Into the Future
How key management system standards are changing
by R. Dan Reid
During the past 30 years or so, there has been a lot of content in this column and in QP dealing with management system standards (MSS). A quick search of past QP references indicates more than 6,400 hits on standards such as ISO 9001, ISO 14001, OHSAS 18001, ISO/IEC 27001 and ISO 50001, ISO/IEC 17025 and others. Well, get ready. ISO MSSs as you know them are about to change, starting as soon as next year.
As of July 2013, the catalog of the International Organization for Standardization (ISO) lists more than 19,500 international standards. Among these are MSSs that "provide requirements or guidelines for organizations to develop and systematically manage their policies, processes and procedures to achieve specific objectives. They are usually based on managing an organization’s processes using a plan-do-check-act approach to achieve the intended outcomes.
Typically, MSSs address the following components:
- Implementation and operation.
- Performance assessment.
- Management review."1
ISO 9001 requirements
ISO requires that standards be reviewed about every five years to determine whether they need to be revised. Results from ISO’s 2012 global user survey2 concluded 27% of respondents thought the ISO 9001 standard was "fine as it is." Another 64% said it was "OK, but with enhancement." More than 70% of respondents favored including the following concepts in ISO 9001:
- Resource management.
- Voice of the customer.
- Measurements (performance, satisfaction and return on investment).
- Knowledge management.
- Risk management.
- Systematic problem solving and learning.
Only 7,918 respondents generated these findings from a field of more than 1.1 million ISO 9001-certified organizations globally, as reported in the 2011 ISO user survey.3 This is a small sample size for such a large population. It does not suggest a mandate for significant change, but the decision was nevertheless taken to revise the standard. Why?
The ISO technical committee (TC) responsible for ISO 9001 has indicated that ISO 9001 is being revised to:
- Account for changes in quality management systems (QMS) practices and technology since the last major revision to ISO 9001 in 2000.
- Provide a stable core set of requirements for the next 10 years or more.
- Ensure requirements in the standard reflect changes in the increasingly complex, demanding and dynamic environments in which organizations operate.
- Ensure requirements are stated to facilitate effective implementation by organizations and effective conformity assessment by first, second and third parties, as applicable.
- Ensure the standard is adequate to provide confidence in those organizations meeting the standard’s requirements.
- Decrease the emphasis on documented procedures.
- Increase the emphasis on achieving value for the organization.
- Increase emphasis on risk management.
Based on the current committee draft (CD) 2 of the revised standard, the changes will likely cause some problems. The standard is now being written more generically to increase its appeal to nonmanufacturing sectors. The likely result is that it will be more difficult to control variation among auditors and registrars.
There is less emphasis on documented procedures and no longer a requirement for a quality manual. This will require auditors to perform more interviews and audit a larger sample size with quality system documentation available. Some prefer this option, but it will surely drive up the cost of audits and allow more variation in the audit processes.
The removal of previously agreed-on verbiage will be objectionable to manufacturing sectors where ISO 9001 has thrived.
Annex SL is developed
Prior to drafting the text of a revised ISO standard, a design specification is developed. The design specification for the next revision to ISO 9001 includes a requirement that "the revised standard will apply Annex SL to the ISO/IEC Directives, Procedures specific to ISO, third edition, 2012,4 to ISO 9001 to enhance its compatibility and alignment with other ISO management system standards."5 So, what is Annex SL?
ISO has long had an interest in driving the use of integrated management standards. A report of the ISO Technical Management Board Ad-Hoc Group on MSSs advocated such standards in February 2006. Annex SL is just the latest in these attempts.
ISO/IEC Directives Part 1, Consolidated ISO supplement, 2013, Annex SL, Appendix 26 "sets out the high-level structure, identical core text, and common terms and core definitions that are to form, when possible, the nucleus of future and revised management system standards such as ISO 9001, developed by the Joint Technical Coordination Group. The guidance and structure given in Appendix 2 to this Annex SL shall, in principle, also be followed" (based on ISO/Technical Management Board resolution 18/2012).
