From ISO9001:2008 to ISO 9001: The likely impact

Transcription

1 From ISO9001:2008 to ISO 9001: The likely impact Title VI TM From ISO9001:2008 to ISO 9001: The likely impact Version 6 Author Michael Shuff Issue Date 13 Mar 2015 Page 1

2 Summary ISO 9001:2015 is set to be a far-reaching (and some would say controversial) revision to the well - established and respected standard: BS EN ISO 9001 Quality Management Systems - Requirements. A new common format has been adopted, really a standardized core text and structure for all ISO management system standards, widely known as Annex SL or the High Level Structure. In addition, while the fundamental objectives of the standard remain the same, i.e. "...to provide confidence in the organization s ability to consistently provide customers with conforming goods and services, and to enhance customer satisfaction" [BSI White Paper], this revision represents a big change to ISO The wording provides a foundation for the integration of a QMS with other management systems. For example, ISO Environmental Management Systems (an updated version of which is expected by the end of 2015) and ISO Information Security Management (a revised version based on Annex SL was published in 2013). It is a development that is often viewed with a degree of distrust by quality managers and consultants, who are concerned to maintain the integrity of the QMS. However, Annex SL is by no means the only change that the 2015 version will bring to the 9001 standard. ISO 9001:2015 also sets out to align the QMS policy and objectives with the organization's strategy. It places strong emphasis on the role of "top management" in ensuring that the company meets its quality objectives. The days of the "management representative" are passing, as the transfer of responsibility is moving upwards. Thanks in part to the introduction of Annex SL, there will be greater flexibility with Documentation. Even to the point where the Quality Manual is no longer mandated, providing an opportunity (if you choose to see it as such) to ask yourself the question "How should we document quality processes? Even this change, however, has caused fewer heated debates than that of "risk based thinking". Although the wording requires that risks and opportunities be "determined and addressed", there remains no requirement for formal risk management processes, such as those found in ISO Notwithstanding this fact, risk is considered qualitatively (and, depending on the organization s context), quantitatively from the beginning and throughout the standard; making, to quote the ISO, "preventive action part of strategic planning as well as operation and review". Risk-based thinking, therefore, means you must consider risk when defining the rigour and degree of formality needed to plan and control the quality management system, as well as its component processes and activities. The problem that I envisage is simply that organizations may well have difficulty in demonstrating risk-based thinking to ISO 9001 assessors unless they have documented risk management processes. Page 2

3 Table of Contents 1 Introduction How will the new version affect ISO 9001:2008 registrations? What are the most notable changes in the 2015 version? High Level Structure Risk-based thinking Documented Information Knowledge management Training records Responsibility of Top Management The likely impacts of 'risk-based thinking' How does ISO 9001 help you to achieve your business goals? Why should your organization adopt Risk-based Thinking? What should you do in order to adopt "Risk-based thinking"? What 'documented information' is required by ISO 9001:2015? What does the 2014 committee draft of ISO 9001 actually say? Out with the old... in with the new ISO 9001 terms and definitions How should you manage your required documented information? Appendix: Sources referenced plus recommended reading Page 3

