ISO 9001:2015 FAQ. A3. Can you certify to 2008 version after 2015 has been released?

Transcription

1 ISO 9001:2015 FAQ The focus of this FAQ is to provide answers to questions that have been received to date, and asked at the ISO 9001:2015 Revision Training webinar held on October 29 th, A1. Where can the current DIS draft of ISO 9001:2015 be found? The current DIS draft of ISO 9001:2015 can be purchased from numerous organizations, including ISO and ASQ. Additional information may be obtained at. A2. What is the auditor certification process for ISO 9001:2015? Since the requirements of ISO9001:2015 are fundamentally different than ISO9001:2008,, DQS, Inc. auditors will be going through extensive training in 2015 after the release of the FDIS. Following the training, all auditors will be tested to validate their knowledge and understanding of the new requirements prior to them performing any audits. In particular, we will assess our program to ensure that our auditors and other relevant personnel demonstrate knowledge and understanding of: The requirements of the latest ISO 9001: 2015 Standard; The new risk-based thinking as part of the requirements of the revised standard; Definition of certification scope in light of the changed exclusion requirements; Performance of system document reviews in light of the reduced emphasis on mandatory requirements for documented procedures in the new standard. A3. Can you certify to 2008 version after 2015 has been released? After publication, there will be a three-year period during which certificates against the current standard will still be valid. All such, these certificates will expire on the third anniversary of the date of publication of ISO 9001:2015. On request of a client, DQS, Inc. may still issue new certificates against the current standard version (ISO 9001:2008) within a period of 24 months after the publication of the revised standard. However, clients shall note that these certificates get a restricted validity period, expiring on the third anniversary of the date of publication of ISO 9001:2015. To allow time for the positive certification decision, all upgrade audits will be required to be done at least 3 months prior to the expiration of the certificate (33 months from the issuance of the standard).

2 A4. For a company with recertification in December 2015, will they be able to go to the 2015 Standard? For registered clients, the most cost-effective way of transitioning will be to use their scheduled recertification audit for assessment against ISO 9001:2015. This is possible within the three year transition period announced by ISO. Should a registered organization wish to be assessed against ISO 9001:2015 prior to or after its scheduled reassessment, it may arrange a special audit for that purpose. The number of audit days for the special audit will be equivalent to a Recertification audit, as a minimum. A two-stage approach will be used for all upgrades, and will be composed of readiness review and system audit. Details of the transition plan will be covered again during our webinar of July 29, A5. Our triennial is in late Is it preferable to wait, and not transition right away in late 2015? Please refer to A4. The most cost-effective way is to do the transition during the Triennial audit. However, a client may decide to transition to the new standard during a regularly scheduled surveillance audit (or at any other time independent of any scheduled surveillance or recertification audit). In such cases, the number of audit days shall be equipvalent to a recertification audit as a mimimum. After a positive certification decision, the client will receive a new certificate with a validity of three years. A6. How will ISO 9001:2015 affect an organization that is certified as an Integrated Management System (ISM)? Conformance with the requirements of ISO9001:2015 is independent of the company s registration to any other quality management system standard. As such, clients with multiple registrations will have to show evidence that the requirements of ISO9001:2015 were effectively implemented and compliance with the requirements of the other standards is concurrently maintained. A7. If your quality manual is currently written to reflect the ISO 9001:2008 standard, does it have to be re-written to reflect the now 10 instead of 8 sections? No, assuming that the Quality Manual does not provide any contradictory information concerning the requirements of ISO9001:2015. However, the requirements of the two standards are significantly different. Upgrading the Quality Manual to comply with the requirements of the new standard may be a valuable effort to better identify the deficiencies within the organization and to have them addressed prior to the upgrade audit. Renumbering of the pages and/or sections is not essential as the new standard does not even require that a Quality Manual be maintained.

