iso 9001: 2015 – a guide to understanding and implementing ...jemo.co.uk/linked/free guide to iso...

JEMO Limited 11 Willowbank, Chippenham Wiltshire SN14 6QG, United Kingdom Phone: +44 (0) 1249 447 544 Fax: +44 (0) 1249 400 200 E-mail: [email protected] www.jemo.co.uk

This guide provides details of the High

Level Structure requirements based on DIS

9001: 2014. It concentrates on the core

requirements that should not change

when ISO 9001: 2015 is published.

ISO 9001: 2015 – A Guide to

Understanding and

Implementing the High Level

Structure (HLS) JeffMonk

mailto:[email protected]

Guide to ISO 9001: 2015 – the requirements that should not change

©JEMO Ltd. 2015 Page 1 of 15

Introduction

ISO 9001: 2015 is nearing publication, the certification industry is gearing up with road shows, and

new terminology is entering the quality language. The jury is out on whether the changes are ground

breaking or just a tidy up job; whether you should get started now or wait for the “amnesty period” to

expire before you get started. Two highly respected commentators - the Chartered Quality Institute

(CQI) and the IRCA (the International Register of Certificated Auditors) in a joint statement have said

“This is the most important event since ISO 9001”.

We consider the changes to be sufficiently significant, affecting the way your organization is run for

you to make a start now. In this guide we cut to the chase and provide you in plain language an

introduction to the new core requirements and a brief overview of the quality related changes.

“But there could still be some changes, couldn’t there? Well – “Yes” and “No”. Some of the changes

that have been made are to the core material that affects all ISO management system standards and

these should not change. It is these that we concentrate on in this guide.

As we are auditors working for international accredited certification bodies we also provide some

opinions on how their auditors may approach the changes.

Why does the standard have to change?

The International Standards Organization (ISO) reviews its standards every five to seven years. It

also carries out surveys and takes into account feedback from many quarters. Based on this it has

decided this time to standardise as much content as possible in all of its management system

standards. This has resulted in at least 60% of ISO 9001 having core content that is the same as ISO

14001 (environmental management) and other standards. This should not change. The remaining

40% is quality specific and could be subject to minor further change.

A significant comment received was that the standard was biased too much to manufacturing and did

not adequately take into account the needs of service industries. This has been addressed in the new

standard and service has the same status as product.

What is standardised and what is not?

The core requirements common to all ISO management system standards are known as the High

Level Structure (HLS) and are derived from an IEC/ISO Directive which the standards writing teams

must follow. Without going into the technical details, this is in an annex to a Directive and you may

also hear these referred to as Annex SL.

As we said earlier, on top of these core requirements the rest for each standard are discipline-

specific. The quality related standards such as ISO 9001, ISO 13485 and others will have different

discipline specific requirements to ISO 14001, ISO 22000 (food management) and others.

Will the HLS/Annex SL requirements change?

This is unlikely, but you never can tell with standards not yet published. The consensus of opinion

from the quality professionals such as the (CQI) is that they will not change. Which is why have

recommended that you make a start now.

Many of the quality discipline requirements have been developed from the existing ISO 9001: 2008

standard and our experience from previous major revisions is that the changes to these from now on

will be relatively minor.



What is the position with ISO 9001: 2015 at the moment?

The standard is currently at Draft International Standard (DIS) status. This has been reviewed and will

be issued as Final Draft International Standard (FDIS) in June this year. There should be no changes

between the FDIS and the publication of ISO 9001: 2015 in September this year

Caveat

Whilst we have done our best to ensure the information we have provided is accurate we cannot be

held responsible for any errors or omissions or actions resulting from your interpretation and

implementation of this guidance.



The major changes to the core (HLS/Annex SL) requirements

There are ten clauses instead of eight

Whilst ISO 9001: 2008 has eight clauses, the 2015 version has ten. This would not be an issue if

clauses had simply been sub-divided, but most of the clauses have new requirements. The common

clause titles and sequence are shown in Table 1 with comments on the changes:

Clause Title Comment

1 Scope Basically as the 2008 version

2 Normative references There are no normative references – they are now contained within the standard

3 Terms and definitions These are now contained within the standard

4 Context of the organization This is a completely new requirement and is significant

5 Leadership This involves top management leading the quality management system (QMS). The management representative role is now redundant – significant change

6 Planning This now involves risk assessment and management and is significant

7 Support This develops “Resources” of the 2008 version to a higher level. Significant changes in terminology

8 Operation This develops “product realization” of the 2008 version to a higher level. Significant changes.

9 Performance evaluation This develops several 2008 requirements for monitoring and measuring the QMS and the processes, products and services.

