ISO 9001:2015 QUALITY MANAGEMENT SYSTEMS – REQUIREMENTS
Guidance Document

Introduction

This DNV GL guidance document aims to give a basic overview of the changes to ISO 9001, resulting from the review and revision of the 2008 standard. It is not intended to give an exhaustive and in-depth explanation of all requirements in the new standard.

ISO standards are reviewed and revised on a regular cycle, typically every 5-10 years, and 2015 sees ISO 9001:2008 reaching the end of that review process. A draft international standard (DIS) was published, and after extensive review the final draft international standard (FDIS) was published in July. The ISO 9001:2015 standard was published in September 2015.

The International Standards Organization (ISO) has developed a common Higher Level Structure (HLS) for management system standards, issued under an ISO ctives.html

That directive has a series of annexes, of which we are interested in “Annex SL – Proposals for management systems standards”. This annex states that all management system standards will use a consistent structure, common text and terminology, and this is enacted through “Appendix 2 – High level structure, identical core text, common terms and core definitions”.

Some revised and new standards have already implemented this requirement – for example ISO 27001:2013 Information Security Management Systems (revised) and ISO 55001:2014 Asset Management Standard (new).

ISO 9001 has been revised in accordance with the new HLS and, as is the case with other HLS-based standards, it also contains additional discipline-specific content.

A whole range of country-level committees feed into the overall ISO committees which meet to decide on the revisions. The committee for ISO 9001 is TC 176. If you are a member of IRCA, or a trade federation, you can get access to the latest version of the draft Standard(s) and even comment on the content.

After the new standards are published, there will be a transition period for fully complying with them. This period will be 3 years, but it is strongly recommended that you start thinking now about how it will impact you, and review what changes might be needed.

How we can help

We are here to support you during the transition, through;

- direct contact, e.g. with your lead auditor as part of scheduled audits
- open webinars and transition training
- classroom transition training courses – tailored to your needs
- gap analysis, either as a separate activity or combined with scheduled audit activity
- combination of training and gap analysis
- “Questions on the ISO 9001:2015 and ISO 14001:2015 revisions” – LinkedIn discussion group

DNV GL AS, NO-1322 Høvik, Norway, Tel: 47 67 57 99 00, www.dnvgl.com
Version 24.09.15

Layout of ISO 9001:2015

1 Scope
2 Normative References
3 Terms and definitions
4 Context of the organization
4.1 Understanding the organization and its context
4.2 Understanding the needs and expectations of interested parties
4.3 Determining the scope of the quality management system
4.4 Quality management system and its processes
5 Leadership
5.1 Leadership and commitment
5.2 Policy
5.3 Organizational roles, responsibilities and authorities
6 Planning
6.1 Actions to address risks and opportunities
6.2 Quality objectives and planning to achieve them
6.3 Planning of
wareness
Communication
Documented information
8 Operation
8.1 Operational planning and control
8.2 Requirements for products and services
8.3 Design and development of products and services
8.4 Control of externally provided processes, products and services
8.5 Production and service provision
8.6 Release of products and services
8.7 Control of nonconforming outputs
9 Performance evaluation
9.1 Monitoring, measurement, analysis and evaluation
9.2 Internal audit
9.3 Management
y and corrective action
Continual improvement

1. Scope

This section explains the scope of the standard – i.e. what it is for and what it encompasses. It introduces the requirements of a quality management system which supports the delivery of a product or service, through the application of effective and continually improving systems, assuring conformity to customer and applicable legal requirements, whilst enhancing customer satisfaction.

The section on “Application” in ISO 9001:2008 has been dropped, along with reference to “exclusions” (see ISO 9001:2015 clause 4.3).

2. Normative references

ISO 9000:2015, Quality management systems — Fundamentals and vocabulary is normatively referenced within ISO 9001:2015.

3. Terms and definitions

This clause simply references back to ISO 9000:2015 (see clause 2).

4. Context of the organization

This clause sets out the requirements for an organization to take a high level overview of the business, considering the key internal and external factors which impact it, and how it should respond in the form of a defined management system.

4.1 Understanding the organization and its context

This clause requires the organization to consider a wide range of potential factors which can impact on the management system, in terms of its structure, scope, implementation and operation.

