (or materials) from external parties, what’s the difference between purchasing and outsourcing? More importantly, how does the organization maintain controls to ensure outsourced products or materials meet the organization’s commitments to its customers? For the last several years I have advised my clients to consider the following distinction between the two processes:
Purchasing: “Materials, products or services provided for the organization by external providers and delivered directly from the external provider’s site to the organization’s site.”
Outsourcing: “Materials, products or services provided for the organization’s customers by external providers and shipped directly from the external provider’s site to the customer of the organization.”
To illustrate the concept, the following situation may be helpful: An organization engages an external source (supplier) to chrome plate parts that have been produced by the organization.
– If the supplier returns the chrome plated parts to the organization- that is purchasing, as the organization can ensure the quality requirements are met at the organization’s premises.
– If the organization engages the supplier to chrome plate parts produced by the organization and the supplier delivers the chrome plated parts directly to the organization’s customer- that is outsourcing, as the organization will have to establish controls for the chrome plater to ensure quality requirements are met before the parts reach the organization’s customer.
When the parts come back to the organization, they can be inspected by the organization before release to the customer. In the outsourced case, the organization has to rely on the chrome plating supplier to properly inspect, package and ship the finished product to the organization’s customer. This adds the risk that the supplier will not perform the tasks properly. When outsourcing is used in this context, the organization needs to establish controls to monitor the supplier’s quality. Controls for outsourced sources include a wide range of activities depending on the quality risk of the outsourced activity. At the high end of risk, the outsourced provider would be required to transmit inspection or functionality results to the organization requesting the work, before shipping the product to the organization’s customer. Other high-risk level outsourced processes are managed by having a representative of the organization release the product at the provider’s plant. Lower level controls include: certifying the provider via performance history and/or quality audits at the provider’s plant.
The outsourcing example described is related to the ISO 9001 clause 8 for Operations. There are other processes outsourced related to Human Resources, Information Technology and Accounting that require controls appropriate to the activities and risk. When Design activities are outsourced, the potential impact on the customer requirements is normally controlled by the hiring organization’s approval of the outsourced designer’s work.
Many auditors may disagree with my distinction between outsourcing and purchasing. I advise my clients to document the definitions provided above. When ISO 9001 does not provide a clear definition within the requirements clause sections of the Standard (not an external document), the organization can apply a definition that fits the context of their business to ensure adequate controls to satisfy customer requirements.
ISO 9001:2015 should include definitions and better guidance:
A well written management system standard should include the terms and definitions within the standard, with appropriate interpretation guidance. To obtain terms and definitions supporting ISO 9001: 2015, you need to obtain a copy of ASQ/ANSI/ ISO 9000:2015 “Quality management systems – Fundamentals and vocabulary”. If you require interpretation assistance, you can obtain “Guidelines for the application of ISO 9001:2015, ISO/TS 9002:2016: Quality management systems.” The obvious question is why does an organization need to have three separate documents to navigate through the new requirements?
The ASQ/ISO/ ISO 14001:2015 Standard for environmental management systems include clearly stated definitions in Section 3: “Terms and Definitions”. The Annex provides some helpful guidance for interpretation issues. The ISO 14001:2015 Standard has some issues similar to the quality analog – mostly due to harmonization of all management systems required by the “ISO/IEC Directives, Part 1 Consolidated ISO Supplement —Procedures specific to ISO” (Annex SL for short). The composers of ISO 14001:2015 created a workable set of requirements- all in one document. I would suggest the US TAG 176 consider the ISO 14001 model when amending ISO 9001 or re-issuing the standard.
If Annex SL is intended to harmonize the various management systems, why doesn’t ISO 9001:2015 include Section 3 “Terms and Definitions” and Annex A “Guidance and use of this International Standard” as included in ISO 14001:2015?
Adjusting the requirements of the Design and development to project complexity:
Clause 8.3, Design and development of products and services of ISO 9001:2015 has the same requirements as ISO 9001:2008 clause 7.3. The 2015 revision does recognize there can be differences in complexity for design and development activities within the organization. This is a good addition and should be considered by both organizations and auditors.
