1 Context
2 Leadership
3 Planning
4 Support
5 Operations
6 Evaluation
7 Improvement
Both old and new standards cover essentially the same topics.
However, there are some important differences. Some of these
are discussed below.
Structure of the standard
Perhaps the biggest difference between the old and the new
standard is the structure. ISO 9001 2008 had five main sections
(4 to 8) and ISO 9001 2015 now has seven (4 to 10). This is because
the new edition uses the new Annex SL template. According to ISO,
all future management system standards (MSSs) will use this new
layout and share the same basic requirements. As a result, all new
MSSs will have the same basic look and feel.
And once you understand all of this, you're expected to use this
special insight to help you define the scope of your QMS and the
challenges it must deal with. While this will certainly help ensure
that organizations develop unique quality management systems
that address their own needs and requirements, doing all of this
could be quite a challenge for some organizations.
Documented information
The new ISO 9001 2015 standard has also eliminated the long
standing distinction between documents and records. Now they
are both referred to as documented information. Why ISO chose
to abandon two common sense concepts and replace them with
one that is needlessly awkward and esoteric is not entirely clear.
In other words, while documents and records were kicked out the
front door, they were actually allowed back in through the back door.
Risk-based thinking
According to the new standard, risk-based thinking has always
been implicit in ISO 9001. According to this perspective, ISO 9001
has always been about anticipating and preventing mistakes, which
is what risk-based thinking is all about. That's why we train people,
why we plan our work, why we assign roles and responsibilities, why
we validate and verify results, why we audit and review activities, and
why we monitor, measure, and control processes. We do these things
because we want to prevent mistakes. We do them because we're
trying to manage risk. So, if we think of risk-based thinking in this
way, it's always been an inherent part of ISO 9001. Before it was
implicit; now it's explicit.
Section 4.3 of ISO 9001 2015 says "The organization shall apply all
the requirements of this International Standard if they are applicable
within the determined scope of its quality management system."
So once you've determined the scope of your QMS, ISO 9001 2015
says that every requirement must be applied within the boundaries
defined by your statement of scope if it applies in your case.
However, while the new ISO 9001 2015 standard says that every
requirement must be applied, section 4.3 and Annex A5 also say
that any requirement may be excluded if it cannot be applied, if you
can justify and explain why it can't be applied, and if excluding it
does not undermine your ability or responsibility to ensure that
products and services are in compliance.
What ISO 9000 2005 used to call a product the new standard
now calls an output. The two definitions are the same. Since the
term output was not defined in 2005, this shift in terminology
suggests that the process approach is now even more central
to the new standard.
While the old standard asked you to use monitoring and measuring
equipment, the new standard refers to monitoring and measuring
resources. This is a more flexible approach to monitoring and
measuring because it recognizes the fact that these activities
can often be carried out without the use of equipment.
4. Context
Identify the external issues that are relevant to your organization's purpose.
Identify the external conditions that are relevant to your organization's purpose.
Identify the internal issues that are relevant to your organization's purpose.
Identify the internal conditions that are relevant to your organization's purpose.
Identify the interested parties that are relevant to your organization's EMS.
Clarify boundaries and think about what your EMS should apply to.
Use boundary and applicability information to define the scope of your EMS.
Include all the products that fall within the scope (boundary) of your EMS.
Include all the services that fall within the scope (boundary) of your EMS.
Include all the activities that fall within the scope (boundary) of your EMS.
Consider your organization's context when you establish and maintain its EMS.
Consider your external context when you develop your organization's EMS.
Think about how external issues could influence your organization's EMS.
Think about how external interested parties could influence your EMS.
Develop an EMS in accordance with the requirements of this ISO 14001 standard.
Establish the processes that you need and clarify your process interactions.
5. Leadership
6. Planning
Consider how you're going to determine your risks and opportunities (4.1).
Identify environmental aspects that fall within the scope of your EMS.
Identify the environmental impacts that fall within the scope of your EMS.
Identify the compliance obligations that fall within the scope of your EMS.
Plan how you're going to ensure that EMS achieves its intended outcomes.
Plan how you're going to address significant environmental aspects.
Formulate actions to ensure that your EMS achieves its intended outcomes.
Carry out actions to ensure that your EMS achieves its intended outcomes.
7. Support
Discuss your EMS with people at all organizational levels and functions.
Select all the documents and records that your EMS needs.
Select all the internal documents and records that EMS needs.
Select all the external documents and records that EMS needs.
Select all of the EMS documents and records that you need.
Control all the EMS documents and records that you need.
Control all the internal documents and records that your EMS needs.
Control all the external documents and records that your EMS needs.
8. Operations
8.1 Establish your EMS processes and control how they operate
Clarify the operating criteria that your EMS processes must meet.
Plan how you're going to find out if compliance obligations are being met.
10.1 Take action to improve your EMS and achieve intended outcomes
Take all necessary actions to improve EMS and achieve its intended outcomes.
Also see the new ISO 9001 2015 and ISO 13485 2016 standards (in Plain English).
