Saturday, February 4, 2017

An ISO 9001:2015 Apocrypha

“A·poc·ry·pha (əˈpäkrəfə), noun: writings or reports not considered genuine.”

In 2014, a well-respected consultant on the ISO 9001 group asked for inputs related to so-called truths about ISO 9001:2008. He formulated the ISO9001 Apocrypha, containing urban legends and CB auditor mandates touted as requirements. For the 2015 version, I am collecting similar urban legends, CB auditor mandates, and consultant/expert opinions, interpretations, and proclamations as to what are and are not “requirements”.

This particular apocrypha is not intended as a final version. It will evolve and grow. More and more people are asking questions about the 2015 standard which should have been raised during the DIS days of 2014. As it is, a certain learning-curve lag is expected, and I present a partial collection of so-called requirements for your enjoyment.

Keep in mind that (most of) these same so-called requirements apply to the AS91xx family of standards, since it is based on the 2015 ISO9001 flavor, which we’re all stuck with until 2030 (at least).

Disclaimer: This list has been collected from publicly available material, clearly posted without copyright protection, and is presented without intent to defame the sources. Attempts to threaten with so-called defamation of character lawsuits will be treated as frivolous and without merit. If you wish to continue with such legal activity, the burden of proof, and the expense, is on you.

Risk and Risk-based thinking
- The risk approach is now formalized in ISO 9001:2015.
- Risk-based thinking is defined and is a requirement.
- An organization is no longer permitted to use “preventive action” as a process under the new std.
- FMEA is the only acceptable methodology for RCCA activities.
- Risk registers are required.
- Risk management is a formal requirement in the new standard.
- A risk management process is required.
- Auditors cannot accept verbal evidence, at the huge risk of being conned.
- The current interpretation of RBT is that it replaces Preventive Action from the 2008 standard.
- Risk records and registers are required.
- Risk-based thinking has always been a requirement.
- The auditor must ensure the client comprehends and understands RBT.
- RBT had been implicit, and it is a requirement to have evidence that you are doing it.
- The formal, official, auditable definition of RBT (and any corresponding process or practices) gets to be determined by the organization, based on its context and its QMS.
- It is up to the organization’s Leadership to decide what “Risk Based Thinking” is required to consistently meet the customer’s requirements.
- Preventive Action is no longer necessary. It is replaced by risk-based thinking.
- We have to create a typical HIRA Register (Hazard Identification and Risk Analysis) similar to what we follow in the EMS and OHSAS standards.

Scope
- A company's scope will change going from the 2008 std to ISO 9001:2015.
- The new standard does state that it [the scope] can't be a generic type of scope.
- A simple organization must establish at least three essential management systems, four if it consumes energy, and five if it deals with information.
- The scope must appear in the quality manual. If it is not there, the CB auditor will issue a finding. However, the quality manual is no longer required by the 2015 std.

Former “Quality” Manual
- No need for a manual.
- A quality manual is not needed, even if the customer requires one.
- An org will receive an audit nonconformance finding from the CB auditor if it deploys a “quality manual” to its customers under the new std.
- The QMS manual will also define the various roles that are needed within the company, such as who will do what, and how. For example, the QMS Manager, but also what role unit managers will play.
- The QMS Manual drives the GAP Analysis.

Internal audits
- The internal audit process has to be done by an external entity with higher competence.
- An audit of the IA process itself requires a much larger organization to see much value in it.
- Top management should participate as silent observers.
- Extra-deep internal audits are done ahead of surveillance audits in order to give the departments a chance for improvement.
- To audit the audit process means we conduct an assessment of auditor competency.
- A simple benchmarking effort could clearly show if an auditor from a registrar is generating more findings than an internal auditor.
- The number of findings is a metric of internal audit effectiveness.
- Black Belts must champion any “mini self audit program”; they earn so well, and after all, it's all QMS improvement, which is their job.
- No separate audit of the internal audit process makes sense.

Miscellaneous
- The requirement for the management representative was removed. There is no longer any need or use for a management representative. This facilitates ISO-mandated downsizing.
- Documents and records are now required to be called “documented information”.
- Going ISO with the new standard is a long, hard, drawn-out effort.
- Paper-based document control is forbidden under the new standard.
- Clause-by-clause gap assessment/gap analysis is the only method allowed for transitioning to the new standard. Economic justifications are required for the transition, based on the gap assessments.
- An organization is no longer permitted to retain the role of “management representative” under the new std.