3 A8. Does the ISO 9001:2015 revision require a Quality Manual? Please refer to A7. A9. If a company has a manual based on standard requirements, won t they need to update to reflect process approach? There is no requirement for a quality manual in the draft for The new standard also requires that the processes be identified and that their interaction be defined. The internal audit process must use the process approach. The process approach requirement has not changed. However, although the Process Approach was noted in the ISO9001:2008 standard, the new standard explicitly requires the use of the Process Approach when implementing the Quality Management System. Furthermore, the new standard requires the top management to demonstrate leadership and commitment by promoting awareness of the Process Approach within the organization. Since a Quality Manual is no longer required, the documented information required by the standard may be in any media or format. A10. If we are concurrently certified to AS 9100, are there changes in ISO 9001:2015 that are not covered under the aerospace standard? We have not performed a one to one analysis at this time with the first draft. The IAQG is developing revisions to the AS9100 standard concurrently with the ISO 9001:2015 development and is currently targeted for release in April They have proceeded with the intent to retain the ISO 9001:2015 requirements with additional AS9100 additions. The IAQG had over 60 inputs into the ISO 9001:2015 draft. Please refer to Q6 as well in regard to integrated management systems. Information about the AS9100:2016 development process is available here: A11. For medical devices companies, if ISO 13485:2015 is going to align with ISO 9001:2008, how will that impact the transition to ISO 9001:2015? If an organization that is certified to ISO intends to remain certified to ISO 9001, the requirements of the 2015 version must still be met. Or an organization that is certified to ISO 13485:2015 and does not want to upgrade to the ISO 9001:2015 version will lose ISO 9001 certification once ISO 9001:2008 becomes obsolete. DQS, Inc. is prepared to audit to the additional requirements of ISO 9001:2015 in order to maintain both. A12. How does the transition period affect companies not yet certified? Please refer to A3.

4 A13. Will there be access to a gap analysis tool? For most of our clients, the extent of the revision to the Quality Management System will be dependent upon the maturity and effectiveness of the current management system, organizational structure and practices. Therefore, a Gap -audit or diagnostic might be useful in order to identify realistic resource and time implications. Such audits to verify the conformity status of organizations against the revised standard or draft standard may be scheduled at any time, independent or together with a scheduled audit. The purpose of these audits is to show clients their conformity status and to identify any actions required to assure a successful transition. The audit time will be depend on the desired depth (sampling or full conformity verification). To ensure availabiity of adequate resources, please contact your Customer Service Representative well in advance if you will be interested in scheduling a Gap assessment. Also, upon confirmation of a gap assessment and/or the Stage 1 assessment, we will make available a quality management system questionnaire designed to cover the major aspects of the changes and to assist clients in their identification and implementation of the changes. A14. You mentioned that a management representative is not required any more. How about MRM? Although the requirement for having a management representative has been removed, the new standard now allows for multiple individuals to be responsible for different aspects of the quality management system (Process owners, instead of just one person for the entire system). Management is now required to identify the responsibility and authority of the personnel affecting quality. Section 9.3 of the Standard clearly defines the requirements for the Management Review Process. It is an essential part of the PDCA cycle for performance evaluation. A15. What are some of the new requirements for Leadership and how will the new Standard be friendlier to service companies? Section 5 of the new Standard outlines the requirements for Leadership and Commitment within the organization. By requiring fewer Procedures and other non-prescriptive requirements, the new standard is generic in nature and the requirements are intended to be applicable to all organizations, regardless of type, size and product provided. A16. Are site extensions (process moved to a separate building, but still under the same management umbrella sharing the same QA manual, procedures QA manager, purchasing, shipping, etc.) allowed under the main location certificate? Under ISO 9001:2015, yes. Each program, such as AS9100, has its own specific requirements for identifying the nomenclature and method for determining days and combinations of locations/buildings. Site extensions are not allowed if your organization is registered to TS16949.

5 ISO 9001:2015 Auditor Training B1. Should auditors re-do external auditor training in regard to this change? Since the requirements of the new standard are significantly different than ISO9001:2008, all Internal Auditors should be deemed competent in conducting these audits. Although no external training has been mandated, it may be beneficial to have the auditors trained in the new approach. Upon release of FDIS, DQS, Inc. will be offering public seminars, webinars and on site informational sessions. Details on the availability of the additional services will be announced during our webinar of July 29, B2. Does the Lead Auditor for an organization have to recertify? Please refer to B1. Section 7.4 of the new Standard requires an organization to determine the necessary competence of person(s) doing work. As such, all auditors are required to be deemed competent by the organization. If adequate auditing can be done at the current level of competency, then no additional training may be needed. However, if additional competency is needed to ensure effective implementation of the requirements and for better understanding of the concept of the new standard, then external training may be beneficial. Inadequate coverage of the requirements, lack of understanding of process approach, and unfamiliarity with the organization s requirements may indicate the need for additional training of the auditors. B3. What will be the auditor training requirements? Please refer to B2. Competency requirements will have to be defined by the organization, and may be unique. DQS, Inc. is offering informational sessions, and additional information concerning this service will be provided by July 29, Should you be interested in receiving Auditor Training from DQS, Inc., please notify your Customer Service Representative so you could be kept advised of the training sessions as soon as they are announced.