Audit - Audit Criteria - Audit Evidence - Audit Findings - Audit Program -
Characteristic - Competence - Complaint - Concession - Conformity - Context -
Continual Improvement - Contract - Correction - Corrective Action - Customer -
Customer Satisfaction - Data - Defect - Design and Development - Determination -
Documented Information - Effectiveness - Feedback - Function - Improvement -
Information - Information System - Infrastructure - Innovation - Interested Party -
Involvement - Knowledge - Management - Management System - Measurement -
Measuring Equipment - Monitoring - Nonconformity - Object - Objective -
Objective Audit Evidence - Objective Evidence - Organization - Output -
Outsource - Performance - Performance Indicator - Policy - Process -
Process Approach - Process-based QMS - Product - Provider - Quality -
Quality Management - Quality Management System - Quality Objective -
Quality Policy - Regulatory Requirement - Release - Requirement - Review -
Risk - Risk-based Thinking - Service - Statutory Requirement - Strategy -
Supplier - System - Top Management - Traceability - Validation - Verification
3.1 Availability
Corrective actions are steps that are taken to eliminate the causes of
existing nonconformities in order to prevent recurrence. The corrective
action process tries to make sure that existing nonconformities and
undesirable situations don't happen again.
3.7 Customer
3.8 Document
NOTE: ISO IEC 20000-1 2011 does not expect you to write a manual.
3.9 Effectiveness
3.10 Incident
An incident is any unplanned service interruption or any reduction in
service quality. The term incident also includes any event that has not
yet interrupted service to the customer or reduced its quality but could
potentially cause a disruption or a deterioration in quality.
NOTE: The ISO IEC 27000 2014 information security standard refers to
the availability of information (instead of accessibility). ISO IEC 20000
uses the term accessibility because the term availability is already being
used to refer to a characteristic that applies to a service (see 3.1 above).
3.16 Nonconformity
Nonconformity is a nonfulfillment or failure to meet a requirement.
A requirement is a need, expectation, or obligation. It can be stated or
implied by an organization, its customers, or other interested parties.
3.17 Organization
Preventive actions are steps that are taken to remove the causes of
potential nonconformities or potential situations that are undesirable.
The preventive action process is designed to prevent the occurrence
of nonconformities or situations that do not yet exist.
3.19 Problem
ISO 20000-1 uses the term problem to refer to the root cause of one or
more incidents. ISO 20000-1, section 8.2, expects you to use a formal
problem management procedure to investigate reported problems in
order to uncover the real underlying problem (i.e., the root cause).
3.20 Procedure
3.21 Process
3.22 Record
3.23 Release
3.25 Risk
3.26 Service
3.35 Supplier
3.37 Transition
The term transition refers to all the activities that are carried out when
a new or changed service is moved to or from a live environment.
PROCESS APPROACH
ISO 9001 2015 section 0.3 expects organizations to adopt a process approach
and section 5.1.1 asks top management to exercise leadership by promoting
an awareness of this approach. But what is it?
PROCESS DEFINITION
A process is a set of activities that are interrelated or that interact with
one another. Processes use resources to transform inputs into outputs.
They are interconnected because the output from one process often
becomes the input for another process. Since all of this is rather
abstract, we'll try to make it more concrete with examples.
PROCESS EXAMPLES
Since the process approach is now central to ISO 9001, we've tried
to identify the processes that could make up a process-based QMS.
Some of these are listed below.
But what about inputs? Since the output of an upstream process often
becomes the input for a downstream process, outputs and inputs are
really the same thing.
PROCESS INTERACTIONS
When you think about all the processes that could make up a quality
management system and then think about all the possible input-output
relationships that tie these processes together, you soon realize how big
and complex such a system is. Because of this, you may find it difficult to
create a single map or diagram of your entire process-based quality
management system. There are just too many processes and too
many input-output relationships.
For this reason, we suggest that you diagram one process at a time
using a single flowchart on a single page (see diagram below). This
will allow you to specify the most important input-output relationships
without getting buried in complexity. The diagram below shows, in
general terms, how this could be done.
The box in the center is the process you want to diagram. That's your
focus. Upstream processes provide outputs for the central process and
downstream processes receive inputs from them. Arrows represent inputs
and outputs and the associated text describes them. These arrows also
show that an input-output relationship is sometimes a two-way street.
Sometimes inputs go one way and outputs go the other way.
PROCESS-BASED QMS
ISO 9001 section 0.3 introduces the concept of a process-based quality
management system and sections 4 to 10 explain what you need to do
to establish one. But what is it?
ISO 9001 asks you to identify the processes that your QMS needs,
to identify their sequence and interaction, to identify required inputs
and expected outputs for each process, to identify process risks and
opportunities, and to assign responsibilities and authorities for each
process. It also expects you to identify the methods needed to manage,
monitor, measure, evaluate, and control each process and to provide the
resources that each process needs. Once you've done all of this you've
defined your process-based QMS. But that's not enough. It also asks
you to address the risks and opportunities that could influence your
organization's process-based QMS or disrupt its operation and to
consider how its context and its interested parties could affect
the results it intends to achieve.
This leaves you with quite a bit of leeway. Essentially, you can provide as
much documentation as you need in order to support your process-based
QMS. While this general requirement allows for quite a bit of flexibility, the
ISO 9001 standard also expects you to establish quite a few very specific
documents and records (most of these are discussed in section 7.5).
We suggest that you use flowcharts to give people a view of the big
picture and develop more detailed procedures to show them how
process activities should be carried out. However, this is only our
recommendation. It's not an ISO 9001 requirement.
PDCA MODEL
PDCA stands for Plan-Do-Check-Act. ISO used the PDCA model
to organize the new ISO 9001 standard in the following way:
Plan (sections 4, 5, 6, 7)
Do (section 8)
Check (section 9)
ISO 9001 also recommends that you use the PDCA model to
establish your organization's processes. It suggests that you: