ISO standards are reviewed every five years and revised if required. This supports make sure they remain helpful tools for the market. The challenges faced by business and organizations today are very different from a few decades ago and ISO 9001 has been updated to take this new environment into account.
Both old and new standards cover effectively the same topics. However, there are some essential differences. Some of these are discussed below.
A general structure is possible because basic concepts such as management, client, needs, policy, procedure, planning, performance, objective, control, monitoring, measurement, auditing, decision making, corrective action, and nonconformity are general to all management system standards. While this will make it easier for organizations to implement multiple standards because they will all share the same basic needs, it may cause some disturbance in the short run as organizations get used to the new structure.
A common structure is possible because basic concepts such as management, customer, requirements, policy, procedure, planning, performance, objective, control, monitoring, measurement, auditing, decision making, corrective action, and nonconformity are common to all management system standards. While this will make it easier for organizations to implement multiple standards because they will all share the same basic requirements, it may cause some disruption in the short run as organizations get used to the new structure.
Unlike the old standard, the new one expects you to understand your organization's context before you establish its QMS. When ISO 9001 2015 asks you to understand your organization's context it wants you to think the external and inside issues that are relevant to its reason and strategic direction and to think about the influence these issues could have on its QMS and the results it intends to get.
This means that you require understanding your organization's external environment, its culture, its values, its performance, and its interested parties before you develop its QMS. Why? Because your QMS will need to be able to manage all of these influences.
And once you understand all of this, you're expected to use this special insight to help out you defines the scope of your QMS and the challenges it must deal with. While this will certainly help make sure that organizations develop unique quality management systems that address their own needs and requirements, doing all of this could be quite a challenge for some organizations.
The new ISO 9001 2015 standard has also eliminate the long standing distinction between documents and records. Now they are both referred to as “documented information”. Why ISO chose to abandon two common sense concepts and replace them with one that is needlessly awkward and esoteric is not entirely clear.
According to ISO's definition, the term documented information refers to information that must be controlled and maintain. So, at any time ISO 9001 2015 uses the term recognized information it implicitly expects you to control and maintain that information and its supporting medium. However, this isn't the whole story.
An annex to the new standard (A.6) further says that "Where ISO 9001:2008 would have referred to documented procedures ...
this is now expressed as a need to maintain documented information”, and "Where ISO 9001:2008 would have referred to records this is now expressed as a requirement to retain documented information".
So, whenever the new standard refers to documented information and it asks you to maintain this information, it's talking about what used to be referred to as procedures, and whenever it asks you to retain this information, it's talking about what used to be called records. So sometimes it must be maintained and sometimes it must be retained (contrary to what the official definition says).
So, while the definition of the term "documented information" abandons the distinction between documents (or documented processes) and records, through the use of the words "maintain" and "retain" and because of what this means (according to Annex A) the main body of the standard actually restore this distinction.
In other words, while documents and records were kicked out the front door, they were actually permitted back in through the back door.
According to the new standard, “risk-based thoughts has always been implicit in ISO 9001”. According to this perspective, ISO 9001 has always been about anticipating and preventing mistakes, which is what risk-based thinking is all about. That's why we train people, why we plan our work, why we assign roles and responsibilities, why we validate and verify results, why we audit and review behavior, and why we monitor, measure, and control procedures. We do these things because we want to prevent mistakes. We do them because we're trying to manage risk. So, if we think of risk-based thinking in this way, it's always been an inherent part of ISO 9001. Before it was implicit; now it's explicit.
So what kind of thinking is risk-based thinking and how is it applied? What does the new standard expect organizations to do? The new standard expects organizations to recognize and address the risks that could influence their ability to provide compliant products and services and to satisfy clients. It also expects them to identify and address the opportunities that could enhance their ability to provide compliant products and services and to satisfy customers.
The new ISO standard also expects organizations to identify the risks and opportunities that could influence the performance of their quality management systems or disrupt their operation and then it expects them to define actions to address these risks and opportunities. It then further expects them to figure out how they're going to make these actions part of their QMS processes and how they're going to implement, control, evaluate, and review the efficiency of these actions and these procedures.
While risk-based thinking is now an essential part of the new standard, it does not actually expect you to implement a formal risk managing process nor does it be expecting you to document your risk-based approach.
Section 1.2 of ISO 9001 2008 says that organizations may exclude or ignore product recognition requirements (section 7) if they cannot be applied and if doing so doesn't interfere with its ability or responsibility to meet customer and legal requirements. The new standard takes a similar approach but, instead, appear to apply this thinking to all requirements.
Section 4.3 of ISO 9001 2015 says “The organization shall apply all the requirements of this International Standard if they are applicable within the determined scope of its quality management system”. So once you’ve determined the scope of your QMS, ISO 9001 2015 says that every need must be applied within the boundaries defined by your statement of scope if it applies in your case.
However, while the new ISO 9001 2015 standard says that every requirement must be applied, section 4.3 and Annex A5 also says that any requirement may be excluded if it cannot be applied, if you can justify and explain why it can’t be applied, and if excluding it does not undermine your ability or responsibility to ensure that products and services are in compliance.