6 Risk-Based Approach C1. The concept of risk management is raising concerns in our organization. If no risk register or formal assessment is required, could you describe what would be required? What would the risk-based thinking process look like for a small company? The concept of Risk-Based Thinking is noted in section 0.5 of the Standard. Risk is defined as the effect of uncertainty on an expected result. Every organization has risks to consider in order to fulfill its commitments to its stakeholders and to ensure customer satisfaction. C2. What is the number of risk documents you suggest we review? ISO Risk Management will be helpful but not mandated. C3. Can you give an example of a risk based approach and how it would work in practice? An excellent example of Risk in ISO9001:2015 is provided in Document N1222 (July 2014) published by ISO/TC 176/SC2. A link to the document and related N1221 Risk- Based Thinking presentation is provided below. Under section 1, please select A paper on ISO9001 and Risk for more information. C4. Can you give an example of what risk might mean in a manufacturing setting? Examples include availability of skilled labor, limited resource materials, union conditions, unemployment rate, transportation conditions, seasonal natural events and outdated equipment. Risk based thinking occurs at all levels in all processes. Please refer to C3 as well. C5. Without a risk registry, how will the auditors be able to determine if we have identified and addressed risks? The new standard does not require the use of a risk registry. However, that may be an effective way of demonstrating that the risks have been considered. Other methods will be equally acceptable if all applicable Risks are clearly identified.

7 C6. Does risk analysis have an acronym rule of thumb, i.e. plan, act, do, check? None has been identified at this time. However, this International Standard makes riskbased thinking more explicit and incorporates it in requirements for the establishment, implementation, maintenance and continual improvement of the quality management system. Essentially, risk can be associated with all aspects of the PDCA cycle. C7. Will there be any recommended tools for conducting a risk analysis? ISO Risk Management will be helpful but not mandated. Also, please see C3. C8. Is there a note on how long you have to maintain risk based approach in your organization before you are considered ready to get a 3 rd party audit? No specific timing requirements have been identified for evidence of risk-based thinking / approach. Evidence will need to demonstrate that risks and opportunities have been identified, actions have been planned and implemented to minimize the most significant risks and that the effectiveness of these actions has been checked. C9. Are PEARs a good way to deal with the proof of risk analysis? PEARs are an evaluation of the process effectiveness and do not address risk, risk assessment or any actions taken to mitigate risk.

8 TS and ISO 9001:2015 D1. When will the TS standard be revised and will the auto industry follow ISO 9001:2015 changes or stick with ISO 9001:2008? The following was posted on the IATF website on December 5, 2014 The IATF has established a work team consisting of IATF member organizations to develop a design specification for the revision of ISO/TS to align with the ISO 9001:2015 based structure and requirements. D2. If we are certified to TS 16949, should we wait to make changes and do training until the TS update comes out? If your organization is dual registered to ISO 9001 and ISO/TS 16949, system upgrades will be needed to meet the ISO 2015 requirements for your ISO registration. There is no information on the transition plan for the new TS. D3. Would it be possible / recommended for TS companies to upgrade to new ISO certifications before TS upgrades, or just wait? TS16949 may be updated by 4Q, All ISO9001 registered organizations, regardless of their registration to other standards, will be required to meet the requirements of ISO9001:2015 as noted in A3. If published on time, 2017 may be a good year to upgrade to both at the same time. Or, they may be upgraded individually. D4. How will current TS customers be audited in the transition time between ISO 9001:2015 and TS revision? If you are not dual certified with ISO 9001, there will be no concerns until the new TS is published. If you are certified to ISO 9001 and wish to maintain that certification, please see D3.