4 1 Introduction From its beginnings in the 1980s, each version of the ISO 9001 standard has tried to bring about changes. ISO 9001:2000 was a big paradigm shift, with important changes in emphasis on process, involvement of senior management, continuous improvement and customer satisfaction. The ISO 9001:2008 standard that followed was more of an evolution, with an emphasis on clarifying the requirements in its predecessor. What about the forthcoming ISO 9001:2015? What can we expect? Based on the Draft International Standard (DIS) published in May 2014, and information published in the form of white papers by leading standards organizations including BSI, this paper looks at the likely impact. 2 How will the new version affect ISO 9001:2008 registrations? According to BSI, publication of the new standard is likely to occur in September From the date of publication, organizations holding a valid ISO 9001:2008 certificate will have three years to make the transition to the new version of the standard. The old version will continue to be recognised and companies can be audited against it until the end of the three-year transition for ISO 9001:2015 (expected to last until September 2018). Some people have asked what to do in the interim, i.e. does it make sense in 2015 to certify to the 9001:2008 version? Most experts advise that it does. First, there is the 3-year transition period, which gives companies until 2018 to update their system to the new version. Second, it is possible to append the additional requirements from 9001:2015 to the current requirements. Third, the restructuring changes should remind all users that it is not a good idea to base a company's QMS just on the ISO structure, but rather it should map to the latter as appropriate. If you must use the ISO structure, then yes, it is better now to use that of 9001:2015. Another frequently asked question is should holders of 9001:2008 certificates re-certify to the 2015 version? There is no reason to do so in the short term, apart from the fact that they may want to look contemporary. Accredited Certification Bodies (e.g. BSI) will stop issuing new certificates to ISO 9001:2008 twelve months after ISO publish the 2015 version. This means that if you are developing a quality management system based on the requirements of the current, 2008, version of the standard, you have until late 2016 to gain a certificate issued to ISO 9001:2008. If your organization's QMS is already certified ISO 9001:2008 compliant, you may wish to look at your processes to see if they are in line with the new high-level structure. However, your system must remain compliant with ISO 9001:2008 until the release of ISO 9001:2015. Page 4

5 3 What are the most notable changes in the 2015 version? 3.1 High Level Structure A key fact to know about the ISO 9001:2015 DIS draft document is that the text has been prepared using the new high-level structure (i.e. clause sequence, common text and terminology) provided in Annex SL, Appendix 2 of the ISO/IEC Directives, Part 1, Consolidated ISO Supplement, ISO intends for this to enhance alignment among ISO s management system standards, and to facilitate their implementation for organizations that need to meet the requirements of two or more standards simultaneously. Annex SL defines the framework for what is a generic management system. All new ISO management system standards (MSS) will adhere to this framework and all current MSS will migrate at their next revision. The major clause numbers and titles of all MSS will be identical. They are: Introduction Page 5 1. Scope 2. Normative references 3. Terms and definitions 4. Context of the organization 5. Leadership 6. Planning 7. Support 8. Operation 9. Performance evaluation 10. Improvement. Referencing the DIS, the following structure comparison chart illustrates some of the differences between ISO 9001:2015 and the ISO 9001:2008 standard: ISO/DIS 9001:2015 ISO 9001: Scope Scope 2. Nominative References Nominative References 3. Terms and definitions Terms and definitions 4. Context of the organization Quality Management System 5. Leadership Management responsibility 6. Planning Resource management 7. Support Product realization 8. Operation Measurement, analysis, and improvement 9. Performance evaluation 10. Improvement Table 1: Structure Comparison Chart

6 The new harmonised approach that ISO 9001:2015 will fit into allows for the addition of disciplinespecific (in this case quality-specific) text, applied in the wording of the DIS through the following: a) Specific quality management system requirements considered essential to meet the scope of the ISO 9001 standard; b) Text to reflect the use of the Quality Management Principles that form the basis for ISO s quality management system standards; c) Requirements and notes to clarify and ensure consistent interpretation and implementation of the common text in the context of a quality management system. You should keep the Annex SL changes to the 2008 structure in mind when building your quality management system processes in the future. The familiar Plan-Do-Check-Act (PDCA) methodology will continue in the new version of the standard; however, there will be an overall focus on Riskbased thinking" aimed at preventing undesirable outcomes - see below. 3.2 Risk-based thinking There will be a much greater emphasis in ISO 9001:2015 on risk-based thinking incorporated in requirements for the establishment, implementation, maintenance and continual improvement of the quality management system. ISO 9001:2015, like its cousin ISO 27001:2013, does not mandate a particular risk assessment method - not even ISO 31000! 3.3 Documented Information Following Annex SL, gone are the terms documents, documentation and records. In comes 'Documented Information'. However, the requirements for the management of documented information are not new or excessive. Section Control of documents in the 2008 version has effectively moved to Section 7.5 Documented Information, under Section Creating and updating and Control of documented Information. The list of six mandatory procedures has gone but it will still be necessary to document the required processes. Management of the processes and the system as a whole can be achieved using a Plan- Do-Check-Act (PDCA) methodology (see 0.4) with an overall focus on Risk-based thinking" aimed at preventing undesirable outcomes (see 0.5). However, we should always remember that processes have to be controlled, which will mean creating and maintaining documented information. The term "documented information" in this regard is repeated throughout the draft version. Section 4.4 makes the need for a QMS less explicit. That has begged the question in discussion forums: "What is a QMS anyway?. For some, the Quality Manual describes the quality management system in the form of a printed document in a ring binder. For others, it is one of many documents in an electronic document management system (DMS). How best to 'do the QMS' is a more central issue now. The graphical QMS developed by CogniDox is one answer to this need. Page 6