So, the message is clear: if a requirement can be applied you can't just disregard it. You must apply it. And if you really can’t apply it, you better be able to explain why not.
The definition of the term “object” is new. The introduction of the term “object” to mean anything conceivable or perceivable and its use in a variety of definitions (quality, design and development, innovation, review, traceability) appear to suggest that the new ISO 9001 standard can be applied to any object whatsoever. In theory at least, this greatly expands its scope.
What ISO 9000 2005 used to call a “product” the new standard now calls an “output”. The two definitions are the same. Since the term “output” was not defined in 2005, this shift in terminology suggests that the procedure approach is now even more central to the new standard.
And to further complicate things, the old definition of “product” has now been split into three separate definitions for the terms output, product, and service. “Output” is the general concept since both “products” and “services” are now thought of as “outputs”.
While the earlier changes could be the most important ones, the new standard has also clarified some concepts and modified others. Some of these changes are listed below.
The old standard said that a “service” was a type of “product”. Now, the phrase "products and services" is used throughout the new standard and the term "service" has received its own definition. This should help out make it clear that ISO 9001 2015 applies not only to manufacturers but also to all types of service providers.
What used to be called “customer property” has been customized and greatly expanded to include products, services, and processes belonging to all types of external providers (including clientele). The new standard now expects you to control externally provided products and services if they are included in your products or services or if they are provided directly to clients.
The old definition of “continual improvement” has changed. When ISO 9001 2008 asked you to make continual improvements it was asking you to improve your ability to fulfill needs. Now, ISO 9001 2015 says it means enhancing performance (getting better results). This is an important shift.
According to the new standard, organizations must now recognize, acquire, and share the “knowledge” that personnel need in order to support procedure operations and achieve conformity of products and services.
The old concept of “product realization” is gone. Most of the material in the old product understanding section has been customized and moved to the new ISO 9001 2015 section on Operations.
The term “management representative” has been dropped. The management duties and responsibilities that were earlier assigned to someone called a “management representative” may now be assigned either to one person or to many people.
"Preventive action" has also disappeared. It’s been replaced by "risk-based-thinking", evidently because both approaches try to achieve the same thing. Both try to prevent future problems. Once you introduce risk-based thinking, you no longer need a separate clause on preventive action. It's redundant.
While the old standard asked you to use monitoring and measuring “equipment”, the new standard refers to monitoring and measuring “resources”. This is a more bendy approach to monitoring and measuring because it identify the fact that these activities can often be carried out without the use of equipment.
ISO 9001:2008 | ISO 9001:2015 | |
---|---|---|
The Structure | Compare the old Structure | Preparing for Integrated Standards |
Context | How the QMS relates internal issues to external issues | 9001:2015 requires how an organization defines internal and external influences |
Documented Information | The documents are strictly defined | The new standard loosens the definition to "information" and the quality manual requirements |
Risk Based Emphasis | Risk was implicit in ISO 9001:2015 | ISO 9001:2015 explicity expects risk assessment and avoidance |
Exclusions & Requirements | Excluding a standard requirement was specific to Product Realization | The new standard allows for a more general way to exclude specific requirements |
Objects, Outputs, Products and Services | Process Based Only | The process model is expanded to include anything that affects quality |
Clarifications | From implementing, and auditing within ISO 9001:2008, there were a number of issues that needed clarification |
ISO 9001: 2015 | ISO 9001:2008 | Discussion |
---|---|---|
4 Context of the organization | 1.0 Scope | |
4.1 Understanding the organization and its context | 1.1 General | A new requirement - the organization must determine the external and internal context that affects the organization |
4.2 Understanding the needs and expectations of interested parties | 1.1 General | |
4.3 Determining the scope of the quality management system | 1.2 Application 4.2.2 Quality manual | The Quality Manual is no longer mandatory. The requirement remains for determining and documenting its scope. |
4.4 Quality management system and its processes | 4 Quality management system 4.1 General requirements |
This requirements remains, the new cover risks, opportunities, and assigning authority for processes. |
5 Leadership | 5 Management responsibility | |
5.1 Leadership and commitment | 5.1 Management commitment | |
5.1.1 Leadership and commitment for the quality management system | 5.1 Management commitment | |
5.1.1 Leadership and commitment for the quality management system | 5.1 Management commitment | The new version requires top management to become accountable for the QMS' effectivness. |
5.1.2 Customer focus | 5.2 Customer focus | Virutally the same except the new version includes services (along with products) and also addresses government regulations. |
5.2 Quality policy | 5.3 Quality policy | |
5.3 Organizational roles, responsibilities and authorities | 5.5.1 Responsibility and authority 5.5.2 Management representative |
The new version details the responsibilities, roles and authorities within the QMS. |