10 Improvement This develops Non-conformance, Corrective action and Improvement of ISO 9001: 2008. Preventive action is dropped – the whole standard is aimed at prevention.

Table 1 The ISO 9001: 2015 clauses and sequence

Changes to terminology

There are some significant changes to terminology that will need to be understood by you and your

auditors. As examples:

documented procedures are not now referred to but you do need to maintain documented

information – wherever you see the verb maintain this means document

records are not referred to and are embraced by documented information – wherever you see

the verb retain this means record

product is replaced by products and services – emphasising that the standard is equally

applicable to services



quality manual has been dropped – it is now up to you how you describe what you do and

what you call it. The standard requires integration of the quality processes with the overall

business processes so Business Manual might be an appropriate title for your quality manual

quality context is a completely new term which when combined with internal and external

issues and will need to be thoroughly understood

risk based approach is what it says it is – identified risks, their impacts, the chances of

occurrence and the management of them.

management representative (MR) – as we have said in Table 1, this has been dropped and

the roles and the MR responsibilities need to be spread around the top management team

monitoring and measuring resources – this spreads the net wider than instruments to include

the people who make decisions as a result of checks they do

externally provided products and services replaces purchasing – products, services and even

processes can be provided from a wide range of sources

Some old friends are still there e.g.:

quality objectives

processes and a process approach

design and development – this was dropped in the committee draft but reinstated in DIS

9001: 2014 and will be retained in the published standard

The core HLS requirements

To repeat ourselves, these should not change and you can make a start on these. We will look at

them in the sequence of the standard.

Clause 4 Context of the organization

This has the following sub-clauses covering: 4.1 Understanding the organisation and its context

4.2 Understanding the needs and expectations of interested parties

4.3 Determining the scope of the quality management system

4.4 The quali t y management system and its processes

The “Organization and its context” may look a little intimidating at first but what it really means is that

you should clearly define what your organization does and its reason for existence. You probably

already have this in place in high level strategy documents such as business and marketing plans. If

so, include this in your quality system documentation.

You will then need clear definition of the issues that can affect what you are there to achieve. These

can be many and varied and include those from within your organization (such as cultural issues) and

external issues (such as the ability to raise credit in a tough financial market). There may be many

more issues and it may take some time to identify them all. They should be regularly reviewed as

circumstances and the issues change.



The other influences on what you achieve can be from stakeholders in your business. The standard

now calls these interested parties and they can be more than customers. You will need a good idea of

who they are, their interests and any risks to your business that they present.

If you have an ISO 9001: 2008 compliant system you should already have a well-defined scope of

your quality management system stating what is included and what is not. We suggest you examine

this to see if it is still appropriate to the issues identified and the needs and expectations of all

interested parties.

Finally for this clause your quality management system should be centred on your key processes and

be continually developed and improved to cope with changing circumstances. You are probably

already doing this. We will look at this further when we get to Clause 6 which covers planning and

Clause 10 which covers improvement.

The quality related requirements.

Most of this clause is HLS/Annex SL and there are no significant quality related requirements

How auditors may approach this

This can make an auditor’s job easier. When they approach an organization for the first time they may

have only a limited idea of what you do and the issues you face. They may only glean a proportion of

this from studying websites and questionnaire returns. You should now be able to provide a profile

and an insight into your business goals, objectives and influencing factors. Of course expect them to

challenge this if it is not transparent, over-biased in your favour or conflicts with what their experience

of similar organizations suggests.

Clause 5 Leadership

This has the following sub-clauses:

5.1 Leadership and commitment to the quality management system

5.2 Quality Policy

5.3 Organisational roles, responsibilities and authorities

The qualifier Quality differs with other management system standards. For example ISO 14001 will

have Environmental Policy. There are sub-sub clauses that are quality specific and listed later.

At first glance this appears to be much like Clause 5 (management responsibility) of ISO 9001: 2008.

Look closer and you will see it has some significant changes. In many organizations top management

do not lead the QMS and leave this to “Mr or Ms Quality” – the management representative (MR). In

these organizations this must change because the quality management representative role has

disappeared.

Much of what ISO 9001: 2008 required the MR to do have been transferred to the top management

team, although they can delegate some of this. If you are the management representative we suggest

you closely examine what you do now. Re-position your role as an internal consultant to your top

management team to provide them with the assistance they need to make the transition and to be on

hand when needed afterwards.