Notice the use of the qualifying phrases on two occasions from this directive: "when possible" and "in principle." It was not intended that there would strictly be no deviations from this guidance. In reality, though, the drafters of the ISO 9001 revision have taken this more literally and are not considering amendments or deletions from the high-level structure or common text. They are allowing only additional text.
The Annex SL high-level structure has been previously reported in this column by various contributors. The structure will consist of 10 elements for all new or revised MSSs going forward:
- Normative references.
- Terms and definitions.
- Context of the organization.
- Operational planning and control.
- Performance evaluation.
- Continual improvement.7
This mandated structure also has common text that must be used with some of these elements. New elements, such as context of the organization, and new terms, such as "documented information," "configuration management" and "innovation," will likely drive the need for additional processes and training for currently certified organizations. Other requirements already common across the key MSSs have been deleted, such as a management representative, an MSS manual and preventive action.
The current ISO standards development process takes as long as it does—five years or more—to reach consensus on the content, including terms, to ensure the standards can be accurately translated into local languages and applied to all types and sizes of organizations. This process has been bypassed by the committee that developed Annex SL. The U.S. delegation to the ISO TC responsible for ISO 9001 has objected to this, but the global consensus is to proceed according to this plan.
Annex SL has already met significant resistance from manufacturing sectors—automotive, aerospace and medical devices. It has been viewed as a return to a "clause-based approach" even though there is now a requirement in the draft standard mandating the use of the process approach, which was introduced in ISO 9001:2000.
The automotive sector has already petitioned ISO and was granted a waiver to continue to use the current edition of ISO 9001. For organizations that have automotive and other customers, this could mean compliance with two versions of ISO 9001. Aerospace and medical device sectors are also considering decoupling from ISO 9001 for similar concerns. Why this does not drive a major rethinking of its Annex SL approach by ISO is curious at best.
There is a better solution. The ISO drive for integrated management systems would not be so objectionable if it used existing text from one or more of the currently issued MSSs for the mandated common text. There is already a high degree of alignment of MSSs, such as ISO 14001, OHSAS 18001 and others issued recently. This would forgo the need for new training on the terms while avoiding potential translation problems in the national versions of the new standard. It would respect the intent of the ISO consensus process for standards development.
The biggest impact of implementing Annex SL, however, is not on ISO 9001.
ISO 14001 was also reviewed and is being revised at this time, and it is also targeted for release next year.8 The number of clauses in the new ISO 14001 will increase from four to the 10 mandated by Annex SL, and the length will likely increase quite considerably from the 2004 edition (CD 2 increased from 23 to 44 pages).
There currently is not an element in ISO 14001 for top management, but there will be. The revision also will include a requirement for value chain control—whether goods are procured from an outside supplier or affiliated location. There are also implications for ISO 14001-related standards, such as OHSAS 18001/ANSI Z10, Responsible Care 14001.9
It remains to be seen how much appetite there is in the global community for changes to ISO 14001, especially based on Annex SL. The trend for third-party certification is already on the decline with a couple of exceptions.
The current version of ISO/IEC 17025—General requirements for the competence of testing and calibration laboratories10 is from 2005. In its last review, the decision was made not to revise it.
ISO/IEC 17025 does not incorporate all ISO 9001 requirements but claims to contain those that are relevant to the scope of testing and calibration services that are covered by a laboratory’s management system. ISO/IEC 17025 also indicates testing and calibration laboratories that comply with it, therefore, also operate in accordance with ISO 9001. Given the mandated high-level structure, ISO 9001 will continue to differ from ISO/IEC 17025 content.
Currently, ISO/IEC 17025 has only five clauses. This will need to incorporate the mandated 10 listed earlier. The length of the new standard will increase from the current 28 to about 44 pages. It is unclear whether and when ISO/IEC 17025 will be revised to address the high-level structure. But until it does, there will be a significant disconnect with other ISO MSSs.
Many organizations have internal labs that are accredited to or comply with ISO/IEC 17025. For those organizations that need ISO 9001 or ISO 14001 certification, this will drive additional differences that must be carefully managed to ensure compliance with all specified requirements.
