2. Manufacturer’s Edge Mission:
To strengthen and grow the manufacturing community
in Colorado
• Provide coaching,
consulting, training
and programs to
Colorado
manufacturers
• Public/private
partnership hosting
the Colorado
Manufacturing
Extension Partnership
(a Department of Commerce
program)
3. Colin Gray
• 30 years auditing, training and consulting
with ISO
• MBA Middlesex University
• Professional Lead Auditor IRCA, EG, PECB
• IRCA ISO 9001:2015 Lead Auditor instructor
and training designer
• colin@cavendishscott.com
3
4. Agenda
• Introduction and Speakers
• The need for change
• Annex SL
• New Processes
• Changed Processes
• Impacts
• Why its great!
• Questions
4
5. The Need for Change
• Customer Survey
• Problems with ISO
– Documents that are not used/meaningful
– A system that is defined around the standard
– The absence of management
– Illogical mandatory documents
– Some requirements poorly addressed e.g.
change, communication
– Lack of flexibility
• Poorly audited (lack of requirements?)
5
6. Solutions
• Process based system
• Integration with business systems
• Leadership responsibilities, no Mgmt Rep.
• Limited documentation specified
• Flexibility in demonstration of conformance
• Expanded requirements (for some e.g. change,
objectives, communication….but others e.g. people)
• Flexibility throughout with risk
• Poorly audited – now specific requirements
– No accreditation training reqs (EG 2 hours online)
– No more audit time (MD5)
6
7. Management System Structure - Annex
SL
• Common structure
– 4 QMS
– 5 Leadership
– 6 Planning
– 7 Support processes
– 8 Operations
– 9 Measurement and analysis
– 10 Improvement
• Common terminology/definitions
• ALL management system standards
7
8. Substantive Change
• Leadership Involvement
• Alignment of management system with strategic
direction,
– organizational context, interested parties, strategic direction
reflected in management system planning
• Risk based approach/thinking - opportunities
• Integration with business systems
• Process approach
• Flexibility in demonstration
– Down to the organization to determine how to demonstrate
conformance – no mandated procedures and few mandated
records
8
9. 5.1 Leadership & commitment
• 5.1.1 General
• Top management shall demonstrate leadership and commitment with respect to
the quality management system by:
• a) taking accountability for the effectiveness of the quality management system;
• b)ensuring that the quality policy and quality objectives are established for the quality management system and are
compatible with the context and strategic direction of the organization;
• c) ensuring the integration of the quality management system requirements into
the organization’s business processes;
• d) promoting the use of the process approach and risk-based thinking;
• e) ensuring that the resources needed for the quality management system are available;
• f) communicating the importance of effective quality management and of conforming to the quality management system
requirements;
• g) ensuring that the quality management system achieves its intended results;
• h) engaging, directing and supporting persons to contribute to the effectiveness of the quality management system;
• i) promoting improvement;
• j) supporting other relevant management roles to demonstrate their leadership as
it applies to their areas of responsibility.
9
10. 4.1/2
• 4.1 Context of the Organization
• 4.1 Understanding the organization and its context
• The organization shall determine external and internal issues that are
relevant to its purpose and its strategic direction and that affect its ability
to achieve the intended result(s) of its quality management system.
• The organization shall monitor and review information about these
external and internal issues.
• NOTE 1 Issues can include positive and negative factors or conditions for consideration.
• NOTE 2 Understanding the external context can be facilitated by considering issues arising
from legal, technological, competitive, market, cultural, social and economic environments,
whether international, national, regional or local.
• NOTE 3 Understanding the internal context can be facilitated by considering issues related to
values, culture, knowledge and performance of the organization.
10
11. 4.1/2
• 4.1 Context of the Organization
• 4.2 Interested Persons and their Requirements
• 4.2 Understanding the needs and expectations of interested
parties
• Due to their effect or potential effect on the organization’s ability to
consistently provide products and services that meet customer and
applicable statutory and regulatory requirements, the organization shall
determine:
– the interested parties that are relevant to the quality management system;
– the requirements of these interested parties that are relevant to the quality
management system.
• The organization shall monitor and review information about these
interested parties and their relevant requirements
11
12. 6
• Risk and Opportunities
• 6.1 Actions to address risks and opportunities
• 6.1.1 When planning for the quality management system, the organization shall
consider the issues referred to in 4.1 and the requirements referred to in 4.2 and
determine the risks and opportunities that need to be addressed to:
– give assurance that the quality management system can achieve its intended result(s);
– enhance desirable effects;
– prevent, or reduce, undesired effects;
– achieve improvement.