7 3.4 Knowledge management Section talks about Organizational Knowledge. This requires an organization to ensure that it has or obtains the knowledge resources necessary to respond to changing business environments, changing customer and interested party needs and expectations and, where applicable, related improvement initiatives. It points to important issues affecting quality, as for example how the organization accesses internal knowledge, and how the organization's IP is stored and protected. 3.5 Training records One of the popular "crystallizations" of the 2008 version was the training records register. It's not clear to me whether Section 7.2 Competence requires the same. The catch-all mandate in 7.2 d) to "retain appropriate documented information as evidence of competence" would suggest that it does; although we will have to wait and see just how this is interpreted. 3.6 Responsibility of Top Management ISO 9001:2015 signals more of a hands-on role for top management. Section 5 Leadership makes it clear that there is now a responsibility for top management to take accountability for the effectiveness of the QMS. New requirements for leadership and accountability include ensuring that: a) quality policy and objectives are compatible with strategic direction; b) quality policy is applied, not just communicated and understood; c) quality system requirements are integrated into business processes. Top management will be actively involved in the operation of the QMS. The removal of all references to the role of management representative reinforces a need to see the QMS embedded into your routine business operations. The days of the QMS operating as an independent system in its own right with its own dedicated management structure are numbered. 4 The likely impacts of 'risk-based thinking' Risk-based thinking and the resulting actions to address risk are what business is arguably all about. Now it is officially a requirement of ISO 9001 in the much-anticipated revised version due to be published in Just to recap: among the key changes almost certain to be coming in the ISO 9001:2015 quality management system standard, and available to read in the Draft International Standard (DIS) published in May 2014, are: The emphasis on leadership The focus on risk management Page 7

8 There are many good reasons for your organization to invest in a quality system. I suggest that the 'top ten' reasons are: Page 8 1. Cutting costs 2. Saving time 3. Increasing customer satisfaction 4. Developing better business processes 5. Improving product quality 6. Reducing response times 7. Creating competitive advantage through investment in quality 8. Utilizing best practice through collaboration and focus 9. Helping you grow your business (as opposed to fighting fires) And, yes Reducing risk 4.1 How does ISO 9001 help you to achieve your business goals? The central purpose of a quality management system (QMS) is to provide confidence in the organization s consistent ability to provide customers with conforming goods and services. The concept of risk in the context of ISO 9001:2015 relates to the uncertainty in achieving these objectives. By giving much greater emphasis to risk and opportunity management, the approach is in line with the current thinking of many senior managers. Risk, as Clause 0.5 of the Introduction to the DIS states, "...is the effect of uncertainty on an expected result and the concept of risk-based thinking has always been implicit in ISO 9001." ISO 9001:2015 permits organizations to choose whether they develop a more extensive risk-based approach than is required. The ISO Risk Management standard is referenced as being able to provide "guidelines on formal risk management which can be appropriate in certain organizational contexts", however, it is not mandated. You choose the method/s by which you assess risks and opportunities. The new version of the standard recognises that not all the processes of the quality management system represent the same level of risk in terms of the organization s ability to meet its objectives. The consequences of process, product, service or system nonconformities are not the same for all organizations. In particular contexts, the consequences of delivering nonconforming products and services can result in minor inconvenience to the customer; in others, the consequences can be farreaching, and even fatal. Risk-based thinking" means "...considering risk qualitatively (and, depending on the organization s context, quantitatively) when defining the rigour and degree of formality needed to plan and control the quality management system, as well as its component processes and activities." [Clause 0.5]. I suspect this could potentially cause problems during the audit when objective evidence of riskbased thinking in the form of documented information cannot be produced. After all, although the

