What’s New in ISO 9001:2015? Quite a lot, actually. In this excerpt from Denise Robitaille’s new book, The (Almost) Painless ISO 9001:2015 Transition, we look at what’s new in ISO 9001:2015. This three-part series will examine:
- Deleted and diminished requirements
- New requirements
- Changed and enhanced requirements
What’s New in ISO 9001:2015: Deleted and diminished requirements
There are several noteworthy changes that have resulted in either deleted or diminished requirements. There are other smaller changes in language that have resulted in less prescriptive requirements. The significance of those changes will vary from one organization to the next. However, the following four changes merit discussion.
ISO 9001:2015 no longer requires a quality manual. However, it’s important to note that ISO 9001:2015 doesn’t prohibit the use of a quality manual. It’s merely silent on the subject.
Prior revisions of ISO 9001 had clear and prescriptive requirements on what needed to be included in the quality manual. With the removal of the requirement, organizations now have the freedom to revise their quality manual so that it has greater value and is more reflective of the organization’s character and scope. Or, they may choose to forego a quality manual altogether.
Each organization has the opportunity to assess the quality manual’s value. There are multiple factors to consider:
- If an organization has multiple management system standards, it may find that one of the others, such as ISO 13485 still requires a quality manual. Similarly, there are regulatory requirements for a quality manual, such as those found in the Food and Drug Administration’s 21 CFR 820—Quality System Regulation. It’s also possible that customers require the organization to have a quality manual. Any of these scenarios make discussion about deleting the quality manual moot.
- Some quality manuals are terrible. They are either a fill-in-the-blanks document that regurgitates the standard or a generic off-the-shelf template with no relevance to the organization’s structure, scope, market, or culture. They’ve been around for years—legacy documents that individuals have been loath to tamper with due to ISO 9001’s requirements. Now’s your chance to either pitch them or make them into something useful.
- ISO 9001 continues to require organizations to define their scope and the interrelation of processes. If you make the decision to dump the quality manual (which was the traditional repository for this information), where then will the organization document these requirements?
Requirements for a quality manual may have gone away. But the decision to trash what is supposed to be a top-level document should be made with careful deliberation.
ISO 9001:2015 no longer has any specific requirements for documented procedures. As a matter of fact, the word “procedure” only appears in the foreword and the annexes of the standard. It’s conspicuously absent from the requirements.
Like the quality manual, it’s best to simply say that ISO 9001:2015 is silent on the subject. If you have procedures and they work for you, there’s no need to change the manner in which you document your internal requirements.
There is still a need to maintain documents that are deemed necessary by the organization to fulfill its mission. This is all covered under the new concept of “documented information,” which is discussed later in this chapter.
This change grants organizations greater flexibility in determining how processes will be documented and controlled. In Part II of this book, the individual work sheets allow you to note how activities are documented—in a procedure, work instruction, or some other method or medium. Again, more on this later.
The term “preventive action” has been deleted from ISO 9001. It’s been replaced by the concept of “risk-based thinking,” which will be discussed later. This is a great enhancement. Preventive action is a good and necessary idea, and was always intended to encompass the concept of risk. Unfortunately, ISO 9001 has never provided adequate guidance or specificity. Consequently, the output of attempting to fulfill this requirement resulted in confusion, resentment, and needless paperwork. The term and the requirement for a documented procedure are gone.
By contrast, risk-based thinking makes a meaningful addition to an organization’s system.
ISO 9001 no longer has a requirement for an individual from management to be appointed as the management representative. Unlike the quality manual, however, the requirement has been transformed. Clause 5.3 now requires that “…Top management shall assign the responsibility and authority for…” The text that follows includes most of the language formerly found under the 2008 heading of “Management Representative” and actually expands the role. So, the responsibility is diffused and may be assigned but remains within the purview of management.
This is a somewhat different change. ISO 9001:2015 still requires the appropriate maintenance of the infrastructure needed to carry out processes. The requirement has been diminished in that all subsequent text relating to equipment, buildings, vehicles, etc., has been moved into a note. Notes are used for guidance and do not constitute requirements. This is one of the examples of changes that were made to be more generic and reflective of nonmanufacturing organizations. Because the language is no longer prescriptive, it creates the mandate for each organization to figure out which aspects of its infrastructure need to be maintained and controlled.
There is no longer a requirement to cite allowable exclusions. In the past, items such as design could be excluded if the organization produced product based upon the customers’ designs or specifications. Other common examples included calibration of equipment, control of customer property, and purchasing.
ISO 9001:2015 now addresses applicability. It states that the organization must provide justification for not applying any requirements of the standard. The rule is simply that if it can be applied, it must be applied. Therefore, an organization may not exclude from its QMS any requirement that can be applied to the scope of its QMS. You can’t exclude processes because you want to. Any process that affects the organization’s ability to provide conforming product or enhance customer satisfaction is considered applicable.
Unlike in the 2008 version, exclusions (or lack of applicability) may be cited for any clause of the standard. Formerly exclusions were limited to section 7.
As a side note, there’s still the need to provide justification. This was previously documented in the quality manual. If the decision is made to abandon the quality manual, the organization must decide where this justification will reside.
We hope you enjoyed this excerpt. Part 2 will look at new requirements in ISO 9001:2015.