Impacting factors can be of internal or external nature, and are wide-ranging;

- Internal factors may be related to values, culture, knowledge and performance of the organization.
- External factors can arise from legal, technological, competitive, market, cultural, social and economic environments, whether international, national, regional or local.

4.2 Understanding the needs and expectations of interested parties

Clause 4.2 requires the organization to determine the need and expectations of “interested parties”, both internal and external. Previous versions of the draft standard also contained the term “stakeholder”, which many organizations will be more familiar with – the terms are synonymous and there is no need to consider them to be any different.

Interested parties could overnmental Organizations (NGOs) Parent organizations

What is clear is that whilst the consideration of context and interested parties needs to be relevant to the scope and the standard, the assessment needs to be appropriate and proportionate.

What is also clear is that the output from clauses 4.1 and 4.2 is a key input to the assessment and determination of risks and opportunities required in clause 6.

In terms of demonstrating compliance, ISO 9001 makes it clear that;

- “The organization shall monitor and review the information about these external and internal issues” (clause 4.1).
- “The organization shall monitor and review the information about these interested parties and their relevant requirements” (clause 4.2).

The above implies that there will need to be some form of retained documented information of this to evidence how internal and external factors and the views of interested parties have been considered. There are various methods and approaches which can be used to capture these inputs.

As with any significant revision to standards, hopefully there will be the development of a range of methods and examples for this. Some current examples include;

Internal and External Issues

- Key economic and market development which can impact on the organization; your organization is probably acutely aware of what is happening in its markets but it may be undertaken in a very ad-hoc way
- Technological innovations and developments; this is also an area critical to your business success and is also probably being monitored and discussed at numerous levels
- Regulatory developments; a whole range of external regulations are being monitored by your organization. If you miss them then it could seriously damage your business, or if you capture early intelligence on them you could realize better opportunities
- Political and other instabilities; if for example you rely on raw materials from one particular country which experiences major instability your whole business could be jeopardized; or if there are major ethical concerns regarding a source of materials or goods
- Organizational culture and attitudes; an effective and motivated workforce will give you positive impacts, and many organizations canvass feedback from employees

Internal and External Parties

- Stakeholder engagement exercises; already widely used to consult with interested parties and map out concerns and issues. More often utilized by larger organizations engaging with corporate social responsibility initiatives
- Consultation meetings with neighbourhoods and NGOs on environment, planning and development issues; these are often used by major industrial plants with significant HSE risks
- Meetings and other interactions with regulators; this can encompass for example quality-critical issues on product specifications and conformity as well as developing compliance requirements and standards
- Employee meetings, consultations and feedback activities; this should be happening already, but maybe this will prompt more efforts to improve an area which has been at risk of “lip service” to ISO 9001:2008
- Supplier reviews and relationship management; many organizations are trying to get much more mutual benefit from the supplier-client relationships which are critical to mutual success
- Client/customer reviews and relationship management; of course this is a fundamental pillar of all standards and a key to success

It may be that when you reflect on how you capture key issues, and how many interested parties you engage with already, you may be pleasantly surprised. It may be that you only engage with a limited number of internal and external parties, but now is the time to start thinking about whether that is enough, and whether you are missing some good opportunities.

There will be many ways in which to capture this – and hopefully some improved and new approaches might emerge as this part of the standard is considered. Approaches could include;

- Summary information from the range of existing approaches used as listed above (e.g. a brief report)
- Information summarized as part of inputs to risk and opportunity registers
- Recorded in a simple spreadsheet
- Logged and maintained in a database
- Captured and recorded through key meetings

These clauses are asking organizations to think clearly and logically about what can internally and externally affect their management systems, and be in a position to show that this information is being monitored and reviewed. It also requires organizations to elevate the discussions to the highest levels, since capturing the above range of information is hard to achieve without senior management involvement.

4.3 Determining the scope of the quality management system

This clause should be familiar to most organizations, since ISO 9001:2008 clause 4.2.2 required the definition of the scope of the management system. For ISO 9001:2015 the scoping requirements have become more stringent and require the organization to consider the inputs from 4.1 and 4.2, along with the products and services being delivered.