9 risks and opportunities will have to be determined and addressed, there is no requirement for any formal risk management process. All that is needed is an "...overall focus on "Risk-based thinking" aimed at preventing undesirable outcomes (see 0.5)" [Source: 0.3 Process Approach, line 258 of the DIS]. So how will thinking be assessed? The FDIS (final draft international standard) may contain a clearer definition of risk-based thinking and there is of course the question of whether the range of ISO 9000 Guidance documents to be published (presumably in 2015?) will address the auditing of this requirement? I watch with interest. No doubt, so will you - and your ISO assessors! 4.2 Why should your organization adopt Risk-based Thinking? Well, if "thinking" in this context means adequately assessing risk for the purposes of planning and control (and I think it does!), then the result should be to: improve customer confidence and satisfaction assure consistency of quality of goods and services establish a proactive culture of prevention and improvement. The key point being: successful companies take a risk-based approach. Not everyone agrees that there is sufficient evidence to support this statement, but the popularity of risk management as a discipline in both the public and private sectors is a phenomenon that is hard for industry to ignore. Personally, I would like to know exactly what evidence should be collected and maintained in documented information about whatever type of risk is being assessed. The rigour of documenting your risk assessment process and recording, as they are made, the management decisions to address those risks will be of more practical value than simply thinking about the risks. Documented information of this kind properly controlled and updated in a document management system has its uses in decision-making processes. In Clause 4, Context of the organization, the requirement is to determine the issues that can affect the organization's ability to meet its quality objectives: "The organization shall determine external and internal issues that are relevant to its purpose and its strategic direction and that affect its ability to achieve the intended result(s) of its quality management system." It could be argued here that "issues" are not necessarily "risks"; however, the Notes in this Clause would suggest that our "understanding" of the organization's external and internal context is necessary in assessing risk: NOTE 1 Understanding the external context can be facilitated by considering issues arising from legal, technological, competitive, market, cultural, social, and economic environments, whether international, national, regional or local. Page 9

10 Page 10 NOTE 2 Understanding the internal context can be facilitated by considering issues related to values, culture knowledge and performance of the organization. Clause 5, Leadership requires that top management commit to ensuring Clause 4 is followed - so they will need status and progress reports based on documented information from the management system to achieve this. A graphical presentation of key management information, updated in real time from a document management system saves a lot of report writing! Clause 8, Operation requires the organization to "plan, implement and control" processes 6.1 Actions to address risks and opportunities - see further down. "The organization shall plan, implement and control the processes, as outlined in 4.4, needed to meet requirements for the provision of products and services and to implement the actions determined in 6.1" [Source: 8.1 Operational planning and control]. Unsurprisingly, references to "processes" continues to be a dominant feature of ISO 9001:2015, both in lines retained from the 2008 standard and the blue text additions. But note the use of the term in the list below: Processes for planning and consideration of risks and opportunities (Clause 6) Processes for support, including resources, people and information (Clause 7) Operational processes related to customers and products and services (Clause 8) Processes for performance evaluation (Clause 9) Processes for improvement (Clause 10). Risk-based thinking is considered integral to an ISO 9001:2015 QMS. "This International Standard makes risk-based thinking more explicit and incorporates it in requirements for the establishment, implementation, maintenance and continual improvement of the quality management system." [Clause 0.5] ISO 9001:2015 is about managing change processes in your business, based on an understanding the risks and challenges which may impact on your organization's ability to meet customer requirements and taking a preventative approach supported by relevant documented information. Effective planning and consideration of risks and opportunities will be a key (critical?) factor for successful certification to ISO 9001:2015. Senior management should be able to demonstrate that they understand the business risks and opportunities, and how they could impact. They will need to ensure that the management system can achieve its intended results (6.1.1 a), prevent or reduce undesired effects ( b), achieve continual improvement ( c); and, that actions to address risks and opportunities are integrated into processes (see 4.4); and their effectiveness evaluated. Wikipedia says that Risk management "...is the identification, assessment, and prioritization of risks (defined in ISO as the effect of uncertainty on objectives) followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events[1] or to maximize the realization of opportunities". Clause 9, Performance Evaluation, includes a requirement that top management shall "review the organization's quality management system". The management review has to take into consideration:

11 "... the effectiveness of actions taken to address risks and opportunities (see clause 6.1);" Surely, in order to evaluate (a) whether the actions (i.e. the selected controls) are still applicable and effective, and (b) whether the possible risk-level in the business environment has changed since the last review, senior management will need to see the results from a 'risk analysis'? How otherwise could they assess the effectiveness of actions taken to address risks (threats) and opportunities? Unless they are simply content to do so based on opinions and/or anecdotal evidence? Maybe this will be acceptable to managers in some 'low risk' environments, but not in high risk ones like product design, development and manufacturing such as silicon, military software, the aerospace industry... the list will be a very long one! Clause 10, Improvement does not specifically mention risk; however, BSI says in one of their white papers that... "In Clause 10 the organization is required to improve by responding to changes in risk." [Source: ISO 9001 White Paper: The importance of risk in quality management- Approaching change, BSI Group, July 2014] When a nonconformity occurs, the organization is required to evaluate the need for action to eliminate the cause(s), by reviewing the nonconformity; determining its causes, and "determining if similar nonconformities exist, or could potentially occur" - Risk-based thinking again? Clause 6.1 Actions to address risks and opportunities reads like 'risk management' to many people on that basis - me included! Clause 6.1 Actions to address risks and opportunities is where the what, who, how and when' concept of this risk management is defined. The organization should plan the actions that are necessary to address these risks and opportunities as well as working out how to integrate and implement actions into management system processes. In achieving this, they need to ensure actions are "proportionate to the potential impact on the conformity of products and services", and evaluate their effectiveness. Risk-based thinking in ISO 9001:2015 will extend to your organization's supply chain: a risk-based approach is required to determine the type and extent of the "controls appropriate to particular external providers and externally provided products and services". You will need to identify risk wherever it arises and have the necessary controls in place to manage it. This means that senior managers will need to be able to demonstrate an understanding of the wider business environment, social, cultural and regulatory and how that impacts or could impact on the organization s ability to meet customer requirements. They will also need to have a grasp of the organization s internal strengths and weaknesses and how these could impact on its ability to deliver quality products or services. ISO 9001:2015 will serve to strengthen business process management by underlining the need to (1) allocate specific responsibilities for processes, (2) demonstrate an understanding of the key risks associated with each process and the approach taken to 'manage, reduce or transfer the risk'. Page 11

12 Is this risk-based thinking new to ISO 9001:2015? I would argue not. It is true that ISO 9001:2008 does NOT include requirements specific to other management systems such as "risk management. However, 0.1 General clearly states that the design and implementation of an organization's quality management system is influenced by: "a) its organizational environment, changes in that environment, and the risks associated with that environment," Hence, in designing and implementing your organization's quality management system, you are thinking about the risks. The risk-based approach to drafting this International Standard has also had a beneficial effect in that it facilitated some reduction in prescriptive requirements and their replacement by performance-based requirements. Many people, including myself, think there has always been an element of risk-based thinking in ISO 9001, and that it is now just more explicit. Not every critic of ISO agrees with that, however. 4.3 What should you do in order to adopt "Risk-based thinking"? I would suggest the following... Analyse and prioritize the risks and opportunities in your organization: What is acceptable? What is unacceptable? Then plan actions to address the risks. Ask yourself: How can I avoid or eliminate the risk? How can I mitigate the risk? Then... Implement the plan take action Check the effectiveness of the actions does it work? Learn from experience continual improvement To gain a better appreciation of the extent of these important changes and the effect on your existing quality management system, you should read the FDIS. 5 What 'documented information' is required by ISO 9001:2015? An Executive Summary could read as follows... Page 12