9 February 18, 2015 Webinar Questions Q1 What is the current difference between element approach and process approach? Explanation of Process Approach was included in slides ISO9001:2015 requires all Processes (value-added activities of the organization) be identified and managed as a process. Element-based standards just outline the requirements. Q2 What do you mean by the standard now requires min 17 "documented information" Retain Documented Information appears 17 times in the Standard. Namely, in sections 4.4, 6.2.1, 7.1.5, 7.2, 8.1.e), 8.2.3, 8.3.5, 8.3.6, 8.4.1, 8.5.2, 8.5.6, 8.6, 8.7, 9.1.1, 9.2.2, and This is equivalent to the current Quality Records requirement, where the information can be in any media or format. For clarification, please note that Maintain documented information is equivalent to the current Documented Procedure requirement. Q3 What does PDCA stand for? Plan-Do-Check-Act. Please refer to slides Q4 How do I obtain training in Risk Management? Where do I go to learn more? Will the ISO9000:2015 numbering align with ISO14k and the OHSAS18k? We will be covering Risk Management as part of our March 25 Webinar. Yes, the numbers will align for all ISO standards, but not necessarily for some industry based standards such as TS16949 and AS9100 at this time. Those changes are made by the governing organizations of those standards. Please refer to slides All new ISO standards will be utilizing the same High Level Structure that is noted in Annex SL. Actual clause numbers may vary but core definitions and structure will be consistent. Q5 Sessions on April 19th or April 29th? The next webinars have been scheduled for March 25, April 29 and May 26. Also, the final webinar will be held after the issuance of FDIS, on August 19, Please register on our website once more for access to the next four free webinars. Q6 What will be the deadline to update documentation to the 2015 standard after release? If we just got re-certified, will we have to do it again, or can we do it at the next 3 year cycle? Please refer to slides and FAQ question A5.

10 Q7 The ISO 176 link is no longer valid. Can you supply the new link? As of February 22, 2015, the link is still active. Q8 Can you provide the FAQ location again? Q9 I missed the link to the Risk based thinking document. What is it? Please refer to slide 53. The correct link is Q10 How is transition audit schedule affected for those clients duel certified by other standards such as ISO/TS if those standards haven't been modified yet? Don't the changes to this standard put you in a noncompliance with the other standard before they are changed? There don t seem to be any contradictory requirements between ISO/TS16949:2009 and ISO9001:2015. Nonetheless, the additional requirements in ISO9001:2015 will have to be addressed. Please refer to FAQ questions D1, D2, D3 and D4. As of , the following was posted on the IATF website : The IATF assigned work team will be seeking stakeholder inputs on potential enhancements to the ISO/TS standard. Additionally, customer requirements are being analyzed for potential inclusion in the future standard. Completion of the revised quality management system standard is targeted for Q Posted on 16 Feb 2015 Q11 When is the deadline to upgrade to 2015? Please refer to slide 57. Current certificates will have to be upgraded within three years of issuance of the revised Standard. Additional information concerning the transition process will be presented during our webinar of July 29, Q12 You showed several examples of "not a process map" and one bad process map. Could you explain what a good process map looks like, requires, etc.? ISO9001:2015 requires all processes to be identified. Furthermore, clause 4.4b requires the sequence and interaction of the process be defined. A process map is not required, but is a good way of showing compliance to these three requirements. A good process map should identify the processes, show their sequence and interaction. Slides comply with these requirements. Additional information on this subject will be provided on March 25th as part of the review of section 4 requirements.

11 Q13 Is presentation (not only slides_ will be recorded? I would like to show this to my PMs. The entire session was recorded, and is now available on our website () Q14 Can I download it? or I will be able to see it only online? You will be able to download the powerpoint slides but the video will only be online. Q15 Related to the above question, is this Online Webinar Program -Free? or what is the Pricing? In an effort to assist our currently registered clients, all information provided on the webinars will be free of charge. Q16 So we will have to re-do our internal auditor certifications that we currently have? Not necessarily. Please see FAQ questions B1, B2 and B3. Q17 Why change to ISO 9001:2015, just stay at ISO 9001:2008 ISO committee is made up of 163 member countries, each with a single vote. All ISO standards are normally reviewed every five years to assure that they are still relevant and adequate in an ever changing world. In the case of ISO 9001, the increasing diversity of ISO 9001 users had to be considered, including the increased interest in the service industries as well. It was also necessary to verify the impact of the new developments in knowledge and technologies which have changed significantly during the last few years, broader user interests and changes in industries. In 2010 and 2011, ISO conducted an extensive web-based user survey, asking about the need for a revision and the future needs and interests of the standard users. The answers were evaluated and the majority asked for changes to be made to consider the above factors and for ease of applying the standard to all types or organizations and industries. In 2011 the responsible ISO committee, the Technical Committee 176, started the systematic review of the standard and decided in March of 2012 to have it revised. The changes are intended to better assist organizations in meeting customer requirements and enhancing customer satisfaction. Also, the new requirements are meant to be easier to implement. All current certificates to ISO9001:2008 will be required to be upgraded to ISO9001:2015 within three years of issuance of the new standard. Q18 Will TS Auditor training likely be required? Or, will ISO 9001 training be adequate? TS16949 training requirements are governed by IATF. Any training requirement will be announced by them.