For the defined scope of the quality management system, the organisation should apply all requirements of the standard if they are applicable. When any requirement is not applicable there needs to be a clear justification. The defined scope has to be made available and maintained as documented information. The standard states, ‘Conformity to this International Standard may only be claimed if the requirements determined as not being applicable do not affect the organization’s ability or responsibility to ensure the conformity of its products and services and the enhancement of customer satisfaction’.

These clearer requirements on scoping will drive clarity in the thinking of organizations in scoping the management system. Certification bodies will, as before, look at how an organization has defined its scope, ensuring that this is both appropriate and is reflected accurately by the management system and also in the scope of any certificate issued.

4.4 Quality management system and its processes

This clause basically states that the organization needs to establish, implement, maintain and continually improve a management system in order to deliver the required products, services and performance required under the scope. This should also be familiar to organizations which implement management systems in order to deliver compliance and improvement.

Where this clause is more focused is in requiring organizations to understand more about the range of processes relevant to the scope of the management system. The term process is defined as; “a set of interrelated or interacting activities which transforms inputs into outputs”.

For those who are committed to a management system which is at the core of their business, this will probably already be an integral part of that system, although you might need to review how effectively you connect those processes and understand the influence and impact of those processes on each other and on the business.

This should also elevate the system in terms of its importance and value to the business, because it should drive more meaningful analysis of the key business processes and critical aspects of those processes. In practical terms it will require an organization to more fully analyse its processes and ensure that there is good understanding of how they interact with each other – and not operate as isolated procedures without overlap.

Clause 4 introduces some significant innovations to the management system world, and could represent a challenge to some organizations who have not viewed the management system as pivotal to the business, focussed as it is on raising management systems to a higher level and to be more central to the way an organization functions.

5. Leadership

This clause includes a good proportion of content which will be familiar from ISO 9001:2008 but also introduces some significant changes on overall leadership and commitment and the expectations for top management to engage more fully with the critical aspects of the quality management system.

5.1 Leadership and commitment

This clause encompasses a range of key activities which top management need in order to “demonstrate leadership and commitment with respect to the management system”. Therein lies one of the innovations delivered by the common HLS – top management must show leadership of the management system rather than just demonstrate commitment to it. The standard is driving the oversight of the management system to the highest level of management and making it a key component of the organization and its core business processes and activities.

It doesn’t mean that senior management have to be able to regurgitate the policy or recite the objectives and targets – what it means is that an internal or external interested party should feel entitled to have a discussion with leadership about core and critical aspects of the business, because these are at the heart of the management system.

A further aim of this requirement is to fully determine market/customer needs and expectations. This information then acts as an input into determining strategy, which in turn provides direction and facilitates development of a management system capable of satisfying the targeted market or customer. This is an ongoing process, which can be achieved by many different means. Whilst not specified in the standard, documented information could include market surveys, customer meeting minutes, questionnaires and other areas of research.

5.2 Policy

The Quality Policy is an important document because it acts as the driver for the organization. It provides the direction and formally establishes goals and commitment. Top management should ensure the policy is appropriate and compatible with strategic direction. The policy needs to be communicated to all employees and they need to understand the part they have in its deployment.

ISO 9001:2015 adds requirements for the policy to be documented and, as appropriate, be available to interested parties.

5.3 Organizational roles, responsibilities and authorities

For a system to function effectively, those involved need to be fully aware of what their role is. Top management must ensure that key responsibilities and authorities are clearly defined and that everybody involved understands their role. Defining roles is a function of planning; ensuring awareness can then be achieved through communication and training. It is common for organizations to use job descriptions or procedures to define responsibilities and authorities.

In ISO 9001:2015, top management are more directly identified as being responsible for ensuring that these aspects of the system are properly assigned, communicated and understood.

The specific role of a Management Representative has been removed – the standard still contains all of the key activities and responsibilities of that previously identified role, but these now lie more directly within the core structure of the organization, including top management.

Clause 5 contains much familiar content, but with greater emphasis on leadership and commitment and the expectation that top management will be more actively engaged with the management system.

Customer focus has remained very similar in context to ISO 9001:2008, but has been extended to include determination of risk and opportunities that affect conformity of products and services.

