These bullet points list the most significant changes:
- Adopts a common high-level structure and terminology being introduced across all management system standards.
- Since the original ISO 9001 quality management standard was released back in 1987, there has been a plethora of management system standards that address topics from the environment to business continuity. With the increasing trend towards integrated management systems that address multiple standards, it makes a lot of sense for them to adopt a common structure (in terms of major clause numbering and titles), and terminology. Examples of the high-level clause numbering and titles are:
1. Scope
2. Normative references
3. Terms and definitions
4. Context of the organization
5. Leadership
6. Planning
7. Support
8. Operation
9. Performance evaluation
10. Improvement.
While this change would not have much effect on an organisation seeking single certification, it would have some benefit for an organisation seeking several, and a standardised approach would presumably also be welcomed by consultants and auditors.
Changes in terminology include the rather clumsy ‘Product realization’ now becoming ‘Operations’.
- Terminology is now more relevant to service industries e.g. the term ‘goods and services’ used in place of ‘product’.
This is a long-overdue recognition that most organisations with an ISO 9001-based QMS no longer simply make widgets, but provide some form of service. It should lead to improvements in awareness of relevance and general understanding. - Introduces new clauses relating to understanding the context of the organisation.
These requirements put focus on the organisation’s reason for being, consideration of just who are ‘interested parties’ (which seems to now be the preferred term to stakeholders), and what are their needs and expectations. - Makes more explicit requirements for the process approach to quality management.
Although the process approach has been part of ISO 9001 since the 2000 version, requirements have not previously been so clearly spelt out. The new standard clearly specifies what is expected in the process approach e.g. identifying required processes, their sequence, the inputs required to them, the outputs expected from them, how they are controlled, the resources needed for them, responsibilities for them, and so on. While most of these requirements could be inferred from various parts of the previous standard, the concentration of them in a list in a single clause suggests something more. This may lead to wider use of process mapping and planning tools to describe the listed requirements. - No specific Preventive action clause.
The Preventive action clause has always been widely misunderstood. Of course, one of the fundamental problems has been that a large part of any quality management system is aimed at preventing things from going wrong, and could therefore come within the scope of a Preventive action procedure. There has also been widespread confusion over the meaning of corrective and preventive, and the two are often lumped together. The welcome removal of this clause is directly related to the next item. - Consideration of risk.
The 2008 version of the standard did not explicitly mention risk, although its Preventive action clause could be addressed by assessing risk and taking appropriate action to eliminate or minimise it (otherwise known as risk management). The 2015 version is a bit more forthcoming on the topic. There is a requirement to ‘determine external and internal issues that may affect the ability to achieve intended outcomes’. Those acquainted with the risk management approach will recognise those words as describing the step of hazard identification. Alongside the earlier bullet point that mentions ‘the context of the organisation’, a very familiar risk management pattern is developing here. Indeed, the R-word itself makes numerous appearances, such as in clause 4.1 which requires the organisation to ‘determine the risks and opportunities to be addressed’. So, the concept of preventive action is essentially still covered by the new ‘risk’ clauses, and is also expanded upon. - Documented information.
The terms ‘document’, ‘documentation’ and ‘record’ are replaced throughout by the term ‘Documented information’. While the full implications of this change in terminology are worked through, one thing is very clear: For the first time in ISO 9001, there are no requirements for a ‘Quality Manual’ or ‘Documented procedures’. There are plenty of requirements to ‘maintain documented information’ as evidence. These are what are currently known as records. Why use two long words in place of one short one? - Control of external provision of goods and services.
The new draft standard lists this as a significant change from the previous version, although at first glance it may appear not to be so. The 2008 standard has its purchasing clause which covers the purchasing process, purchasing information, and verification of purchased product. The existing general requirements also state that where an organisation outsources any process that affects conformity to requirements, the organisation shall ensure control over that process. Outsourcing is defined as a process which the organisation chooses to have performed by an external party. So, what are the significant changes for the new standard? Well, once again the R-word comes into play. Organisations are required to take a risk-based approach to the required controls. You may be forgiven for thinking that is not such a significant change. Wouldn’t organisations have done that anyway?One interesting difference is the new reference to external provision including ‘an arrangement with an associate company’. That may be quite significant for organisations that are part of a larger group and rely to some degree on head office or another site for certain functions. Although the draft standard specifically mentions ‘associate company’, the same principle should presumably be applied to organisations in the public and NGO sectors, and we may well see the term modified to ‘associate organisation’ in later drafts and the final release of the standard.
- Care of property belonging to others.
The clause in the 2008 standard referring to customer property is expanded to include property belonging to external providers. This seems very sensible. As property can include intellectual property and data, this requirement may lead to more widespread information security measures being implemented to protect external providers’ IP and ensure confidentiality.
At this stage, that is our perception of the most significant changes, along with our initial thoughts on them. There are, of course, many other changes of varying degrees of significance, and others may well have a different view on them. There are two more draft versions planned before the official release – scheduled for September 2015. From previous experience, it is likely that arguments will rage during that time, and wording will be adjusted and adjusted again. We can feel fairly certain that the principle changes – the common structure and terminology, more defined process approach, and consideration of risk – will remain. While we may not all agree with every change, the update will hopefully be seen by most as a step in the right direction.