Behind the scenes of the next version of ISO 9001
by Sandford Liebesman
The latest version of ISO 9001 was published in December 2008. Since then, the International Organization for Standardization’s Technical Committee (ISO/TC) 176 has created a task group to consider concepts for inclusion in the next revision, which is scheduled for publication in 2015.
The group initially sent a document containing 19 future concepts and recently added a 20th, "people involvement."1 Table 1 contains a list of the concepts the group discussed, but I’ll address only the six key concepts I think should definitely be part of the next revision of ISO 9001.
Concept 1: financial resources of the organization
The recent financial crisis has raised everyone’s interest in how financial organizations operate and the associated controls they use. An organization’s financial system has a major effect on how customer requirements are met, how the quality management system (QMS) operates and how the organization’s resources are used.
Table 2 is a list ISO 9001:2008 clauses in which the use of resources is stated or implied. The description section is paraphrased material from each clause or note.
The future concepts document states that financial resources directly support an organization’s management systems and operations. Financial resources and financial information are important organizational requirements, but the subject is not specifically addressed in ISO 9001.
According to the task group, "Where the financial organization compromises its ability to consistently meet customer requirements and create sustained performance, it is relevant to the operation of the QMS and within the scope of ISO 9001."2
It seems that financial organizations seldom use key quality tools, such as process management, continual improvement, preventive action and corrective action. ISO 9001 can be a factor in eliminating the silos that exist between quality and finance. ISO 9001 can also have a positive effect on compliance to the Sarbanes-Oxley Act.3, 4
Concept 6: inclusion of a risk–based thinking approach
Effective management systems can reduce risks to an organization. Risks occur as the result of uncertainty, whereas effective management systems improve control over factors that create uncertainty. ISO 9001 can play a major role improving risk–based thinking in an organization.
ISO 9001:2008 considers risk in various clauses that can be a starting point for expanding this concept. Several clauses in the standard imply risk:
- 5.4, quality planning.
- 5.6, management review.
- 7.1, planning of product realization.
- 7.3, design and development.
- 8.5.2, corrective action.
- 8.5.3, preventive action.5
In each of these clauses, management must consider the risks to the organization and the means to reduce them. The future concepts document from ISO/TC 176 introduces several considerations for developing a risk-based thinking approach:
- Any requirement needs to be capable of allowing organizations of all sizes and types to determine their own approach.
- Any text added to ISO 9001 must add value to the user.
- Consideration should be given as to whether requirements should be explicit or implied.6
A risk–based approach should be applied to the following areas:
- Ensuring products meet customer, statutory and regulatory requirements.
- Reinforcing the process approach and reducing the risk that a process might not produce the desired result.
the effectiveness of the management system to achieve objectives and analyzing
changes in the organization’s internal and external environment.
Concept 7: life-cycle management
Life-cycle management covers the entire life of a product from design to product withdrawal. The phases of the life cycle are:
- Design (concepts, preliminary design and detailed design).
- Manufacture production (service provision).
- Distribution, transport and delivery.
- Use and support.
- Reclamation, recycling and disposal.
The current version of ISO 9001 relates to life-cycle management in clause 7.2.1, "determination of requirements related to the product." Also, the accompanying note ("Post-delivery activities include, for example, actions under warranty provisions, contractual obligations such as maintenance services, and supplementary services such as recycling or final disposal") has a clear relation to life-cycle management.
ISO 9001:2008 does a good job of covering the early stages of the product life cycle: customer requirements, internal and customer communication, design and development, production and supplier management. But there is a need to have requirements for the rest of the product life.
We can look at TL 9000 requirements for life-cycle management, end-of-life planning, configuration management, service delivery planning, customer problem identification and inclusion of product life-cycle management in the project plan.
Concept 10: process results and effectiveness
There are three major stages in the life of a process: identification, implementation and maintenance or improvement. To get expected results, it is essential to design or plan the process, including the equipment, methods and control parameters.
Early in the process, an organization should develop preliminary documentation that takes into account the structure of the organization and the effect of the proposed process. After the process is implemented, it should be controlled, have key measurements taken and provide feedback on its operation. Over time, it should be maintained, measured and improved.
Two actions are recommended: specify the process precisely, including the organizational level for its use, and consider tools such as turtle diagrams, balanced scorecards and Six Sigma methods. Small to medium-sized organizations will benefit greatly from these considerations because they will need to provide more process details than they currently do. That will improve the effectiveness of their operations.
Concept 12: process innovation
It is necessary to foster innovation and maintain competitiveness that will ensure the organization’s survival and growth. Innovation will help organizations be more competitive in the marketplace by creating new features, reducing cost and improving product suitability that affects buying decisions. Innovation should be part of an organization’s strategic thinking.