12 Q19 When will you be offering the internal auditor training? Additional information concerning the Internal Auditor Training Program will be made available during the July 29, 2015 Webinar. All future webinars will continue to be provided free of charge. Q20 How do we register for the internal auditor training? The link is Q21 Do you accept other training certificate from other organization, e.g. the XXX Group. Is formal internal auditor training required? Please refer to FAQ questions D1, D3 and D4. Q22 Will there be any webinars in the coming months that deal with any changes to the TS standard? Yes, part of our commitment to assisting our clients, future changes will be communicated as well. It is a bit early now for those webinars to be scheduled as the changes are currently being worked on. Q23 What is the ballpark cost for the internal auditor certification? Additional information concerning the Internal Auditor Training Program will be made available during the July 29, 2015 Webinar Q24 Is it a requirement to recertify client internal auditor? Are you saying internal auditors need to be certified for ISO 9001:2015? No. However, all auditors must be deemed competent to conduct these audits in line with the Process approach requirements. Please refer to FAQ questions D1, D2 and D4. Q25 Is it required to attend the internal audit training at UL's selected place of training Will the on-line training module AND the 2 day training session both be required Internal Auditor Training program is an optional new service that we will be offering to ensure our clients know what our auditors know. We will be using the same Auditor Training process that our auditors will have to complete prior to conducting any audits to ISO9001:2015. To obtain auditor certification, completion of the on line module and attendance of the two day training session will be mandatory. Although completion of this extensive training may be optional for our clients, all DQS, Inc. auditors will be required to complete this training prior to conducting any audits to ISO9001:2015.

13 Q26 For family owned companies, involvement of management is very rare and the real actions are really limited to the doers in the company. I am afraid that to be able to implement the new requirements On the contrary, the new requirements have been defined so as to make them easier to implement in smaller organizations. With reduced need for documentation, the ISO9001:2015 is less prescriptive. Please attend our upcoming webinars where we will discuss in detail each of the requirements and show ways of complying with those requirements. The focus may be different now, but ways to comply with the new requirements are practically endless.

14 March 25, 2015 Webinar Questions Q27 Slide 8 of the presentation material for part 1 cross-referenced ISO9001:2008 sections to 2015 sections. I found many errors. You may want to revisit it. The references are as outlined in document N1224 by TC176/SC2. A copy of this document can be obtained at titled ISO 9001Correlation_Matrices.doc. Please note that the intent of the current requirements may be in the new standard, but not necessarily in the same familiar wording or format. Q28 Can we assume the terms of definitions in the draft of ISO9001:2005 will be the definitions in ISO9000 s next revision. ISO9000 Vocabulary is currently under revision as well. The next update to ISO9000 is expected to include the definitions currently included in ISO9001:2015. ISO currently does not include all the definitions currently included in DIS ISO9001:2015. Q29 The corrective action must eliminate the cause. If the cause is an operator do we need to get rid of the operator? Getting rid of an operator may not be the real solution. If the root cause is not eliminated, any other operator will face the same challenges and pose risk to your customers. Please note that in a very limited number of cases, operator error is the true root cause. Additional training may be needed to further strengthen their skills and mistake-proofing concepts may be used to eliminate the possibility of the problem from occurring in the first place. The question to consider is how the process allowed the error to be made by the operator in the first place and drive root cause from there. Q30 Will this new definition for corrective action imply that the bar will be raised by auditors on the results expected on the determination of the cause of each nonconformity detected internally and/or externally? The definition for corrective action has not changed. The intent is to eliminate the root cause and prevent problems from happening in the first place. Correction to stop the continuation of the problem should be done as soon as possible. Once this is accomplished, then, root cause of why it occurred should be done. The corrective action requirements apply to all internal and external nonconformities. Q31 Is the Context Of The Organization directed only towards the Quality Management System or the Entire Business Management System. With respect to the context of the organization, the Quality Management System requirements are to be considered in meeting customer requirements. Furthermore, those requirements will have to be integrated into the Business Management System of the organization. There is some guidance in ISO that may be helpful when looking at risk and considering the context of the organization.