• 6.1.2 The organization shall plan:
• actions to address these risks and opportunities;
• how to:
– integrate and implement the actions into its quality management system processes (see 4.4);
– evaluate the effectiveness of these actions.
– Actions taken to address risks and opportunities shall be proportionate to the potential impact on the conformity of
products and services.
• NOTE 1 Options to address risks can include avoiding risk, taking risk in order to pursue an opportunity, eliminating the
risk source, changing the likelihood or consequences, sharing the risk, or retaining risk by informed decision.
• NOTE 2 Opportunities can lead to the adoption of new practices, launching new products, opening new markets,
addressing new customers, building partnerships, using new technology and other desirable and viable possibilities to
address the organization’s or its customers’ needs.
12
13. Risk
• Risk and Opportunities
• Strategic Approach
• (and) Applies throughout the organization
• No approach mandated (KISS)
• Changes in environment affect risks and
opportunities
• Are opportunities different from risks
13
15. Significant Changes
• Objectives
• Change Management
• Communication
• Knowledge
• People
• Control of externally provided processes,
products and services
• Integration – to risk, opportunities, context
15
16. Objectives
• 6.2 Quality objectives and planning to achieve them
• 6.2.1 The organization shall establish quality objectives at relevant functions,
levels and processes needed for the quality management system.
• The quality objectives shall:
– be consistent with the quality policy;
– be measurable;
– take into account applicable requirements;
– be relevant to conformity of products and services and to enhancement of customer satisfaction;
– be monitored;
– be communicated;
– be updated as appropriate.
• The organization shall maintain documented information on the quality objectives.
• 6.2.2 When planning how to achieve its quality objectives, the organization shall
determine:
– what will be done;
– what resources will be required;
– who will be responsible;
– when it will be completed;
– how the results will be evaluated.
16
17. Change Management
• 6.3 Planning of changes
• When the organization determines the need for changes to the quality
management system, the changes shall be carried out in a planned manner (see
4.4).
• The organization shall consider:
• the purpose of the changes and their potential consequences;
• the integrity of the quality management system;
• the availability of resources;
• the allocation or reallocation of responsibilities and authorities.
• 8.5.6 Control of changes
• The organization shall review and control changes for production or service
provision, to the extent necessary to ensure continuing conformity with
requirements.
• The organization shall retain documented information describing the results of the
review of changes, the person(s) authorizing the change, and any necessary
actions arising from the review.
17
18. Communication
• 7.4 Communication
• The organization shall determine the
internal and external communications
relevant to the quality management system,
including:
• on what it will communicate;
• when to communicate;
• with whom to communicate;
• how to communicate;
• who communicates.
18
19. Knowledge
• 7.1.6 Organizational knowledge
• The organization shall determine the knowledge necessary for the operation of its
processes and to achieve conformity of products and services.
• This knowledge shall be maintained and be made available to the extent
necessary.
• When addressing changing needs and trends, the organization shall consider its
current knowledge and determine how to acquire or access any necessary
additional knowledge and required updates.
• NOTE 1 Organizational knowledge is knowledge specific to the organization; it is
generally gained by experience. It is information that is used and shared to
achieve the organization’s objectives.
• NOTE 2 Organizational knowledge can be based on:
• internal sources (e.g. intellectual property; knowledge gained from experience;
lessons learned from failures and successful projects; capturing and sharing
undocumented knowledge and experience; the results of improvements in
processes, products and services);
• external sources (e.g. standards; academia; conferences; gathering knowledge
from customers or external providers).
19
20. People
• 7.1 Resources
7.1.1 General
• The organization shall determine and provide the resources
needed for the establishment, implementation, maintenance and
continual improvement of the quality management system.
• The organization shall consider:
• the capabilities of, and constraints on, existing internal resources;
• what needs to be obtained from external providers.
• 7.1.2 People
• The organization shall determine and provide the persons
necessary for the effective implementation of its quality
management system and for the operation and control of its
processes.
20
21. Externally….
• 8.4 Control of externally provided
processes, products and services
• Same…
• Changes to “scope”
• Emphasis on control of externally provided
“processes”
– Corporate
21
22. The Requirement for Documentation
• 4.4.2 To the extent necessary, the organization shall:
– A) maintain documented information to support the operation of its processes;
– B) retain documented information to have confidence that the processes are being carried
out as planned.