13 Page 13 ISO 9001:2015 will probably merge documents and records under the term 'documented information' and there will be no mandatory quality manual, procedures or quality records. These significant changes may lead to much greater flexibility in how information is managed within the quality management system, but some envisage a potential downside; i.e.... Newcomers to ISO 9001:2015 may be confused about where to start documenting their system; also, exactly what they need to record and document in relation to the requirements of the standard; and hence, when their organization's documented information is ready for audit? 5.1 What does the 2014 committee draft of ISO 9001 actually say? The Draft BS EN ISO 9001 Quality Management Systems - Requirements published in May 2014 (the 'DIS') defines documented information as that which is "required to be controlled and maintained by the organization". The Notes make it clear that this documented information can be in any format and media and from any source. It can refer to the quality management system (3.33), including related processes (3.12), or it can be information (3.50) created for the organization (3.01) to operate (i.e. documentation). It can also be evidence of results achieved (records). The source for the above references is ISO DIS 9000:2014, ISO 9001:2008 was designed to allow an organization greater flexibility in the way it chooses to document its quality management system (QMS). Clause General provided an explanation of what quality management system documentation and records were required; specifically: a) documented statements of a quality policy and quality objectives; b) a quality manual c) documented procedures required by this International Standard d) documents needed by the organization to ensure the effective planning, operation and control of its processes, and e) records required by this International Standard; In 2012, the ISO Document ISO/TC 176/SC 2/N 525R2, titled: ISO 9000 Introduction and Support Package: Guidance on the Documentation Requirements of ISO 9001:2008, asked the question 'What is a "document"?' and defined at least some of the main objectives of an organization's documentation. These were: f) Communication of Information g) Evidence of conformity h) Knowledge sharing

14 In terms of category a), both the type and extent of documentation depended on "the nature of the organization s products and processes, the degree of formality of communication systems and the level of communication skills within the organization, and the organizational culture". [Ibid, page 1]. 5.2 Out with the old... in with the new ISO 9001 terms and definitions Which terms and definitions are likely to be defined and used when ISO 9001:2015 is published? Moreover, does it matter? For a start, due to the introduction of Annex SL, the requirements for documents and records (documented information) are now contained within each of the clauses numbered 4 through 10 in the new structure. See further down. At the same time, familiar document references will be erased from the standard. As mentioned, one of the most notable deletions is "Quality Manual". This might be a 'shocker' for those whose QM careers date all the way back to the introduction of ISO 9001 in Yet this is only one among a number of changes that set ISO 9001:2015 apart as a "major revision" of the QMS Standard. Documented information now means both documents and records. A.6 Documented information explains, [due to the introduction of Annex SL common management system framework] a "common clause on 'Documented Information' has been adopted without significant change or addition". This means that the terms documented procedure and record have been replaced in ISO 9001 with "documented information". I counted the text "documented information" appearing 34 times in the committee draft of ISO 9001 between Clauses 4 to 10. From that figure alone, you can appreciate that ISO 9001:2015 will require the creation / maintenance of a sizeable number of documents! 5.3 How should you manage your required documented information? The wording in the DIS sets out requirements for creating and updating: identification and description (e.g. a title, date, author, or reference number); format (e.g. language, software version, graphics) and media (e.g. paper, electronic); review and approval for suitability and adequacy. Documented information should also be controlled to ensure: a) it is available and suitable for use, where and when it is needed; b) it is adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity). To address these requirements, the following activities are necessary: Page 14