15 Q32 At what level of the organization will the standard expect that the 4.1 requirements of understanding of the organization and the context can be explained to an external or internal auditor? Meaning is this requirement OK if Upper Management and Middle Management can explain how the organization is and its context? Or will the standard require that at least a basic explanation of the organization could be given by the plant operator or a mechanic at the shop floor. Determining the Context of the Organization is a Leadership responsibility and is noted under section 4.0. Once the context is considered, policies will have to be put in place to address the requirements of interested parties. Operators are expected to know the policies as they apply to them, but not necessarily the overall context of the organization. The context of the organization should be what is important to the organization given its business needs to meet stakeholder requirements to operate its business per its policies and objectives. Q33 Are you suggesting that the company will now need process maps for each identified process? Will A process map is not required, but is a good way of identifying the processes and showing their sequence and interaction. Other methods will be equally acceptable if they cover items a-h of section 4.4. These requirements apply to all processes of the organization supporting the quality management system requirements of ISO9001:2015. Many organizations have seen benefit in using process maps since it is a more visual way to increase understanding. However there may be other ways that are just as effective based on the organization context and needs. Q34 Can the processes be grouped? For example, can the manufacturing processes be grouped together with generic inputs, outputs, measures, responsibilities, etc. or does each specific process need to have each item listed in clause 4.4. Items a-h of section 4.4 has to be addressed for all processes. If a generic map is used for the top level process map, then sub-process maps will have to clearly define items a-h for the process under consideration. Identification of those items are needed to define the process and to show improvement. Q35 We have the processes explained in written documents where the information required by 4.4 can be found. Some of the requirements are in different documents as for example the indicator and its target value. Do we have to go to a more graphic approach for process definition as the turtle diagram or equivalent when we certify to ISO9001:2015. The turtle diagrams and process maps were all examples of how the requirements of the standard may be met. Other methods will equally meet the requirements of the standard as long as items a-h of section 4.4 has been addressed for all processes.

16 Q36 Is the ISO9001:2015 standard still on track to be released by this September. The current timeline for FDIS publication is July 15, 2015 and for the final Standard by September Any changes to these dates will be communicated during the upcoming webinars. Q37 If the company has multiple sites in which sections is excluded, can those sites lose certification if main company don t maintain those exclusions. That may depend on the type of certification being sought. For single site registrations, ISO9001:2015 will continue to be site-specific. If, at a specific site, a requirement does not apply, then it must be identified as exclusion. In case of Corporate Registrations covering various plants, any requirement that may not be applicable to the entire organization may be identified as exclusion. If a company is design responsible and seeking corporate registration, then the design activity cannot be excluded from the scope. However, if the scope of registration is only limited to one plant and a sister plant is responsible for design, then design may be excluded.

17 April 29, 2015 Webinar Questions Q38 In 7.1.5, it is noted to do assessment if equipment is found to be defective. Would this include out of tolerance conditions as well. Defective is defined in 3.40 as a nonconformity related to an intended or specified use. If the equipment is found to be out of tolerance during the calibration process, it is essentially considered defective as its validity to meet its intended use. Therefore an impact assessment will have to be done to analyze the effect of this out of calibration condition on the products since the last known valid calibration. In the industry the potential variance is know as variable data. Q39 Do you feel audits will take longer due to evaluation of risk assesment evidence? While it is not intended for the overall number of audit-days to change significantly because of the recent changes to the ISO9001:2015 Standard, it is recognized that this will depend on how the organization intends to change their system to conform to the revised Standard. Please keep in mind that upgrade audits will be done in two stages. Stage 1 is required to ensure full understanding of the new requirements, implementation of process approach, risk-based thinking, identification of interested parties, along with a review of the other requirements, and is expected to be half or one day in duration. The number of audit days for upgrade audit itself will likely be equivalent to the number of recertification or initial certification days depending on system changes for conformance to the revised standard. By performing the stage 1 we can confirm audit days in the most effective way to meet your needs. The transition process was covered in February, and additional information concerning this process will be presented during the upcoming webinar of July 29, 2015.

