What’s New in ISO 9001:2015? Quite a lot, actually. In part three of this excerpt from Denise Robitaille’s new book, The (Almost) Painless ISO 9001:2015 Transition, we look at ISO 9001:2015’s changed and enhanced requirements. This three-part series will examine:
- Deleted and diminished requirements
- New requirements
- Changed and enhanced requirements
Part II — What’s New in ISO 9001:2015: Changed and Enhanced Requirements
The unique concepts of documents and records have been replaced by the all-encompassing term “documented information.” ISO 9000:2015 defines it as: “…[I]nformation required to be controlled and maintained by an organization and the medium on which it is contained.” The salient word here is “information.”
For many organizations, the information they need is no longer found in binders and paper files. Much of it is electronic or embedded in software programs such as enterprise resource planning (ERP) platforms, computer-aided design packages, manufacturing programs, or e-commerce portals—just to name a few.
Because information, including requirements and specifications, is now regularly found in different and varied media, it makes sense that the language relating to the requirements is much more reflective of that diversity. It’s also reflective of the increase in the multiplicity of users across a broad spectrum of industries and fields.
This shift away from the traditional procedure format is also a welcome concession to the fact that many organizations control their processes very well without the use of verbose documents that are read only by the authors, authorizers, and auditors.
Some processes are so basic that a written instruction is unwarranted and wasteful. Simple common sense should prevail. Consideration also needs to be given to the education level of workers and the ever-increasing reality of a multilingual workforce. And some processes and procedures are better understood in a picture format, regardless of the number of university degrees you have hanging on the wall. Control of a manufacturing process may be achieved by the use of any of the following methods:
- Color coding
- Prompts embedded in software
- Bulleted lists
- Process monitoring
- Verbal reminders/morning meetings
- Training guides
- Many others
There have also been technological advances that have increased availability and affordability of other methods and media. For example, as recently as ten years ago, digital photography was expensive and the files used up enormous space on limited servers. Now, server capacity has increased and digital photos require just a click of the smartphone. This has enhanced the ability to cheaply embed images into electronic documents as work instructions or to use them to provide evidence of conformance.
ERP systems have eliminated the need to print purchase orders. Information is generated electronically—sometimes using automatic fulfillment parameters that preclude the need for a purchaser to even communicate with the supplier. As material is received, the purchase order moves seamlessly from the statement of requirements for purchased product to the record of receipt. The lines of the strict document/record paradigm have been blurred.
This doesn’t mean that you can get rid of all the other documents. But the shift does acknowledge that the methods you use to define and control your processes are unique to your organization—which is as it should be. It would be inappropriate and foolish to attempt to impose one set of uniform rules encompassing every industry and market sector around the globe. The variables that affect definition and control are myriad and include such things as:
- Nature of the product
- Customer base
- Availability of alternate media
- Complexity of processes
- Regulatory and statutory requirements
- Environmental constraints
- Size of the organization
- Internal culture
- Number of processes
- Industry standards
Although some processes are uncomplicated, others at the other end of the spectrum are complex and technically oriented. Documentation for these should be extremely well developed and controlled. But even at this level, the need for a traditional procedure is not absolute. Chemists, software engineers, and toolmakers all have their own methods, protocols, and industry standards that provide guidance and impose the requisite control. Generating procedures that reiterate the same requirements is a pointless exercise.
The simple litmus test for any process should be this: In the absence of a procedure, is there adequate information and control to ensure that the process:
- Is understood by the process owner and/or operator?
- Is uniformly carried out?
- Consistently fulfills the requirements of the task?
- Has negligible risk of nonconformance or unacceptable variance?
- Can be verified?
All of this doesn’t mean that you should dismantle your documentation system or throw away your procedures. You may (and probably will) discover as you go through your transition process that the most efficient way to define and control your processes is with the procedures you currently have. That’s great—one less thing on the to-do list for your ISO 9001 transition project.
Another issue to consider is the increase in the number of documents and records that are accessed from remote locations that are external to the organization. For requirements, there are customers who provide their suppliers with access to a secure portal on their server where specifications, quality requirements, and drawings can be downloaded. Some even have an online corrective module that suppliers fill out as they conduct their root cause analysis and develop their plan. The customers can monitor progress of the corrective actions and offer comments as the process unfolds. Mil Specs and regulatory requirements that formerly consumed shelves in the engineering library can now be accessed and downloaded from the internet.
Records providing evidence can also be accessed from supplier portals. Certificates of analysis, calibration certificates, and test results are routinely retained on organizations’ websites to be accessed and downloaded as needed.
And many companies are now making use of the “cloud” for storage and retrieval of their documented information. In some cases, this facilitates projects being worked on by international teams whose collaboration is largely virtual.
ISO 9001:2015 includes a note in the subclause on documented information. It punctuates the need to differentiate between access and permission or authority. This highlights the need to ensure appropriate control of the tools that we use to manage our documented information.
One final point will facilitate the migration to this new concept: ISO 9001:2015 hasn’t totally abandoned the fundamental intent of differentiating documents from records. A quick tip as you read through ISO 9001:2015: For requirements (formerly document), the standard uses the word “maintain”; for evidence (formerly record), the word that is used is “retain.” You maintain information relating to requirements and retain information that provides evidence of verifications and task completions.
The good news overall is greater flexibility that more closely mirrors the evolving methods we use to maintain, retain, and communicate information.
There are some subtle but significant changes in the requirements for management review. The first is that the standard now specifically says that management review shall be planned. The level of planning is not prescribed. However, it’s valuable to consider the enhanced requirements that have been added to other parts of the standard relating to such things as monitoring internal and external issues, more prescriptive requirements around quality objectives, and the planning and control of changes. In view of these factors, it makes sense to ensure that the review process used to ensure reliable decision making and allocation of resources is well planned.
The list of items to be reviewed has been rearranged and is better organized to allow for clearer perception of interrelations and interdependencies. Processes that had their own unique classification on the list are now grouped under the general heading of trends. There have also been additions. Briefly, the list of trends now includes, among other things: customer satisfaction, feedback from relevant interested parties, process performance, conformity of products and services, nonconformities, corrective actions, audit results, and supplier performance. There’s also a need to review the extent to which quality objectives have been met.
Apart from the list of trends, there are additional requirements relating to changes in internal and external issues, adequacy of resources, and effectiveness of actions to address risk.
The final interesting change is in the relocation of the requirements for management review to the clause on performance evaluation. Formerly, the gathering and analyzing of data was found in section 8, whereas the requirements for management review were found in section 5. The rearrangement of the requirements makes for a much more logical flow and creates the path from deciding what are relevant performance indicators, to the monitoring of process, to the gathering of data and analysis, to the determination of further actions to be taken.
There are multiple other changes of lesser significance. Some clarify existing requirements. Others accommodate nonmanufacturing environments. Still others improve the relevance of the standard and the benefits that can be derived.