The general requirements for clause 8.3 covers a design process for projects with a cycle time of a few years- and for projects completed in days or weeks (enhancements/modifications or minor reconfiguration of mature designs). Organizations with both complex, lengthy projects and quick turn-around modifications should develop their design process controls accordingly.
Not explicit in the requirements of clause 8.3 is the requirement to have a time bound plan. This has been a deficiency in prior revisions of ISO 9001 as well. When auditing an organization with several designers and several projects running simultaneously, I was often disappointed to observe the lack of an integrated plan to assist scheduling resources. While the required stages of the project were defined, the planned completion dates or milestones were not established (or estimated). Many organizations use a Gantt chart, or similar chart, which establishes estimated completion dates for each design phase- often working backwards from the customer’s required completion. By integrating the timelines of all projects, resources can be better allocated.
In simple terms, the basic requirements for a design project include the following steps or phases:
- Statement of Work- what is “new”?
- Time-bound Plan
- Input requirements- specifications
- Outputs- expectations
- Design Reviews as appropriate
- Verification/ Validation plan- customer acceptance
- Transfer of project to production
When I audit an organization’s design process, I first ask the auditee what type products they design- complexity level and typical cycle time. I then ask to see a few completed (or near completed) project files- looking for evidence of conformance to the seven phases. For projects managed by one or two designers, I rarely question how the organization defines responsibilities and authorities, the internal and external resources as listed under ISO 9001:2015. If the project is a major new development, then I will look for more design reviews and cross-functional planning and controls.
Dr. Robert G. Cooper, one of the founders of Stage-Gate International, introduced the new product development process, referred to as “The Stage-Gate® innovation process”, over 20 years ago. Many organizations have used this process or a variation to satisfy the requirements of ISO 9001- Design clause. (A search on the Internet provides many software products offerings related to Stage-Gate or Phase-gate).
A properly designed and implemented Stage Gate process will satisfy ISO 9001:2015 clause 8.3 requirements, but also adds two management enhancements, while integrating ISO 9001 with the organization’s business model. Stage 1 includes a screening of ideas for new developments to analyze the cost benefits of the project along with potential challenges and competitive factors. The last Stage (often Stage 8) includes a post launch review to measure the project’s results and return on investment, as well as “lessons learned” to apply to future projects. Utilization of the Stage Gate process for new product design is a good way to demonstrate integration of the quality management system into to the context of the organization’s business model.
Organizational Knowledge:
ISO 9001:2015 includes a new requirement: clause 7.1.6 “Organizational knowledge”:
-The organization shall determine the knowledge necessary for the operation of its processes and to achieve conformity of products and services. This knowledge shall be maintained and be made available to the extent necessary.
-This knowledge shall be maintained and be made available to the extent necessary.
-When addressing changing needs and trends, the organization shall consider its current knowledge and determine how to acquire or access any necessary additional knowledge and required updates.
ISO 9001:2008 clause 6.2 “Human resources: 6.2.1 General”: Personnel performing work affecting conformity to product requirements shall be competent on the basis of appropriate education, training, skills and experience- implied organizations should maintain organizational knowledge. ISO 9001:2015 requires organizations to consider and review the organization’s processes to ensure operational/ process or product knowledge is maintained when employees leave the organization and review processes used by organization to remain knowledgeable with new technology relevant to their business model.
A 3rd party auditor would expect the organization, depending on its operations, to have some formalized program for succession planning, technology updating and supplier contingencies. Many currently certified ISO 9001 organizations have processes in place for maintaining organizational knowledge by way of their Business Strategy and Contingency Planning. I don’t believe the Organizational Knowledge clause adds any new requirements to Clause 7.2, “Competence”, which covers continual updating of employee knowledge via training, as applicable. Unfortunately, as clause 7.1.6 is worded, auditors may find determine how to acquire or access any necessary additional knowledge and required updates as an expansion of the training requirements-not an accurate interpretation in my opinion.