18 May 26, 2015 Webinar Questions Q40 How should we address the exclusion of design process in our organization. Clause 4.3 requires justification for any instance where a requirement of ISO9001:2015 cannot be applied to be maintained as documented Information. If your organization is not design responsible, the exclusion and justification must be defined in any document, or any media. It could be beneficialto include it where the other processes are identified for section 4.4 (i.e. a process map). Q41 Is traceability back to a specific gage number required for product acceptance? Section does require the design and development outputs to include or reference monitoring and measuring requirements, and acceptance criteria, but not monitoring and measuring equipment. Apologies for the oversight and misstatement. Q42 On Slide 30, what do the yellow balloons reference to? The yellow balloons were intended to show the logical sequence of auditing a process. On slide 30, it would be best to start the process audit by verifying the responsibilities and authorities (1), followed by the quality objectives (2), the finished products (3) and so on. Q43 Regarding Internal Audits, another registrar is offering it as an outsourced process. Does DQS, Inc. also offer this service as an outsourced process? Based on the accreditation requirements defined in ISO/IEC 17021, a registrar can only perform internal audits for an organization that they do not provide 3 rd party certification to. A minimum of two years from the internal audit and certification is allowed if impartiality cannot be maintained Q44 Will element-based audits definitely not meet the requirements of the standard? Coverage of elements alone during the internal audits will not meet the requirements of ISO9001:2015. With the explicit need for implementation of process approach within the organization, the audits will have to cover compliance of those processes with the requirements of ISO9001:2015, the company s stated requirements and ensure effectiveness of those processes. Also, completing one audit checklist for all processes will not meet the intent of the standard as each process is required to be audited to ensure compliance with the applicable requirements.

19 Q45 When is the readiness audit (Stage 1) done? Stage 1 audits should be scheduled 2 to 3 months prior to the Stage 2 audit. Consideration should also be given to the impact the revision has had on the management system in determining the timing. The Stage 1 must be conducted within 6 months of the Stage 2 audit or the Stage 1 audit will need to be repeated. Q46 Is Stage 1 something that needs to be scheduled separate from an annual audit? Only the upgrade audit will require a Stage 1 and it will be scheduled separate from the Stage 2 portion of the assessment. Annual assessments, if not part of the upgrade audit, will not require a Stage 1. Q47 Will Risk Analysis need to be done to processes such as Purchasing, Human Resources, Training, etc.? Clause 4.4, item (f) requires that the risks and opportunities be determined for all processes. Clause 6.1 requires the risks to be addressed. Also, actions taken to address risks and opportunities may be proportional to the potential impact on the conformity of the products and offered services.

20 June 29, 2015 Webinar Questions Q48 How does the Mission and Vision statements relate to the Organizational Context? Our vision statement states who we are and what we want to accomplish. Does that satisfy the Organizational Context Requirements? The requirements related for Context of the organizationa re defined in sections 4.1 to 4.4, and described in detail in our webinar of March 25, 2015 (slides 33-44). Depending on the content of the Mission and Vision statements, they may be adequate to demonstrate that the organization has determined external and internal issues that are relevant to its purpose and strategic direction and that can affect its ability to achieve the intended results of its quality management system (4.1). Additional information may be needed if the Mission and Vision statements do not clearly address this requirement. Q49 If documented information is not required for Context and Interested Parties, how will DQS, Inc. train their auditors on how to audit this without documented information? Or will you require your clients to have something documented? Please refer to question A2. The mandatory procedures are noted in the standard for having documented information available. The standard does not prohibit having a document to describe the context and interested parties. If it will be easier to demonstrate compliance with this requirement, a procedure may be established. However, the standard does not require documented information for this section. Evidence of compliance may be collected during the audits by interviewing top management in lieu of availability of documented information, in line with our normal auditing techniques. Q50 What is DQS, Inc. understanding of Risk-Based Thinking versus a formal risk management program? It is my understanding that a formal program to manage risk is not required, but we should be able to show that risk and opportunities are evaluated and responded to. The requirements for Risk-Based Thinking were presented in detail during our webinar of April 29, 2015 (slides 26-59). A formal risk management system, such as ISO31000, is not required, but desired. Q51 With the terms Risk and Opportunity, lots of consultants are talking about the use of SWOT analysis. Is this tool recommended by ISO? No preferred method is described in ISO9001:2015. Standard requires that the Risks and Opportunities be identified, and SWOT analysis is one form of doing that. Other methods, such as FMEA, Risk Register, or formal risk management programs may be adequate as well.