• 8.1 Operational planning and control
• E) determining, maintaining and retaining documented information to the extent
necessary:
• to have confidence that the processes have been carried out as planned;
• to demonstrate the conformity of products and services to their requirements.
• 1 Scope
• This International Standard specifies requirements for a quality
management system when an organization:
• needs to demonstrate its ability to consistently provide products and
services that meet customer and applicable statutory and regulatory
requirements, and…
22
23. Key Issues
• Less Prescriptive to demonstrate conformance
– What procedures, records
– What will satisfy an auditor
– What do we need to make sure we are effective
– How will verbal evidence be treated
• How do you demonstrate Leadership and Commitment
– Not all verbal
– Engagement
• Auditing leadership – are internal auditors going to be comfortable challenging the
CEO on his/her strategy?
• Integration with business processes. Quality Manager promoted to top
management? Attending senior meetings?
• Interrelationships within the new structure
• Process Based mandatory
• Don’t focus on “getting ISO” (focus on a great QMS and it will get ISO for you)
• Always do an Document Review so you know you meet the requirements.
• Full Internal Audit – don’t cut corners,.
23
24. Why So Good?
• Accountability of Leadership
• Involvement of Leadership
• Integration with strategic and business
processes (new role for quality)
• More comprehensive and successful QMS
• Annex SL – common, consistent and a lot less
likely to change
• Fix poor processes – Preventive Action, Change,
etc.
• Deliberately Successful
• Auditing – to be seen
24
25. Certification Transition
• It’s a new standard – many additional
requirements – losing 3 very minor requirements –
Its going to take more time
• You have to maintain conformance to 2008 until
you are 2015 certified (in case there are issues)
• Best at recertification
• Deadlines
– Sept 1 2017 No new certifications to 2008
– Sept 1 2018 standard withdrawn
25
ME provides support, training and helps with government grants for Colorado organizations
CG Bio
After its been out a while ISO surveys the users to get their comments as to what works and what doesn’t with the standard.
That is the basis of the next development.
Issues with the last standard are…
In addition certification auditors are considered problematic.
And of course the solutions attempt to address the problems.
(the standard did a good job at addressing all of the problems.
Apart from the poor auditing which is still a valid concern of customers and in fact with the new standard will potentially worse.
ISO is responsible for thousands of standards.
One frequent example is management system standards (27001, 9001, 14001, 45001, 22000)
One complaint against ISO was the subtle difference between the standards, which are not substantive but which cause effort to address.
Also an organization has a single way of operating. A single management system. That system has to/could meet different standards but with meaningful differences in standards it is difficult and costly to maintain.
The solution is to publish a guide for the developers of all ISO standards that are management system standards. This resulted in a document (annex SL) that outlines the structure of an organizational management system. The structure will cope with different objectives (quality, environmental control, information security, safety, etc.) but assures consistency. All management system standards will be developed around this structure and common terminology. Standards developers may change the content of the requirements but they have to justify the change and the change has to be restricted.
Annex SL is the solution. It ensures consistency between different standards, assures common terminology and greater consistency (changes will be rarer)
This has been incorporated into 9001:2015
Interestingly this development solved many of the problems in ISO 9001:2008
During development of ISO 9001:2015, the committees and groups voiced their logic about the development. They talked about how they expected the new standard to be adopted.
Some of these expectations got the backing of specific requirements in the standard. Others got commentary in Annex A and others got less traction.
These are the areas that are the most significant changes. They are all backed by requirements – so you have to follow them.
DEMONSTRATE – leadership and commitment (two pieces of evidence?) and don’t think it is acceptable to address all of these with verbal evidence. Verbal is less reliable than other forms of evidence. Auditors will want more.
Note – a) is similar to g) (but different of course – one says that our system must be successful, the other says that we must be successful by design not by accident)
Accountability is new and may be difficult to implement. Consider having top management deal with unhappy customers.
c. Not a separate system – managements fault if it is.
d. Must lead and commit to the process approach (no more ISO numbered procedures, focus on processes [inputs, outputs, controls, metrics, objectives, etc.] and risk (preventive thinking)
g. Focus on success.
Demonstrate leading and committing to the principle of improving things.
j. Demonstration of support
Note the early introduction of purpose and strategic direction. You have to have them, they are strategic/business panning in nature.