6. Planning

This clause is an excellent addition to ISO 9001:2015, introducing the concept of risk (and opportunity) via the HLS. DNV GL has been in the “risk” business for a very long time. As well as working with our customers to help manage risk, we have been delivering Risk Based Certification since 2004. This innovative approach is based on an audit being built around relevant areas of risk to the organization, auditing in depth to assess whether the organization is managing that risk effectively.

6.1 Actions to address risks and opportunities

In basic terms, this clause requires the organization to;

- Understand the range of risks and opportunities relevant to the scope of the organization and determine actions, objectives and plans to address them
- In understanding those risks and opportunities, use the inputs that the organization has identified in understanding its context as required in clause 4.1, and the views and inputs from interested parties in clause 4.2

The strength of this clause lies in both introducing the principles of risk and opportunity to management systems standards via the HLS, and by connecting it very clearly to the processes defined under clause 4 (the clause for determining the context of the organization and also considering the views and inputs from interested parties).

A well-established approach already implemented by many organizations is the use of risk registers, which if properly managed and implemented can effectively manage risks and opportunities across a wide range of areas and issues. There will also be other approaches which result from the various relevant clauses of 9001 (e.g. the results from clause 4.1 and 4.2) along with management of change, with an overall analysis and review resulting in objectives, targets and plans. The depth and complexity of approach will depend significantly on the size and complexity of the organization, as well as other factors which could include the level of external regulation, existing requirements for public reporting, shareholder interests, public profile, numbers and types of customers, range and types of suppliers. Hence there will be a range of approaches which will be appropriate for the wide spectrum of organizations.

It is worth reviewing the introductory clause 0.3.3 and Annex A.4 of the standard, which discusses the overall concept of “risk-based thinking”, which covers the need for an organization to consider all aspects of risk, and the fact that the revisions to 9001 bring the concept of risk to the fore as a generic and fundamental term.

6.2 Quality objectives and planning to achieve them

As part of the planning process, top management needs to set quality objectives which will help to turn the Quality Policy into reality. Objectives should be consistent with the Quality Policy and be capable of being measured. This clause requires the organization to establish quality objectives and plans, ensuring that these are clear, measurable, monitored, communicated, updated and resourced.

There are many different types of objectives that could be considered; market position and/or growth, process effectiveness and/or efficiency, improved awareness levels, maintenance of present position, reduction in quality costs, improvements in product conformity/reduction in defect rates, improved customer satisfaction etc. The objectives need to be deployed throughout relevant parts of the organization and must be meaningful to those who are assigned responsibility for achieving them and those whose activities contribute to their achievement.

Documented information needs to be kept in relation to objectives and there will need to be evidence regarding monitoring of achievement.

6.3 Planning of changes

This clause sets requirements to ensure that needed changes to the management system are carried out in a planned manner. This includes considering potential consequences of change, availability of resources and defining roles and responsibilities. Changes to the management system can be needed in case of acquisition of companies, introduction of new products and services etc.

7. Support

An effective quality management system cannot be maintained or improved without adequate resources. As a function of planning, such resources should be determined and provided. This includes contract or project specific resources. This clause gathers together in one place all the areas relating to the “people, place and procedural” aspects of the management systems. The basic HLS clauses cover the following;

- 7.1 Resources
- 7.2 Competence
- 7.3 Awareness
- 7.4 Communication
- 7.5 Documented Information

7.1 Resources

The main intention behind this general requirement is that the people working within the quality management system are competent to fulfil their duties, supported by equipment and infrastructure that is fit for purpose. There must be adequate provision of infrastructure such as buildings, equipment, IT systems, transport, etc. Determining what is needed and what maintenance programme should be developed to ensure its continuing capability is part of planning.

The work environment of an organization has many human and physical factors that can influence quality, effectiveness and efficiency. These factors need to be identified and managed and can include; protective equipment, ergonomics, heat, noise, light, hygiene, humidity, vibration, temperature etc. The relevant factors are obviously different for each product or service. An example of a work environment issue could be control of humidity in a paint shop. There are no specific documentary requirements required by ISO 9001:2015, but work environment criteria are often found in procedures, contracts, specifications and codes of practice. Evidence of compliance should be available via retained documented information.

The organization must determine what monitoring and measuring has to be undertaken and provide evidence that it was undertaken using correct and reliable equipment. Regular calibration and maintenance (and retained documented information) is one way to provide confidence that results are reliable.