6 Planning for the quality management system | 5.4.2 Quality management system planning | |
6.1 Actions to address risks and opportunities | 5.4.2 Quality management system planning 8.5.3 Preventive action | |
6.2 Quality objectives and planning to achieve them | 5.4.1 Quality objectives | |
6.3 Planning of changes | 5.4.2 Quality management system planning | |
7 Support | 6 Resource management | |
7.1 Resources | 6 Resource management | |
7.1.1 General | 6.1 Provision of resources | |
7.1.2 People | 6.1 Provision of resources | |
7.1.3 Infrastructure | 6.3 Infrastructure | |
7.1.4 Environment for the operation of processes | 6.4 Work environment | The 2015 version focuses the provision of resources to monitor and measure. The organization must retain the evidence monitoring and measuring resources. |
7.1.5 Monitoring and measuring resources | 7.6 Control of monitoring and measuring equipment | |
7.1.6 Organizational knowledge | New | The organization must determine the knowledge necessary to run the processes and achieve conformity of products and services |
7.2 Competence | 6.2.1 General 6.2.2 Competence, training and awareness | The old version covered both competence and awareness in the same clause. The new clause separates them. |
7.3 Awareness | 6.2.2 Competence, training and awareness | Separated for clarity and focus. |
7.4 Communication | 5.5.3 Internal communication | Internal and External communication responsibilities must be defined. |
7.5 Documented information | 4.2 Documentation requirements | |
7.5.1 General | 4.2.1 General | |
7.5.2 Creating and updating | 4.2.3 Control of documents 4.2.4 Control of records | Documents and records are now considered in the same category (i.e. documented information) |
7.5.3 Control of documented Information | 4.2.3 Control of documents 4.2.4 Control of records | |
8 Operation | 7 Product realization | |
8.1 Operational planning and control | 7.1 Planning of product realization | |
8.2 Determination of requirements for products and services | 7.2 Customer-related processes | The new version emphasizes documenting the treatment of customer property. |
8.2.1 Customer communication | 7.2.3 Customer communication | |
8.2.2 Determination of requirements related to products and services | 7.2.1 Determination of requirements related to the product | |
8.2.3 Review of requirements related to the products and services | 7.2.2 Review of requirements related to the product | |
8.3 Design and development of products and services | 7.3 Design and development | |
8.3.1 General | New | |
8.3.2 Design and development planning | 7.3.1 Design and development planning | |
8.3.3 Design and development Inputs | 7.3.2 Design and development inputs | |
8.3.4 Design and development controls | 7.3.4 Design and development review 7.3.5 Design and development verification 7.3.6 Design and development validation |
The new clause aggregates of the three 2008 clauses, and emphasizes the nature, duration of design and development processes. |
8.3.5 Design and development outputs | 7.3.3 Design and development outputs | |
8.3.6 Design and development changes | 7.3.7 Control of design and development changes | |
8.4 Control of externally provided products and services | 7.4.1 Purchasing process | |
8.4.1 General | 7.4.1 Purchasing process | |
8.4.2 Type and extent of control of external provision | 7.4.1 Purchasing process 7.4.3 Verification of purchased product | |
8.4.3 Information for external providers | 7.4.2 Purchasing information | The 2015 version emphasizes monitoring and control of external providers. |
8.5 Production and service | 7.5 Production and service provision | |
8.5.1 Control of production and service provision | 7.5.1 Control of production and service provision | |
8.5.2 Identification and traceability | 7.5.3 Identification and traceability | |
8.5.3 Property belonging to customers or external providers | 7.5.4 Customer property | Describes extending requiments for property belonging to external providers (as well as customers). |
8.5.4 Preservation | 7.5.5 Preservation of product | |
8.5.5 Post-delivery activities | 7.5.1 Control of production and service provision | The new standard separates to a new clause. |
8.5.6 Control of changes | 7.3.7 Control of design and development changes | A new separate clause is used to highlight the importance of change control. |
8.6 Release of products and services | 8.2.4 Monitoring and measurement of processes 7.4.3 Verification of purchased product | |
8.7 Control of nonconforming process outputs, products and services | 8.3 Control of nonconforming product | |
9 Performance evaluation | New | |
9.1 Monitoring, measurement, analysis and evaluation | 8 Measurement, analysis and improvement | |
9.1.1 General | 8.1 General | |
9.1.2 Customer satisfaction | 8.2.1 Customer satisfaction | |
9.1.3 Analysis and evaluation | 8.4 Analysis of data | |
9.2 Internal audit | 8.2.2 Internal audit | The new standard does not require a documented procedure |
9.3 Management review | 5.6 Management review | |
10 Improvement | 8.5 Improvement | |
10.1 General | 8.5.1 Continual improvement | |
10.2 Nonconformity and corrective action | 8.3 Control of nonconforming product 8.5.2 Corrective action | |
10.3 Continual Improvement | 8.5.1 Continual improvement | The 2015 standard emphasizes the use of all available information for continually improving the Quality Management System |
The new version of the standard brings the user a number of benefits:
Section Number | Current Standard Sections | Proposed Standard Sections |
---|---|---|
Section 1: | Scope | Scope |
Section 2: | Normative Reference | Normative References |
Section 3: | Terms and Definitions | Terms and Definitions |
Section 4: | General Requirements | Context of the Organization |
Section 5: | Management Responsibility | Leadership |
Section 6: | Resource Management | Planning |
Section 7: | Product Realization | Support |
Section 8: | Measurement, Analysis and Improvement | Operation |
Section 9: | Performance Evaluation | |
Section 10: | Improvement |