15 a) distribution, access, retrieval and use; b) storage and preservation, including preservation of legibility; c) control of changes (e.g. version control); d) retention and disposition. You should also identify and control documented information of "external origin" which is necessary for the planning and operation of your QMS. It is - and will continue to be - necessary to regularly review documents to make sure they are up-todate, suitable and reflect your practices. Review processes should also check for changes in relevant standards, regulations, specifications and other external documented information. Documented information will be used to support the operation of processes and be retained "to the extent necessary to have confidence that the processes are being carried out as planned" [4.4 Quality management system and its processes]. Audit criteria will include a set of policies (3.07), documented information (3.11) or requirements used as a reference against which audit evidence (3.61) is compared. What are the questions that you need to ask to ensure that your documented information meets the requirements? - Here are just a few suggestions: Who in your organization approves documented information for release? How do you know that the documented information has been approved? What are the steps in your process for reviewing, updating and re-approving documented information? Does it include a regular review of changes and who is responsible for the different parts of this process? How do you identify changes? How do you manage your documented information so that you know which version you are looking at, and whether it is the current version? Who has access to the documented information and is the current version available where it is needed, for example by teams operating in the field? What means are used to provide access (e.g. document management system on the organization's server, cloud application, paper documents)? Who is responsible for distributing documented information to where it is needed - both electronically (e.g. via intranet access, document attachments, download links, etc.) and in paper form? Is documented information from external sources, such as relevant standards, current legislation, product specifications from your suppliers, being reviewed, updated and made available via controlled processes? Are you deleting, destroying, or obsoleting old documented information so that only the current version is in use? Moreover, who is responsible for checking that end users only have access to the current version? How will you archive and segregate obsolete documented information that you want retain? Which items of documented information contain confidential data? What information security measures are you taking to protect data? Once again, this is not an exhaustive list, but it does highlight the complexity of the task of managing the documented information. Page 15

16 You can find a further discussion of this topic on an earlier CogniDox blog; see: Document Control, ISO 9001 and CogniDox DMS Mark Hammar's post on the excellent 'ISO 9001 Blog' (dated May 20, 2014) has some helpful advice on ISO 9001 document control: Some Tips to make Document Control more useful for your QMS Given the sheer number of new documents that are likely to be required, a document management system (DMS) hosted on your server or in the cloud is worth considering before you transition. In our earlier post (see above) on the subject of using a DMS versus other approaches, we showed how CogniDox maps to the list in Mark Hammar's post to give you much greater control over your documented information. Mark's useful tips will help to make your controls better suited to your organization's needs. He lists them under the following seven categories: 1. Approve for Adequacy (who is responsible for approving this) 2. Review/Update and Re-Approve 3. Changes and Revision Status identified 4. Relevant Versions at point of use 5. Legible and identifiable. 6. Control of External Documents 7. Prevent use of Obsolete Documents As we said on May 28, 2014: "To rattle through a quick mapping of tips to CogniDox features, we would find that the ability to create workflows with mandatory approvers delivers #1. The review and notification process takes care of #2. Version history and the event log provide #3. A clear link to latest and approved-latest versions solves #4 (as does the ability to hide any version other than the approved-latest one). Tip #5 is supported by embedded metadata in the documents, so readers can see what they are using. We d look to limited partner access and/or the extranet portal functionality for #6. Finally, tip #7 can be achieved by marking the document as obsolete." Increased flexibility in terms of the documented information required by ISO 9001:2015 will not lessen the daunting challenge of controlling the large amount of data contained within your quality management system. A DMS can greatly improve the efficiency and effectiveness of your QMS. However, regardless of how you manage documented information, it looks like it will soon be time to say a heartfelt 'Hasta la vista!' to your trusty Quality Manual. Page 16