Critical measuring equipment must be available and in a known state of accuracy to provide assurance and evidence that products meet their relevant requirements. This also includes software.

For ISO 9001:2015, these familiar requirements relating to the provision of resources for the management system and the effective delivery of the scope of services are refreshed to reflect the fact that these assets can now be broader and can cover not just equipment and hardware.

There is also a very interesting additional requirement termed “organizational knowledge”, which relates to ensuring that the organization understands internal and external knowledge needs and can demonstrate how this is managed. This could also include knowledge management of resources, and ensuring that there is effective succession planning for personnel, and processes for capturing individual and group knowledge.

7.2 Competence

In order to determine competence, competence criteria need to be established for each function affecting quality. This can then be used to assess existing competence and determine future needs. Where criteria are not met, some action is required to fill the gap. Training or reassignment may even be necessary. Retained documented information is required to be able to demonstrate competence. Recruitment and induction programmes, training plans, skills tests and staff appraisals often provide evidence of competence and their assessment. Competency requirements are often included in recruitment notices and job descriptions.

7.3 Awareness

Personnel need to be made aware of the relevance of their activities and how they contribute to achievement of the quality objectives and the effectiveness of the management system and resulting organizational performance. Induction programmes and staff reviews are often used for this purpose.

7.4 Communication

ISO 9001:2015 brings (through the HLS) a clear emphasis on the importance of both internal and external communications (i.e. greater emphasis on external communication than the 2008 standard).

The clause emphasizes the need to plan and implement a process for communications along the familiar ‘who, what, when, how’ principles.

Effective communication is essential for a management system. Top management need to ensure that mechanisms are in place to facilitate this. It should be recognised that communication is two-way and will not only need to cover what is required, but also what was achieved. In other words, what was planned and what was achieved? Changes in the quality management system should be communicated appropriately to interested parties (albeit in practice this is mainly internal parties) and should identify appropriate levels of re-training. Mechanisms for communication could include; meetings, notice boards, in-house publications, awareness raising seminars, toolbox talks, intranet, email, etc.

7.5 Documented information

Most of the ISO 9001:2015 text is familiar, being similar to the requirements of ISO 9001:2008, but there is some logical broadening to encompass electronic and web-based environments. It is worth emphasising here that the standard no longer mandates the need for documented procedures – it is up to the organization to decide what is needed. However, it does specify on a number of occasions the need to maintain or retain documented information, in order to give structure, clarity and evidence of the system being maintained and effective. The term “documented information” now replaces the previously used terms “documented procedure” and “records”.

Documented information can be in any format as long as it provides appropriate evidence to demonstrate compliance, and such documented information does not mean there has to be a procedure for everything – in fact, it can be in any format decided by the organization.

With ISO 9001:2015, there is more additional text and a number of sub-sub-clauses, but these are mainly driven by the need to ensure that content from the existing ISO 9001:2008 is carried over into the appropriate and suitable clause of ISO 9001:2015.

In most areas this clause does not require any significant changes, but there are some of the additional requirements which will require some new thinking, particularly around organizational knowledge. The changes introduced with the HLS in terms of not specifically requiring documented procedures is in reality not a significant issue – organizations still need to look at where documented information (e.g. processes, procedures, data, records) is critical for the management systems and its effective operation.

8. Operation

This clause basically represents the production and operational control parts of the standard – the ‘engine house’ of production. There are a significant number of clauses added to the basic HLS.

8.1 Operational planning and control

This clause makes very clear statements about the importance of linking to the critical elements of clause 4.4 where the critical processes and their interactions are determined, and to actions determined in ch. 6. There are also some additional requirements on control of changes, which are made more explicit now, and also on control over outsourced processes (previously covered under the purchasing clause of ISO 9001:2008).

8.2 Requirements for products and services

There must be a process to ensure that the needs and expectations of customers (and their requirements) are determined. This should include the determination of the intended product use and any statutory requirements that apply to the product in its intended market. Only once all requirements are identified can they be reviewed.

Once determined, requirements need to be reviewed by the organization prior to any commitment to supply to ensure that they are understood, that any anomalies are resolved and that the organization has the ability to meet the requirements. There are numerous incidents of offers being made and orders a