Top management now have to accept genuine accountability and “hands on” commitment to the

quality management system and be able to demonstrate this.



They have to ensure the quality management system is integrated into the business and is not a bolt-

on extra. The general purpose of this is to spread the involvement in the QMS to the wider

management team and involve people in a “quality culture”. This is one good reason for starting now

– culture changes can take substantial time to introduce.

The quality policy has been strengthened and developed and now includes a commitment to meet all

applicable requirements and to be improved. It must be understood by everyone who works under

your organization’s control and who can affect the quality of what you deliver. This includes other

interested parties and providers and you should make the policy available to them.


There are quality related requirements in sub-clauses to 5.1 and also in Organizational roles,

responsibilities and authorities (5.3) but as we are concentrating on the HLS/Annex SL requirements

in this briefing we confined ourselves to listing these in Table 2. If you require comprehensive tools for

implementing and auditing all of the changes please visit www.jemo.co.uk or contact us at

[email protected]


5.1.1 Leadership and commitment to the quality management system

This was summarised above and is one of the most significant changes

5.1.2 Customer focus Basically as the 2008 version but now includes risk assessment

Table 2 Clause 5.1 Leadership and commitment

The disappearing management representative

If the quality management system revolves around you or a small team under your leadership and

everyone leaves all matters “Quality” to you we strongly suggest you examine how his can be spread

wider. Expect issues with, for example, other managers not being prepared to take on the

management representative roles. There may be other issues that arise from this such as conflicts of

interest and internal politics. If you are the management representative start now on planning your

career progression after the publication of the standard. You will be joining 1.2 million others working

for registered organizations!


The changes also make their job easier. Expect them to reserve more time for interviewing top

management and obtaining objective evidence of their commitment (or not) to the QMS. They will look

for evidence that more people are involved with the quality management system and that it is

genuinely embedded in the overall business systems. Expect them to look for risk identification when

examining your focus on your customers.

6 Planning for the quality management system

This has the following HLS/Annex SL sub-clauses:

6.1 Actions to address risks and opportunities 6.2 Quali t y objectives and planning to achieve them

http://www.jemo.co.uk/

mailto:[email protected]



The new standard has removed the requirement for preventive action in the 2008 version and

replaced it with risk based thinking. This means the whole standard is intended to look ahead, to

identify risks and put in place controls to manage them. In addition to risks you may identify

opportunities for improvement and you should exploit these. How this is done is via the planning work

you do to meet this clause.

This is the logical development of the process you started in Clause 4 where your interested parties,

their needs and issues were defined and in clause 5 where you identified risks to your customers from

your products and services. These are now at the heart of the risk management processes.

You probably already have quality objectives and departments, teams or individuals working on them.

The new standard reinforces the principle that these should be clearly defined, measurable (when

practicable), achievable and with responsibilities defined for their achievement in specified timescales.


There are quality specific requirements in 6.1 Actions to address risks and opportunities, 6.2 Quality

objectives and planning to achieve them and 6.3 - Planning of changes, which we list in Tables 3 - 5


6.1.1 No title Covers planning the QMS in the context of your organization and identifying risks and opportunities

6.1.2 No title Covers how you will manage the risks and opportunities

Table 3 Clause 6.1 Actions to address risks and opportunities


6.2.1 No title This covers establishing your quality objectives and now includes objectives for processes

6.2.2 No title This covers planning to achieve the objectives, the resources needed and the way the results are measured and monitored

Table 4 Clause 6.2 Quality objectives and planning to achieve them


6.3 Planning of changes This covers the planning of known changes and preserving the integrity of the QMS. It is more explicit than ISO 9001: 2008

Table 5 Clause 6.3 Planning of changes

If you require comprehensive tools for implementing and auditing all of the changes please visit

www.jemo.co.uk or contact us at [email protected]





Auditors who are not familiar with risk management techniques should not be auditing you. Expect

experienced auditors to look for tangible evidence that you are evaluating the risks and effectively

eliminating them or reducing them to an acceptable level. They will examine your resources and

competencies to do this. A useful tool for this is a risk register. ISO 31000 provides useful guidance

on risk management.

They should be familiar with how to audit your objectives and planning of changes and may spend

more time with your top management on this.

Clause 7 Support

This has the following HLS/Annex SL clauses:

7.1 Resources

7.2 Competence

7.3 Awareness

7.4 Communication

There are also sub-sub clauses but with the exception of 7.5 below these are quality specific and so are listed but not discussed here.