17 Appendix: Sources referenced plus recommended reading The following sources are useful in understanding the development process that has led to the publication of the ISO 9001 Committee Draft (the 'DIS'), including the much debated topic of 'riskbased thinking'. Firstly, the Draft International Standard (DIS) issued for public comment: Draft BS EN ISO 9001 Quality Management Systems - Requirements, Date: 14 May 2014, which is available from the ISO Store, BSI Shop, IT Governance Ltd, and other distributors worldwide. Even though the FDIS (final draft international standard) is expected soon, the ISO/DIS 9001 draft issued in May 2014 makes for interesting and necessary reading, - especially the Clause 0.5 'Riskbased thinking' and the schematic (Figure 2 on page 9) with the box labelled 'Plan the Process - (Extent of planning depends on RISK)'! For those looking for straightforward answers to the simple questions regarding the 2015 version and transition process, I recommend BSI's FAQ on ISO 9001:2015 in the ISO Revisions series - see reference below: ISO 9001:2015 Revision, Frequently Asked Questions - Approaching change, BSI Group, July 2014 [PDF] For a more detailed discussion about the importance of risk in quality management and why this idea is not new, BSI's white paper is useful: ISO 9001 Whitepaper, The importance of risk in quality management - Approaching change, BSI Group, December 2014 [PDF] The BSI White Paper 'ISO 9001: Understanding the changes' from ISO Revisions is also of value in explaining the likely impact of ISO 9001:2015: ISO 9001 Whitepaper, Understanding the changes, Approaching change, BSI Group, July 2014 [PDF] I also recommend an earlier white paper by Evgeny Avanesov, D.B.A., Prof. at TEST-St.-Petersburg, and (as stated on the document in 2009) a Member of Russian delegation in ISO/TC 176, ISO/TC 207, - see the link: Risk Management in ISO 9000 Series Standards [PDF] Although this document was published in 2009, it is interesting to revisit because it came out when the common concepts and ideas for "future activities ISO/TC 176 on the revision of ISO 9001" were being formulated. The author provides "Examples of the requirements of ISO 9001:2008, indirectly associated with the risk management". The Table on page 6 of 11 is worth reading whether you believe that 'risk-based Page 17

18 thinking' is a new idea, or something that you do already (see the Conclusion of BSI's 2014 white paper - and the ISO's white paper titled 'ISO 9001 and Risk'). For the ISO's own (easily digested) explanation of Risk-based thinking, view their slideshare presentation at: Note slide 4 of 12: What is "risk-based thinking"? which features a version of the statement found in the DIS, Clause 0.5, "Risk-based thinking"; i.e. "the concept of risk has always been implicit in ISO this revision makes it more explicit and builds it into the whole management system". The ISO white paper on the same subject of ISO 9001 and Risk can be downloaded from 'Public' information on the ISO TC/176/SC2 Home Page: Note the frequently quoted line: "Risk-based thinking has always been in ISO this revision builds it into the whole management system." [Source: ISO Document N1222, July 2014, page 2], - which appears, in a longer and more detailed form, in the committee draft of the standard. Watch the video of the Google hangout where Nigel Croft, Chair of the ISO subcommittee responsible for ISO 9001 talks to us about how the revision is progressing: This addresses the thorny subject of risk-based thinking, which as he points out, does not necessarily mean using formal risk management. In small, low-risk organizations, the 'risk-based thinking' may simply be "intuitive"; in others, a full risk management process may be appropriate. Nigel covers other relevant topics in an equally transparent, friendly way. Page 18

19 Company Information Registered Office: Cognidox Limited St John s Innovation Centre Cowley Road Cambridge CB4 0WS UK Registered in England and Wales N o salesinfo@cognidox.com Telephone +44 (0) Smart Document Management CogniDox helps teams in Engineering, Marketing, Sales, Operations and other departments to capture, share and publish product and design documentation. This easy-to-use tool helps break down the barriers to find information, share solutions and enjoy a faster, more productive development workflow inside your company. In addition, CogniDox helps you manage and publish documents and other content to licensed customers. It reduces technical support load and accelerates your customers' time to market. Page 19