UNDERSTANDING QMS ISO 9001:2015

Eng. Akram Malkawi

Abstract

ISO 9001 is the international standard that specifies requirements for a quality management system (QMS). Organizations use the standard to demonstrate the ability to consistently provide products and services that meet customer and regulatory requirements. This document helps you to understand the new standard and ease the transition.

A. Understanding ISO 9001:2015

ISO 9001 is the international standard that specifies requirements for a quality management system (QMS). Organizations use the standard to demonstrate the ability to consistently provide products and services that meet customer and regulatory requirements. It is the most popular standard in the ISO 9000 series and the only standard in the series to which organizations can certify. Successful businesses understand the value of an effective Quality Management System that ensures the organization is focused on meeting customer requirements and that customers are satisfied with the products and services that they receive. ISO 9001 is the world’s most recognized management system standard and is used by over a million organizations across the world. The new version has been written to maintain its relevance in today’s marketplace and to continue to offer organizations improved performance and business benefits.

ISO 9001 was first published in 1987 by the International Organization for Standardization (ISO), an international agency composed of the national standards bodies of more than 160 countries. The current version of ISO 9001 was released in September 2015. ISO 9001:2015 applies to any organization, regardless of size or industry. More than one million organizations from more than 160 countries have applied the ISO 9001 standard requirements to their quality management systems. Organizations of all types and sizes find that using the ISO 9001 standard helps them organize processes, improve the efficiency of processes and continually improve.

With the 2015 version of ISO 9001 you can have an integrated approach with other management system standards, bring quality and continual improvement into the heart of the organization, increase involvement of the leadership team, and introduce risk and opportunity management. It’s much less prescriptive than the 2008 version and can be used as a more agile business improvement tool. This means that you can make it relevant to the requirements of your own organization to gain sustainable business improvements. One of the major changes to ISO 9001 is that it brings quality management and continual improvement into the heart of an organization. This means that the new standard is an opportunity for organizations to align their strategic direction with their quality management system. The starting point of the new version of ISO 9001 is to identify internal and external parties who support the QMS. This means that it can be used to help enhance and monitor the performance of an organization.

The new standard will help you become a more consistent competitor in the marketplace. It will provide better quality management that helps you to meet present and identify future customer needs. It increases efficiency that will save you time, money and resources. It improves operational performance that will cut errors and improve profits. It will motivate, engage and involve staff with more efficient internal processes. It will help you win more high value customers, and achieve improved customer retention with better customer service. It will broaden business opportunities by demonstrating compliance

All ISO management system standards are subject to a regular review under the rules by which they are written. Following a substantial user survey, the committee decided that a review was appropriate and created the following objectives to maintain its relevance in today’s marketplace:

- Integrate with other management systems
- Provide an integrated approach to organizational management
- Provide a consistent foundation for the next 10 years
- Reflect the increasingly complex environments in which organizations operate
- Ensure the new standard reflects the needs of all potential user groups
- Enhance an organization’s ability to satisfy its customers

1. Structure and terminology

The most significant change we will see in ISO 9001:2015 is the new structure. ISO 9001:2015 is based on Annex SL – the new high level structure. This is a common framework for all ISO management systems. This helps to keep consistency, align different management system standards, offer matching sub-clauses against the top level structure and apply common language across all standards. It will be easier for organizations to incorporate their QMS into core business processes and get more involvement from senior management. The Plan-Do-Check-Act (PDCA) cycle can be applied to all processes and to the quality management system as a whole. The reason for the change is to adopt the common approach outlined in Annex SL, the new document that all ISO management system standards, including ISO 9001, ISO 14001 and the recently released ISO 27001, must follow.

Currently, ISO 9001 contains 8 sections, of which four attempt to approximate “Plan, Do, Check, and Act.” The new structure, based on Annex SL, has 10 sections, four of which also approximate to “plan, do, check, and act.” All new management system standards will have this common structure.

New structure:

1. Scope

This section describes the scope of the management system standard and will be unique to the individual standard. Clause 1 details the scope of the standard and there has been very little change to this clause from ISO 9001:2008.

2. Normative References

This section references other relevant standards, which are indispensable for the application of the document and will also be unique. ISO 9000, Quality Management System – Fundamentals and vocabulary, is referenced and provides valuable guidance.

3. Terms and Definitions

Section three contains definitions, and while some of these are common terms related to Annex SL, other definitions will be unique to the management system standard. All the terms and definitions are contained in ISO 9000:2015 – Quality Management – Fundamentals and vocabulary.

4. Context of the Organization

This part is about understanding the organization’s purpose, the management system and who the stakeholders are. It describes how to set up the management system and is similar in some respects to the old section 4 except that it explicitly requires a broader understanding of the situation and needs of the business. This is a new clause that establishes the context of the QMS and how the business strategy supports this. The ‘context of the organization’ is the clause that underpins the rest of the new standard. It gives an organization the opportunity to identify and understand the factors and parties in their environment that support the quality management system.

Firstly, the organization will need to determine external and internal issues that are relevant to its purpose, i.e. what are the relevant issues, both inside and out, that have an impact on what the organization does, or that would affect its ability to achieve the intended outcome(s) of its management system. It should be noted that the term “issue” covers not only problems which would have been the subject of preventive action in previous standards, but also important topics for the management system to address, such as any market assurance and governance goals that the organization might set.

Secondly, an organization will also need to identify the “interested parties” that are relevant to its QMS. These groups could include shareholders, employees, customers, suppliers, and even pressure groups and regulatory bodies. Each organization will identify its own unique set of “interested parties” and over time these may change in line with the strategic direction of the organization.

Next, the scope of the QMS must be determined. This could include the whole of the organization or specific identified functions. Any outsourced functions or processes will also need to be considered in the organization’s scope if they are relevant to the QMS.

The final requirement of Clause 4 is to establish, implement, maintain and continually improve the QMS in accordance with the requirements of the standard. This requires the adoption of a process approach and although every organization will be different, documented information such as process diagrams or written procedures could be used to support this.

4.1 Understanding the organization and its context.

A new requirement; one of several that might suggest a greater union between the QMS and wider business planning activities. Requires organizations to ascertain, monitor and review both internal and external issues that are relevant to its purpose and strategic direction, and have the ability to impact the QMS and its intended results.

4.2 Understanding the needs and expectations of interested parties.

A broadening of scope beyond just customers. Requires the organization to determine “the relevant requirements” of “relevant interested parties” e.g. a person or organization that can affect, be affected by, or perceive themselves to be affected by a decision or activity.

4.3 Determining the scope of the QMS.

The scope statement must state the products and services covered.

4.4 The QMS and its processes.

A major change that specifies a number of factors to be considered when planning the processes that make up the QMS. Although a process-planning approach has been previously expressed in earlier standards, this greatly reinforces the requirement.

5. Leadership

This section provides requirements for commitment, policy and responsibilities. This section is similar to the old section 5 on Management but the emphasis is perhaps more on leadership than just management. This clause places requirements on “top management”, which is the person or group of people who directs and controls the organization at the highest level. The QMS is no longer the responsibility of one individual, and there is no longer a requirement to have a “Management Representative” who is responsible for the QMS. There is an increased emphasis on people “owning” the QMS rather than one individual. The purpose of these requirements is to demonstrate leadership and commitment by leading from the top. Top management now have greater involvement in the management system and must ensure that the requirements of it are integrated into the organization’s processes and that the policy and objectives are compatible with the strategic direction of the organization.

The quality policy should be a living document, at the heart of the organization. To ensure this, top management are accountable and have a responsibility to ensure the QMS is made available, communicated, maintained and understood by all parties. There is also a greater focus on top management to enhance customer satisfaction by identifying and addressing risks and opportunities that could affect this. Top management need to demonstrate consistent customer focus by showing how they meet customer requirements, regulatory and statutory requirements, and also how the organization maintains enhanced customer satisfaction. In the same context, they need to have a grasp of the organization’s internal strengths and weaknesses and how these could have an impact on its ability to deliver products or services. This will strengthen the concept of business process management. In addition, top management need to demonstrate an understanding of the key risks associated with each process and the approach taken to manage, reduce or transfer the risk. Finally, the clause places requirements on top management to assign QMS relevant responsibilities and authorities, but top management must remain accountable for the effectiveness of the QMS.

5.1 Leadership and commitment.

Greater emphasis is placed on the role of top management. Requires top management to “demonstrate leadership and commitment”, and suggests that a more hands-on approach is expected.

5.2 Policy.

Policy requirements are enhanced. A requirement is introduced that the quality policy is appropriate to the context of the organization, and that it is applied throughout the organization.

5.3 Organizational roles, responsibilities and authorities.

The requirement for a Management representative is no longer specified. The duties previously assigned to that role may now be assigned to any role or split across several roles.

6. Planning

Planning is now a section on its own. Planning was always covered by the current standard in sections 4.1, 6.1, 7.1 and 8.1 but the new structure includes risk (which is now a clear requirement) and opportunities, the setting of goals and objectives to achieve plans, and resources. Interestingly, risk was introduced in AS9100 (the aerospace version of ISO 9001) in a similarly limited manner. In the latest version of AS9100, however, risk was expanded, and it defines a number of specific requirements/activities for a risk process. It will be interesting to see whether ISO will leave the requirement for risk as a general requirement as defined in Annex SL or whether it will take AS’s lead and expand it. This planning section also requires a greater application of goals and objectives to integrate with the management system’s planning and operation to generally facilitate success of the organization.

Planning has always been a familiar element of ISO 9001, but now there is an increased focus on ensuring that it is considered with Clause 4.1 ‘context of the organization’ and Clause 4.2 ‘interested parties’. The first part of this clause concerns risk assessment whilst the second part is concerned with risk treatment. When determining actions to identify risks and opportunities, these need to be proportionate to the potential impact they may have on the conformity of products and services. Opportunities could for example include new product launches, geographical expansion, new partnerships, or new technologies. The organization will need to plan actions to address both risks and opportunities, how to integrate and implement the actions into its management system processes and evaluate the effectiveness of these actions. Actions must be monitored, managed and communicated across the organization.

Another key element of this clause is the need to establish measurable quality objectives. This clause retains some of the requirements contained in Clause 5.4 of the 2008 version but is more specific. Quality objectives now need to be consistent with the quality policy, relevant to the conformity of products and services as well as enhancing customer satisfaction. The last part of the clause considers planning of changes, which must be done in a planned and systemic manner. There is a need to identify the potential consequences of changes, determine who is involved, when changes are to take place, and what resources need to be allocated.

6.1 Actions to address risks and opportunities.

A major change introduced to require a risk-based approach. In addition to this clause, references to the terms ‘risk’ and ‘opportunity’ are made throughout the standard.

6.2 Quality objectives and planning to achieve them.

Requirements for objective planning are tightened up. An objective should include a description of who is responsible, what is the target, when is it planned to be achieved. Progress must be monitored. Also, requires objectives to be set for relevant processes.

6.3 Planning of changes.

The clause lists items to be considered in change management.

7. Support

The support section includes most of the expected support processes that exist in an organization and which are covered in the current ISO standard. Clause 7 ensures there are the right resources, people and infrastructure to meet the organizational goals. It requires an organization to determine and provide the necessary resources to establish, implement, maintain and continually improve the QMS. Simply expressed, this is a very powerful requirement covering all QMS resource needs and now covers both internal and external resources. Clause 7.1 builds on Clauses 6.1, 6.2, 6.3 and 7.6 from 2008 and splits into 5 sub-clauses. There are additional requirements to meet applicable statutory and regulatory requirements. The sub-clauses continue to cover requirements for infrastructure and environment for the operation of processes. Monitoring and measuring has been changed to include resources, such as personnel or training.

Organizational knowledge is a new requirement which deals with requirements for competence, awareness, and communication of the QMS. Personnel must not only be aware of the quality policy, but they must also understand how they contribute to it and what the implications of not conforming are. There is a key requirement to maintain the knowledge held by an organization to ensure conformity of products and services. This could include the knowledge held by an individual as well as, for example, the intellectual property of an organization. Organizations are required to examine whether the current knowledge they have is sufficient when planning changes and whether any additional knowledge is required.

Finally, there are the requirements for “documented information”. This is a new term, which replaces the references in the 2008 standard to “documents” and “records”. Organizations need to determine the level of documented information necessary to control the QMS. This will differ between organizations due to size and complexity. In line with the increased importance of information security in organizations, there is also greater emphasis on controlling access to documented information such as use of passwords. Organizations should also have systems in place to provide a back-up should IT systems crash. Human resources is renamed as “competence”, and communication, which will require a new approach in most organizations, is given its own section rather than a mention as a management responsibility. Finally, document control has been renamed “documented information.” It now covers both procedure/document control and records control.

7.1 Resources.

7.2 Competence.

7.3 Awareness.

There is an expansion of application from “personnel” to “persons doing work under the organization’s control”.

7.4 Communication.

Now includes external communication about the QMS.

7.5 Documented information.

New requirement to determine, make available, and maintain knowledge. No requirement for quality manual or procedures. “Documents”, “Documentation” and “Records” are combined to become “Documented information”.

Requirements are expanded to mention issues such as confidentiality, access, and (data) integrity. This suggests an adoption of information security considerations in recognition of the increasing use of electronic documents/data.

8. Operation

This is a relatively short section, which essentially says “Do a good job” at whatever your management system is trying for. This clause deals with the execution of the plans and processes that enable the organization to meet customer requirements and design products and services. It includes much of what was previously referred to in Clause 7 of the 2008 version, but there is greater emphasis on the control of processes, especially planned changes and review of the consequences of unintended changes, and mitigating any adverse effects as necessary. The revised version of the standard acknowledges the trend towards greater use of subcontractors and outsourcing. This is demonstrated by the requirement to establish criteria for monitoring the performance of these parties in addition to keeping records used to establish selection criteria.

The clauses continue to cover ‘Requirements for products and services’ which remains largely unchanged from the 2008 version. However, it now requires communication with regards to contingency actions where required and also the treatment of customer property. A new requirement for communicating with ‘potential’ customers is also included, useful for bringing new offerings or solutions to the market. There are more explicit requirements in terms of the standards or codes of practice that the organization has committed to implement; internal and external resource needs for the design and development of products and services and finally the potential consequences of failure due to the nature of products and services. There is also a new clause which covers post-delivery activities. This could include activities such as maintenance programmes or work carried out under warranty, and activities covering final disposal or recycling of the product.

When determining the extent of these activities organizations must consider the risks associated with a product or service, customer requirements, customer feedback, and any statutory requirements. In a welcome change of terminology, the rather clumsy ‘Product realization’ becomes ‘Operations’.

8.1 Operational planning and control.

8.2 Requirements for products and services.

8.3 Design and development of products and services.

This may be interpreted that more organizations do some form of design and development.

8.4 Control of externally provided processes, products and services.

An expansion of scope – from just suppliers to also include other external providers of products and services. “Purchasing” and “Purchased product” become “Externally provided products and services”.

8.5 Production and service provision.

An expansion on previous requirements e.g. documented information to specify intended results, and to determine the nature and extent of any post-delivery (after-sales) activities.

8.6 Release of products and services.

8.7 Control of nonconforming outputs.

9. Performance Evaluation

The section on evaluation includes monitoring, measurement and analysis, internal audits and management review. All familiar topics with some subtle changes. Performance evaluation covers many of the areas previously featured in Clause 8 of the 2008 version. Requirements for monitoring, measurement, analysis and evaluation are covered and you will need to consider what needs to be measured, methods employed, when data should be analysed and reported on and at what intervals. Documented information that provides evidence of this must be retained. There is now an emphasis on directly seeking out information that relates to how customers view the organization. Organizations must actively seek out information on customer perception. This can be achieved in a number of ways including satisfaction surveys, analysis of market share, and through complaints logged. There is now an explicit requirement that organizations must show how the analysis and evaluation of this data is used, especially with regards to the need for improvements to the QMS. Internal audits must also be conducted and this is largely unchanged from those in the 2008 version.

There are additional requirements relating to defining the ‘audit criteria’ and ensuring the results of the audits are reported to ‘relevant’ management. Management reviews are still required but there are additional requirements including the consideration of changes in external and internal issues that are relevant to the QMS.

Documented information must be retained as evidence of management reviews.

9.1 Monitoring, measurement, analysis and evaluation.

There is a new requirement to obtain information relating to customer views and opinions of the organization.

9.2 Internal audit.

Audit schedule must take customer feedback into account.

9.3 Management review.

Expanded requirements for management review inputs or agenda.

10. Improvement

Improvement covers nonconformity and corrective action, as well as continual improvement, all of which are outlined in section 8 of the current standard. There is no preventive action section any more as effectively it is replaced by “risk” under planning – improvement is now defined as a proactive planning activity. This clause starts with a new section stating that organizations should determine and identify opportunities for improvement such as improved processes to enhance customer satisfaction. There is also a need to actively look for opportunities to improve processes, products and services, and the QMS, especially with future customer requirements in mind. Due to the new way of handling preventive actions, there are no preventive action requirements in this clause. However, there are some new corrective action requirements. The first is to react to the nonconformities and take action, as applicable, to control and correct the nonconformities and deal with the consequences. The second is to determine whether similar nonconformities exist or could potentially occur. The requirement for continual improvement has been extended to cover the suitability and adequacy of the QMS as well as its effectiveness, but it no longer specifies how an organization achieves this.

10.1 General.

10.2 Nonconformity and corrective action.

Specific reference to preventive action is removed.

Now includes an additional requirement to record the nature of nonconformities.

On discovering a nonconformity, an explicit requirement is introduced for organizations to determine whether other similar nonconformities actually exist, or could potentially exist.

10.3 Continual improvement.

B. Comparison between ISO 9001:2015 and ISO 9001:2008 & Interpretations

ISO 9001:2015 | ISO 9001:2008
4 Context of the organization | 1.0 Scope
4.1 Understanding the organization and its context | 1.1 General
4.2 Understanding the needs and expectations of interested parties | 1.1 General
4.3 Determining the scope of the quality management system | 1.2 Application; 4.2.2 Quality manual
4.4 Quality management system and its processes | 4 Quality management system; 4.1 General requirements
5 Leadership | 5 Management responsibility
5.1 Leadership and commitment | 5.1 Management commitment
5.1.1 General | 5.1 Management commitment
5.1.2 Customer focus | 5.2 Customer focus
5.2 Policy; 5.2.1 Developing the quality policy; 5.2.2 Communicating the quality policy | 5.3 Quality policy
5.3 Organizational roles, responsibilities and authorities | 5.5.1 Responsibility and authority; 5.5.2 Management representative
6 Planning | 5.4.2 Quality management system planning
6.1 Actions to address risks and opportunities | 5.4.2 Quality management system planning; 8.5.3 Preventive action
6.2 Quality objectives and planning to achieve them | 5.4.1 Quality objectives
6.3 Planning of changes | 5.4.2 Quality management system planning
7 Support | 6 Resource management
7.1 Resources | 6 Resource management
7.1.1 General | 6.1 Provision of resources
7.1.2 People | 6.1 Provision of resources
7.1.3 Infrastructure | 6.3 Infrastructure
7.1.4 Environment for the operation of processes | 6.4 Work environment
7.1.5 Monitoring and measuring resources | 7.6 Control of monitoring and measuring equipment
7.1.6 Organizational knowledge | New
7.2 Competence | 6.2.1 General; 6.2.2 Competence, training and awareness
7.3 Awareness | 6.2.2 Competence, training and awareness
7.4 Communication | 5.5.3 Internal communication
7.5 Documented information | 4.2 Documentation requirements
7.5.1 General | 4.2.1 General
7.5.2 Creating and updating | 4.2.3 Control of documents; 4.2.4 Control of records
7.5.3 Control of documented information | 4.2.3 Control of documents; 4.2.4 Control of records
8 Operation | 7 Product realization
8.1 Operational planning and control | 7.1 Planning of product realization
8.2 Requirements for products and services | 7.2 Customer-related processes
8.2.1 Customer communication | 7.2.3 Customer communication
8.2.2 Determination of requirements related to products and services | 7.2.1 Determination of requirements related to the product
8.2.3 Review of requirements related to the products and services | 7.2.2 Review of requirements related to the product
8.2.4 Changes to requirements for product and services |
8.3 Design and development of products and services | 7.3 Design and development
8.3.1 General | New
8.3.2 Design and development planning | 7.3.1 Design and development planning
8.3.3 Design and development inputs | 7.3.2 Design and development inputs
8.3.4 Design and development controls | 7.3.4 Design and development review; 7.3.5 Design and development verification; 7.3.6 Design and development validation
8.3.5 Design and development outputs | 7.3.3 Design and development outputs
8.3.6 Design and development changes | 7.3.7 Control of design and development changes
8.4 Control of externally provided processes, products and services | 7.4.1 Purchasing process
8.4.1 General | 7.4.1 Purchasing process
8.4.2 Type and extent of control | 7.4.1 Purchasing process; 7.4.3 Verification of purchased product
8.4.3 Information for external providers | 7.4.2 Purchasing information
8.5 Production and service provision | 7.5 Production and service provision
8.5.1 Control of production and service provision | 7.5.1 Control of production and service provision
8.5.2 Identification and traceability | 7.5.3 Identification and traceability
8.5.3 Property belonging to customers or external providers | 7.5.4 Customer property
8.5.4 Preservation | 7.5.5 Preservation of product
8.5.5 Post-delivery activities | 7.5.1 Control of production and service provision
8.5.6 Control of changes | 7.3.7 Control of design and development changes
8.6 Release of products and services | 8.2.4 Monitoring and measurement of processes; 7.4.3 Verification of purchased product
8.7 Control of nonconforming outputs | 8.3 Control of nonconforming product
9 Performance evaluation | New
9.1 Monitoring, measurement, analysis and evaluation | 8 Measurement, analysis and improvement
9.1.1 General | 8.1 General
9.1.2 Customer satisfaction | 8.2.1 Customer satisfaction
9.1.3 Analysis and evaluation | 8.4 Analysis of data
9.2 Internal audit | 8.2.2 Internal audit
9.3 Management review | 5.6 Management review
9.3.1 General | 5.6.1 General
9.3.2 Management review inputs | 5.6.2 Review inputs
9.3.3 Management review outputs | 5.6.3 Review outputs
10 Improvement | 8.5 Improvement
10.1 General | 8.5.1 Continual improvement
10.2 Nonconformity and corrective action | 8.3 Control of nonconforming product; 8.5.2 Corrective action
10.3 Continual Improvement | 8.5.1 Continual improvement

The structure is based on the mandate that Annex SL from the ISO Directives be applied to management system standards. The clause structure and some of the terminology in ISO 9001:2015 are different from ISO 9001:2008 to improve alignment with other management system standards. The structure is intended to provide a presentation of requirements. It is not a model for documenting the organization’s policies, objectives and processes. There is no requirement for the structure of an organization’s quality management system documentation to mirror that of this International Standard.

Major differences in terminology between ISO 9001:2008 and ISO 9001:2015

ISO 9001:2008 | ISO 9001:2015
Products | Products and services
Exclusions | Applications
Documentation, records | Documented information
Work Environment | Environment for the operation of processes
Purchased Product | Externally provided products and services
Supplier | External provider

2. Products and services

ISO 9001:2008 used the term “product” to include all output categories such as products, services, processed materials, and hardware. In ISO 9001:2015 the term “product” has been replaced by the term “products and services”, which includes all output categories such as hardware, services, software and processed materials. The term “services” is included to highlight the difference between products and services in the application of some requirements. In most cases, the terms are used together. In some cases, only the word “product” is used to specify a certain requirement.

3. Context of the organization

An organization’s context involves its “operating environment.” The context must be determined both

within the organization and external to the organization. To establish the context means to define the

external and internal factors that the organizations must consider when they manage risks. An

organization’s external context includes its outside stakeholders, its local operating environment, as

well as any external factors that influence the selection of its objectives (goals and targets) or its ability

to meet its goals. An organization’s internal context includes its internal stakeholders, its approach to

governance, its contractual relationships with its customers, and its capabilities and culture.

The internal context may include, but is not limited to:


- Product and service offerings.
- Governance, organizational structure, roles, and accountability.
- Regulatory requirements.
- Policies and goals, and the strategies that are in place to achieve them.
- Assets like facilities, property, equipment and technology.
- Capabilities, understood in terms of resources and knowledge like capital, time, people, processes, systems, and technologies.
- Information systems, information flows, and decision-making processes (both formal and informal).
- Relationships of the staff/volunteers/members and the perceptions and values of their internal stakeholders including suppliers and partners.
- Organization’s culture.
- Standards, guidelines, and models adopted by the organization.
- Form and extent of the organization’s contractual relationships.

The external context’s micro-environment consists of the organization’s immediate operations and how they affect its performance and decision-making. Some of the micro-environmental context factors are:

- Customers – Organizations must attract and retain customers by offering products and services that meet their needs, along with providing excellent customer service.
- Employees/Members/Volunteers – There must be availability of people with the motivation to remain as contributing members of the organization and develop the skills necessary to provide a competitive edge.
- Suppliers – Suppliers provide organizations with the resources they need to carry out their activities. If a supplier provides bad service, this affects the way the organization operates. Close supplier relationships are an effective way to remain competitive and secure the resources needed.
- Investors – All organizations require investment to grow. They may borrow the money from a bank or have people invest in their work. Relationships with investors need to be managed carefully, as problems can detrimentally affect the long-term success of the organization.
- Media – Positive media attention can bring success to the organization by maintaining its reputational strength. Managing the media (including the presence in social media) is a challenge.
- Competitors – Members of the organization need to have a sense of belonging. Can the organization offer benefits that are better than those offered by the competitors? Is there a strong value proposition? Competitor analysis and monitoring is crucial if an organization is to maintain or improve its position in the competitive landscape of the community. The organization must always be aware of its competitors’ activities. The landscape can change quickly.

There are two new clauses relating to the context of the organization, 4.1 Understanding the

organization and its context and 4.2 Understanding the needs and expectations of interested parties.


Together these clauses require the organization to determine the issues and requirements that can impact the planning of the quality management system. Interested parties cannot go beyond the scope of ISO 9001. There is no requirement to go beyond interested parties that are relevant to the quality management system. Consider the impact on the organization’s ability to consistently provide products and services that meet customer and applicable statutory and regulatory requirements, or on the organization’s aim to enhance customer satisfaction. Organizations can go beyond the minimum requirements and determine additional needs and expectations for interested parties that would not otherwise be “relevant”; this is at the discretion of the organization and should be made clear in the quality management system.

Clause 4.1 Understanding the Organization and its context

The organization should determine the external and internal issues that are relevant to its purpose and strategic planning and that affect its ability to achieve its objectives. The organization should monitor and review the information about external and internal issues. Management Review requires the monitoring of external and internal issues. To understand internal issues, the organization must consider issues related to the values, culture, knowledge and performance of the organization. To understand the external context, the organization must consider issues arising from legal, technological, competitive, market, cultural, social, and economic environments, whether international, national, regional or local.

Clause 4.2 Understanding the needs and expectations of interested parties

The organization shall determine relevant interested parties and requirements of relevant interested

parties. Interested parties include Customers, Partners, Persons in the organization, External providers.

Relevant interested parties to be considered are those that potentially could impact the organization’s

ability to provide products and services that meet requirements. Monitor and review information

related to interested parties and relevant requirements. Management Review requires the monitoring

of relevant interested parties.

Clause 4.3 Determining the scope of the quality management system

The organization must establish the scope of the quality management system by determining the boundaries and applicability of the quality management system. While determining the scope, the organization must consider the internal and external issues determined in 4.1, the requirements of relevant interested parties in 4.2, and the products and services of the organization.

Requirements that can be applied by the organization shall be applied. Requirements that cannot be applied must not affect the organization’s ability to provide products and services that meet requirements. The organization must maintain the scope as documented information, stating the products and services covered by the QMS and any justification where a requirement cannot be applied.


Any interested party which is not relevant to the quality management system need not be considered

and similarly any requirement of the interested party need not be considered. Determining what is

relevant or not relevant is dependent on whether or not it has an impact on the organization’s ability

to consistently provide products and services that meet customer and applicable statutory and

regulatory requirements or the organization’s aim to enhance customer satisfaction. The organization

can decide to determine additional needs and expectations that will meet its quality objectives.

However, it is at the organization’s discretion whether or not to accept additional requirements to

satisfy interested parties beyond what is required by this Standard.

4. Risk-based approach

The main objectives of ISO 9001 are to provide confidence in the organization’s ability to consistently provide customers with conforming goods and services and to enhance customer satisfaction. The concept of “risk” in the context of ISO 9001 relates to the uncertainty in achieving these objectives. This International Standard makes risk-based thinking more explicit and incorporates it in requirements for the establishment, implementation, maintenance and continual improvement of the quality management system. Organizations can implement a formal risk management program such as ISO 31000, but there is no requirement to do so. The concept of risk has always been implicit in ISO 9001; this revision makes it more explicit and builds it into the whole management system. Risk-based thinking is already part of the process approach. Risk-based thinking makes preventive action part of the routine. Risk-based thinking can also help to identify opportunities. Organizations are required to understand the context of the organization and any external and internal issues (clause 4.1). Risks and opportunities are determined in clause 6.1. One of the key purposes of a quality management system is to act as a preventive tool.

ISO 9001:2015 does not have a separate clause titled preventive action. The concept of preventive action is controlled through risk-based thinking and managing the risks and opportunities identified in clause 6.1.

Clause 6.1 Actions to address risks and opportunities

Consider the issues determined in clause 4.1 and consider the requirements of relevant interested parties. The organization should determine risks and opportunities to give assurance that the quality management system can achieve its objective, to prevent or reduce undesired effects, and to achieve continual improvement. Intended results cannot be achieved. The organization shall plan actions to address risks and opportunities, which should be appropriate to the potential impact. The actions to address risks and opportunities must be integrated and implemented into the QMS processes. The effectiveness of these actions must be evaluated.

NOTE: No formal risk management program is required.


5. Applicability

The revised standard will focus on application and not exclusions. There are no limits on the clauses for which applicability can be determined. Justification will be required as documented information to ensure that limited application does not affect the organization’s ability to provide products and services. The application of requirements may vary. Where a requirement can be applied within the scope of its quality management system, the organization cannot decide that it is not applicable. Where a requirement cannot be applied (for example where the relevant process is not carried out) the organization can determine that the requirement is not applicable. However, this non-applicability cannot be allowed to result in failure to achieve conformity of products and services or to meet the organization’s aim to enhance customer satisfaction. A manufacturing organization that does not have any monitoring and measuring resources could determine that the requirements in 7.1.5 do not apply. Organizations that build from a customer-provided design could determine that the requirements for design in 8.3 do not apply. Organizations could not determine that requirements such as competence are not applicable, since this directly affects the ability to provide product that meets requirements.

6. Documented information

The terms “documented procedure” and “record” have both been replaced by “documented information”. Where ISO 9001:2008 would have referred to documented procedures (e.g. to define, control or support a process), this is now expressed as a requirement to maintain documented information. Where ISO 9001:2008 would have referred to records, this is now expressed as a requirement to retain documented information. The current draft of ISO 9001 does not require a quality manual or documented procedure, as Annex SL does not require documented procedures or a quality manual. The requirements in 7.5 are similar to ISO 9001:2008 – 4.2.3 Control of documents and 4.2.4 Control of Records.

As discussed earlier, documents and records now come under documented information.

The requirements for documented information are spread throughout the standard. In summary

they are:

4.3 Scope of the QMS

4.2 Support operation of its processes and needed for confidence.

5.2.2 a) Quality policy

6.2.1 Quality objectives

7.1.5.1 Monitoring and measuring resource – fitness for purpose

7.1.5.2 Basis used for calibration or verification

7.2 d) Evidence of competence


7.5.1 b) Documented information determined by the organization as being necessary for the effectiveness of the QMS

8.1 e) Extent necessary (for confidence in processes and product/service conformity)

8.2.3.2 Review of requirements related to products and services

8.2.4 Amended documented information

8.3.2 Design and development requirements met

8.3.3 Design and development inputs

8.3.4 Design and development control activities

8.3.5 Design and development outputs

8.3.6 Design and development changes/results of reviews etc.

8.4.1 Results of evaluations, monitoring, re-evaluations of external providers

8.5.1 a) Characteristics of the products/services, activities to be performed, and results achieved.

8.5.2 Maintain traceability

8.5.3 Reports on what has occurred

8.5.6 Control of changes – results of reviews, personnel authorizing, necessary actions

8.6 Release of products and services – traceability of person(s) authorizing release, evidence of conformity

8.7.2 Describes nonconformity, actions taken, concessions, authority

9.1.1 Evidence of the monitoring and measurement results

9.2 f) Evidence of the audit programme (s) and the audit results

9.3.3 Evidence of the results of management reviews

10.2.2 Evidence of the results of any corrective action and the nature of the nonconformity.

7. Organizational knowledge

The organization shall determine the knowledge necessary for the operation of the QMS, ensure

conformity of products and services, and enhance customer satisfaction. The organization is

responsible for maintaining, protecting and making sure the knowledge is available (as

necessary). Knowledge is to be considered when making changes to the organization. Depending on

the size and complexity of the organization, the risks and opportunities it needs to address, the need

for accessibility of knowledge, the process for considering and controlling past, existing and additional

knowledge needs is to be considered. As long as the conformity of products and services can be

achieved, balance between knowledge held by competent people and knowledge made available by

other means is at the discretion of the organization. Consideration can be given to whether competent

employees have this knowledge.

8. Control of externally provided products and services


The terms “Supplier” and “Outsourcing” have been replaced by the term “external provider”, which includes purchasing from suppliers, arrangements with an associate/sister company, and outsourcing of processes and functions. The term “Purchased products” has been replaced with the term “externally provided products and services”. Clause 8.4 Control of externally provided products and services addresses all forms of external provision, whether it is by purchasing from a supplier, through an arrangement with an associate company, through the outsourcing of processes and functions of the organization or by any other means. The organization is required to take a risk-based approach to determine the type and extent of controls appropriate to particular external providers and externally provided products and services.

C. Seven principles of Quality management

Introduction:

This fifth edition (ISO 9001:2015) cancels and replaces the fourth edition (ISO 9001:2008). The document was prepared by the ISO technical committee “ISO/TC 176/SC 2 - Quality Management and Quality Assurance / Quality Systems”, also known as ISO/TC 176 for short. The preparation of ISO 9001:2015 went through a six-stage process. Organizations have been granted a three-year transition period after the revision has been published to migrate their quality management system to the new edition of the standard.

The key changes in the standard are:

1. There is no quality manual.

2. It emphasizes organization context and risk-based thinking.

3. There is no requirement for a management representative.

4. The standard does not include a specific clause for “Preventive Actions”.

5. The terms “document” and “records” have been replaced with the term “documented information”. Documented procedures in ISO 9001:2008 have been replaced by maintained documented information, and documented records in ISO 9001:2008 have been replaced by retained documented information.

6. In the 2008 version of the standard the term “product” was used, and this term also included services. The term has been changed to “products and services”.

7. In addition to the term “continual improvement”, another term, “improvement”, has been introduced.

8. Outsourcing is now an external provision. The term “purchased product” has been replaced with “externally provided products and services”. The term “supplier” has been replaced with “external provider”. Control of external provision of goods and services addresses all forms of external provision.


9. The new standard does not make any reference to exclusions, which applied only to clause 7 in ISO 9001:2008. In ISO 9001:2015, after proper justification, any of the requirements of this International Standard may be excluded from the scope, provided this does not affect the organization’s ability or responsibility to ensure the conformity of its products and services and the enhancement of customer satisfaction.

10. The term “work environment” used in ISO 9001:2008 has been replaced with “Environment for the operation of processes”.

The ISO 9000:2015 and ISO 9001:2015 standards are based on the following seven principles of QMS.

1 – Customer Focus

The primary focus of quality management is to meet customer requirements and to strive to exceed

customer expectations.

Rationale

Sustained success is achieved when an organization attracts and retains the confidence of customers

and other interested parties on whom it depends. Every aspect of customer interaction provides an

opportunity to create more value for the customer. Understanding current and future needs of

customers and other interested parties contributes to sustained success of an organization.


Explanation:

This is the first of the seven principles of Quality management and there is no change in the heading of this principle. The eight-principle definition stated “Organizations depend on their customers and therefore should understand current and future customer needs, should meet customer requirements and strive to exceed customer expectations.” The seven-principle definition states “The primary focus of quality management is to meet customer requirements and to strive to exceed customer expectations.” Being customer focused means putting your energy into satisfying customers and understanding that profitability comes from satisfying customers.

The organization should research, establish and understand current and future customer needs and expectations. The organization should ensure that the objectives of the organization are linked to customer needs and expectations. Top management should communicate customer needs and expectations throughout the organization. Customer satisfaction should be measured and the results acted upon.

The organization should ensure a balanced approach between satisfying customers and other interested parties.

2 – Leadership

Leaders at all levels establish unity of purpose and direction and create conditions in which people

are engaged in achieving the quality objectives of the organization.

Rationale

Creation of unity of purpose, direction and engagement enable an organization to align its strategies,

policies, processes and resources to achieve its objectives.

Explanation:

This is the second of the seven principles of Quality management and there is no change in the heading of this principle. The eight-principle definition stated “Leaders establish unity of purpose and direction of the organization. They should create and maintain the internal environment in which people can become fully involved in achieving the organization’s objectives.” The seven-principle definition states “Leaders at all levels establish unity of purpose and direction and create conditions in which people are engaged in achieving the quality objectives of the organization.” Leadership is providing role-model behaviors consistent with the values of the organization, behavior that will deliver the organization’s objectives. The internal environment includes the culture and climate, management style, shared values, trust, motivation and support. The leadership should consider the needs of all interested parties including customers, owners, employees, suppliers, financiers, local communities and society as a whole. The leadership should establish a clear vision of the organization’s future. The leadership should set challenging goals and targets. The leadership should create and sustain shared values, fairness and ethical role models at all levels of the organization. The leadership should establish trust and eliminate fear. The leadership should provide people with the required resources, training and freedom to act with responsibility and accountability. The leadership should inspire, encourage and recognize people’s contributions.

3 – Engagement of People

It is essential for the organization that all people are competent, empowered and engaged in

delivering value. Competent, empowered and engaged people throughout the organization

enhance its capability to create value.

Rationale

To manage an organization effectively and efficiently, it is important to involve all people at all levels

and to respect them as individuals. Recognition, empowerment and enhancement of skills and

knowledge facilitate the engagement of people in achieving the objectives of the organization.

Explanation:

This is the third of the seven principles of Quality management and the term “Involvement of People” has been changed to “Engagement of People”. The eight-principle definition stated “People at all levels are the essence of an organization and their full involvement enables their abilities to be used for the organization’s benefit.” The seven-principle definition states “It is essential for the organization that all people are competent, empowered and engaged in delivering value. Competent, empowered and engaged people throughout the organization enhance its capability to create value.” Engaging people means employees are committed to their organization’s goals and values, motivated to contribute to organizational success, and able at the same time to enhance their own sense of well-being. An engaged employee experiences a blend of job satisfaction, organizational commitment, job involvement and feelings of empowerment. When we talk of engagement of people, it means that all the employees are competent, empowered and delivering value. An engaged employee will have a better perception of job importance. An engaged employee will have better clarity of job expectations. There will be more improvement opportunities. There will be regular feedback and dialog with supervisors. The quality of working relationships of an engaged employee with peers, superiors, and subordinates is much improved. There is effective employee communication.

4 – Process Approach

Consistent and predictable results are achieved more effectively and efficiently when activities are

understood and managed as interrelated processes that function as a coherent system.

Rationale

The quality management system is composed of interrelated processes. Understanding how results

are produced by this system, including all its processes, resources, controls and interactions, allows

the organization to optimize its performance.


Explanation:

This is the fourth of the seven principles of Quality management and there is no change in the heading of this principle. The eight-principle definition stated “A desired result is achieved more efficiently when activities and related resources are managed as a process.” The seven-principle definition states “Consistent and predictable results are achieved more effectively and efficiently when activities are understood and managed as interrelated processes that function as a coherent system.” Processes are dynamic: they cause things to happen. Processes within an organization should be structured in order to achieve a certain objective in the most efficient and effective manner.

- It helps us in systematically defining the activities necessary to achieve/obtain desired results.
- It helps us in establishing clear responsibility and accountability for managing key activities.
- It helps us in analyzing and measuring the capabilities of key activities.
- It helps us in identifying the interfaces of key activities within and between the functions of the organization.
- It helps us in evaluating risks, consequences and impacts of activities on customers, suppliers and other interested parties.

Quality management systems are constructed by connecting interrelated processes together to deliver the system objective, which is the satisfaction of the interested parties.

- This helps us in structuring a system to achieve the organization’s objectives in the most effective and efficient way and in understanding the interdependencies between the processes of the system.
- It also helps us in providing a better understanding of the roles and responsibilities necessary for achieving common objectives, thereby reducing cross-functional barriers, and in targeting and defining how specific activities within a system should operate.

5 – Improvement

Successful organizations have an ongoing focus on improvement.

Rationale

Improvement is essential for an organization to maintain current levels of performance, to react to

changes in its internal and external conditions and to create new opportunities.


Explanation:

This is the fifth of the seven principles of Quality management and can be mapped to the sixth of the eight Quality principles, which is “Continual Improvement”. The term “Continual Improvement” has been changed to “Improvement”. The fifth of the eight Quality principles, “System approach to management”, no longer exists in the seven principles of quality management. The eight-principle definition stated “Continual improvement of the organization’s overall performance should be a permanent objective of the organization.” The seven-principle definition states “Successful organizations have an ongoing focus on improvement.” Improvement is the improvement in organizational efficiency and effectiveness. The organization should employ a consistent organization-wide approach to improvement of the organization’s tools of improvement. The organization should provide people with training in the methods and tools of improvement. The organization should make improvement of products, processes, and the system an objective for every individual in the organization.

“The organization should establish the goals to guide and lead”

6 – Evidence-based Decision Making

Decisions based on the analysis and evaluation of data and information are more likely to produce

desired results.

Rationale

Decision-making can be a complex process, and it always involves some uncertainty. It often involves

multiple types and sources of inputs, as well as their interpretation, which can be subjective. It is

important to understand cause and effect relationships and potential unintended consequences. Facts,

evidence and data analysis lead to greater objectivity and confidence in decisions made.

Explanation:

This is the sixth of the seven principles of Quality management and can be mapped to the seventh of the eight Quality principles, which is “Factual approach to decision making”. The term “Factual approach to decision making” has been changed to “Evidence-based Decision Making”. The fifth of the eight Quality principles, “System approach to management”, no longer exists in the seven principles of quality management. The eight-principle definition stated “Effective decisions are based on the analysis of data and information.” The seven-principle definition states “Decisions based on the analysis and evaluation of data and information are more likely to produce desired results.” Evidence is information that shows or proves that something exists or is true.

Evidence can be collected by performing observations, measurements, tests, or by using any other suitable method. Any decision making should always be based on evidence. The organization should ensure that data/information is sufficiently accurate and reliable. The organization should make data accessible to those who need them. The organization should analyze data using appropriate tools. The organization should make decisions and take actions based on analysis of data, balanced with experience and intuition.

7 – Relationship Management

For sustained success, organizations manage their relationships with interested parties, such as

suppliers.

Rationale

Interested parties influence the performance of an organization. Sustained success is more likely to be

achieved when an organization manages relationships with its interested parties to optimize their

impact on its performance. Relationship management with its supplier and partner network is often

of particular importance.

Explanation:

This is the seventh of the seven principles of quality management and can be mapped to the eighth of

the eight quality principles, which is “Mutually beneficial supplier relationships”. The term “Mutually

beneficial supplier relationships” has been changed to “Relationship Management”. The fifth principle

of the eight quality principles, “System approach to management”, no longer exists in the seven principles

of quality management.

The eight-principle definition stated “An organization and its suppliers are interdependent and a

mutually beneficial relationship enhances the ability of both to create value”. The seven-principle

definition states “For sustained success, organizations manage their relationships with interested

parties, such as suppliers.” An interested party is a person or group that has a stake in the success or

performance of an organization. Interested parties may be directly affected by the organization or

actively concerned about its performance. Interested parties can come from inside or outside of the

organization. Examples of interested parties include customers, suppliers, owners, partners,

employees, unions, bankers, or members of the general public. Interested parties are also referred to

as stakeholders. Relationship management with interested parties means sharing knowledge, vision,

values and understanding; suppliers are not treated as adversaries. The organization establishes

relationships that balance short-term gains with long-term considerations. There is pooling of expertise

and resources with partners. The organization identifies and selects key suppliers. There is clear

and open communication with the stakeholders. There is sharing of information and future plans. The

organization establishes joint development and improvement activities. The organization inspires,

encourages and recognizes improvements and achievements by suppliers.

Process Approach

Introduction

All organizations use processes to achieve their objectives. As per the ISO definition:

“A process:

set of interrelated or interacting activities that use inputs to deliver an intended result

NOTE: Inputs and outputs may be tangible (e.g. materials, components or equipment) or intangible

(e.g. data, information or knowledge).”

The process approach is the foundation upon which your QMS must be developed. The ISO 9001

Standard promotes the adoption of a process approach when developing, implementing and

improving the effectiveness of a quality management system, to enhance customer satisfaction by

meeting customer requirements. ISO 9001:2008 promoted the adoption of a process approach when

developing, implementing and improving the effectiveness of a quality management system. ISO

9001:2015 makes this more explicit (in 4.4) by expanding the requirements around QMS processes,

specifying requirements considered essential to the adoption of a process approach. For example,

determining the inputs required and outputs expected from these processes, then, after determining

the risks and opportunities and plans to address these in 6.1, integrating these into its QMS

processes (4.1.f – plan and implement actions), related performance indicators (4.4.1 c), assignment

of responsibilities and authorities for these processes (4.4.1 e).

For an organization to function effectively, it has to identify and manage numerous linked activities.

Any activity, using resources and managed in order to enable the transformation of inputs into

outputs, can be considered a process. Often the output from one process directly forms the input to

the next. The application of a system of processes within an organization, together with the

identification and interactions of these processes, and their management, can be referred to as the

“process approach”.

An advantage of the process approach is the ongoing control that it provides over the linkage

between the individual processes within the system of processes, as well as over their combination

and interaction.

When used within a quality management system, such an approach emphasizes the importance of:

• An understanding of the intended results and requirements

• Consideration of processes in terms of adding value and effective performance

• Improvement of processes based on evaluation of data and information

• Consistent and predictable results

• Meeting requirements and customer satisfaction

• Activity understanding and management of interrelated processes

The model of a process-based quality management system shown in the figure illustrates the process

linkages presented in clauses 4 to 10. This illustration shows that customers’ requirements, the needs

and expectations of relevant interested parties, along with the organization and its context, play a

significant role in defining requirements as inputs. The output of the process is the result of the QMS

that includes the products and services the organization provides, which should result in customer

satisfaction. The model shown in the figure covers all the requirements of this Standard, but does not show

processes at a detailed level.

Understanding Process:

Let’s understand some basics about processes.

All work generally involves a process – things go in (inputs); get worked upon (conversion); and

come out differently (output). The value-adding conversion activity within a process transforms

inputs into outputs, e.g. takes raw materials (the input) and manufactures (the value-adding

conversion activity using various resources) a product (the output).

Process inputs and outputs can be tangible such as raw materials or finished product or

intangible like INFORMATION – e.g. computerized drawing or specification.

All processes have a supplier and a customer. These suppliers and customers may be internal

processes or external to your organization. Each process must have an accountable owner, i.e.,

having defined responsibility and authority to operate, control and improve their process.

All processes require the use of resources, e.g. – people, equipment, materials, technology etc.

These resources can be used as inputs (raw materials or information such as a customer

specification) as well as for the value-adding conversion activity (e.g. use of machinery, equipment,

computers, technology, people, etc.) to transform raw material (input) into finished product

(output).

All processes must meet customer, organizational and applicable regulatory requirements. The

performance of all processes can be monitored and measured. Gather performance data that can

be analyzed to determine process effectiveness and whether any corrective action or improvement

is needed.

As an example, the below process contains a set of activities that are interrelated (showing links

from/to), interacting (showing inputs/ outputs), and the transformation of process inputs into

process outputs.

Schematic representation of the elements of a single process

Procedures are typically used to control deviation where risk/hazards are present. A procedure is defined as a

‘specified way to carry out an activity or a process’, which may be a documented set of instructions,

or simply an established way of doing a specific task that itself forms part of a larger process. In ISO

9001:2015 this might be considered captured, in the main, by ‘the availability of documented

information that defines: the characteristics of the products to be produced, the services to be

provided, or the activities to be performed’.

An organization’s QMS processes may be grouped or categorized in many ways. One logical way

would include the following:

Customer Oriented Processes (COP’s):

These are product realization processes that determine customer requirements (inputs), design, make,

deliver and service product (outputs) to customers and determine customer satisfaction. These

processes generally have the greatest degree of interaction with external customers. COP’s include

marketing and sales, design and development, production, shipping, packaging, servicing/ warranty,

customer satisfaction etc., whether performed onsite or off-site.

Support Oriented Processes (SOP’s):

These processes provide the necessary resources to COP’s to facilitate product realization. These

processes generally have the greatest degree of interaction at an operational level with COP’s and to

a lesser degree with other internal QMS processes. SOP’s include human resources, information

technology, purchasing and receiving, laboratory, maintenance, tooling, facility management etc.,

whether performed onsite or off-site.

Management Oriented Processes (MOP’s)

These processes provide the commitment, leadership, resources, review and decision-making by top

management. These processes generally interact with all QMS processes at the QMS planning and

review level. MOP’s include business planning, management review, quality planning, resource

planning, communication, etc., whether performed offsite or on-site.

Quality Management Processes (QMP’s):

These include all processes that are used to document, measure, analyze and improve all processes. These

processes provide quality management support to and interact with all QMS processes. QMP’s include

document control, records control, monitoring and measurement of processes and product, internal

audits, control of nonconforming product, corrective and preventive action, continual improvement,

etc. whether performed onsite or off-site.

Outsourced Processes (OP’s):

An “outsourced process” is a process that the organization has identified as being needed for its quality

management system (QMS), but one which it has chosen to be carried out by an external party outside

the managerial control of your facility and not subject to your QMS. These could include MOP’s,

COP’s or SOP’s. They may be performed onsite or off-site. These processes may include – strategic

planning done at head office; purchasing or design done at head office or another location; heat

treating; painting; welding, calibration; testing; sort; HR; etc., done by an outside organization.

Implementing QMS using Process Approach

QMS is made up of a network of these value-adding processes that link, combine and interact with one

another to collectively provide product or service. These processes are inter-dependent and can be

defined by complex interactions. For example, any of the COP processes could interact with some or

all of the MOP’s, SOP’s, QMP’s. Also note that resources (SOP’s) and QMP’s may also be applied to all

other processes.

Interactions between QMS processes may occur at any of the three process stages (input, output or

conversion activity). The interaction may occur in many different ways – physical, documentary, verbal,

electronic, etc. For each process, we must identify these interactions, assess the risks of problems that

may occur and implement appropriate controls to prevent them, e.g., if orders are communicated

verbally by sales personnel to production, what is the risk that production errors will occur?

Therefore, in general, in order to plan and implement your QMS using the ‘Process Approach’, you

must:

Identify the processes needed for the QMS.

Determine their sequence and interaction (show the sequence and interaction of your COP’s). There

are many ways to document this, e.g., a high level flowchart or a process map.

Determine the application of QMS processes throughout the organization (show how MOP’s; SOP’s

and QMP’s are applied to each COP and to each other). There are many ways of documenting this.

A popular way is through graphical representation, e.g. process maps.

Determine (plan) the criteria, methods, information, controls and resources needed for each QMS

process.

Identify the internal/external customer-required output.

Describe the process activity that produces the output.

Identify the resources needed for the process activity.

Identify the inputs for the process – information, materials, supplies, etc.

Define the process methods, procedures, forms etc., that may be needed to produce the output.

Define the controls to prevent or eliminate risk of errors, omissions, or nonconformities in process

activity. Controls may come from the IS standards, customer, regulatory and your own

organizational requirements.

Interaction with sources that provide the inputs (internal process or external supplier), uses the

output (internal process or external customer), or provide the resources (internal support process)

to perform the process activity.

Implement your QMS according to your plan.

Monitor, measure and improve each QMS process and its interaction with other processes.

Performance indicators to monitor and measure process performance may come from the IS

standard, customer, regulatory and your own organizational requirements. Performance indicators

may relate to the process output as well as the process activity.

Performance indicators for process output must focus on meeting customer and regulatory

requirements. Performance indicators for process activity should focus on measuring process

effectiveness and efficiency.

It is useful to point out that while we do need to identify all QMS processes and describe their

interaction, not all identified QMS processes need to be documented or documented in the detail

described above.

PLAN-DO-CHECK-ACT (PDCA)

In addition, the methodology known as “Plan-Do-Check-Act” (PDCA) can be applied to all processes.

PDCA can be briefly described as follows.

Plan: Establish the objectives and processes necessary to deliver results in accordance with customer

requirements and the organization’s policies.

Do: Implement the processes

Check: Monitor and check processes and product against policies, objectives and requirements for

the product and report the results

Act: Take actions to continually improve process performance

PLAN-DO-CHECK-ACT (PDCA) is a very effective tool for business management and the ISO 9001

standard strongly recommends its use.

PDCA is a dynamic cycle that can be applied to each of the organization’s processes, and also to the

system of processes as a whole. It may be used to plan, implement, control and continually improve

both product realization and other QMS processes.

Maintenance and continual improvement of QMS processes can be achieved by applying PDCA to

processes at all levels within the organization right from the executive high-level strategic processes,

such as business planning or management review, to operational processes such as product realization or

calibration.

PLAN:

For each QMS process you must establish:

Process owner and his/her accountability.

Process inputs, outputs, value adding or conversion activities and sequence/interaction of these

activities (sub-processes) within the process. Many of the COP’s and SOP’s may have

sub-processes.

Process policies, responsibilities and accountability.

Process objectives and performance indicators and methods to monitor and measure process

performance to these objectives and indicators.

Resources such as facility, equipment, labor, materials, time, etc., needed.

Preventive and detective controls needed for process activity, input, output and resources used.

Process documentation such as procedures, forms, work instructions, specification, etc.

The nature, method, frequency and timing of interaction with other processes and where this

interaction will occur – input, output, use of resources, conversion activity, etc.

You must pay a lot of attention to this stage of your QMS development. Planning must also

consider how you will meet customer, applicable regulatory, and your own organizational

requirements, in addition to ISO 9001 requirements.

DO:

Deploy and implement your QMS processes and manage and control them according to your plan as

documented above.

CHECK:

Monitor and measure the effectiveness of your QMS processes against policies and objectives that

you established under PLAN. Monitoring and measuring activity may focus on any or all of a process’s

inputs; outputs; use of resources for conversion; and interaction with other processes.

ACT:

Collect and analyze your monitoring and measurement information and use it to determine the

effectiveness of each process as well as your overall QMS in meeting requirements. Use the

information to correct problems and continually improve individual processes.

CONTINUOUS IMPROVEMENT PROCESS MODEL

The above figure shows the macro level application of the PDCA model to an entire organization. The

organization’s QMS as depicted by the processes within the circle is used to PLAN the controls over all

inputs, resources, value-adding activities and outputs. We DO implement our plan by using various

resources to convert customer inputs (requirements) into outputs (product) that meet customer

requirements. We CHECK – by monitoring and measuring QMS performance and through customer

feedback. We ACT by using this information to continually improve QMS effectiveness. At the micro

level, this same model can be applied to each QMS process.

The process approach in ISO 9001:2015

**(Taken from white paper at ISO.org website)

The process approach includes establishing the organization’s processes to operate as an integrated

and complete system.

The management system integrates processes and measures to meet objectives

Processes define interrelated activities and checks, to deliver intended outputs

Detailed planning and controls can be defined and documented as needed, depending on the

organization’s context.

These three concepts together form an integral part of the ISO 9001:2015 standard. Risks that

may impact on objectives and results must be addressed by the management system. Risk‐based

thinking is used throughout the process approach to:

• Decide how risk (positive or negative) is addressed in establishing the processes to improve process

outputs and prevent undesirable results

• Define the extent of process planning and controls needed (based on risk)

• Improve the effectiveness of the quality management system

• Maintain and manage a system that inherently addresses risk and meets objectives

PDCA can be used to manage processes and systems.

Plan: set the objectives of the system and processes to deliver results (“What to do” and “how to

do it”)

Do: implement and control what was planned

Check: monitor and measure processes and results against policies, objectives and requirements

and report results

Act: take actions to improve the performance of processes

PDCA operates as a cycle of continual improvement, with risk‐based thinking at each stage.

STEPS IN THE PROCESS APPROACH / WHAT TO DO? / GUIDANCE

Step: Define the context of the organization

What to do: The organization should identify its responsibilities, the relevant interested parties and their relevant requirements, needs & expectations to define the organization’s intended purpose.

Guidance: Gather, analyze and determine external and internal responsibilities of the organization to satisfy the relevant requirements, needs and expectations of the relevant interested parties. Monitor or communicate frequently with these interested parties to ensure continual understanding of their requirements, needs and expectations.

Step: Define the scope, objectives and policies of the organization

What to do: Based on the analysis of the requirements, needs and expectations establish the scope, objectives and policies that are relevant for the organization’s quality management system.

Guidance: The organization shall determine the scope, boundaries and applicability of its management system taking into consideration the internal and external context and interested party requirements. Decide which markets the organization should address. Top management should then establish objectives and policies for the desired outcomes.

Step: Determine the processes in the organization

What to do: Determine the processes needed to meet the objectives and policies and to produce the intended outputs.

Guidance: Management shall determine the processes needed for achieving the intended outputs. These processes include management, resources, operations, measurement, analysis and improvement.

Step: Determine the sequence of the processes

What to do: Determine how the processes flow in sequence and interaction.

Guidance: Define and describe the network of processes and their interaction. Consider the following:

• The inputs and outputs of each process (which may be internal or external).

• Process interaction and interfaces on which processes depend or enable.

• Optimum effectiveness and efficiency of the sequence.

• Risks to the effectiveness of process interaction.

Note: As an example, realization processes (such as those needed to provide the products or services delivered to a customer) will interact with other processes (such as the management, measurement, procurement in the provision of resources). Process sequences and their interactions may be developed using tools such as modeling, diagrams, matrices and flowcharts.

Step: Define people who take process ownership and accountability

What to do: Assign responsibility and authority for each process.

Guidance: Top Management should organize and define ownership, accountability, individual roles, responsibilities, working groups, remits, authority and ensure the competence needed for the effective definition, implementation, maintenance and improvement of each process and its interactions. Such individuals or remits are usually referred to as the Process Owners. To manage process interactions it may be useful to also establish a management system team that has a system overview across all the processes and may include representatives from the interacting processes and functions.

Step: Define the need for documented information

What to do: Determine those processes that need to be formally defined and how they are to be documented.

Guidance: Processes exist within the organization. They may be formal or informal. There is no catalogue or list of processes that have to be formally defined. The organization should determine which processes need to be documented on the basis of risk‐based thinking, including, for example:

• The size of the organization and its type of activities.

• The complexity of its processes and their interactions.

• The criticality of the processes.

• The need for formal accountability of performance.

Processes can be formally documented using a number of methods such as graphical representations, user stories, written instructions, checklists, flow charts, visual media or electronic methods including graphics and systemization. However, the method or the technology chosen are not the goals. They can be used to describe processes, which are the means to achieve the goals. Effective and organized processes can then deliver consistent and accountable operations and the desired objectives and results which can then be improved.

Step: Define the interfaces, risks and activities within the process

What to do: Determine the activities needed to achieve the intended outputs of the process and risks of unintended outputs.

Guidance: Define the required outputs and inputs of the process. Determine the risks to conformity of products, services and customer satisfaction if unintended outputs are delivered. Determine the activities, measures and inherent controls required to transform the inputs into the desired outputs. Determine and define the sequence and interaction of the activities within the process. Determine how each activity will be performed. Ensure that the management system as a whole takes account of all material risks to the organization and users. Note: In some cases the customer may specify requirements not only for the outputs but also for the realization of a process.

Step: Define the monitoring and measurement requirements

What to do: Determine where and how monitoring and measuring should be applied. This should be both for control and improvement of the processes and the intended process outputs. Determine the need for recording results.

Guidance: Identify the validation necessary to assure effectiveness and efficiency of the processes and system. Take into account such factors as:

• Monitoring and measuring criteria.

• Reviews of performance.

• Interested parties satisfaction.

• Supplier performance.

• On time delivery and lead times.

• Failure rates and waste.

• Process costs.

• Incident frequency.

• Other measures of conformity with requirements.

Step: Implement

What to do: Implement actions necessary to achieve planned activities and results.

Guidance: The organization should perform activities, monitoring, measures and controls of defined processes and procedures (which may be automated), outsourcing and other methods necessary to achieve planned results.

Step: Define the resources needed

What to do: Determine the resources needed for the effective operation of each process.

Guidance: Examples of resources include:

• Human resources.

• Infrastructure.

• Environment.

• Information.

• Natural resources (including knowledge).

• Materials.

• Financial resources.

Step: Verify the process against its planned objectives

What to do: Confirm that the process is effective and that the characteristics of the processes are consistent with the purpose of the organization.

Guidance: The organization should compare outputs against objectives to verify that all the requirements are satisfied. Processes are needed to gather data. Examples include measurement, monitoring, reviews, audits and performance analysis.

D. Annex SL

Introduction:

Annex SL is not a standard, but rather a guide to help standards developers write management systems

standards. It forms part of the ‘ISO Directives, Part 1 — Consolidated ISO Supplement — Procedures

specific to ISO’ document, which is currently in its 6th edition. ISO has over the years published many

management system standards for topics ranging from quality and environment to information

security, business continuity management and records management. Despite sharing common

elements, ISO management system standards come in many different shapes and structures. The guide

was developed in response to standards users’ criticism that while current standards have many

common components, they are not sufficiently aligned, making it difficult for organizations

to rationalize their systems and to interface and integrate them. This, in turn, results in some confusion

and difficulties at the implementation stage. Many organizations have implemented multiple

management system standards such as ISO 9001 along with ISO 14001 and ISO 18001, or ISO 9001

along with ISO 27001 and ISO 20000 or ISO 9001 along with TS 16949. This has led to the need to easily

combine or integrate them in an effective and efficient manner. To date subtle and not so subtle

differences in requirements and terminology across management system standards have made such

integration difficult. ISO has produced Annex SL with the objective of delivering consistent and

compatible management system standards in an attempt to make this process easier. Annex SL

describes the framework for a generic management system. However, it will require the addition of

discipline-specific requirements to make a fully functional quality, environmental, service

management, food safety, business continuity, information security and energy management system

standard. Annex SL is freely available; it is contained within the ISO Supplement, Procedures specific

to ISO.

In future all new management system standards will have the same overall ‘look and feel’.

Current management system standards will migrate during their next revision. This should be

completed within the next few years. For management system implementers this will provide an

overall management system framework within which they can pick and choose what discipline-specific

standards they wish to include. Gone will be the conflicts and duplication, confusion and

misunderstanding arising from different management system standards. In future all ISO management

system standards should be consistent and compatible. For management system auditors, it will mean

that for all audits there will be a core set of generic requirements that need to be addressed no matter

which discipline is being examined.

Overview

The HLS (High Level Structure) is the outcome of the work of the ISO/TMB/JTCG ‘Joint

Technical Coordination Group on MSS’.

The structure has been mandated by the ISO Technical Management Board (TMB) (based on

ISO/TMB Resolution 18/2012) and the belief is that this will enhance consistency, make it

more generic and more easily applicable to service industries. Accordingly, ISO 9001:2015 has adopted

this. The HLS is based on published information related to Annex SL and not directly the result of

any particular published study or survey. ‘The aim of the HLS is to enhance the consistency and

alignment of ISO MSS by providing a unifying and agreed upon high level structure, identical core text

and common terms and definitions. The aim being that all ISO Type A MSS (Requirements) and Type B

where appropriate (Guidance) are aligned and the compatibility of these standards is enhanced. It is

envisaged that individual MSS will add additional ‘discipline-specific’ requirements as required. The

intended audience of this HLS is the ISO Technical Committees (TC), Subcommittees (SC) and Project

Committees (PC) and others involved in the development of MSS.’ (SL 9.1). This approach is intended

to increase the value of such standards to users, particularly those operating multiple MSS simultaneously

contained within one MSS (integrated). The HLS forms the nucleus of future and revised ISO Type ‘A’

MSS and Type ‘B’ MSS (where possible). The primary intention is for organizations to have one

management system (ISO supports this approach). Annex SL, Appendix 2 will make it easier to work

with more than one management system standard simultaneously, as it has standardized terminology

and requirements for fundamental management systems and provides a 10-clause high-level structure,

common definitions and text for all management system standards. Annex SL addresses the

requirements for proposals for management system standards. It consists of 9 clauses and 3

appendices. The audience for this annex is primarily ISO technical committees who develop

management system standards; however the impact of Appendix 2 of Annex SL will be felt by all users

of management system standards in the future. Appendix 2 is in three parts:

• High level structure,

• Identical core text,

• Common terms and core definitions.

In future all management system standards will need to have these elements. In addition, there will

be less confusion and inconsistency because common terms will all have the same definition and there

will be common requirements across all the management system standards, for example the

requirement to establish, implement, maintain and continually improve the management system. So

what changes can and cannot be made? The high level structure (i.e. major clause numbers and titles)

cannot be changed; however, sub-clauses can be added. Discipline-specific text can also be added,

for example:

• New bullets

• Discipline-specific explanatory text (e.g. Notes or Examples)

• Discipline-specific new paragraphs to sub-clauses

• Adding text that enhances (but does not modify) the existing requirements

The common terms and core definitions cannot be changed. However, terms and definitions may

be added as needed and Notes may be added or modified to serve the purpose of each standard. To

facilitate the adoption of the core text the device ‘XXX’ is used. Throughout Annex SL for ‘XXX’ the

appropriate reference needs to be inserted; for example in ISO 22000 ‘XXX’ needs to be replaced by

“food safety” and in ISO 14001 the ‘XXX’ needs to be replaced by “environmental”. In addition the term

discipline is used to describe the nature of the management system i.e. quality, environmental, service

management, food safety, business continuity, information security or energy.

This Annex applies to all Management System Standards – full ISO standards, Technical Specifications

(TS) and Publicly Available Specifications (PAS) – but not to International Workshop Agreements (IWA).

Examples of standards that it applies to are:

ISO 14001:2004 Environmental management systems – Requirements with guidance for use.

ISO/TS 16949:2009 Quality management systems – Particular requirements for the application of

ISO 9001:2008 for automotive production and relevant service part organizations

Examples of standards that it does not apply to are:

ISO 19011:2011 Guidelines for auditing management systems

IWA 2:2007 Quality management systems – Guidelines for the application of ISO 9001:2000 in

education.

High level structure

The major clause numbers and titles of all management system standards will be identical. They are:


Introduction

1. Scope

2. Normative references

3. Terms and definitions

4. Context of the organization

5. Leadership

6. Planning

7. Support

8. Operation

9. Performance evaluation

10. Improvement.

Example of identical definitions:

Organization

Interested party

Policy

Objective

Competence

Conformity

Example of identical requirements:

“Establish, implement, maintain and continually improve the management system.”

“Top management shall ensure that the responsibilities and authorities for relevant roles are

assigned and communicated within the organization.”

The Introduction, Scope and Normative references will have content that is specific to each discipline

and each standard can have its own bibliography. Overall there is a reorganizing of management

system requirements into this structure that may be unfamiliar to those using and assessing current

MSS. However, some management system standards (such as ISO 22301:2012 Societal security –

Business continuity management systems – Requirements) have already successfully migrated to this

new structure.

For management system auditors, it will mean that for all audits there will be a core set of generic

requirements that need to be addressed, no matter which discipline. There are subtle language

changes such as the change from documents and records to documented information. The new text

recognizes the use of the broad concept of risk and the need to understand risk in the context of the

management system. It also encourages everyone to view preventive action as a broader concept than

simply preventing an incident from occurring. The term preventive action has been replaced


with “actions to address risks and opportunities” and features earlier in the standard. The concept of

preventive actions is very much embedded in the risk assessment. The new HLS does not require an

organization to renumber existing documents.

Identical core text

There are 45 “shall” statements (generating 84 requirements) in Annex SL Appendix 2,

therefore there must be at least 45 “shall” statements with 84 requirements in all future

management system standards. Obviously each discipline will have its own requirements, so the

total for any new standard will have more – this is the minimum.

The detailed content is:

1. Scope

The Scope should define what the ‘intended outcome(s)’ are of the discipline. The term ‘expected

outcome’ will not be used. Auditors should expect alignment between what the organization has

determined in clause 4 with what is stated here. The scope sets out the intended outcomes of the

management system. The outcomes are industry specific and should be aligned with the context of

the organization.

2. Normative references

Provides details of the reference standards or publications relevant to the particular standard.

3. Terms and definitions

Details terms and definitions applicable to the specific standard in addition to any formal related

terms and definitions standard.

4. Context of the organization

4.1 Understanding the organization and its context

4.2 Understanding the needs and expectations of interested parties

4.3 Determining the scope of the XXX management system

4.4 XXX management system

As the flagstone of a management system, clause 4 determines why the organization is here. As part

of the answer to this question, the organization needs to identify internal and external issues that can

impact on its intended outcomes, as well as all interested parties and their requirements. It also needs

to document its scope and set the boundaries of the management system – all in line with the business

objectives. At first glance, clause 4 is radical and daunting, but on further consideration it makes sense


in practice. The organization will already have completed this thinking before even

considering implementing any ISO management system. This is the flagstone of the management

system – why the organization is here. The organization needs to determine its relevant issues, both

inside and outside, that have an impact on what it is trying to achieve, its intended outcomes. Also,

who are the relevant interested parties (the preferred term to stakeholders) and what are their

requirements? The organization needs to determine and document its own scope: where are the

boundaries of the management system? What’s in and what’s out? This needs to be

appropriate to the organization and its objectives. Finally, the organization needs to build, operate and

improve its management system; nothing new or difficult there. The issues and requirements

identified here will be addressed in clause 6 – Planning. Auditors should now have a clear and concise

list of objective evidence to identify and confirm. It will include the organization’s goals and intended

outcomes, internal and external issues, the relevant stakeholders and their requirements and the

management system scope. Collectively this will provide a key insight into the organization. This should

not be just a tick-list, but the entirety will provide a key insight into the organization – it should provide

illumination and clarity.

5. Leadership

5.1 Leadership and commitment

5.2 Policy

5.3 Organizational roles, responsibilities and authorities

The new high level structure places particular emphasis on leadership, not just management as set

out in previous standards. This means top management now has greater accountability and

involvement in the organization’s management system. They need to integrate the requirements of

the management system into the organization’s core business process, ensure the management

system achieves its intended outcomes and allocate the necessary resources. Top management is also

responsible for communicating the importance of the management system and heightening employee

awareness and involvement.

At first glance, clause 5 appears to be just a reiteration of what’s gone before – policy, organizational

roles, responsibilities and authorities etc. However, there is an emphasis on leadership, not just

management. On further examination there is more here; top management now have to have a

greater involvement in the management system. They have to make sure that the requirements of the

management system are integrated into the organization’s business processes – the management

system is not just a bolt-on. The ‘business’ is whatever activities are at the heart of the organization’s

reason for existing. In addition, they have to demonstrate their commitment by making sure that the

management system achieves its intended outcome(s) and has adequate resources. Additionally they


have to inform everyone that the management system is important and that everyone should participate

in its effective implementation. The involvement of top management in the management system is

now explicit and hands-on. The ‘XXX’ policy has also been strengthened. It has to include commitments

to satisfy applicable requirements and continually improve the management system. As well as being

communicated internally it has to be made available to interested parties. Auditors should now find it

easier to audit management commitment – the requirements are much more specific and tangible and

the evidence required should be more obvious.

6. Planning

6.1 Actions to address risks and opportunities

6.2 XXX objectives and planning to achieve them

Clause 6 brings risk-based thinking to the front. Once the organization has highlighted risks and

opportunities in clause 4, it needs to stipulate how these will be addressed through planning. The

planning phase looks at what, who, how and when these risks must be addressed. This proactive

approach replaces preventative action and reduces the need for corrective actions later on. Particular

focus is also placed on the objectives of the management system. These should be measurable,

monitored, communicated, aligned to the policy of the management system and updated when

needed.

After much deliberation, the decision to make risk explicit has been made – here it is in clause 6. Having

highlighted the issues and requirements in clause 4, now it is time to address the risks

and opportunities the organization faces through planning. How will the organization prevent, or

reduce, undesired effects? How will the organization ensure that it can achieve its intended outcomes

and continual improvement? It will do it here in planning. Planning will address what, who, how and

when. Not difficult. This proactive approach is easier to understand than preventive action and should

reduce the need for correction and corrective action at a later date. The requirements around the ‘XXX’

objectives have also been made more detailed. They are to be consistent with the ‘XXX’ policy,

measurable (if practicable), monitored, communicated, and updated as appropriate. They have to be

established at relevant functions and levels. Clause 6 puts a greater emphasis on the organization’s

‘XXX’ planning which is integral to the business. Auditors should be familiar with risk – the


consequences of an event and the associated likelihood of occurrence – and how to avoid, eliminate,

minimize or mitigate it. They also need to focus on the positive aspect – opportunities for the business

and how to optimize them. The risks and opportunities identified will lead to policies and objectives.

Auditors should be able to identify and follow a clear path from issues and requirements through risks

and opportunities, policies and objectives.

7. Support

7.1 Resources

7.2 Competence

7.3 Awareness

7.4 Communication

7.5 Documented information

7.5.1 General

7.5.2 Creating and updating

7.5.3 Control of documented information

After addressing the context, commitment and planning, organizations will have to look at the support

needed to meet their goals and objectives. This includes resources, targeted internal and external

communications, as well as documented information that replaces previously used terms such

as documents, documentation and records. The organization needs to supply competent resource to

deliver its goods and services. Again, nothing new here. Awareness has been strengthened, so now

everyone needs to know the implications of not conforming to the management

system requirements. The organization needs to consider the need for both internal and external

communications relevant to the management system – what, when and with whom it will

communicate. The final support requirement is going to generate a lot of heat but not much light –

documented information. Gone are the terms documents, documentation and records. However,

the requirements for the management of documented information are not new, exceptional

or excessive. One skeleton which is finally laid to rest is the idea that everyone needs work instructions

no matter how experienced or senior they are in the organization (check out the Note in clause 7.5.1).

Auditing awareness and communication should be easier; the requirements are crisper – the 3 W’s.

Again, auditors should find the consistent definition of and requirements for competence

a benefit. Auditors will need to understand and use the term ‘documented information’. Although

there will be a lot of confusion and misunderstanding as everyone transitions from the old terms, in

the long run auditors should benefit from the greater clarity and consistency.

8. Operation

8.1 Operational planning and control


The bulk of the management system requirements lies within this single clause. Clause 8 addresses

both in-house and outsourced processes, while the overall process management includes adequate

criteria to control these processes, as well as ways to manage planned and unintended change.

Whatever the organization is in business to achieve, clause 8 is it. At its core, the organization needs

to “…plan, implement and control the processes needed…”. This addresses both in-house and any

outsourced processes. This overall process management includes having process criteria, controlling

the processes within the criteria, controlling planned change and addressing unintended change as

necessary. This is the shortest clause because this is where the bulk of each discipline – the ‘XXX’ –

requirements will be. It is also where the need for a discipline-specific management system model

will come from. So where will all the requirements go that don’t fall easily into the high level

structure and identical core text? For example, in ISO 9001:2008 7.3.4 Design and development

review and in ISO 14001:2004 4.4.7 Emergency preparedness and response. Whatever is at the heart

of the ‘XXX’ management system – ‘the business’ – then this is what goes into clause 8. The auditor

will have to have a good understanding of process management before getting involved in assessing

the discipline-specific requirements. This is where an understanding of the business context of clause

4 will bear fruit – the sharp end of the business operations.

9. Performance evaluation

9.1 Monitoring, measurement, analysis and evaluation

9.2 Internal audit

9.3 Management review

Having “done the business” in clause 8 it is time to check performance. The usual suspects appear here.

The organization determines what, how and when things are to be monitored, measured, analyzed

and evaluated. Add internal audit and management review to the mix and everything expected is

addressed. Internal audits provide information on whether the management system conforms to

the requirements of the organization and the standard and is effectively implemented and

maintained. Management review addresses the question: ‘is the management system suitable,

adequate and effective?’ Once again, the auditor should benefit from a consistent set of requirements

for checking results against plan. There is a long list of objective evidence that can be identified and

confirmed: metrics, schedules, evaluations, nonconformities and corrective actions, monitoring

and measurement results, and audit and management review results.

10. Improvement

10.1 Nonconformity and corrective action

10.2 Continual improvement

Occasionally undesired things occur; now it’s time to address nonconformity and corrective action.

And to make things better there’s continual improvement. The requirements here are familiar and well


understood. But what about preventive action? It does not appear. As some have argued for many

years, one of the objectives of a management system is preventive action. The requirements in clause

4.1 to “…determine external and internal issues that are relevant to its purpose and that affect its

ability to achieve the intended outcome(s) of its XXX management system” and in clause 6.1 to

“determine the risks and opportunities that need to be addressed to assure the XXX management

system can achieve its intended outcome(s); prevent, or reduce, undesired effects; achieve continual

improvement.” not only address preventive action but go beyond. And in the end auditors will look

back at the management system established in clause 4.4, reviewed in clause 9.3 and now continually

improved. Finally, although there remains a requirement for processes (check out clause 4.4) there is

no mention anywhere of procedures, documented or otherwise. If a discipline considers that they

are required then they will appear in the ‘XXX’ standard, probably in clause 8 – Operations. However, if

they are not a requirement but the organizations themselves consider they need them then that will

be their decision.

Attachment 01: ISO/IEC Directives, Part 1

ISO/IEC Directives, Part 1

Consolidated ISO Supplement — Procedures specific to ISO

Directives ISO/IEC, Partie 1

Supplément ISO consolidé — Procédures spécifiques à l’ISO


Sixth edition, 2015

[Based on the eleventh edition (*corrected version 2015) of the ISO/IEC Directives, Part 1]

* Clause 1.8 corrected to align with the IEC’s eleventh edition of the ISO/IEC Directives

© ISO/IEC 2015

Annex SL

(normative) Proposals for management system standards

SL.1 General

Whenever a proposal is made to prepare a new management system standard (MSS), including sectoral applications of generic MSS, a justification study (JS) shall be carried out in accordance with Appendix 1 to this Annex SL.

NOTE No JS is needed for the revision of an existing MSS whose development has already been approved (unless it was not provided during its first development).

To the extent possible, the proposer shall endeavour to identify the full range of deliverables which will constitute the new or revised MSS family, and a JS shall be prepared for each of the deliverables.

SL.2 Obligation to submit a JS

All MSS proposals and their JS must be identified by the relevant TC/SC/PC leadership and must be sent to the ISO/TMB (or its MSS task force) for evaluation before the NWI ballot takes place. It is the responsibility of the relevant TC/SC/PC secretariat to identify all MSS proposals, without exception, so that there will be no MSS proposals which fail (with knowledge or without knowledge) to carry out the JS or which fail to be sent to the ISO/TMB for evaluation.

NOTE No JS is required for a Type B MSS providing guidance on a specific Type A MSS for which a JS has already been submitted and approved. For example, ISO/IEC 27003:2010 (Information technology — Security techniques — Information security management system implementation guidance) does not need to have JS submitted as ISO/IEC 27001:2013 (Information technology — Security techniques — Information security management systems — Requirements) has already had a JS submitted and approved.

SL.3 Cases where no JS have been submitted

MSS proposals which have not been submitted for ISO/TMB evaluation before the NWI ballot will be sent to the ISO/TMB for evaluation and no new ballot should take place before the ISO/TMB decision (project on hold). It is considered good practice that the TC/SC/PC members endorse the JS prior it is sent to the ISO/TMB.

NOTE Already published MSS which did not have a JS submitted will be treated as new MSS at the time of revision, i.e. a JS is to be presented and approved before any work can begin.

SL.4 Applicability of Annex SL

The above procedures apply to all ISO deliverables including IWAs.

SL.5 Terms and definitions

For the purposes of this Annex SL, the following terms and definitions apply.

SL.5.1 management system

See definition contained in Appendix 2 (clause 3.4) of this Annex SL.


SL.5.2 Management System Standard MSS

Standard for management systems (SL.5.1).

Note to entry: For the purposes of this document, this definition also applies to other ISO deliverables (e.g. TS, PAS).

SL.5.3 Type A MSS

MSS providing requirements

EXAMPLES

— Management system requirements standards (specifications).

— Management system sector-specific requirements standards.

SL.5.4 Type B MSS

MSS providing guidelines

EXAMPLES

— Guidance on the use of management system requirements standards.

— Guidance on the establishment of a management system.

— Guidance on the improvement/enhancement of a management system.

SL.5.5 High Level Structure HLS

outcome of the work of the ISO/TMB/JTCG “Joint technical Coordination Group on MSS” which refers to high level structure (HLS), identical sub-clause titles, identical text and common terms and core definitions. See Appendix 2 to this Annex SL.

SL.6 General principles

All projects for new MSS (or for MSS which are already published but for which no JS was completed) must undergo a JS (see SL.1 and Note to SL.3). The following general principles provide guidance to assess the market relevance of proposed MSS and for the preparation of a JS. The justification criteria questions in Appendix 1 to this Annex SL are based on these principles. The answers to the questions will form part of the JS. An MSS should be initiated, developed and maintained only when all of the following principles are observed.

1) Market relevance — Any MSS should meet the needs of, and add value for, the primary users and other affected parties.

2) Compatibility — Compatibility between various MSS and within an MSS family should be maintained.

3) Topic coverage — An MSS should have sufficient application coverage to eliminate or minimize the need for sector-specific variances.

4) Flexibility — An MSS should be applicable to organizations in all relevant sectors and cultures and of every size. An MSS should not prevent organizations from competitively adding to or differentiating from others, or enhancing their management systems beyond the standard.

5) Free trade — An MSS should permit the free trade of goods and services in line with the principles included in the WTO Agreement on Technical Barriers to Trade.

6) Applicability of conformity assessment — The market need for first-, second- or third-party conformity assessment, or any combination thereof, should be assessed. The resulting MSS should clearly address the suitability of use for conformity assessment in its scope. An MSS should facilitate joint audits.


7) Exclusions — An MSS should not include directly related product (including services) specifications, test methods, performance levels (i.e. setting of limits) or other forms of standardization for products produced by the implementing organization.

8) Ease of use — It should be ensured that the user can easily implement one or more MSS. An MSS should be easily understood, unambiguous, free from cultural bias, easily translatable, and applicable to businesses in general.

SL.7 Justification study process and criteria

SL.7.1 General

This clause describes the justification study (JS) process for justifying and evaluating the market relevance of proposals for an MSS. Appendix 1 to this Annex SL provides a set of questions to be addressed in the justification study.

SL.7.2 Justification study process

The JS process applies to any MSS project and consists of the following:

a) the development of the JS by (or on behalf of) the proposer of an MSS project;

b) an approval of the JS by the ISO/TMB (or ISO/TMB MSS task force).

The JS process is followed by the normal ISO balloting procedure for new work item approval as appropriate.

SL.7.3 Justification study criteria

Based on Annex C of the ISO/IEC Directives, Part 1, 2012, and the general principles stated above, a set of questions (see Appendix 1 to this Annex SL) must be used as criteria for justifying and assessing a proposed MSS project and must be answered by the proposer. This list of questions is not exhaustive and any additional information that is relevant to the case should be provided. The JS should demonstrate that all questions have been considered. If it is decided that they are not relevant or appropriate to a particular situation, then the reasons for this decision should be clearly stated. The unique aspect of a particular MSS may require consideration of additional questions in order to assess objectively its market relevance.

SL.8 Guidance on the development process and structure of an MSS

SL.8.1 General

The development of an MSS will have effects in relation to

— the far-reaching impact of these standards on business practice,

— the importance of worldwide support for the standards,

— the practical possibility for involvement by many, if not all, ISO Member Bodies, and

— the market need for compatible and aligned MSS.

This clause provides guidance in addition to the procedures laid down in the ISO/IEC Directives, in order to take these effects into account.

All MSS (whether they are Type A or Type B MSS) shall, in principle, use consistent structure, common text and terminology so that they are easy to use and compatible with each other. The guidance and structure given in Appendix 2 to this Annex SL shall, in principle, also be followed (based on ISO/TMB Resolution 18/2012).

A Type B MSS which provides guidance on another MSS of the same MSS family should follow the same structure (i.e. clauses numbering).

Where MSS providing guidance (Type B MSS) are involved, it is important that their functions be clearly defined together with their relationship with the MSS providing requirements (Type A MSS), for example:

— guidance on the use of the requirements standard;

— guidance on the establishment/implementation of the management system;

— guidance on improvement/enhancement of the management system.

Where the proposed MSS is sector specific:

— it should be compatible and aligned with the generic MSS;

— the relevant committee responsible for the generic MSS may have additional requirements to be met or procedures to be followed;

— other committees may need to be consulted, as well as CASCO on conformity assessment issues.


In the case of sector specific documents, their function and relationship with the generic MSS should be clearly defined (e.g. additional sector-specific requirements; elucidation; or both as appropriate). Sector-specific documents should always show clearly (e.g. by using different typographical styles) the kind of sector-specific information being provided.

NOTE 1 The ISO/TMB/JTCG “Joint Technical Coordination Group on MSS” has produced a set of rules for the addition of discipline specific text to the identical text.

NOTE 2 Where the identical text or any of the requirements cannot be applied in a specific MSS, due to special circumstances, this should be reported to the ISO/TMB through the TMB Secretary at [email protected] (see SL.9.3).

SL.8.2 MSS development process

SL.8.2.1 General

In addition to the JS, the development of an MSS should follow the same requirements as other ISO deliverables (ISO/IEC Directives, Part 1, Clause 2).

SL.8.2.2 Design specification

To ensure that the intention of the standard, as demonstrated by the justification study, will be maintained, a design specification may be developed before a working draft is prepared. The responsible committee will decide whether the design specification is needed and in case it is felt necessary, it will decide upon its format and content that is appropriate for the MSS and should set up the necessary organization to carry out the task.

The design specification should typically address the following.

User needs: The identification of the users of the standard and their associated needs, together with the costs and benefits for these users.

Scope: The scope and purpose of the standard, the title and the field of application.

Compatibility: How compatibility within this and with other MSS families will be achieved, including identification of the common elements with similar standards, and how these will be included in the recommended structure (see Appendix 2 to this Annex SL).

Consistency: Consistency with other documents (to be) developed within the MSS family.

NOTE Most, if not all of the information on user needs and scope will be available from the justification study.

The design specification should ensure that

a) the outputs of the justification study are translated correctly into requirements for the MSS,

b) the issues of compatibility and alignment with other MSS are identified and addressed,

c) a basis for verification of the final MSS exists at appropriate stages during the development process,

d) the approval of the design specification provides a basis for ownership throughout the project by the members of the

TC/SC(s),

e) account is taken of comments received through the NWI ballot phase, and

f) any constraints are taken into account.

The Committee developing the MSS should monitor the development of the MSS against the design specification in order to ensure that no deviations happen in the course of the project.


SL.8.2.3 Producing the deliverables

SL.8.2.3.1 Monitoring output

In the drafting process, the output should be monitored for compatibility and ease of use with other MSS, by covering issues such as

— the high level structure (HLS), identical sub-clause titles, identical text and common terms and core definitions,

— the need for clarity (both in language and presentation), and

— avoiding overlap and contradiction.

SL.8.2.4 Transparency of the MSS development process

MSS have a broader scope than most other types of standard. They cover a large field of human endeavour and have an impact on a wide range of user interests. Committees preparing MSS should accordingly adopt a highly transparent approach to the development of the standards, ensuring that

— possibilities for participation in the process of developing standards are clearly identified, and

— the development processes being used are understood by all parties.

Committees should provide information on progress throughout the life cycle of the project, including

— the status of the project to date (including items under discussion),

— contact points for further information,

— communiqués and press releases on plenary meetings, and

— regular listings of frequently asked questions and answers.

In doing this, account needs to be taken of the distribution facilities available in the participating countries.

Where it may be expected that users of a Type A MSS are likely to demonstrate conformity to it, the MSS shall be so written that conformity can be assessed by a manufacturer or supplier (first party, or self-declaration), a user or purchaser (second party) or an independent body (third party, also known as certification or registration).

Maximum use should be made of the resources of the ISO Central Secretariat to facilitate the transparency of the project and the committee should, in addition, consider the establishment of a dedicated open-access website.

Committees should involve the national member bodies to build up a national awareness of the MSS project, providing drafts as appropriate for different interested and affected parties, including accreditation bodies, certification bodies, enterprises and the user community, together with additional specific information as needed.

The committee should ensure that technical information on the content of the MSS under development is readily available to participating members, especially those in developing countries.

SL.8.2.5 Process for interpretation of a standard

The committee may establish a process to handle interpretation questions related to their standards from the users, and may make the resulting interpretations available to others in an expedient manner. Such a mechanism can effectively address possible misconceptions at an early stage and identify issues that may require improved wording of the standard during the next revision cycle. Such processes are considered to be “committee specific procedures” [see Foreword f)].

SL.9 High level structure, identical core text and common terms and core definitions for use in Management Systems Standards

SL.9.1 Introduction

The aim of this document is to enhance the consistency and alignment of ISO MSS by providing a unifying and agreed upon high level structure, identical core text and common terms and core definitions. The aim being that all ISO Type A MSS (and B where appropriate) are aligned and the compatibility of these standards is enhanced. It is envisaged that individual MSS will add additional “discipline-specific” requirements as required.

NOTE In Annex SL.9.1 and Annex SL.9.4 “discipline-specific” is used to indicate specific subject(s) to which a management system standard refers, e.g. energy, quality, records, environment etc.


The intended audience for this document is ISO Technical Committees (TC), Subcommittees (SC) and Project Committees (PC) and others that are involved in the development of MSS. This common approach to new MSS and future revisions of existing standards will increase the value of such standards to users. It will be particularly useful for those organizations that choose to operate a single (sometimes called “integrated”) management system that can meet the requirements of two or more MSS simultaneously. Appendix 2 to this Annex SL sets out the high level structure, identical core text and common terms and core definitions that form the nucleus of future and revised ISO Type A MSS and Type B MSS when possible.

Appendix 3 to this Annex SL sets out guidance to the use of Appendix 2 to this Annex SL.

SL.9.2 Use

ISO MSS include the high level structure and identical core text as found in Appendix 2 to this Annex SL. The common terms and core definitions are either included or normatively reference an international standard where they are included.

NOTE The high level structure includes the main clauses (1 to 10) and their titles, in a fixed sequence. The identical core text includes numbered sub-clauses (and their titles) as well as text within the sub-clauses.

SL.9.3 Non applicability

If due to exceptional circumstances the high level structure or any of the identical core text, common terms and core definitions cannot be applied in the management system standard then the TC/PC/SC needs to explain their rationale for review by:

a) providing an initial deviation report to ISO/CS with the DIS submission;

b) providing a final deviation report to ISO/TMB (through the ISO/TMB Secretary at [email protected]) upon submission of the final text of the standard for publication.

TC/PC/SC shall use the ISO commenting template to provide their deviation reports.

NOTE 1 The final deviation report can be an updated version of the initial deviation report.

NOTE 2 TC/PC/SC strive to avoid any non-applicability of the high level structure or any of the identical core text, common terms and core definitions.

SL.9.4 Using Annex SL Appendix 2

Discipline-specific text additions to Annex SL Appendix 2 are managed as follows.

1. Discipline-specific additions are made by the individual ISO/TC, PC, SC or other group that is developing the specific ISO management system standard.

2. Discipline-specific text does not affect harmonization or contradict or undermine the intent of the high level structure, identical core text, common terms and core definitions.

3. Insert additional sub-clauses, or sub-sub-clauses (etc.) either ahead of an identical text sub-clause (or sub-sub-clause etc.), or after such a sub-clause (etc.) and renumbered accordingly.

NOTE 1 Hanging paragraphs are not permitted — see ISO/IEC Directives, Part 2, clause 5.2.4.

NOTE 2 Attention is drawn to the need to check cross referencing.

4. Add or insert discipline-specific text within Appendix 2 to this Annex SL. Examples of additions include:

a) new bullet points

b) discipline-specific explanatory text (e.g. Notes or Examples), in order to clarify requirements

c) discipline-specific new paragraphs to sub-clauses (etc.) within the identical text

d) adding text that enhances the existing requirements in Appendix 2 to this Annex SL

5. Avoid repeating requirements between identical core text and discipline-specific text by adding text to the identical core text taking account of point 2 above.

6. Distinguish between discipline-specific text and identical core text from the start of the drafting process. This aids identification of the different types of text during the development and balloting stages.


NOTE 1 Distinguishing options include by colour, font, font size, italics, or by being boxed separately etc.

NOTE 2 Identification of distinguishing text is not necessarily carried into the published version.

7. Understanding of the concept of “risk” may be more specific than that given in the definition under 3.9 of Appendix 2 to this Annex SL. In this case a discipline-specific definition may be needed. The discipline-specific terms and definitions are differentiated from the core definition, e.g. (XXX) risk.

NOTE The above can also apply to a number of other definitions.

8. Common terms and core definitions will be integrated into the listing of terms and definitions in the discipline-specific management system standard consistent with the concept system of that standard.

SL.9.5 Implementation

Follow the sequence, high level structure, identical core text, common terms and core definitions for any new management system standard and for any revisions to existing management system standard.

SL.9.6 Guidance

Find supporting guidance in Appendix 3 to this Annex SL.

Appendix 1

(normative)

Justification criteria questions

1. General

The list of questions to be addressed in the justification study are in line with the principles listed in SL.6. This list is not exhaustive. Additional information not covered by the questions should be provided if it is relevant to the case. Each general principle should be given due consideration and ideally when preparing the JS, the proposer should provide a general rationale for each principle, prior to answering the questions associated with the principle. The principles the proposer of the MSS should pay due attention to when preparing the justification study are:

1. Market relevance

2. Compatibility

3. Topic coverage

4. Flexibility

5. Free trade

6. Applicability of conformity assessment

7. Exclusions

NOTE No questions directly refer to the principle 8 “ease of use”, but it should guide the development of the deliverable.

Basic information on the MSS proposal

1 What is the proposed purpose and scope of the MSS? Is the document supposed to be a guidance document or a document with requirements?


2 Does the proposed purpose or scope include product (including service) specifications, product test methods, product performance levels, or other forms of guidance or requirements directly related to products produced or provided by the implementing organization?

3 Is there one or more existing ISO committee or non-ISO organization that could logically have responsibility for the proposed MSS? If so, identify.

4 Have relevant reference materials been identified, such as existing guidelines or established practices?

5 Are there technical experts available to support the standardization work? Are the technical experts direct representatives of the affected parties from the different geographical regions?

6 What efforts are anticipated as being necessary to develop the document in terms of experts needed and number/duration of meetings?

7 Is the MSS intended to be a guidance document, contractual specification or regulatory specification for an organization?

Principle 1: market relevance

8 Have all the affected parties been identified? For example:

a) organizations (of various types and sizes): the decision-makers within an organization who approve work to implement and achieve conformance to the MSS;

b) customers/end-users, i.e. individuals or parties that pay for or use a product (including service) from an organization;

c) supplier organizations, e.g. producer, distributor, retailer or vendor of a product, or a provider of a service or information;

d) MSS service provider, e.g. MSS certification bodies, accreditation bodies or consultants;

e) regulatory bodies;

f) non-governmental organizations.

9 What is the need for this MSS? Does the need exist at a local, national, regional or global level? Does the need apply to developing countries? Does it apply to developed countries? What is the added value of having an ISO document (e.g. facilitating communication between organizations in different countries)?

10 Does the need exist for a number of sectors and is thus generic? If so, which ones? Does the need exist for small, medium or large organizations?

11 Is the need important? Will the need continue? If yes, will the target date of completion for the proposed MSS satisfy this need? Are viable alternatives identified?

12 Describe how the need and importance were determined. List the affected parties consulted and the major geographical or economical regions in which they are located.

13 Is there known or expected support for the proposed MSS? List those bodies that have indicated support. Is there known or expected opposition to the proposed MSS? List those bodies that have indicated opposition.


14 What are the expected benefits and costs to organizations, differentiated for small, medium and large organizations if applicable?

Describe how the benefits and the costs were determined. Provide available information on geographic or economic focus, industry sector and size of the organization. Provide information on the sources consulted and their basis (e.g. proven practices), premises, assumptions and conditions (e.g. speculative or theoretical), and other pertinent information.

15 What are the expected benefits and costs to other affected parties (including developing countries)?

Describe how the benefits and the costs were determined. Provide any information regarding the affected parties indicated.

16 What will be the expected value to society?

17 Have any other risks been identified (e.g. timeliness or unintended consequences to a specific business)?

Principle 2: compatibility

18 Is there potential overlap or conflict with (or what is the added value in relation to) other existing or planned ISO or non-ISO international standards, or those at the national or regional level? Are there other public or private actions, guidance, requirements and regulations that seek to address the identified need, such as technical papers, proven practices, academic or professional studies, or any other body of knowledge?

19 Is the MSS or the related conformity assessment activities (e.g. audits, certifications) likely to add to, replace all or parts of, harmonize and simplify, duplicate or repeat, conflict with, or detract from the existing activities identified above? What steps are being considered to ensure compatibility, resolve conflict or avoid duplication?

20 Is the proposed MSS likely to promote or stem proliferation of MSS at the national or regional level, or by industry sectors?

Principle 3: topic coverage

21 Is the MSS for a single specific sector?

22 Will the MSS reference or incorporate an existing, non-industry-specific ISO MSS (e.g. from the ISO 9000 series of quality management standards)? If yes, will the development of the MSS conform to the ISO/IEC Sector Policy (see 6.8.2 of ISO/IEC Directives, Part 2), and any other relevant policy and guidance procedures (e.g. those that may be made available by a relevant ISO committee)?

23 What steps have been taken to remove or minimize the need for particular sector-specific deviations from a generic MSS?

Principle 4: flexibility

24 Will the MSS allow an organization competitively to add to, differentiate or encourage innovation of its management system beyond the standard?


Principle 5: free trade

25 How would the MSS facilitate or impact global trade? Could the MSS create or prevent a technical barrier to trade?

26 Could the MSS create or prevent a technical barrier to trade for small, medium or large organizations?

27 Could the MSS create or prevent a technical barrier to trade for developing or developed countries?

28 If the proposed MSS is intended to be used in government regulations, is it likely to add to, duplicate, replace, enhance or support existing governmental regulations?

Principle 6: applicability of conformity

29 If the intended use is for contractual or regulatory purposes, what are the potential methods to demonstrate conformance (e.g. first party, second party or third party)? Does the MSS enable organizations to be flexible in choosing the method of demonstrating conformance, and to accommodate for changes in its operations, management, physical locations and equipment?

30 If third-party registration/certification is a potential option, what are the anticipated benefits and costs to the organization? Will the MSS facilitate joint audits with other MSS or promote parallel assessments?

Principle 7: exclusions

31 Does the proposed purpose or scope include product (including service) specifications, product test methods, product performance levels, or other forms of guidance or requirements directly related to products produced or provided by the implementing organization?

Appendix 2

(normative)

High level structure, identical core text, common terms and core definitions

NOTE In the Identical text proposals, XXX = an MSS discipline specific qualifier (e.g. energy, road traffic safety, IT security, food safety, societal security, environment, quality) that needs to be inserted. Blue italicized text is given as advisory notes to standards drafters.

Introduction

DRAFTING INSTRUCTION Specific to the discipline.

1. Scope

DRAFTING INSTRUCTION Specific to the discipline.


2. Normative references

DRAFTING INSTRUCTION Clause Title shall be used. Specific to the discipline.

3. Terms and definitions

DRAFTING INSTRUCTION 1 Clause Title shall be used. Terms and definitions may either be within the standard or in a separate document. To reference Common terms and Core definitions + discipline specific ones. The arrangement of terms and definitions shall be according to the concept systems of each standard.

For the purposes of this document, the following terms and definitions apply.

DRAFTING INSTRUCTION 2 The following terms and definitions constitute an integral part of the “common text” for management systems standards. Additional terms and definitions may be added as needed. Notes may be added or modified to serve the purpose of each standard.

DRAFTING INSTRUCTION 3 Italics type in a definition indicates a cross-reference to another term defined in this clause, and the number reference for the term is given in parentheses.

DRAFTING INSTRUCTION 4 Where the text “XXX” appears throughout this clause, the appropriate reference should be inserted depending on the context in which these terms and definitions are being applied. For example: “an XXX objective” could be substituted as “an information security objective”.

3.1 organization

person or group of people that has its own functions with responsibilities, authorities and relationships to achieve its objectives (3.8)

Note 1 to entry: The concept of organization includes, but is not limited to sole-trader, company, corporation, firm, enterprise, authority, partnership, charity or institution, or part or combination thereof, whether incorporated or not, public or private.

3.2 interested party (preferred term)

stakeholder (admitted term)

person or organization (3.1) that can affect, be affected by, or perceive itself to be affected by a decision or activity

3.3 requirement

need or expectation that is stated, generally implied or obligatory

Note 1 to entry: “Generally implied” means that it is custom or common practice for the organization and interested parties that the need or expectation under consideration is implied.

Note 2 to entry: A specified requirement is one that is stated, for example in documented information.

3.4 management system

set of interrelated or interacting elements of an organization (3.1) to establish policies (3.7) and objectives (3.8) and processes (3.12) to achieve those objectives

Note 1 to entry: A management system can address a single discipline or several disciplines.

Note 2 to entry: The system elements include the organization’s structure, roles and responsibilities, planning and operation.

Note 3 to entry: The scope of a management system may include the whole of the organization, specific and identified functions of the organization, specific and identified sections of the organization, or one or more functions across a group of organizations.

3.5 top management

person or group of people who directs and controls an organization (3.1) at the highest level

Note 1 to entry: Top management has the power to delegate authority and provide resources within the organization.


Note 2 to entry: If the scope of the management system (3.4) covers only part of an organization, then top management refers to those who direct and control that part of the organization.

3.6 effectiveness

extent to which planned activities are realized and planned results achieved

3.7 policy

intentions and direction of an organization (3.1), as formally expressed by its top management (3.5)

3.8 objective

result to be achieved

Note 1 to entry: An objective can be strategic, tactical, or operational.

Note 2 to entry: Objectives can relate to different disciplines (such as financial, health and safety, and environmental goals) and can apply at different levels (such as strategic, organization-wide, project, product and process (3.12)).

Note 3 to entry: An objective can be expressed in other ways, e.g. as an intended outcome, a purpose, an operational criterion, as an XXX objective, or by the use of other words with similar meaning (e.g. aim, goal, or target).

Note 4 to entry: In the context of XXX management systems, XXX objectives are set by the organization, consistent with the XXX policy, to achieve specific results.

3.9 risk

effect of uncertainty

Note 1 to entry: An effect is a deviation from the expected — positive or negative.

Note 2 to entry: Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of, an event, its consequence, or likelihood.

Note 3 to entry: Risk is often characterized by reference to potential “events” (as defined in ISO Guide 73:2009, 3.5.1.3) and “consequences” (as defined in ISO Guide 73:2009, 3.6.1.3), or a combination of these.

Note 4 to entry: Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated “likelihood” (as defined in ISO Guide 73:2009, 3.6.1.1) of occurrence.

3.10 competence

ability to apply knowledge and skills to achieve intended results

3.11 documented information

information required to be controlled and maintained by an organization (3.1) and the medium on which it is contained

Note 1 to entry: Documented information can be in any format and media, and from any source.

Note 2 to entry: Documented information can refer to:

— the management system (3.4), including related processes (3.12);

— information created in order for the organization to operate (documentation);

— evidence of results achieved (records).

3.12 process


set of interrelated or interacting activities which transforms inputs into outputs

3.13 performance

measurable result

Note 1 to entry: Performance can relate either to quantitative or qualitative findings.

Note 2 to entry: Performance can relate to the management of activities, processes (3.12), products (including services), systems or organizations (3.1).

3.14 outsource (verb)

make an arrangement where an external organization (3.1) performs part of an organization’s function or process (3.12)

Note 1 to entry: An external organization is outside the scope of the management system (3.4), although the outsourced function or process is within the scope.

3.15 monitoring

determining the status of a system, a process (3.12) or an activity

Note 1 to entry: To determine the status, there may be a need to check, supervise or critically observe.

3.16 measurement

process (3.12) to determine a value

3.17 audit

systematic, independent and documented process (3.12) for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled

Note 1 to entry: An audit can be an internal audit (first party) or an external audit (second party or third party), and it can be a combined audit (combining two or more disciplines).

Note 2 to entry: An internal audit is conducted by the organization itself, or by an external party on its behalf.

Note 3 to entry: “Audit evidence” and “audit criteria” are defined in ISO 19011.

3.18 conformity

fulfilment of a requirement (3.3)

3.19 nonconformity

non-fulfilment of a requirement (3.3)

3.20 corrective action

action to eliminate the cause of a nonconformity (3.19) and to prevent recurrence

3.21 continual improvement

recurring activity to enhance performance (3.13)

4. Context of the organization


4.1 Understanding the organization and its context

The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its XXX management system.

4.2 Understanding the needs and expectations of interested parties

The organization shall determine:

— the interested parties that are relevant to the XXX management system;

— the relevant requirements of these interested parties.

4.3 Determining the scope of the XXX management system

The organization shall determine the boundaries and applicability of the XXX management system to establish its scope.

When determining this scope, the organization shall consider:

— the external and internal issues referred to in 4.1;

— the requirements referred to in 4.2.

The scope shall be available as documented information.

4.4 XXX management system

The organization shall establish, implement, maintain and continually improve an XXX management system, including the processes needed and their interactions, in accordance with the requirements of this International Standard/this part of ISO XXXX/this Technical Specification.

5. Leadership

5.1 Leadership and commitment

Top management shall demonstrate leadership and commitment with respect to the XXX management system by:

— ensuring that the XXX policy and XXX objectives are established and are compatible with the strategic direction of the organization;

— ensuring the integration of the XXX management system requirements into the organization’s business processes;

— ensuring that the resources needed for the XXX management system are available;

— communicating the importance of effective XXX management and of conforming to the XXX management system requirements;

— ensuring that the XXX management system achieves its intended outcome(s);

— directing and supporting persons to contribute to the effectiveness of the XXX management system;

— promoting continual improvement;

— supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility.

NOTE Reference to “business” in this International Standard/this part of ISO XXXX/this Technical Specification can be interpreted broadly to mean those activities that are core to the purposes of the organization’s existence.

5.2 Policy

Top management shall establish a XXX policy that:

a) is appropriate to the purpose of the organization;

b) provides a framework for setting XXX objectives;

c) includes a commitment to satisfy applicable requirements;

d) includes a commitment to continual improvement of the XXX management system.

The XXX policy shall:

— be available as documented information;

— be communicated within the organization;


— be available to interested parties, as appropriate.

5.3 Organizational roles, responsibilities and authorities

Top management shall ensure that the responsibilities and authorities for relevant roles are assigned and communicated within the organization.

Top management shall assign the responsibility and authority for:

a) ensuring that the XXX management system conforms to the requirements of this International Standard/this part of ISO XXXX/this Technical Specification;

b) reporting on the performance of the XXX management system to top management.

6. Planning

6.1 Actions to address risks and opportunities

When planning for the XXX management system, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to:

— give assurance that the XXX management system can achieve its intended outcome(s);

— prevent, or reduce, undesired effects;

— achieve continual improvement.

The organization shall plan:

a) actions to address these risks and opportunities;

b) how to:

— integrate and implement the actions into its XXX management system processes;

— evaluate the effectiveness of these actions.

6.2 XXX objectives and planning to achieve them

The organization shall establish XXX objectives at relevant functions and levels. The XXX objectives shall:

a) be consistent with the XXX policy;

b) be measurable (if practicable);

c) take into account applicable requirements;

d) be monitored;

e) be communicated;

f) be updated as appropriate.

The organization shall retain documented information on the XXX objectives.

When planning how to achieve its XXX objectives, the organization shall determine:

— what will be done;

— what resources will be required;

— who will be responsible;

— when it will be completed;

— how the results will be evaluated.

7. Support

7.1 Resources


The organization shall determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the XXX management system.

7.2 Competence

The organization shall:

— determine the necessary competence of person(s) doing work under its control that affects its XXX performance;

— ensure that these persons are competent on the basis of appropriate education, training, or experience;

— where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken;

— retain appropriate documented information as evidence of competence.

NOTE Applicable actions can include, for example, the provision of training to, the mentoring of, or the reassignment of currently employed persons; or the hiring or contracting of competent persons.

7.3 Awareness

Persons doing work under the organization’s control shall be aware of:

— the XXX policy;

— their contribution to the effectiveness of the XXX management system, including the benefits of improved XXX performance;

— the implications of not conforming with the XXX management system requirements.

7.4 Communication

The organization shall determine the internal and external communications relevant to the XXX management system, including:

— on what it will communicate;

— when to communicate;

— with whom to communicate;

— how to communicate.

7.5 Documented information

7.5.1 General

The organization’s XXX management system shall include:

a) documented information required by this International Standard/this part of ISO XXXX/this Technical Specification;

b) documented information determined by the organization as being necessary for the effectiveness of the XXX management system.

NOTE The extent of documented information for a XXX management system can differ from one organization to another due to:

— the size of organization and its type of activities, processes, products and services;

— the complexity of processes and their interactions;

— the competence of persons.

7.5.2 Creating and updating

When creating and updating documented information the organization shall ensure appropriate:

— identification and description (e.g. a title, date, author, or reference number);

— format (e.g. language, software version, graphics) and media (e.g. paper, electronic);

— review and approval for suitability and adequacy.

7.5.3 Control of documented information

Documented information required by the XXX management system and by this International Standard/this part of ISO XXXX/this Technical Specification shall be controlled to ensure:


a) it is available and suitable for use, where and when it is needed;

b) it is adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity).

For the control of documented information, the organization shall address the following activities, as applicable:

— distribution, access, retrieval and use;

— storage and preservation, including preservation of legibility;

— control of changes (e.g. version control);

— retention and disposition.

Documented information of external origin determined by the organization to be necessary for the planning and operation of the XXX management system shall be identified, as appropriate, and controlled.

NOTE Access can imply a decision regarding the permission to view the documented information only, or the permission and authority to view and change the documented information.

8. Operation

8.1 Operational planning and control

DRAFTING INSTRUCTION This sub-clause heading will be deleted if no additional sub-clauses are added to Clause 8.

The organization shall plan, implement and control the processes needed to meet requirements, and to implement the actions determined in 6.1, by:

— establishing criteria for the processes;

— implementing control of the processes in accordance with the criteria;

— keeping documented information to the extent necessary to have confidence that the processes have been carried out as planned.

The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate any adverse effects, as necessary.

The organization shall ensure that outsourced processes are controlled.

9. Performance evaluation

9.1 Monitoring, measurement, analysis and evaluation

The organization shall determine:

— what needs to be monitored and measured;

— the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results;

— when the monitoring and measuring shall be performed;

— when the results from monitoring and measurement shall be analysed and evaluated.

The organization shall retain appropriate documented information as evidence of the results.

The organization shall evaluate the XXX performance and the effectiveness of the XXX management system.

9.2 Internal audit

9.2.1 The organization shall conduct internal audits at planned intervals to provide information on whether the XXX management system:

a) conforms to:

— the organization’s own requirements for its XXX management system;
— the requirements of this International Standard/this part of ISO XXXX/this Technical Specification;

b) is effectively implemented and maintained.

9.2.2 The organization shall:


a) plan, establish, implement and maintain an audit programme(s) including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration the importance of the processes concerned and the results of previous audits;

b) define the audit criteria and scope for each audit;

c) select auditors and conduct audits to ensure objectivity and the impartiality of the audit process;

d) ensure that the results of the audits are reported to relevant management;

e) retain documented information as evidence of the implementation of the audit programme and the audit results.

9.3 Management review

Top management shall review the organization’s XXX management system, at planned intervals, to ensure its continuing suitability, adequacy and effectiveness. The management review shall include consideration of:

a) the status of actions from previous management reviews;

b) changes in external and internal issues that are relevant to the XXX management system;

c) information on the XXX performance, including trends in:

— nonconformities and corrective actions;
— monitoring and measurement results;
— audit results;

d) opportunities for continual improvement.

The outputs of the management review shall include decisions related to continual improvement opportunities and any need for changes to the XXX management system. The organization shall retain documented information as evidence of the results of management reviews.

10. Improvement

10.1 Nonconformity and corrective action

When a nonconformity occurs, the organization shall:

a) react to the nonconformity and, as applicable:

— take action to control and correct it;
— deal with the consequences;

b) evaluate the need for action to eliminate the causes of the nonconformity, in order that it does not recur or occur elsewhere, by:

— reviewing the nonconformity;
— determining the causes of the nonconformity;
— determining if similar nonconformities exist, or could potentially occur;

c) implement any action needed;

d) review the effectiveness of any corrective action taken;

e) make changes to the XXX management system, if necessary.

Corrective actions shall be appropriate to the effects of the nonconformities encountered.

The organization shall retain documented information as evidence of:

— the nature of the nonconformities and any subsequent actions taken;
— the results of any corrective action.


10.2 Continual improvement

The organization shall continually improve the suitability, adequacy and effectiveness of the XXX management system.

Appendix 3

(informative)

Guidance on high level structure, identical core text, common terms and core definitions

Guidance on the high level structure, identical core text, common terms and core definitions is provided at the following URL: Annex SL Guidance documents (http://isotc.iso.org/livelink/livelink?func=ll&objId=16347818&objAction=browse&viewType=1).

ISO 9001:2015 – Risk Based Thinking

One of the key changes in the 2015 revision of ISO 9001 is to establish a systematic approach to risk, rather than treating it as a single component of a quality management system. In previous editions of ISO 9001, a clause on preventive action was separated from the whole. Now risk is considered and included throughout the standard. By taking a risk-based approach, an organization becomes proactive rather than purely reactive, preventing or reducing undesired effects and promoting continual improvement. Preventive action is automatic when a management system is risk-based.

Risk-based thinking is something we all do automatically and often subconsciously. For example, if I wish to cross a road I look for traffic before I begin. I will not step in front of a moving car. The concept of risk has always been implicit in ISO 9001 – this revision makes it more explicit and builds it into the whole management system. Risk is considered from the beginning and throughout the standard, making preventive action part of strategic planning as well as operation and review. Risk-based thinking is already part of the process approach. For example, to cross the road I may go directly or I may use a nearby footbridge. Which process I choose will be determined by considering the risks. Risk-based thinking makes preventive action part of the routine. Risk is often thought of only in the negative sense. Risk-based thinking can also help to identify opportunities. This can be considered to be the positive side of risk. Crossing the road directly gives me an opportunity to reach the other side quickly, but there is an increased risk of injury from moving cars. The risk of using a footbridge is that I may be delayed. The opportunity of using a footbridge is that there is less chance of being injured by a car.

Opportunity is not always directly related to risk but it is always related to the objectives. By considering a situation it may be possible to identify opportunities to improve.

The opportunities for improvement: a subway leading directly under the road, pedestrian traffic lights, or diverting the road so that the area has no traffic. It is necessary to analyse the opportunities and consider which can or should be acted on. Both the impact and the feasibility of taking an opportunity must be considered. Whatever action is taken will change the context and the risks and these must then be reconsidered.

Identify what your risks are – it depends on context

Example:

If I cross a busy road with many fast-moving cars the risks are not the same as if the road is small with very few moving cars. It is also necessary to consider such things as weather, visibility, personal mobility and specific personal objectives.

Understand your risks

What is acceptable, what is unacceptable? What advantages or disadvantages are there to one process over another?

Example:

Objective: I need to safely cross a road to reach a meeting at a given time.

It is UNACCEPTABLE to be injured.

It is UNACCEPTABLE to be late.

Reaching my goal more quickly must be balanced against the likelihood of injury. It is more important that I reach my meeting uninjured than it is for me to reach my meeting on time.

It may be ACCEPTABLE to delay arriving at the other side of the road by using a footbridge if the likelihood of being injured by crossing the road directly is high. I analyse the situation. The footbridge is 200 meters away and will add time to my journey. The weather is good, the visibility is good and I can see that the road does not have many cars at this time. I decide that walking directly across the road carries an acceptably low level of risk of injury and will help me reach my meeting on time.


The main objectives of ISO 9001 are to provide confidence in the organization’s ability to consistently provide customers with conforming goods and services and to enhance customer satisfaction. The concept of “risk” in the context of ISO 9001 relates to the uncertainty in achieving these objectives.

Plan actions to address the risks

How can I avoid or eliminate the risk? How can I mitigate risks?

Example:

I could eliminate risk of injury caused by being hit by a vehicle if I use the footbridge but I have already decided that the risk involved in crossing the road is acceptable. Now I plan how to reduce either the likelihood or the impact of injury. I cannot reasonably expect to control the impact of a car hitting me. I can reduce the probability of being hit by a car. I plan to cross at a time when there are no cars moving near me and so reduce the likelihood of an accident. I also plan to cross the road at a place where I have good visibility.

Implement the plan – take action

Example:

I move to the side of the road, check there are no barriers to crossing. I check there are no cars coming. I continue to look for cars whilst crossing the road.

Check the effectiveness of the action – does it work?

Example:

I arrive at the other side of the road unharmed and on time: this plan worked and undesired effects have been avoided.

Learn from experience – improve

Example:

I repeat the plan over several days, at different times and in different weather conditions. This gives me data to understand that changing context (time, weather, quantity of cars) directly affects the effectiveness of the plan and increases the probability that I will not achieve my objectives (being on time and avoiding injury). Experience teaches me that crossing the road at certain times of day is very difficult because there are too many cars. To limit the risk I revise and improve my process by using the footbridge at these times. I continue to analyze the effectiveness of the processes and revise them when the context changes. I also continue to consider innovative opportunities:


can I move the meeting place so that the road does not have to be crossed?

can I change the time of the meeting so that I cross the road when it is quiet?

can we meet electronically?

DEFINITIONS

ISO 9001:2015 defines risk as the effect of uncertainty on an expected result.

1. An effect is a deviation from the expected – positive or negative.

2. Risk is about what could happen and what the effect of this happening might be.

3. Risk also considers how likely it is.

The target of a management system is to achieve conformity and customer satisfaction.

Explanation: Risk is the possibility of events or activities impeding the achievement of an organization’s strategic and operational objectives. It is the volatility of potential outcomes. Risk can be defined by two parameters:

Severity (this is the seriousness of the harm)

Probability (this is the probability that the harm will occur)


Risk as Currently Stated in ISO 9001:2015

ISO 9001:2015 uses risk-based thinking to achieve this in the following way:

Clause 4 (Context): the organization is required to determine the risks which may affect this. The organization is also required to determine its QMS processes and to address its risks and opportunities.

Clause 5 (Leadership): top management are required to commit to ensuring Clause 4 is followed. Top management is required to:

Promote awareness of risk-based thinking

Determine and address risks and opportunities that can affect product/service conformity

Clause 6 (Planning): the organization is required to identify risks and opportunities related to QMS performance and take appropriate actions to address them.

Clause 7 (Support): the organization is required to determine and provide necessary resources (risk is implicit whenever “suitable” or “appropriate” is mentioned).

Clause 8 (Operation): the organization is required to manage its operational processes (risk is implicit whenever “suitable” or “appropriate” is mentioned). The organization is required to implement processes to address risks and opportunities.

Clause 9 (Performance evaluation): the organization is required to monitor, measure, analyse and evaluate the risks and opportunities.

Clause 10 (Improvement): the organization is required to correct, prevent or reduce undesired effects and improve the QMS and update risks and opportunities.

ISO 9001:2015 sub-clause 4.4.1—QMS and its processes

“The organization shall establish, implement, maintain and continually improve a quality management system, including the processes needed and their interactions, in accordance with the requirements of this International Standard.

The organization shall determine the processes needed for the quality management system and their application throughout the organization and shall:

f) address the risks and opportunities as determined in accordance with the requirements of 6.1”

The organization must integrate the actions to address risks and opportunities into its QMS processes using the PDCA cycle. Not all processes of a quality management system represent the same level of risk in terms of the organization’s ability to meet its objectives and the effects of uncertainty are not the same for all organizations. Each organization is therefore responsible for the extent it applies risk-based thinking and the actions it takes to address risk, including whether or not to retain documented information as evidence of its determination of risks.

5.1.2—Leadership and commitment with respect to the needs and expectations of customers

ISO 9001:2015 sub-clause 5.1.1—General under leadership and commitment

“Top management shall demonstrate leadership and commitment with respect to the quality management system by: d) promoting the use of the process approach and risk-based thinking;”

ISO 9001:2015 requires that, when planning its QMS, top management must implement and promote a culture of risk-based thinking throughout the organization to determine and address the risks and opportunities associated with providing assurance that the QMS can achieve its intended result(s); provide conforming products and services; enhance customer satisfaction; promote desirable effects and improvement; and prevent, or mitigate, undesired effects.

ISO 9001:2015 sub-clause 5.1.2—Customer focus

“Top management shall demonstrate leadership and commitment with respect to customer focus by ensuring that:

b) The risks and opportunities that can affect conformity of products and services and ability to enhance customer satisfaction are determined and addressed;”

This can be achieved by establishing process capabilities for each process from manufacturing and assembly to packaging and product delivery and installation. The computation of a simple indicator of process capability (Cp) or the adjustment of the process capability toward a specification (Cpk) would help managers quantify their process risk. The objective would be to achieve the highest economically feasible capability for each process, thus minimizing the risk of producing so-called unintended output.

6.1—Actions to address risks and opportunities


6.1.1 “When planning for the quality management system, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to:

a) give assurance that the quality management system can achieve its intended result(s)

b) enhance desirable effects

c) prevent, or reduce, undesired effects, and

d) achieve improvement.”

6.1.2 “The organization shall plan:

a) Actions to address these risks and opportunities, and

b) How to

1) Integrate and implement the actions into its quality management system processes (see 4.4), and

2) evaluate the effectiveness of these actions.

Any actions taken to address risks and opportunities shall be proportionate to the potential impact on conformity of goods and services and customer satisfaction.”

The organization must integrate the actions to address these risks and opportunities into its QMS processes using the PDCA cycle. Not all processes of a quality management system represent the same level of risk in terms of the organization’s ability to meet its objectives and the effects of uncertainty are not the same for all organizations. Each organization is therefore responsible for the extent it applies risk-based thinking and the actions it takes to address risk, including whether or not to retain documented information as evidence of its determination of risks. When planning its QMS, the organization must consider the risks and opportunities presented by external and internal issues as well as the needs and expectations of interested parties, relevant to its purpose and strategic direction. Means to address risks may include avoiding risk, taking risk in order to avail an opportunity, removing the source of the risk, changing the likelihood or consequences, sharing the risk, or making an informed decision to retain the risk. Opportunities can derive from favorable circumstances that can lead to the use of new practices, launch new products, enter new markets, address new clients, reduce waste or improve productivity, grow relationships, use new technology and other desirable and viable opportunities to facilitate the organization in achieving its strategic direction and enhance customer satisfaction.

9.1.3 – Analysis and evaluation

“The organization shall analyze and evaluate appropriate data and information arising from monitoring and measurement.

The results of analysis shall be used to evaluate:

e) The effectiveness of actions taken to address risks and opportunities;”

Planning also requires monitoring and measuring these actions and gathering, analyzing and evaluating appropriate data and information to determine the effectiveness of such actions.

9.3.2 – Management review inputs

“The management review shall be planned and carried out taking into consideration: e) the effectiveness of actions taken to address risks and opportunities (see 6.1)”

This planning must be periodically reviewed and updated as necessary when taking corrective actions or at management reviews. These actions must be proportional to the potential impact on the conformity of products and services.

10.2.1 – Nonconformity and corrective action

“When a nonconformity occurs, including any arising from complaints, the organization shall:

e) update risks and opportunities determined during planning, if necessary;”

One could do a failure mode and effects analysis (FMEA) to show that the risk-priority number has decreased as a result of a process change. This would not be difficult to do but would be full of uncertainties because FMEA is based on subjective assessment.

Use of risk-based thinking

By considering risk-based thinking throughout the organization the likelihood of achieving stated objectives is improved, output is more consistent and customers can be confident that they will receive the expected product or service.

Risk-based thinking therefore:

builds a strong knowledge base

establishes a proactive culture of improvement

assures consistency of quality of goods or services

improves customer confidence and satisfaction


Use of Risk Register

The risk register or risk log becomes essential as it records identified risks, their severity, and the action steps to be taken. It can be a simple document, spreadsheet, or a database system, but the most effective format is a table. A table presents a great deal of information in just a few pages. There is no standard list of components that should be included in the risk register. Some of the most widely used components are:

Dates: As the register is a living document, it is important to record the date that risks are identified or modified. Optional dates to include are the target and completion dates.

Description of the Risk: A phrase that describes the risk.

Risk Type (business, project, stage): Business risks relate to delivery of achieved benefit; project risks relate to the management of the project such as timeframes and resources; and stage risks are risks associated with a specific stage of the plan.

Likelihood of Occurrence: Provides an assessment on how likely it is that this risk will occur. Examples are: L-Low (<30%), M-Medium (31-70%), H-High (>70%).

Severity of Effect: Provides an assessment of the impact that the occurrence of this risk would have on the project.

Countermeasures: Actions to be taken to prevent, reduce, or transfer the risk. This may include production of contingency plans.

Owner: The individual responsible for ensuring that risks are appropriately engaged with countermeasures undertaken.

Status: Indicates whether this is a current risk or if the risk can no longer arise and impact the project. Example classifications are: C-current or E-ended.

Other columns such as quantitative value can also be added if appropriate.

Risk-driven approach in organizational processes.

Identify what risks and opportunities are – it depends on context. For example, if I cross a busy road with many fast-moving cars the risks are not the same as if the road is small with very few moving cars. It is also necessary to consider such things as weather, visibility, personal mobility and specific personal objectives.

1. Analyze and prioritize your risks and opportunities.


What risk is acceptable, what is unacceptable? What advantages or disadvantages are there to one process over another? For example, I need to safely cross a road to reach a meeting at a given time. It is UNACCEPTABLE to be injured. It is UNACCEPTABLE to be late. The opportunity of reaching my goal more quickly must be balanced against the likelihood of injury. It is more important that I reach my meeting uninjured than it is for me to reach my meeting on time. It may be ACCEPTABLE to delay arriving at the other side of the road by using a footbridge if the likelihood of being injured by crossing the road directly is high. I analyze the situation. The footbridge is 200 meters away and will add time to my journey. The weather is good, the visibility is good and I can see that the road does not have many cars at this time. I decide that walking directly across the road carries an acceptably low level of risk of injury and an opportunity to reach my meeting on time.

2. Plan actions to address the risks

How can I avoid or eliminate the risk? How can I mitigate risks? For example, I could eliminate risk of injury by using the footbridge but I have already decided that the risk involved in crossing the road is acceptable. Now I plan how to reduce the likelihood of injury and/or the effect of injury. I cannot reasonably expect to control the effect of a car hitting me. I can reduce the probability of being hit by a car. I plan to cross at a time when there are no cars moving near me and so reduce the likelihood of an accident. I also choose to cross the road at a place where I have good visibility and can safely stop in the middle to re-assess the number of moving cars, further reducing the probability of an accident.

3. Implement the plan – take action

For example, I move to the side of the road, check there are no barriers to crossing and that there is a safe place in the center of the moving traffic. I check there are no cars coming. I cross half of the road and stop in the central safe place. I assess the situation again and then cross the second part of the road.

4. Check the effectiveness of the actions – Does it work?

For example, I arrive at the other side of the road unharmed and on time: this plan worked and undesired outcomes have been avoided.

5. Learn from experience – Continual Improvement

For example, I repeat the plan over several days, at different times and in different weather conditions. This gives me data to understand that changing context (time, weather, quantity of cars) directly affects the effectiveness of the plan and increases the probability that I will not achieve my objectives of being on time and avoiding injury. Experience teaches me that crossing the road at certain times of day is very difficult because there are too many cars.

To limit the risk I revise and improve my process by using the footbridge at these times. I continue to analyze the effectiveness of the processes and revise them when the context changes. I also continue to consider innovative opportunities such as: Can I move the meeting place so that the road does not have to be crossed? Can I change the time of the meeting so that I cross the road when it is quiet? Can we meet electronically?

QUALITY RISK MANAGEMENT


INTRODUCTION

Risk management principles are effectively utilized in many areas of business and government including finance, insurance, occupational safety, public health, pharmaceutical, pharmacovigilance, and by agencies regulating these industries. Risk is defined as the combination of the probability of occurrence of harm and the severity of that harm. However, achieving a shared understanding of the application of risk management among diverse stakeholders is difficult because each stakeholder might perceive different potential harms, place a different probability on each harm occurring and attribute different severities to each harm.

PRINCIPLES OF QUALITY RISK MANAGEMENT

Two primary principles of quality risk management are:

The evaluation of the risk to quality should be based on scientific knowledge and

The level of effort, formality and documentation of the quality risk management process should be commensurate with the level of risk.

GENERAL QUALITY RISK MANAGEMENT PROCESS

Quality risk management is a systematic process for the assessment, control, communication and review of risks to the quality of product across the product life-cycle. A model for quality risk management is outlined in the diagram. Other models could be used.

The emphasis on each component of the framework might differ from case to case but a robust process will incorporate consideration of all the elements at a level of detail that is commensurate with the specific risk.


Overview of a typical quality risk management process

Decision nodes are not shown in the diagram above because decisions can occur at any point in the process. These decisions might be to return to the previous step and seek further information, to adjust the risk models or even to terminate the risk management process based upon information that supports such a decision. Note: “unacceptable” in the flowchart does not only refer to statutory, legislative, or regulatory requirements, but also to indicate that the risk assessment process should be revisited.

Responsibilities

Quality risk management activities are usually, but not always, undertaken by interdisciplinary teams. When teams are formed, they should include experts from the appropriate areas such as quality unit, business development, engineering, regulatory affairs, production operations, sales and marketing, legal, statistics, in addition to individuals who are knowledgeable about the quality risk management process.


Decision makers should:

take responsibility for coordinating quality risk management across various functions and departments of their organization and

ensure that a quality risk management process is defined, deployed, and reviewed and that adequate resources are available.

Initiating a Quality Risk Management Process

Quality risk management should include systematic processes designed to coordinate, facilitate and improve science-based decision making with respect to risk. Possible steps used to initiate and plan a quality risk management process might include the following:

Define the problem and/or risk question, including pertinent assumptions identifying the potential for risk

Assemble background information and/or data on the potential hazard, harm or human health impact relevant to the risk assessment

Identify a leader and critical resources

Specify a timeline, deliverables, and appropriate level of decision making for the risk management process

Risk Assessment

Risk assessment consists of the identification of hazards and the analysis and evaluation of risks associated with exposure to those hazards. Quality risk assessments begin with a well-defined problem description or risk question. When the risk in question is well defined, an appropriate risk management tool and the types of information that will address the risk question will be more readily identifiable. As an aid to clearly defining the risk for risk assessment purposes, three fundamental questions are often helpful:

1. What might go wrong?

2. What is the likelihood (probability) it will go wrong?

3. What are the consequences (severity)?

Risk identification

Risk identification is a systematic use of information to identify hazards referring to the risk question or problem description. Information can include historical data, theoretical analysis, informed opinions, and the concerns of stakeholders. Risk identification addresses the “What might go wrong?” question, including identifying the possible consequences. This provides the basis for further steps in the quality risk management process.

Risk analysis


Risk analysis is the estimation of the risk associated with the identified hazards. It is the qualitative or quantitative process of linking the likelihood of occurrence and severity of harms. In some risk management tools, the ability to detect the harm (detectability) also factors in the estimation of risk.

Risk evaluation

Risk evaluation compares the identified and analyzed risk against given risk criteria. Risk evaluations consider the strength of evidence for all three of the fundamental questions. In doing an effective risk assessment, the robustness of the data set is important because it determines the quality of the output. Revealing assumptions and reasonable sources of uncertainty will enhance confidence in this output and/or help identify its limitations. Uncertainty is due to a combination of incomplete knowledge about a process and its expected or unexpected variability. Typical sources of uncertainty include gaps in knowledge, gaps in process understanding, sources of harm (e.g., failure modes of a process, sources of variability), and probability of detection of problems.

The output of a risk assessment is either a quantitative estimate of risk or a qualitative description of a range of risk. When risk is expressed quantitatively, a numerical probability is used. Alternatively, risk can be expressed using qualitative descriptors, such as “high,” “medium,” or “low,” which should be defined in as much detail as possible. Sometimes a risk score is used to further define descriptors in risk ranking. In quantitative risk assessments, a risk estimate provides the likelihood of a specific consequence, given a set of risk-generating circumstances. Thus, quantitative risk estimation is useful for one particular consequence at a time. Alternatively, some risk management tools use a relative risk measure to combine multiple levels of severity and probability into an overall estimate of relative risk. The intermediate steps within a scoring process can sometimes employ quantitative risk estimation.

Risk Control

Risk control includes decision making to reduce and/or accept risks. The purpose of risk control is to reduce the risk to an acceptable level. The amount of effort used for risk control should be proportional to the significance of the risk. Decision makers might use different processes, including benefit-cost analysis, for understanding the optimal level of risk control. Risk control might focus on the following questions:

Is the risk above an acceptable level?

What can be done to reduce or eliminate risks?

What is the appropriate balance among benefits, risks and resources?

Are new risks introduced as a result of the identified risks being controlled?


Risk reduction focuses on processes for mitigation or avoidance of quality risk when it exceeds

a specified (acceptable) level. Risk reduction might include actions taken to mitigate the severity and

probability of harm. Processes that improve the detectability of hazards and quality risks might also be

used as part of a risk control strategy. The implementation of risk reduction measures can introduce

new risks into the system or increase the significance of other existing risks. Hence, it might be

appropriate to revisit the risk assessment to identify and evaluate any possible change in risk after

implementing a risk reduction process.

Risk acceptance is a decision to accept risk. Risk acceptance can be a formal decision to accept the

residual risk or it can be a passive decision in which residual risks are not specified. For some types of

harms, even the best quality risk management practices might not entirely eliminate risk. In these

circumstances, it might be agreed that an appropriate quality risk management strategy has been

applied and that quality risk is reduced to a specified (acceptable) level. This (specified) acceptable

level will depend on many parameters and should be decided on a case-by-case basis.

Risk Communication

Risk communication is the sharing of information about risk and risk management between

the decision makers and others. Parties can communicate at any stage of the risk management process.

The output/result of the quality risk management process should be appropriately communicated and

documented. Communications might include those among interested parties (e.g., regulators,

industry, within a company, industry, or regulatory authority). The included information might relate

to the existence, nature, form, probability, severity, acceptability, control, treatment, detectability, or

other aspects of risks to quality. Communication need not be carried out for each and every risk

acceptance. Between the industry and regulatory authorities, communication concerning quality risk

management decisions might be effected through existing channels as specified in regulations and

guidance.

Risk Review

Risk management should be an ongoing part of the quality management process. A mechanism to

review or monitor events should be implemented. The output/results of the risk management process

should be reviewed to take into account new knowledge and experience. Once a quality risk

management process has been initiated, that process should continue to be utilized for events that

might impact the original quality risk management decision, whether these events are planned (e.g.,

results of product review, inspections, audits, change control) or unplanned (e.g., root cause from

failure investigations, recall). The frequency of any review should be based upon the level of risk. Risk

review might include reconsideration of risk acceptance decisions.


RISK MANAGEMENT METHODS AND TOOLS

Quality risk management supports a scientific and practical approach to decision making. It provides

documented, transparent, and reproducible methods to accomplish steps of the quality risk

management process based on current knowledge about assessing the probability, severity, and,

sometimes, detectability of the risk. Traditionally, risks to quality have been assessed and managed in

a variety of informal ways (empirical and/or internal procedures) based on, for example, compilation

of observations, trends, and other information. Such approaches continue to provide useful

information that might support topics such as handling of complaints, quality defects, deviations, and

allocation of resources. An organization can assess and manage risk using recognized risk

management tools and/or internal procedures (e.g., standard operating procedures). Below is a non-exhaustive

list of some of these tools:

1. Basic Risk Management Facilitation Methods

Some of the simple techniques that are commonly used to structure risk management by organizing

data and facilitating decision making are:

Flowcharts

Check Sheets

Process Mapping

Cause and Effect Diagrams (also called an Ishikawa diagram or fish bone diagram)

2. Failure Mode Effects Analysis (FMEA)

FMEA provides for an evaluation of potential failure modes for processes and their likely effect on

outcomes and/or product performance. Once failure modes are established, risk reduction can be

used to eliminate, contain, reduce, or control the potential failures. FMEA relies on product and

process understanding. FMEA methodically breaks down the analysis of complex processes into

manageable steps. It is a powerful tool for summarizing the important modes of failure, factors

causing these failures, and the likely effects of these failures. FMEA can be used to prioritize risks

and monitor the effectiveness of risk control activities. FMEA can be applied to equipment and

facilities and might be used to analyze a manufacturing operation and its effect on product or

process. It identifies elements/operations within the system that render it vulnerable. The output/results

of FMEA can be used as a basis for design or further analysis or to guide resource

deployment.


Attachment 02: FMEA

Quality Tools

Failure Mode and Effects Analysis

Description: This template illustrates a Failure Mode and Effects Analysis (FMEA), also referred to as a Potential Failure Mode and Effects Analysis (PFMEA) or Failure Modes, Effects and Criticality Analysis (FMECA). A detailed discussion can be found at www.ASQ.org

Instructions: Please follow the link for detailed instructions for data entry.

● Initiate action to reduce the RPN

● Re-evaluate the RPN value after completion of the recommended actions

Learn More: To learn more about other quality tools, visit the ASQ Learn About Quality web site.


FAILURE MODE AND EFFECTS ANALYSIS

Item: Drill Hole. Responsibility: J. Doe. FMEA number: 123456

Model: Current. Prepared by: J. Doe. Page: 1 of 1

Core Team: J. Doe (Engineering), J. Smith (Production), B. Jones (Quality). FMEA Date (Orig): 1/1/2008. Rev: 1

| Process Function | Potential Failure Mode | Potential Effect(s) of Failure | Sev | Class | Potential Cause(s)/Mechanism(s) of Failure | Occur | Current Process Controls | Detec | RPN | Recommended Action(s) | Responsibility and Target Completion Date | Action Results: Actions Taken | Action Results: Sev | Action Results: Occ | Action Results: Det | Action Results: RPN |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Drill Blind Hole | Hole too deep | Break through bottom of plate | 7 | | Improper machine set up | 3 | Operator training and instructions | 3 | 63 | | | | | | | 0 |
| | Hole not deep enough | Incomplete thread form | 5 | | Improper machine set up | 3 | Operator training and instructions | 3 | 45 | | | | | | | 0 |
| | | | 5 | | Broken Drill | 5 | None | 9 | 225 | Install Tool Detectors | J. Doe 3/1/2008 | | 5 | 5 | 1 | 25 |


SYDNEY WATER

FMEA Procedure

(This is a general procedure. Specific details may vary with standards of your organization or industry.)

1. Assemble a cross-functional team of people with diverse knowledge about the process, product or service and customer needs. Functions often included are: design, manufacturing, quality, testing, reliability, maintenance, purchasing (and suppliers), sales, marketing (and customers) and customer service.

2. Identify the scope of the FMEA. Is it for concept, system, design, process or service? What are the boundaries? How detailed should we be? Use flowcharts to identify the scope and to make sure every team member understands it in detail. (From here on, we’ll use the word “scope” to mean the system, design, process or service that is the subject of your FMEA.)

3. Fill in the identifying information at the top of your FMEA form. Figure shows a typical format. The remaining steps ask for information that will go into the columns of the form.

4. Identify the functions of your scope. Ask, “What is the purpose of this system, design, process or service? What do our customers expect it to do?” Name it with a verb followed by a noun. Usually you will break the scope into separate subsystems, items, parts, assemblies or process steps and identify the function of each.

5. For each function, identify all the ways failure could happen. These are potential failure modes. If necessary, go back and rewrite the function with more detail to be sure the failure modes show a loss of that function.

6. For each failure mode, identify all the consequences on the system, related systems, process, related processes, product, service, customer or regulations. These are potential effects of failure. Ask, “What does the customer experience because of this failure? What happens when this failure occurs?”

7. Determine how serious each effect is. This is the severity rating, or S. Severity is usually rated on a scale from 1 to 10, where 1 is insignificant and 10 is catastrophic. If a failure mode has more than one effect, write on the FMEA table only the highest severity rating for that failure mode.

8. For each failure mode, determine all the potential root causes. Use tools classified as cause analysis tools, as well as the best knowledge and experience of the team. List all possible causes for each failure mode on the FMEA form.

9. For each cause, determine the occurrence rating, or O. This rating estimates the probability of failure occurring for that reason during the lifetime of your scope. Occurrence is usually rated on a scale from 1 to 10, where 1 is extremely unlikely and 10 is inevitable. On the FMEA table, list the occurrence rating for each cause.

10. For each cause, identify current process controls. These are tests, procedures or mechanisms that you now have in place to keep failures from reaching the customer. These controls might prevent the cause from happening, reduce the likelihood that it will happen or detect failure after the cause has already happened but before the customer is affected.

11. For each control, determine the detection rating, or D. This rating estimates how well the controls can detect either the cause or its failure mode after they have happened but before the customer is affected. Detection is usually rated on a scale from 1 to 10, where 1 means the control is absolutely certain to detect the problem and 10 means the control is certain not to detect the problem (or no control exists). On the FMEA table, list the detection rating for each cause.

12. (Optional for most industries) Is this failure mode associated with a critical characteristic? (Critical characteristics are measurements or indicators that reflect safety or compliance with government regulations and need special controls.) If so, a column labeled “Classification” receives a Y or N to show whether special controls are needed. Usually, critical characteristics have a severity of 9 or 10 and occurrence and detection ratings above 3.

13. Calculate the risk priority number, or RPN, which equals S × O × D. Also calculate Criticality by multiplying severity by occurrence, S × O. These numbers provide guidance for ranking potential failures in the order they should be addressed.

14. Identify recommended actions. These actions may be design or process changes to lower severity or occurrence. They may be additional controls to improve detection. Also note who is responsible for the actions and target completion dates.

15. As actions are completed, note results and the date on the FMEA form. Also, note new S, O or D ratings and new RPNs.


3. Failure Mode, Effects, and Criticality Analysis (FMECA)

FMEA might be extended to incorporate an investigation of the degree of severity of

the consequences, their respective probabilities of occurrence, and their detectability,

thereby becoming a Failure Mode, Effects, and Criticality Analysis (FMECA). In order for such an

analysis to be performed, the product or process specifications should be established. FMECA can

identify places where additional preventive actions might be appropriate to minimize risks.

FMECA application should mostly be utilized for failures and risks associated with manufacturing

processes; however, it is not limited to this application. The output of an FMECA is a relative risk

“score” for each failure mode, which is used to rank the modes on a relative risk basis.


Attachment 03: FMECA Procedure Example

Procedure

Failure Mode Effects and Criticality Analysis (FMECA)

1. Overview

1.1. Objective

Sydney Water’s maintenance objective is to ensure that assets achieve their design service requirements within acceptable

risk at lowest life cycle costs. The purpose of this procedure is to document the procedure for undertaking Failure Mode

Effects and Criticality Analysis for Sydney Water’s facility assets. The objective is to identify the items where

modification to the design or the operating, inspection, or maintenance strategies may be required to reduce the severity of

the effect of specific failure modes. It can be performed to meet a variety of different objectives, for example, to identify

weak areas in the design, the safety-critical components, or critical maintenance and test procedures.

1.2. Scope

Failure Mode Effects and Criticality Analysis shall be undertaken at:

• Concept stage

• Detail design stage

• Commissioning stage and

• Operational and Maintenance stage when significant changes have taken place in the operating context or asset

component configuration or every ten years whichever is the lesser.

1.3. Summary

This procedure is based on:

• US MIL-STD-1629A, Procedures for Performing a Failure Mode, Effects and Criticality Analysis, which provides a

qualitative approach.

• British Standard BS 5760, which provides a quantitative approach.

Failure modes, effects and criticality analysis (FMECA) is generally undertaken to determine critical maintenance or

renewal required for any asset. It can also be used to determine the critical failure mode and the consequences of a failure

for SWC assets. FMECA is an extension of FMEA which aims to rank each potential failure mode according to the

combined influence of its severity classification and probability of failure based on the best available data. By determining

the critical failure mode of an asset it is possible to target and refine maintenance plans, capital expenditure plans, and

investigative activities, to address the potential failure.


Risk Priority Number (RPN) is obtained by quantifying the severity, probability and detectability score. This is used to

prioritize asset remedial activities.

Issue Date: June 2010


2. Procedure to conduct FMECA

2.1. Basic information required for the FMEA process

| Question | Term |
|---|---|
| What does the system do? | Mission |
| What is its function? | Function |
| How could it fail to perform its function? | Failure Mode |
| What happens if it fails? | Effect of Failure |
| What is the likelihood of failure? | Occurrence (O) |
| What is the consequence of failure? | Severity (S) |
| What is the predictability of failure? | Detectability (D) |
| What is the Risk Priority Number (RPN)? | RPN = O x S x D |

2.2. General requirements for FMECA

• FMECA Team shall consist of Designers, Planners, Operators, and Maintainers.

• Identify the critical Asset / Maintainable Unit (top 20 % of failures using the Pareto principle).

• Apply FMECA to develop the most cost effective maintenance for the Asset / Maintainable Unit. The Asset /

Maintainable Unit is regarded as the maintainable unit, that is, the lowest level of disaggregation at which we have

control over its maintenance.

2.3. Steps involved in FMECA

1. Define system boundaries for analysis. Identify the Asset / Maintainable Unit or system being analysed.

2. Understand system/Asset / Maintainable Unit/item requirements and function. Collect information on the Asset / Maintainable Unit/item, its process disaggregation, failure history, manuals, P & I diagrams etc. Conduct Pareto analysis of the failure frequencies and select the top 20% of failures in the most frequent failure classes.

3. Define failure/success criteria for the system/Asset / Maintainable Unit/item.

4. Determine each Asset / Maintainable Unit/item's potential failure modes.

5. Determine the causes of the failures for each mode.

6. Determine the effects and consequence of the failure for each mode.

7. Establish the Asset / Maintainable Unit/item failure mode Severity (S) score of the failure consequence.

8. Determine item failure mode (frequency) occurrence (O) score.

9. Determine item failure mode detectability (D) score.

10. Assess the risk priority for each failure mode.

11. Risk Priority Number (RPN) score = S x O x D.

12. Review actions, currently being taken, for dealing with the failure modes.

13. Develop remedial measures to eliminate or mitigate the potential fault or failure. This may require:

i. Maintenance method changes including preventive maintenance, tooling, spares provision, Asset / Maintainable Unit replacement, condition monitoring;

ii. Changes in operating procedure;

iii. Production process changes;

iv. Support procedure changes; and

v. Design changes.

14. Re-assess a revised risk priority for the failure modes.

The template to undertake this FMECA exercise is given in Table-1 below.

2.4. Ranking of Severity, Probability and Detectability

Severity. Severity is an assessment of the seriousness of the effect of the potential failure mode to the next component,

subsystem, system or customer if it occurs. Severity applies to the effect only. A reduction in Severity Ranking index can

be effected only through a design change. Severity should be estimated on a “1” to “5” scale. See Severity Rating Table

below.

Severity Ranking

| Severity | Asset / Maintainable Unit | System / mission | People | Enterprise |
|---|---|---|---|---|
| 5 CATASTROPHIC | Definite or presumed destruction or degradation of other functional Asset / Maintainable Unit | Complete loss of capability | Loss of life | Major plant and production loss. Enterprise survival doubtful |
| 4 CRITICAL | Complete failure of or damage to functional Asset / Maintainable Unit under consideration | 40 % to 80 % loss of capability | Severe injury and long term damage | Moderate plant and production loss |
| 3 MODERATE | Important degradation of functional Asset / Maintainable Unit under consideration or substantial increase in operator workload | 10 % to 40 % loss of capability | Moderate injury with full recovery | Significant production loss |
| 2 MARGINAL | Minor degradation of functional Asset / Maintainable Unit under consideration | Less than 10 % loss of capability | Minor injury | Minor production loss |
| 1 MINOR | Negligible effect on performance of functional Asset / Maintainable Unit under consideration | No or negligible effect on success | No injury | No or negligible production loss |

Examples of failure effect severity scales (Ref BS 5760)

Occurrence (Event frequency). Occurrence is how frequently a specific failure cause/mechanism is projected to occur.

The likelihood of occurrence ranking number has a meaning rather than a value.

Removing or controlling one or more of the causes/mechanisms of the failure mode through a design change is the only

way a reduction in the occurrence ranking can be effected.

Estimate the likelihood of occurrence of potential failure cause/mechanism on a “1” to “5” scale. Only occurrences

resulting in the failure mode should be considered for this ranking; failure-detecting measures are not considered here. See

Occurrence Rating Table below.

Range Estimates of failure probability can be used to rank probabilities of occurrence or, alternatively, item failure rates

may be employed. Frequency ranges for process Asset / Maintainable Unit typically:

| Rank | Occurrence Criteria | Occurrence Rates (Cycles, Hrs etc.) - Ref Dodson Reliability HB | Failures per year in Process industry – Ref Moss Reliability Assessment |
|---|---|---|---|
| 1 - Unlikely | Unlikely – Unreasonable to expect this failure mode to occur | 1/100,000 | - |
| 2 - Very Low | Isolated – Based on similar designs having a low number of failures | 1/10,000 | <0.01 |
| 3 - Low | Sporadic – Based on similar designs that have experienced occasional failures | 1/1,000 | 0.01 to 0.1 |
| 4 - Medium | Conceivable – Based on similar designs that have caused problems | 1/100 | 0.1 to 1.0 |
| 5 - High | Recurrent – Certain that failures will ensue | 1/10 | > 1 |

Examples of failure occurrence scales

If available from a similar process, statistical data should be used to determine the occurrence ranking.

Detection is the ability to detect the cause/mechanism/weakness of actual or potential failure. In Design FMEA, this must

occur before the component, subsystem, or system is released for production. In Process/Service FMEA it must occur in

time to prevent distribution in case of a product or catastrophe in case of an Asset / Maintainable Unit. In order to achieve

a lower ranking, generally the planned control (e.g., preventative activities) has to be improved. See Detection Ranking

Table below.

When assessing the probability that the current controls will prevent or detect the cause of the failure mode, do not assume

that the detection rating will be low because the occurrence rating is low.


DOCUMENT UNCONTROLLED IF PRINTED OR DOWNLOADED. CONTROLLED VERSION IS IN THE BMIS.

BMIS Number: AMQ0006 Version 03 Issue Date: June 2010 Document Owner: Manager, Strategic

Asset Management Page 79 of 709


Detection Ranking (Ref Dodson Reliability Handbook)

| Rank | Detection Criteria | Probability % |
|---|---|---|
| 1 | Very High Probability of detecting the failure before it occurs. Almost always preceded by a warning | 80 – 100 |
| 2 | High Probability of detecting the failure before it occurs. Preceded by a warning most of the time | 60 – 80 |
| 3 | Moderate Probability of detecting the failure before it occurs. About 50% chance of getting a warning | 40 – 60 |
| 4 | Low Probability of detecting the failure before it occurs. Always comes with little or no warning | 20 – 40 |
| 5 | Remote Probability of detecting the failure before it occurs. Always without a warning | 0 – 20 |

Examples of failure detection scales

Risk Priority Number (RPN). The Risk Priority Number is the product of the Severity, Occurrence, and

Detection rankings.

Risk Priority Number = Severity x Occurrence x Detection

The RPN, as the product S x O x D, is a measure of design/process risk. This value should be used to rank

order the concerns in the Design/Process (e.g., in Pareto fashion). The RPN will be between 1 and 125. For

higher RPNs the team must undertake efforts to reduce this calculated risk through corrective action(s). In

general practice, regardless of the resultant RPN, special attention should be given when severity is high.

If the RPN is more than 33, you need to investigate the possibility of renewing or replacing the asset

based on:

• Condition (Poor grade 4),

• Total maintenance cost in last 5 yrs greater than 60 % of replacement value

• Remaining Life less than 5 yrs

• Spares availability (long lead time, obsolescence)
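The ranking scales and the RPN rule above can be applied to a worksheet as follows. This is an added example, not part of the Sydney Water procedure or the original document: the cause names come from the submersible pump table in section 2.5, but every rating, the function and field names, the choice to give a shared range boundary the higher rank, and the reading of "high severity" as rank 4 or 5 are assumptions made for illustration.

```python
from dataclasses import dataclass, replace

RPN_REVIEW_THRESHOLD = 33  # page: RPN "more than 33" -> investigate renew/replace
HIGH_SEVERITY = 4          # assumption: Critical (4) and Catastrophic (5) count as "high"


def occurrence_rank(failures_per_year: float) -> int:
    """Occurrence rank from the 'Failures per year' column of the occurrence table.

    Rank 1 (Unlikely) has no figure in that column, so the lowest rank
    returned here is 2. A value on a shared boundary (0.01, 0.1) takes the
    higher rank (assumption).
    """
    if failures_per_year < 0:
        raise ValueError("failure rate cannot be negative")
    if failures_per_year > 1:
        return 5
    if failures_per_year >= 0.1:
        return 4
    if failures_per_year >= 0.01:
        return 3
    return 2


def detection_rank(detect_pct: float) -> int:
    """Detection rank from the 'Probability %' column of the detection table.

    A value on a shared boundary (80, 60, 40, 20) takes the higher,
    less favourable rank (assumption).
    """
    if not 0 <= detect_pct <= 100:
        raise ValueError("detection probability must be 0..100 %")
    for rank, lower_bound in ((1, 80), (2, 60), (3, 40), (4, 20)):
        if detect_pct > lower_bound:
            return rank
    return 5


@dataclass(frozen=True)
class FailureMode:
    symptom: str
    cause: str
    severity: int             # 1..5, taken from the severity ranking table
    failures_per_year: float  # estimate used to derive O
    detect_pct: float         # chance of a warning before failure, used to derive D

    def __post_init__(self):
        if not 1 <= self.severity <= 5:
            raise ValueError("severity must be ranked 1 to 5")

    @property
    def occurrence(self) -> int:
        return occurrence_rank(self.failures_per_year)

    @property
    def detection(self) -> int:
        return detection_rank(self.detect_pct)

    @property
    def rpn(self) -> int:
        return self.severity * self.occurrence * self.detection


def assess(modes):
    """Rank failure modes by RPN (ties: higher severity first) and flag them."""
    ranked = sorted(modes, key=lambda m: (m.rpn, m.severity), reverse=True)
    return [
        {
            "cause": m.cause,
            "S": m.severity, "O": m.occurrence, "D": m.detection, "RPN": m.rpn,
            # RPN above 33 triggers the renew-or-replace investigation.
            "review_renew_or_replace": m.rpn > RPN_REVIEW_THRESHOLD,
            # High severity deserves attention regardless of the RPN.
            "high_severity": m.severity >= HIGH_SEVERITY,
        }
        for m in ranked
    ]


def after_action(mode: FailureMode, **changes) -> FailureMode:
    """Return the failure mode with revised inputs, for the re-assessment step."""
    return replace(mode, **changes)


# Constructed worksheet: causes from the pump table, ratings invented.
PUMP = [
    FailureMode("Pump unable to start when called for by level signal",
                "Broken shaft", severity=4, failures_per_year=0.05, detect_pct=10),
    FailureMode("Water found in oil chamber",
                "Seal failure", severity=3, failures_per_year=0.5, detect_pct=70),
    FailureMode("Increase in pump down time",
                "Choke", severity=2, failures_per_year=2.0, detect_pct=50),
    FailureMode("Noise",
                "Loose impeller", severity=4, failures_per_year=0.005, detect_pct=85),
]

if __name__ == "__main__":
    for row in assess(PUMP):
        print(row)
    # Improved detection (a better control) lowers D; S is left unchanged.
    print(after_action(PUMP[0], detect_pct=70).rpn)
```

The loose impeller row shows why the severity flag is kept separate from the RPN threshold: its RPN is low, yet its severity rank is 4.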


2.5. Clarification of Failure modes, problems or symptoms

Example for a Submersible Pump Failure:

| Symptom Detected (Failure Mode) or Problem at Maintainable unit level | Cause at Hardware or Part level of maintainable unit’s |
|---|---|
| Increase in pump down time | Choke |
| Pump failed to start | Jam |
| Pump unable to start when called for by level signal | Broken shaft |
| Pump unable to start when called for by level signal | Bearing failure |
| Water found in oil chamber | Seal failure |
| Increase in pump down time | Incorrect seating |
| Increase in pump down time | Wear Ring Failure |
| Water found in oil chamber | O-ring fault |
| Leakage / low pumping rate | Damaged/cracked casing |
| Noise | Loose impeller |
| Low pumping rate | Impeller damaged |

General Common Problems or Symptoms

• Dirt or foreign matter in mechanism, pipe

• Breakage or jamming due to overloading or misapplied load

• Breakage due to wear and tear

• Lubricant lacking, deteriorated or dirty

• Securing or mounting nut/bolt/fastener loose or missing

• Foundations not firm or secure

• Corrosion, rust

• Balance (vibration)

• Filter blocked or dirty

• Alignment incorrect

• Power supply failure

• Fire damage

• Design or manufacture fault

• Overheating due to lack of coolant, or cooling surface blocked

• Fracture of pipe or vessel due to welding fault, thermal stress or fatigue

• Loss of hydraulic fluid

• Incorrect assembly

• Part missing, loose or falls off

• Seal leaking

• Leak in pipe, valve, tap, etc.

• Hose damaged

• Vermin – e.g. rat chews through insulation, bird makes nest in air inlet

• Flood / water damage

• Drain blocked

• Electrical insulation failure

• Electrical connection failure

• Consumable not replenished, e.g., lubricant

• Catalyst regeneration required

• Balance incorrect

• Vandalism

• Water supply failure

• Protective device failed


Table –1: Template to undertake FMECA.


3. Context

3.1. Definitions

| Term | Definition |
|---|---|
| Current Controls | Current design or process controls are descriptions of the controls that either prevent to the extent possible the failure mode from occurring or detect the failure mode should it occur. |
| Detection | This is the ability to detect the cause/mechanism/weakness of actual or potential failure. |
| Occurrence (Event frequency) | Occurrence is how frequently a specific failure cause/mechanism is projected to occur. The likelihood of occurrence ranking number has a meaning rather than a value. |
| Potential Cause(s)/Mechanism of Failure | Potential Cause of Failure is defined as how the failure could occur, described in terms of something that can be corrected or can be controlled, or an indication of a design weakness, the consequence of which is the failure mode. |
| Potential Effect(s) of Failure | Potential Effects of Failure are defined as the effects of the failure mode on the function, as perceived by the customer. The customer in this context could be the next operation, subsequent operations or locations. Each must be considered when assessing the potential effect of a failure. |
| Potential Failure Mode | A Potential Failure Mode is defined as a manner in which a component, subsystem, system or process could potentially fail to meet the design intent and/or the process requirements. |
| Recommended Action(s) | Corrective action should be first directed at the highest ranked concerns and critical items. |
| Revised Risk Analysis | After the corrective actions have been identified, estimate and record the resulting severity, occurrence and detection ratings. Calculate and record the resulting RPN. |
| Risk Priority Number (RPN) | Provides a quantitative measure of risk. The Risk Priority Number is the product of the Severity, Occurrence, and Detection rankings. |
| Severity | Severity is an assessment of the seriousness of the effect of the potential failure mode to the next component, subsystem, system or customer if it occurs. |

3.2. Responsibilities

The FMECA procedure shall be conducted at:

• Concept stage by the designers and planners

• Detail design stage by designers.

• Commissioning stage by the contractor.

• Operation stage by the operators, planners and maintainers to review the maintenance requirements

| Position | Responsibility |
|---|---|
| Manager - Strategic Asset Management (SAM) | Procedure owner |
| Maintenance Strategy Leader – SAM | Procedure development and review |
| Planners, Designers, Contractors & Operators | Procedure implementation |
| Management System Administrator | Policy publishing (in BMIS); initiating scheduled policy review cycles and incorporating of amendments |

3.3. References

| Document type | Title |
|---|---|
| Legislation | Occupational Health & Safety Act |
| Other documents | US MIL-STD-1629A, Procedures for Performing a Failure Mode, Effects and Criticality Analysis, which provides a qualitative approach. |
| Other documents | British Standard BS 5760, which provides a quantitative approach. |

4. Document control

Procedure title: Failure Mode Effects and Criticality Analysis (FMECA) procedure

Effective date: 18-06-2010

Review Period: As Required

Registered file: N/A

BMIS file name: AMQ0006

Procedure Owner: Manager, Strategic Asset Management (SAM)

Prepared by: SAM - Maintenance Strategy Leader

Approved by: SAM - Asset Strategy Manager Wastewater

5. Revision control chart

Please refer to Sydney Water’s Business Management Information System (BMIS) for version control details.

4. Fault Tree Analysis (FTA)

The FTA tool is an approach that assumes failure of the functionality of a product or process. This

tool evaluates system (or subsystem) failures one at a time but can combine multiple causes of

failure by identifying causal chains. The results are represented pictorially in the form of a tree of

fault modes. At each level in the tree, combinations of fault modes are described with logical

operators (AND, OR, etc.). FTA relies on the experts’ process understanding to identify causal

factors.

FTA can be used to establish the pathway to the root cause of the failure. FTA can be used

to investigate complaints or deviations in order to fully understand their root cause and to

ensure that intended improvements will fully resolve the issue and not lead to other issues (i.e.

solve one problem yet cause a different problem). Fault Tree Analysis is an effective tool for

evaluating how multiple factors affect a given issue. The output of an FTA includes a visual

representation of failure modes. It is useful both for risk assessment and in developing monitoring

programs.

Hazard Analysis and Critical Control Points (HACCP)

HACCP is a systematic, proactive, and preventive tool for assuring product quality, reliability, and

safety. It is a structured approach that applies technical and scientific principles to analyze, evaluate,

prevent, and control the risk or adverse consequence(s) of hazard(s) due to the design, development,

production, and use of products.

HACCP consists of the following seven steps:

1. conduct a hazard analysis and identify preventive measures for each step of the process
2. determine the critical control points
3. establish critical limits
4. establish a system to monitor the critical control points
5. establish the corrective action to be taken when monitoring indicates that the critical control points are not in a state of control
6. establish a system to verify that the HACCP system is working effectively
7. establish a record-keeping system

HACCP might be used to identify and manage risks associated with physical, chemical, and biological hazards (including microbiological contamination). HACCP is most useful when product and process understanding is sufficiently comprehensive to support identification of critical control points. The output of a HACCP analysis is risk management information that facilitates monitoring of critical points not only in the manufacturing process but also in other lifecycle phases.

Hazard Operability Analysis (HAZOP)

HAZOP is based on a theory that assumes that risk events are caused by deviations from the design or operating intentions. It is a systematic brainstorming technique for identifying hazards using so-called guide words. Guide words (e.g., No, More, Other Than, Part of) are applied to relevant parameters (e.g., contamination, temperature) to help identify potential deviations from normal use or design intentions. HAZOP often uses a team of people with expertise covering the design of the process or product and its application.

HAZOP can be applied to manufacturing processes, including outsourced production and formulation as well as the upstream suppliers, equipment and facilities for drug substances and drug products. It has also been used primarily in the pharmaceutical industry for evaluating process safety hazards. As is the case with HACCP, the output of a HAZOP analysis is a list of critical operations for risk management. This facilitates regular monitoring of critical points in the manufacturing process.

1. Preliminary Hazard Analysis (PHA)

PHA is a tool of analysis based on applying prior experience or knowledge of a hazard or failure to identify future hazards, hazardous situations and events that might cause harm, as well as to estimate their probability of occurrence for a given activity, facility, product, or system. The tool consists of:

1. the identification of the possibilities that the risk event happens,
2. the qualitative evaluation of the extent of possible injury or damage to health that could result,
3. a relative ranking of the hazard using a combination of severity and likelihood of occurrence, and
4. the identification of possible remedial measures

PHA might be useful when analyzing existing systems or prioritizing hazards where circumstances prevent a more extensive technique from being used. It can be used for product, process and facility design as well as to evaluate the types of hazards for the general product type, then the product class, and finally the specific product. PHA is most commonly used early in the development of a project when there is little information on design details or operating procedures; thus, it will often be a precursor to further studies. Typically, hazards identified in the PHA are further assessed with other risk management tools such as those in this section.

2. Risk Ranking and Filtering

Risk ranking and filtering is a tool for comparing and ranking risks. Risk ranking of complex systems typically involves evaluation of multiple diverse quantitative and qualitative factors for each risk. The tool involves breaking down a basic risk question into as many components as needed to capture factors involved in the risk. These factors are combined into a single relative risk score that can then be used for ranking risks. “Filters,” in the form of weighting factors or cut-offs for risk scores, can be used to scale or fit the risk ranking to management or policy objectives.

Risk ranking and filtering can be used to prioritize manufacturing sites for inspection/audit by regulators or industry. Risk ranking methods are particularly helpful in situations in which the portfolio of risks and the underlying consequences to be managed are diverse and difficult to compare using a single tool. Risk ranking is useful for management to evaluate both quantitatively-assessed and qualitatively-assessed risks within the same organizational framework.

Supporting Statistical Tools

Statistical tools can support and facilitate quality risk management. They can enable effective data assessment, aid in determining the significance of the data set(s), and facilitate more reliable decision making. A listing of some of the principal statistical tools commonly used is provided:

• Control charts, for example Acceptance control charts, control charts with arithmetic average and warning limits, Cumulative sum charts, Shewhart control charts, Weighted moving average.
• Design of experiments (DOE)
• Histograms
• Pareto charts
• Process capability analysis