7.5 Documented information – this has the following sub-sub clauses that are HLS/Annex SL:

7.5.1 General

7.5.2 Creating and updating

7.5.3 Control of documented information

In general, this is a development of existing ISO 9001: 2008 requirements for support to your main operational processes. The human resources (i.e. your colleagues) need to be demonstrably competent and aware of the requirements that apply to them and the consequences of not following the “rules” of the QMS.

Your communication systems need to be robust and include external and internal communications. A gap in the ISO 9001: 2008 standard has been filled – communication with your suppliers and external providers has to be as robust as communication with your customers

The documented quality system may not have to include your quality manual, documented

procedures or work instructions but there should be something that does a similar job for instruction

and control. This is called documented information. Much of what you already have can still suffice,

although you may want to take this opportunity to examine your documentation to see what can be

retained, what is superfluous and if it is all in the right format and media for your current and future

needs.

Your top management could, as part of their leadership role, engage the workforce in deciding what

they really need in the documentation and the media that is most suitable for them.




There are many additional quality related requirements here under sub-clauses - in particular in

clause 7.1 which has six sub-clauses with significant additional requirements. We have listed these in

Tables 6 but do not discuss them in detail here as we are focusing on the HLS/Annex SL

requirements.


7.1.1 General

Basically as ISO 9001: 2008 - you must determine and obtain the resources needed to run your QMS – from inside and outside your organization

7.1.2 People Basically as ISO 9001: 2008

7.1.3 Infrastructure Basically as ISO 9001: 2008

7.1.4 7.1.4 Environment for the operation of processes

This extends the work environment of ISO 9001: 2008 to include environments for the effective operation of processes

7.1.5 7.1.5 Monitoring and measuring resources

This is a substantial development of the ISO 9001: 2008 requirements and now embraces the “calibration control” of people used in monitoring and measurement

7.1.6 Organizational knowledge

This is a new requirement which covers the knowledge needed by your organization and how you obtain and control this and keep it up to date

Table 6 Clause 7.1 Resources

For comprehensive tools for implementing and auditing all of the changes please visit



Auditors should use flexibility with your documented system. They should not expect you to throw out

your existing quality manual and documented procedures, but they should expect you to be reviewing

them against the requirements for documented information. There is a three year transition period

before the 2008 standard is withdrawn and this should be ample time for them to determine if you

have things under control.

They should find the more explicit requirements for communication easier to audit and to obtain

evidence of the effectiveness of your communication processes.

Competence should also be easier to audit. Note that this can also include the competence of people

working under your organization’s control – especially where you outsource processes and activities.

You are still responsible for the results of these.

Clause 8 Operation

The bulk of this clause contains quality specific requirements that are derived from the 2008 standard.

You are recommended to use our gap analysis checklist and PowerPoint presentation to familiarise

yourself with these, or obtain a copy of the standard.




The only HLS/Annex SL requirements are in:

8.1 Operational planning and control

All the rest are quality specific. We list these but do not look at them in detail

This takes the “strategic planning” you did for clause 6 and focuses down onto the planning of the

specific processes for creating products and providing services. This extends beyond your internal

process chain to include processes that you outsource. A new requirement is for you to have controls

for unplanned changes as well as the changes you plan to make.


There are many quality specific requirements here, much of which you will probably be doing already.

We have listed these in Table 7, but it is beyond the scope of this brief to cover them in detail.


8.2 Determination of requirements for products and services

8.2.1 Customer communication An extension of ISO 9001; 2008 to include contingency and other quality related communications

8.2.2 Determination of requirements related to the products and services

Subtle change from ISO 9001: 2008 including a need to substantiate all claims you make for your products and services

8.2.3 Review of requirements related to products and services

Basically as ISO 9001: 2008 but extended to include other interested party requirements

8.3 Design and development of products and services

This has six sub-clauses, amalgamating some of the sub-clauses of ISO 9001: 2008. The only significant change relates to reviewing experience from previous design – now dropped, and determining the risk of design failure. We consider this significant omissions

8.4 Control of externally provided products and services

This has three sub-clauses similar to ISO 9001: 2008. The range of supply is extended to include anything including sub-contracted processes that is provided (excluding property provided by your customer)

8.5 Production and service provision This has six sub-clauses, including new requirements for post-delivery activities and the control of unplanned process changes

8.7 Control of nonconforming process outputs, products and services

This is basically as ISO 9001: 2008

If you require comprehensive tools for implementing and auditing all of the changes please visit






The auditors will be discipline-oriented and should have a good understanding of how to audit process

based quality management systems. Expect them to look in detail at your planning and link this to the

planning of the overall QMS and risk management that you did for clause 6. They will then probably

devote the bulk of their examination to the quality specific requirements. We have indicated where

these are new and expect them to devote more time to these.