The current version of ISO 13485—Medical devices—Quality management systems—Requirements for regulatory purposes11 is from 2003. It has eight clauses and is about 20 pages long without the informative appendixes at the end. To adopt Annex SL, this standard also must change to 10 clauses and increase to about 44 pages.
ISO 13485 is also being revised, but this revision began prior to the issuance of Annex SL. The TC responsible for this document is not planning to implement the Annex SL requirements in its next revision. ISO 13485 likely will continue to be based on ISO 9001:2008, as will the auto industry’s ISO Technical Specification 16949. The committee is looking into decoupling ISO 13485 future versions from ISO 9001 using another standards body if the current ISO MSS plan is carried out.
Annex SL applies to all new and revised ISO MSSs going forward, so the ripple effect will continue as the mandatory review cycles for existing MSSs occur.
What should you do now?
This column is not to suggest that all of the planned MSS changes are bad. The process and approach used to develop and mandate Annex SL is flawed, however, and will likely have lasting ramifications if it is implemented as planned.
Do not, therefore, begin implementing any of the drafts’ new requirements just yet. There will be additional drafts of standards now being revised, and changes are likely. Also, don’t assume your current MSS documentation—your quality manual—procedures are obsolete if they are still applicable. They still can be used with the new standard to efficiently prove to auditors that processes are working and are effective. So what should you do now?
- Develop an organization position on the proposed ISO 9001 changes and communicate your position to your customers. There likely will be auditability concerns and additional auditing costs.
- Provide comments on the drafts to your national standards body.12 It is not too late to get revisions to the current plan.
- Know what is going on and be ready to implement any new requirements. A transition period will be designated for implementing any new standard. In the past, this has been up to three years.
- Have processes that accommodate any new clauses. This can be facilitated by implementing an integrated management system for your organization, but one that is based on an approach that makes sense for your organization. Eventually, clause cross-references can be implemented or updated to show how your system maps to any of the customer-required ISO MSSs. There is a lot of redundancy among current ISO MSS content—internal audit, management review and competency—that can be effectively leaned out, even now.
ISO MSS life as you know it is likely to change forever in the near future, and unfortunately, it does not appear to be getting any easier or less costly.
References and note
- International Organization for Standardization and International Electrotechnical Commission, ISO/IEC Directives, Part 1, Annex SL, clause 5.2, fourth edition, 2013.
- International Organization for Standardization, "ISO Survey of Management System Standard Certifications—2012," 2012.
- International Organization for Standardization, "ISO Survey of Management System Standard Certifications—2011," 2011.
- International Organization for Standardization and International Electrotechnical Commission, ISO/IEC Directives, Procedures specific to ISO, Annex SL, third edition, 2012.
- Nigel H. Croft, "The Future of ISO 9000 and Other Management System Standards," 2012, http://bit.ly/1m9uQUm.
- International Organization for Standardization and International Electrotechnical Commission, ISO/IEC Directives, Part 1, Consolidated ISO supplement, Annex SL, Appendix 2, 2013.
- Sandford Liebesman, "Work in Progress," Quality Progress, November 2013, pp. 52-53.
- Susan L.K. Briggs, "(Re)visionary Thinking," Quality Progress, September 2012, pp. 24-29.
- Occupational Health and Safety Advisory Services and American National Standards Institute, OHSAS 18001/ANSI Z10, Responsible Care 14001.
- International Organization for Standardization and International Electrotechnical Commission, ISO/IEC 17025:2005—General requirements for the competence of testing and calibration laboratories.
- International Organization for Standardization, ISO 13485:2003—Medical devices—Quality management systems—Requirements for regulatory purposes.
- You can find a listing of national member bodies at www.iso.org/iso/about/iso_members/about/iso_members.htm. Visit your member body’s website to obtain contact information for submitting comments on drafts.
R. Dan Reid is director of consulting at Omnex Engineering and Management in Ann Arbor, MI. He is the first delegation leader of the International Automotive Task Force, an author of ISO Technical Specification 16949, QS-9000/QSA, ISO 9001:2000, the first ISO International Workshop Agreement, and its replacement, Automotive Industry Action Group’s Business Operating Systems for Healthcare Organizations (HF-2). Reid is an ASQ fellow and certified quality engineer.