“A·poc·ry·pha /əˈpäkrəfə/ noun: writings or reports not considered genuine.”
In 2014, a well-respected consultant on the ISO 9001 group asked for inputs related to so-called truths about ISO 9001:2008. He formulated the ISO9001 Apocrypha, containing urban legends and CB auditor mandates touted as requirements. For the 2015 version, I am collecting similar urban legends, CB auditor mandates, and consultant/expert opinions, interpretations, and proclamations as to what are and are not “requirements”.
This particular apocrypha is not intended as a final version. It will evolve and grow. More and more people are asking questions about the 2015 standard which should have been raised during the DIS days of 2014. As it is, a certain learning-curve lag is expected, and I present a partial collection of so-called requirements for your enjoyment.
Keep in mind that (most of) these same so-called requirements apply to the AS91xx family of standards, since it is based on the 2015 ISO9001 flavor, which we’re all stuck with until 2030 (at least).
Disclaimer: This list has been collected from publicly-available material, clearly posted without copyright protection, and is presented without intent to defame the sources. Attempts to threaten with so-called defamation of character lawsuits will be treated as frivolous and without merit. If you wish to continue with such legal activity, the burden of proof – and expense – is on you.
Risk and Risk-based thinking
- Risk approach is now formalized in the ISO 9001:2015.
- Risk-based thinking is defined and is a requirement.
- An organization is no longer permitted to use “preventive action” as a process under the new std.
- FMEA is the only acceptable methodology for RCCA activities.
- Risk registers are required.
- Risk management is a formal requirement in the new standard.
- A risk management process is required.
- Auditors cannot accept verbal evidence at the huge risk of being conned
- The current interpretation of RBT is to replacing Preventive Action in the 2008 standard
- Risk records and registers are required
- Risk-based thinking has always been a requirement
- The auditor must ensure the client comprehends and understands RBT
- RBT had been implicit and it is a requirement to have evidence that you are doing it.
- The formal, official, auditable definition of RBT (and any corresponding process or practices) gets to be determined by the organization – based on its context and its QMS.
- It is up to the organization’s Leadership to decide what "Risk Based Thinking" is required to consistently meet the customer’s requirements
- Preventive Action is no longer necessary. It is replaced by risk-based thinking.
- We have to create typical HIRA Register (Hazard Identification and Risk Analysis) similar to what we follow in EMS and OHSAS standards.
Scope
- A company's scope will change going from the 2008 std to ISO 9001:2015
- The new standard does state that it [the scope] can't be a generic type scope
- A simple organization must establish at least three essential management systems and four if it is energy consuming and five if they are dealing with information.
- The scope must appear in the quality manual. If it is not, the CB auditor will issue a finding. However, the quality manual is no longer required by the 2015 std.
Former “Quality” Manual
- No need for a manual.
- A quality manual is not needed, even if the customer requires one.
- An org will receive an audit nonconformance finding from the CB auditor if it deploys a “quality manual” to its customers under the new std.
- The QMS manual will also define the various roles that are needed within the company such as who, will do what, and how. For example, QMS Manager, but also what role unit managers will play.
- The QMS Manual drives the GAP Analysis.
Internal audits
- The internal audit process has to be done by an external entity with higher competence
- An audit of the IA process itself requires a much larger organization to see much value in that
- Top management should participate as silent observers
- Extra-deep internal audits are done ahead of surveillance audits in order to give the departments a chance for improvement
- To do an audit on audit process means we conduct assessment of auditor competency
- A simple benchmarking effort could clearly show if an auditor from a registrar is generating more findings than an internal auditor.
- Number of findings as a metric of internal audit effectiveness
- Black Belts must champion any "mini self audit program", they earn so well, after all, it's all QMS improvement that's their job
- No separate audit for internal audit process makes sense.
Miscellaneous
- The requirement for the management representative was removed. There is no longer any need or use for a management representative. This facilitates ISO-mandated downsizing.
- Documents and records are now required to be called “documented information”.
- Going ISO with the new standard is a long, hard, drawn-out effort.
- Paper-based document control is forbidden under the new standard.
- Clause-by-clause gap assessment/gap analysis is the only method allowed for transitioning to the new standard. Economic justifications are required for the transition, based on the gap assessments.
- An organization is no longer permitted to retain the role of “management representative” under the new std.