Check Your Blind Spots
Pay attention to often-overlooked new ISO 9001 requirements
by John J. Guzik
The highly significant addition of risk-based thinking to ISO 9001:2015 has received a lot of attention. Many organizations focus so hard on this new requirement—some erroneously wasting time and resources on a formal product-focused risk management program, which is not what the standard really requires—they can overlook the other new requirements.
In some cases, the other requirements can bring equally significant changes to a quality management system (QMS). These new requirements include context of the organization, interested parties, leadership, organizational knowledge, management of change, the expansion of "monitoring and measuring equipment" to "monitoring and measuring resources," and the ever-present saturation of the standard with the concept of "engagement of the people."
I was recently asked by a member of an organization’s top management to briefly describe the changes in ISO 9001:2015.
"Are you looking for an elevator speech?" I asked. The leaders replied, "Yes."
I suggested their building wasn’t tall enough. When organizations face the revision, they must be mindful of all the revisions in ISO 9001:2015, not just the one getting the most attention: risk-based thinking.
Context of the organization requires that an organization take a good look at itself to understand the internal and external issues that can affect its business and QMS. This will allow it to build, implement and improve a QMS so that the QMS contributes to the organization’s holistic business needs and doesn’t just become a set of tools that have no direct relationship to the organization’s real needs.
Add to this the consideration of interested parties’ needs and requirements that are relevant to the QMS. Also, an organization must recognize the three pillars that must be considered when defining the scope of a QMS. The three pillars are: internal and external issues, the requirements of interested parties that are relevant to the QMS, and the products and services of the organization. This is critical to the up-front QMS planning. If you disregard or miss these requirements, your organization is facing a potential major nonconformity, not to mention squandering resources on a do-nothing system.
Leading the way
Leadership is finally required to take true ownership of an organization’s QMS. With this addition to the standard, authorization of the QMS now truly comes from the top. By removing the requirement for a management representative (although organizations may choose to keep one), the crutch that top management has been using—sometimes too often—is now gone.
Even if an organization chooses to keep the position of management representative, accountability now formally rests with top management. It is top management that will be required to answer sensitive questions about the effectiveness of the QMS. Driving the controls of the QMS into the regular business processes is critical to this aspect.
Too often, organizations have carried out regular business practices and conducted the "other stuff" for ISO 9001. These two aspects now must have the same importance in the organization for it to achieve business sustainability through quality management.
Management of change is mentioned in several places in ISO 9001:2015. These mentions include changes to product or service requirements, changes of documents or design changes.
Perhaps the most significant mentions of change, however, relate to changes to the QMS: processes and to operational processes. The revised standard requires what had been implied in all the earlier versions—that changes to overall QMS processes and to operational processes must be carried out in a controlled manner.
Organizations that don’t consider the impact of changes to other processes as well as to their products or services through risk-based thinking are destined to fail. I had an experience and—I’m sure it wasn’t unique—in which I was involved in resurrecting an organization that had gone from high profitability to near-ruin within one year.
This happened because when the organization was implementing its QMS for its initial ISO 9001 certification, it started making rampant changes to its processes without considering the potential effects on other processes. The result was devastating, and the organization was on the verge of bankruptcy.
In operational control
Control of changes to operational processes is even more specific. There is a requirement for the review and control of the changes to ensure a product or service will continue to meet requirements. Records of these changes also are required to include the results of the review of changes, actions resulting from the review and the identification of persons authoring the change.
Many have asked why this requirement is so specific. It’s because these kinds of processes have a direct impact on customers through products and services, not to mention the potential for negative impacts to other internal operational processes—which, in turn, can also directly affect the customer in the same way.
While organizational knowledge is a new requirement of ISO 9001:2015, it’s really not new to many organizations. Most organizations already have some sort of information-transfer activities in place—whether they are defined processes or simply informal practices.
These could include cross-functional awareness sessions, departmental meetings where issues relevant to the QMS are discussed, on-the-job training, lessons learned programs or operator notes. All of these relate to the new organizational knowledge requirement. The concept here is to secure information that is critical to continuing the effective operation of the organization’s processes.
Monitor and measure
The expansion of "monitoring and measuring equipment" to "monitoring and measuring resources" is more than a mere verbiage change, as we saw in the 2000 version of ISO 9001. With the 2000 change, many organizations wondered whether there was a significant difference between "equipment" and "devices," when there was not.
The 2008 version of the standard reverted the language back to "equipment" to end the consternation. This change, however, actually expands the scope of application of calibration to include things such as visual comparisons, go-no go gauges, and software and software-driven tools.
In the past, organizations have been able to sidestep the issue of preserving the integrity of some of these tools because they were technically not "equipment," yet they have a direct impact on the conformity of a product or service.
Perhaps the best kept secret related to changes in ISO 9001:2015 is the saturation of the standard with the concept of "engagement of the people." While no single clause specifies it, the notion is mentioned at least 10 times.
As an underlying concept, people engagement carries ownership of the processes beyond simple involvement of the people. By engaging people, an organization will implement an effective QMS, and conversely, an effectively implemented QMS will promote and enhance engagement of the people. The application of people engagement is a never-ending cycle—much like continual improvement.
Bypassing these less-publicized new requirements of ISO 9001:2015 can result in a major nonconformity. Even if their absence is somehow missed by an auditor, however,I can’t imagine howthe resulting impact on the effectiveness of the QMS will prove devastating.
Remember to keep your eye on the ball.
John J. Guzik is principal of Impact Management in Hanover, PA. He is a participating member of the U.S. Technical Advisory Group to ISO Technical Committee 176 and the ASQ ASC Z1-Q subcommittee on quality management.