I recommend the following detailed steps in the innovation process:
- Investigate innovation opportunities.
- Choose an opportunity.
- Generate solutions with early prototyping where appropriate.
- Choose a solution and develop a full design specification to enable development and stage reviews.
- Develop the solution with a prototype to field test.
- Where appropriate, implement the solution.
The future concepts document states that including process innovation requirements in the next version of ISO 9001 will:
- Add new requirements.
- Require updates to an organization’s documentation.
- Require organizations that do not currently have an innovative process to establish, document and implement the new process and train their staff.
- Provide customers additional assurance so the products they purchase meet their requirements.
- Make organizations implementing the requirements more competitive with more effective and efficient processes.
Note that a more practical approach for the introduction of innovation may be published in a guideline document. Also, innovation requirements may not be practical for small businesses.
Concept 14: process management
The future concepts document deals with process management by stating it is necessary to determine objectives of the QMS, identify processes to achieve the objectives, determine the relationships between processes and relate the processes to the organizational structure.
In addition, to implement a process successfully, it is necessary to understand elements forming the relevant processes and manage these elements based on the plan-do-check-act (PDCA) cycle and process control. Process management’s goal is to achieve objectives of the QMS over time.
In clause 4.1, ISO 9001:2008 identifies requirements that form the process approach:
Determine the processes needed for the QMS and their applications throughout the organization.
- Determine the sequence and interaction of these processes.
- Determine criteria and methods needed to ensure the operation and control of these processes are effective.
- Ensure the availability of resources and information necessary to support the operation and monitoring of these processes.
- Monitor, measure (where applicable) and analyze these processes.
- Implement actions necessary to achieve planned results and continual improvement of these processes.
In 2006, I suggested improvements to the standard with respect to process management.7 For an organization wanting to strengthen its process approach, the following suggested add-ons are effective:
- Identify an owner for each process, making that person responsible for ensuring effective operation of the process.
- Define the inputs and outputs of each process.
- Define the constraints on the operation of each process and the resources needed.
- Identify the activities of each process in terms of the PDCA cycle, thus providing a tool for continual improvement of each process.
The process approach should also have an effect on internal auditing. An added value for internal audits is to structure each audit around the organization’s processes. Process auditing built on the PDCA cycle provides a much more effective feedback mechanism than checklist audits because organizations operate in terms of their processes, and opportunities for improvement will be more readily identified when auditing these processes.
How does an organization identify the needed processes? First, determine objectives of the QMS. Then, identify processes needed to achieve these objectives, determine relationships between the processes and relate them to the organizational structure. ISO/TC 176 recommends using a PDCA structure to develop each process.
Management should continuously look at improving processes. The goals of improvement should be defined and an improvement team formed. The causes of concern should be understood, countermeasures implemented and work standards revised.
More to come
I have addressed six of the 20 future concepts I think are the most important. Adding financial requirements will expand the usefulness of ISO 9001 to an entire organization. The financial, quality, environmental and IT management systems will benefit from applying the process approach, life-cycle management and risk-based thinking.
Note that the entire set of concepts will be considered at the next meeting of the U.S. Technical Advisory Group this month. It will take some time to convert the concepts to a set of directions for ISO/TC 176, but the future concepts document is a good start for improving ISO 9001.
- ISO/TC 176/SC 2/N956, "Quality Concepts for a future revision of ISO 9001," 2011. A 20th concept, "people involvement," was sent by ISO/TC 176 after the document was published.
- Sandford Liebesman, "Mitigate SOX Risk With ISO 9001 and 14001," Quality Progress, September 2005, pp. 91–93.
- William A. Stimson, ISO 9001 & Sarbanes-Oxley, Paton Press, 2006.
- International Organization for Standardization’s Technical Committee 176, "Quality Concepts for a future revision of ISO 9001," see reference 1.
- Sandford Liebesman, "Increase ISO 9001’s Value," Quality Progress, August 2006, pp. 84–85.
Sandford Liebesman is president of Sandford Quality Consulting in Morristown, NJ, following more than 30 years of experience in quality at Bell Laboratories, Lucent Technologies and Bellcore (Telcordia). He is an author of TL 9000, Release 3.0: A Guide to Measuring Excellence in Telecommunications, second edition, and Using ISO 9000 to Improve Business Processes. Liebesman, a fellow of ASQ and past chair of the Electronics and Communications Division, is a member of ISO technical committee 176 and the ANSI Z-1 committee on quality assurance.