The organization’s internal auditors and 3rd party auditors will need to be sensitive to possible confidentiality issues with regard to exposure to this information. Additionally, since the requirement is to consider its current knowledge and determine how to acquire or access any additional knowledge, auditors should not require the organization to implement actions to acquire additional knowledge as the implementation of a business strategy is confidential and outside the scope of ISO 9001 and the skill set of ISO auditors. Auditors should expect a process is in place to ensure organizational knowledge is maintained appropriate to the context of the organization’s business.
Summary:
My objective in writing the two articles is to assist organizations in working through the confusion created by the new standard, while finding opportunities to improve their quality management system. I also wanted to advise the US TAG 176 of my concerns with the new standard- requesting the US TAG start a process to amend the standard.
I sent “The ISO 9001:2015 Standard should be amended” article to standards@asq.org for forwarding to the US TAG 176 for consideration. I was advised by the Standards Manager, ISO Secretary – PC 302, TC176 SC1, TC207 SC4, TC69, ASQ that Clause 2.10 Technical Corrigenda and Amendments of the ISO/IEC Directives Part 1 provides a procedure on how a published standard may be modified.
Additionally I was advised by the Standards Manager: “The 6 year+ revision process incorporated public comments and international mirror committee comments, and followed the consensus process. In the US, ASQ reached out to members and beyond for public comments, and also administer the TAG. I mention this in part because I rarely see amendments to ISO standards.”
I was also advised that the TC176 has an interpretations process. I should send any requests for interpretation to standards@asq.org and the US committee reviews and responds to them, then forwards them to the international committee (TC176 SC2). You could consider this as an avenue to receive a response to your concerns. The guidance link is: www.iso.org/tc176/sc02/public. I was aware of the Auditing Practices Group (APG) and had perused it in the past with frankly little value. For those new to APG, I suggest you bring up the Guidance on Risk Based Thinking and see what you think.
Many readers on LinkedIn who responded to my CERM article suggested the TAG would take no steps to consider an Amendment to ISO 9001:2015 in the near future. I also knew that; but a good auditor is open minded and makes fact- based decisions. Better to have an official “rejection” than be criticized later for not using the process.
I hope the two articles with the interpretation opinions and suggestions will be helpful to organizations faced with upgrading to ISO 9001:2015. They are obviously not endorsed by ASQ.
I have particular concern for the many wonderful small shops who have been obliged by customers to maintain an ISO 9001 certificate- organizations with minimum resources. Many of these companies have developed a solid “nuts and bolts” quality system under the older version of ISO 9001 and maintain excellent product quality and customer satisfaction. These organizations have to spend $5,000 to $10,000 annually to cover the Registration surveillance audit expenses- and then every 3rd year are burdened with additional costs for Recertification- and then in the 7th year have to hire a consultant to “teach” them about new requirements: risk based thinking, the context of their business and organizational knowledge.
The poorly drafted ISO 9001:2015 Standard and its apparent little value-added to their business may cause them to not maintain their certificate. My clients in past years who dropped ISO lost little business. If you make a cost-effective, quality product, customers will look beyond the ISO certificate.
Bio:
Milt Dentch has a BS in mechanical engineering from Worcester Polytechnic Institute and an MS in quality management systems from the National Graduate School of Quality Management (NGS). After college, he worked as an engineer in the paper industry for 5 years, and then he worked as an engineer and senior manager at the Polaroid Corporation in Waltham, Massachusetts, for 27 years. He was plant manager for the Custom Coating and Laminating plant in Worcester for the Furon Corporation for several years.
Milt currently provides consulting, training, and auditing related to the International Organization for Standardization requirements for quality, environmental, and safety management systems. He has conducted over 500 audits worldwide for large and small companies. Milt is an Exemplar Global qualified Lead Auditor for Quality and Environmental Management Systems and a Registrar approved OHSAS 18001 Lead Auditor.
ASQ Quality Press published Milt’s books: “The ISO 9001:2015 Implementation Handbook” and “The ISO 14001:2015 Implementation Handbook.”