Clause 9 Performance evaluation

This has the following HLS/Annex SL sub-clauses:

9.1 Monitoring, measurement, analysis and evaluation

9.2 Internal audit

9.3 Management review

You will recognise these from the 2008 version and in most cases the requirements are very similar.

The scope of your management review should be expanded and more aligned to reviewing the QMS

performance in the context of the overall business. The finer details include making use of the results

of data analysis and your management review.

If you are operating a successful ISO 9001: 2008 system you should have little problem with this.


There are no quality specific requirements. These are all HLS/Annex SL.


The standard includes considerable detail that was not in the 2008 version and auditors may be

expected to be more explicit in what they look for. Expect them to focus more on requiring your top

management to explain the management review process and results and to have a more hands on

approach to directing and monitoring actions from these. Expect them to also examine closely the

analysis you do of data and especially what you do as a result of this.

Clause 10 Improvement

The HLS/Annex SL requirements are covered under the following sub-clauses:

10.2 Nonconformity and corrective action

10.3 Continual improvement

The key change here from ISO 9001: 2008 is the removal of a separate sub-clause for preventive

action. The work you did in 4.1 where you identified internal and external issues that affect your QMS

achieving its intended outcomes and the risk assessment and management of clause 6 together with

the remainder of the standard are all preventive. If anything they exceed the requirements of the 2008

standard.

Continual improvement is required for the QMS as in ISO 9001: 2008 and the controls for non-

conformance are similar.



The quality specific requirements.

The major quality specific requirements are covered under 10.1 General. This focuses on the

processes you have for improving your products, services, processes and the overall performance of

your QMS.

For comprehensive tools for implementing and auditing all of the changes please visit


What you should do now

The HLS/Annex SL requirements that we have outlined have less than a 5% chance of being further

changed. The main reason is that these are already in recently issued standards and those being

amended. It therefore follows that you can make a start on the changes at very little risk.

Figure 1 is a suggestion of how you may want to approach this:

What you get in the JEMO Implementation Tools

The JEMO implementation tools have been developed from over 30 years of working with ISO

management system standards. We currently have the following available through our website

www.jemo.co.uk :

An auditor’s guide to ISO 9001: 2015. Based on the DIS, this is a comprehensive distance

learning course that explains in plain language the requirements and the changes and

guidance on how to audit these. There are over 320 slides with the changes graded in

severity and the Annex SL requirements highlighted. Cost £ 49.50 + VAT

ISO 9001: 2015 Gap Analysis. Based on the current DIS this comprises over 100 pages and is

published in landscape so that it can be bound as a working checklist. This allows you to

capture conformity and non-conformity and the audit evidence that you found. At the end

of each clause there is comprehensive, plain language explanation of the requirements,

comprehensive guidance on how to audit this and the evidence you would look for. This is

designed to be used by both internal and external auditors and you can indicate the severity

of the gaps (graded as high, medium or low). The Annex SL requirements (that should not

change) are highlighted. This also serves as an executive report in which you can record

action summaries conclusions and who will do what. Cost £ 49.50 + VAT

Discount for early purchasers. If you purchase both of these before 1 March 2015 we are offering

these at 20% discount for £ 80 + VAT

Free updates if there are changes. For purchases before 1 March 2015 we are offering a free update

if there are changes in the published standard.

Coming shortly

We will shortly have available:

an implementation guide to ISO 9001: 2015 – comprising over 320 slides

an audit checklist with guidance for implementers and internal auditors – comprising over 100

pages





an e-learning executive awareness course for top management

an e-learning awareness course for other members of the workforce



Figure 1 A suggested approach to implementing the changes

Do a gap analysis on your existing QMS

Estimate the work and resources needed and

produce a report for your top management

Obtain authorisation to go ahead and assemble

an implementation team

Implement the HLS/Annex SL changes first

Give training to top management and staff on what

the HLS/ Annex SL changes mean to them

The JEMO Gap Analysis Tool is ideal for this

The Gap Analysis Tool provides a template for this

The JEMO distance learning package is ideal for this

Train internal auditors to audit to the HLS/Annex SL

requirements using the JEMO tools

Do the internal audits and a management review

Implement any changes

Repeat the exercise for the quality specific requirements

iso 9001: 2015 – a guide to understanding and implementing ...jemo.co.uk/linked/free guide to iso...

Documents