21 Q52 Will an ISO transition guidance document be issued? If so, when? Since every organization s registration is unique, we do not have a plan to publish an external guidance document at this time. Nonetheless, an internal guidance document is in place and you Customer Service Representatives will be happy to discuss your transition plans to ensure that the guidelines are being followed.. Q53 We are a TS16949 and ISO9001 certified company. Will a new TS16949 standard come out with the updated ISO9001:2015? Please refer to questions D1 to D4. Q54 Is it OK to maintain ISO13485:2003 hence no ISO13485 upgrade to the 2015 version is required? The ISO13485 Standard is currently under revision and is expected to be released as noted in question A11. However, the upgrade is based on the core requirements of ISO9001:2008 and not ISO9001:2015. Therefore, upgrade to ISO9001:2015 is not required if your organization is registered to ISO13485 only. However, if it also registered to ISO9001:2008, then the new requirements will have to be implemented in accordance with the transition plan. In this case, additional audit time will be added to review the requirements of ISO13485 that is based on ISO9001:2008 and the new requirements of ISO9001:2015. Please contact your Customer Service Representative for additional information. Q55 Can we take the on-line review even if we don t plan to attend the 2 day Internal audit class? The online review is currently intended for use during the 2 day Informational Sessions. We don t have any plans to make it available by itself at this time. Q56 For companies on a sampling plan, do all sites need to complete a stage 1 and stage 2 before the certificate is issued? Or will the normal sampling plan be applied like when we first received our certificate? The normal sampling plan will apply to all upgrade audits for companies that are on a sampling plan. However, as part of the Stage 1 process, we will be seeking information about the organization s ISO9001:2015 implementation plan to ensure that all affected sites are upgraded, even if they are not subject to audit during the current cycle. Evidence of completed Internal Audits at all locations may be one way of demonstrating that the changes have been implemented and verified at all locations.

22 Q57 Please explain the rational why there is emphasis on risks. In ISO9001:2008 the risks is addressed via the Preventive Action. Does it mean that risk identified by auditor will become a minor finding? Risk-based Thinking is one of the major changes from the previous edition. This subject was covered in detail in our webinar of April 29, 2015 (slides 31-59). The biggest difference is that in ISO9001:2008, Preventive Action was in the ACT section of the PDCA cycle. Now, it is moved to the PLAN section to identify the risks during the planning process. Q58 Do you have any recommendations for an ISO9001/TS16949 registered company that is getting pressure to need ISO13485 certification? The need for registration is customer driven and not mandatory. The decision to pursue ISO13485 may depend on the benefits of registration to the organization. Q59 Many of the changes seem have been addressed in TS What are the most significant adds beyond what is covered in TS. Does FMEA work cover Risk Analysis? Can we just apply TS processes and activities for ISO if we are ISO/TS dual registered? We don t have a one-to-one comparison of ISO9001:2015 and TS16949:2009 at this time. However, the changes are significant and registration to TS16949 will not automatically guarantee registration to ISO9001:2015. In the automotive industry, FMEA is typically used during the product design and manufacturing phases only. ISO9001:2015 requires that the risks be identified for all processes, such as Purchasing, HR, maintenance, etc. Please refer to questions D1-D3 and Q10 for further information. Q60 We are ISO9001/AS9100 Certified, with our recertification assessment planned for this fall. How do you recommend we manage our Internal Audit process during the transition period to ISO9001:2015 and AS9100D? Continue auditing against ISO9001:2008 and AS9100C until internal transition is complete, or start auditing against new standards once AS9100D is released to help identify gaps? Internal Audits are required to be done to ensure compliance with the requirements of the registered standard. For example, in order to maintain ISO9001:2008, internal audits will be required to ensure compliance with the requirements of the said standard. During the transition phase, internal audits to the revised standard will be needed to confirm that the changes have been made to the quality management system to address the requirements of the revised standard. Customer requirements should be considered when updating the quality management system for conformance with the new standards.

23 This document will be updated periodically. Please your questions to and we will provide an answer as part of the next update. Updates will be available at : under the ISO9001:2015 Revision banner.