ISO 9001:2015 was created as a High Level System (HLS). By virtue of being an HLS, the new standard is designed so that other standards align themselves with it by integrating its elements and changes within the context of the principles required by the elements of 9001. Several other quality-oriented standards are used to certify companies to those standards, or to augment existing quality system conformance to the supporting compendial guidelines for 9001.
As an HLS, the ISO 9001 standards series has seven guiding principles that drive what other standards can and are beginning to incorporate as a core direction for organizational improvement.
These seven principles are:
- Customer focus: understand the needs of existing and future customers and align organizational objectives with customer needs and expectations.
- Leadership: establish a vision and direction for the organization, set challenging goals, equip and empower employees, etc.
- Engagement of people: ensure that people’s abilities are used and valued, ensure accountability, evaluate performance, enable learning and knowledge sharing, etc.
- Process approach: manage activities as processes, measure the capability of activities, deploy resources effectively, etc.
- Improvement: improve organizational performance and capabilities, align improvement activities, empower people to make improvements, measure and celebrate improvements, etc.
- Evidence-based decision making: ensure the accessibility of accurate and reliable data, use appropriate methods to analyze data, make decisions based on analysis, etc.
- Relationship management: identify and select suppliers to manage costs, optimize resources, and create value; establish short- and long-term relationships; share expertise, resources, information, and plans with partners; and call on improvement and development activities.
Any quality system, whether its intent is data security, project management, or health and safety, is reorienting its conventions to the 9001:2015 content. In doing so, each of these principles is covered by virtue of using the convention prescribed in 9001:2015.
For instance, ISO 27001, the data security standard, is the standard under which a company certifies any software system (whether legacy or newly purchased) and the hardware used to control it; aligned with the HLS, that certification then incorporates the seven principles and the convention of 9001. A good example is the transition of ISO 27001 to the 9001:2015 structure.
With the changes in technology and software, data integrity and security have become a mainstream concern for quality departments. Companies can certify that their business has the appropriate systems in place to maintain quality according to ISO 27001. They achieve this by having a policy document, separate from the quality policy, that is specific and unique to data integrity and security. This takes into account such policies as controlling an employee who uses a company laptop at home. For instance, this person takes their laptop home loaded with confidential company data and logs on to their personal internet connection. The question is: are the appropriate controls in place to allow the employee to do that safely and securely? The seven principles apply in order for the policy to be consistent with quality management and subsequently deployed.
In the health and safety environment, the standard is now ISO 45000 (revised from the 18001 standard). An example here would be the way a company conducts its annual OSHA training and how it handles incident reporting (treated as risk and opportunity analysis). Reporting would be done differently under the new standard, exercising the seven principles.
The underlying concept that is the major driver for all of this is risk-based management. A health and safety example is the reporting of an incident based on the level of an injury. A company would treat the reporting of an incident in which an employee was maimed by equipment on the factory floor very differently from an employee slipping and falling on a wet floor. The company would have a matrix or assessment associated with the nature of the incidents and how they are handled based on the event analysis (e.g., bow-tie analysis). That is a risk-based approach.
All of this is predicated on the ability of a company and its employees to use critical-thinking skills, which are risk-based. The reason is that a quality system of any kind is centered on its ability to evaluate an event and escalate it accordingly based on data and the associated risk. That then determines the decisions to be made around the event(s) and the ability to use a common language in resolving the event. Hence the need for critical-thinking processes.
That cuts across any quality standard under the principles of the revised ISO 9001 “HLS”. This approach will have an effect on the compendial guideline improvements for ISO 9001. These are the ISO 10000 series of guidelines, which include:
- Quality management -- Guidelines for quality plans
- ISO 10006:2003 (now ISO 21500): Quality management systems -- Guidelines for quality management in projects
- Quality management systems -- Guidelines for configuration management
- Measurement management systems -- Requirements for measurement processes and measuring equipment
- Quality management -- Guidelines for training
In considering the critical-thinking skills aspect of deploying these standards and guidelines, the key five in this set are:
- Analysis of a situation, good or bad (SRA)
- Analysis of root cause (RCA)
- Making a risk-based decision (DMA)
- Analysis of the plan action(s) (PLA)
- Innovation of ideas for design of actions (InnoOPS)
So the language and analytics of how we think about the way we think are as critical as the governance for improvement using risk and opportunity analysis. In all of this, the pervasive rationale is that the use of process and systematic thinking is now auditable around the ability to show actionable planning! While planning is easy, execution leaves a lot to be desired, so using such processes builds in outcomes that are decisive and effective for solid risk-based management.