Then context and interested parties are about research and data gathering and if they have to lead to the development of the management system then they are really about the business planning process. These requirements are best addressed as part of the business planning process – it is not likely that they were expected to be implemented as separate procedures (this will be a sign for auditors of non process based systems)
Note that the information in these systems is required to be maintained. Typically a mechanism to update when changes occur (change management) and also (perhaps) an annual review to catch things that slipped through.
A good approach for both of these processes is to break the organization into processes, functions, even physical areas – and brainstorm outputs in small chunks.
Risk and opportunities are part of the strategic business planning process too. Address all of these requirements in one process.
Note that you may find that opportunities are “different” from risks and you may want to do them differently
Note that risk is clearly more than just strategic. Risks (and opportunities) also occur tactically and operationally throughout the organization.
Don’t forget to review and update risks as necessary when changes occur (change management), nonconformances happen and at other times when they will be impacted. Risk is relevant throughout the organization but also that means that when things changes…..risks need to be reviewed.
Opportunities are different from risks – they are not just negative risks.
While opportunities are probably part of the strategic business planning process, they might also be part of continual improvement activities and they may be determined during operational activities.
A single strategic process that addresses the requirements for context, interested parties and risk/opportunities, is business planning. This can be based on SWOT or other similar business planning tools. Ensure the business planning process is documented, covers all requirements and explicitly includes content titled “Quality”.
Summary of the changes These are significant although they may be less substantive.
Note that knowledge and People are both new. Knowledge will be challenging (because its new) but people is a simple statement about providing them.
Objectives, change and communication were in the 2008 standard as simple, one line requirements. They were not well addressed usually. Now they are about half a page of requirements each. Its time to address them seriously
Control of externally…..is still going to be purchasing and supplier control but it is now also applicable to actiivies and services provided by corporate or sister companies or other organizations. They cannot be brushed under the carpet.
Real objectives, real metrics. More and more meaningful measurements.
Clearly a more comprehensive approach is necessary.
A formal process to ensure that quality is maintained, customers remain happy, while changes are happening.
A procedure is necessary (as it is for all processes) it needs to cover these elements of control.
Can you continue to get away with simply including change on the agenda of the management review meeting? Maybe, if its good. But in practice this has been done very badly and auditors need to have serious change management
While not explicit, this is about having a plan for communication. Thinking about it proactively and documenting a plan
Knowledge exists in employees and that is an easy concept. Probably job descriptions are the best place to record knowledge requirements. But other knowledge exists – databases, specifications, technical documentation, etc. That too needs to be identified and controlled.
It is not a bad thing to include knowledge as a resource that must be planned and managed… but it will be challenging in some organizations.
Note that 7.1.2 acknowledges people as a resource. But it does not require much to address.
It is expected that people will continue to call the processes “purchasing” and “supplier control” and the requirements are very similar – possibly a little better. It emphasizes “control” and it also addresses corporate, sister company and other organizations who provide elements of our processes but thus clearly requires more control.
These are the requirements that say – you not only have to be good, you have to prove it. And proving it will be difficult without documentation. And more than that. Common sense says that you wont be successful as an organization if you don’t have documented (defined) processes.
Common sense says we need documents and plans and procedures. ISO says exactly the same thing.
If you have no documents then you are going to lose control and you wont easily demonstrate to an auditor or customer that you are successful.
It is possible to have some processes with no procedures. For instance, you don’t need a procedure for a meeting (management review?) if that meeting has an agenda, minutes, action items, charter, etc. But where there is any complexity you need a procedure. If you have not procedure for risk and no records your only recourse is to “explain” this to the auditor and the audit will be less convinced that there is a process if the only evidence is verbal and appears anecdotal.
If your quality rep is claiming that no procedures are required for a management system then they miss the point. A good QMS has clear definition of the controls for success so that success will be deliberate. Without documents or poor documents and that definition doesn’t exist and you shouldn’t get ISO certified – more importantly if you successful, it is by luck.
Here is a list of potential pitfalls
Attention of management. Properly resourced, clear authority, focus on tangible business success. This is a great standard that will drive quality in a meaningful manner. Management can finally get fully involved in QMS
Ask your Certification Body. Soon.
They would ideally provide a document that explains how they will treat some of the issues mentioned earlier – how will they look at “less or no” documentation, what about verbal evidence? What will/wont they accept to demonstrate “accountability”. They don’t have to do this but its not unreasonable to ask. Actually if they don’t do this they will have huge variation in how their auditors perform.
It’s a great standard with only good to come out of it. Do it now.