2017: A Year of Transitions in ISO-related Standards
The most important thing is not to simply meet the requirements but to identify how and why the requirements work to make organizations better.
In 2017, much of the ISO standards user community, as well as the supporting third party certification industry, was left with the same question. What standards/specifications aren’t changing right now? ISO 9001, ISO 14001, ISO 13485, AS9100-series and ISO/TS 16949 documents have all undergone structure revisions and are already moving rapidly into user adoption, and finally supporting certification phases. When these types of changes happen, users are always left scrambling, counting the number of shalls (again) or trying to get their hands on appropriate “delta” matrices but often are some of the underlining theme changes—which organizations ultimately need to know—are missed. This article will focus on some of these underlining theme changes with specifically the ISO 9001:2015 (previous ISO 9001:2008), AS9100D (previous AS9100C) and IATF 16949:2016 (previous ISO/TS 16949:2009) standards.
By its very clause structure (as defined in Annex A), ISO 9001:2015 users are now introduced to a 10-clause versus the previous eight-clause supporting outline. As users adapt to this change in standard structure, there are three important themes to focus on, including organizational context, top management ownership and risk-based thinking.
Organizational context is an important centerpiece of the ISO 9001:2015 standard in that it’s broken into considerations for both internal and external review of issues (ref. ISO 9001:2015, clause 4.1). Organizational context is what allows the organization the appropriate latitude to scope their business into the ISO 9001:2015 standard. In this regard, no two contexts should ever be the same. An organization that considers this clause, not only for its requirement, but for its very appropriate value can build an effective tool for fitting these considerations into the risk-based thinking demands of the new standard.
Accountability from top management is something that contextually has always had some place within the ISO 9001 previous versions, but within ISO 9001:2015, the application of top management involvement and leadership of the quality management system (QMS) is expanded. Under ISO 9001:2015; clause 5 “Leadership”; in addition to previous top management responsibilities for the quality policy (provision of resources) there is now communication (ref. ISO 9001:2015, clause 5.1.1f) and expanded customer focus requirements (ref. ISO 9001:2015, clause 5.2). These changes are not subtle, nor are they intended to simply be a discussion, but rather observed with clear evidence that top management has responsibility for the overall effectiveness of the QMS.
ISO 9001:2015 users are now introduced to a 10-clause versus the previous 8-clause supporting outline.
And last—risk-based thinking. Much has been made publicly about risk-based thinking with the release of the ISO 9001:2015 standard. However, risk-based thinking, in a majority of business models, has always been there. For instance, many organizations must consider the risk with a new product/service release or the risk involved with appropriately training their employees to work within a particular set of requirements specific to the production of a given product or service set. Two examples where risk-based thinking relative to the ISO 9001:2015 standard are often taken for granted are:
- Risk-based thinking now includes both risk (negative) and opportunity (positive).
- Actions that address risk and opportunity must be “proportionate” to the potential impact on product and service conformity (ref. ISO 9001:2015, clause 6.1.2).
Many times, we think of risk-based thinking in only the negative, and we can overly manage risk requirements where it may not be needed or appropriate.
As the ISO 9001:2015 standard evolved, the AS9100-series was forced to follow suit (given the change in the supporting ISO 9001 clause structure) as these standards use the ISO 9001 framework with additional appropriate Aerospace, Space and Defense (ASD) requirements. The supporting International Aerospace Quality Group (IAQG) 9100 Series Team went to great lengths to not only support the AS9100D standard’s adoption into this ISO 9001 clause structure but also to ensure that the at-large ASD community of users could extract the industry stakeholder’s additional requirements for operating an effective aerospace QMS. Within the additional ASD requirements in the AS9100D standard, there are two themes worth addressing: configuration management and human factors.
Configuration management is an important tool for controlling the revisions of for any given organization. A definition of configuration management can be found within ISO 10007 (‘Quality management systems – Guidelines for configuration management’) as the following, “… coordinated activities to direct and control the interrelated functional and physical characteristics of a product [as] defined in the requirements for product design, realization, verification, operation and support.” This definition can be daunting, but the key item to focus on is the “activities” to the which the organization identifies and manages with any supporting configuration changes as well as under AS9100D, adopting into this program the appropriate stakeholder expectations with managing change controls.
One area of change within the AS9100D standard that has garnered much discussion is human factors, specifically human factors as a consideration within the root cause analysis of nonconformities (ref. AS9100D, clause 10.2). The aerospace industry has long recognized that social, psychological and physical factors play a significant role in the design of processes (in fact many examples were built into past revisions within the AS9110 or Maintenance, Repair and Operations standard). To this end, a natural extension of this same philosophy can be found within the nonconformity and corrective action activity. For example, when considering how to solve a problem, the organization is now required to consider the extent to which human factors played a role in nonconformance. Clearly, “operator error” is still not the appropriate root cause that displays human factors but rather the associated factors that allowed the “operator error” to occur in the first place.
The IATF 16949:2016 standard is intended to be an additional, automotive-specific requirement on top of ISO 9001:2015. As subscribing certified organizations to ISO/TS 16949:2009 (soon becoming IATF 16949:2016) can attest, the changes are extensive. Some highlights of these changes include: increased prevalence of product safety requirements, authorization requirements for nonconforming product, increased requirements for Total Productive Maintenance (TPM), addition of “whistle blowing” corporate responsibilities, expanded supplier selection requirements, new warranty management processes and more clearly defined error proofing methodologies. However, the significant underlying theme that organizations must consider carefully lies within the detailed and defined competencies for both internal and second party auditors.
In the past with internal and second party auditors (typically supplier auditors), the organization was left to largely define the competency requirement achievement for their auditor trainings. Most organizations would send their supporting lead, or even an entire team of auditors to an appropriate and often lengthy training session. Nevertheless, IATF 16949:2016 now defines the competencies which must be achieved (ref. IATF 16949:2016, 7.2.3 and 7.2.4) and furthermore, these competencies are now also inclusive of supporting Core Tool as well as appropriate Customer Specific Requirements (CSRs) knowledge. Aligned in the same mold as certification body auditor competencies required for third party auditing, the expectation is that organizations will achieve this requirement as part of their IATF 16949:2016 transition.
Nobody likes change. However, with change comes innovation, and while some may argue that with some of the individual changes in these standards (such as some of the items noted above) we’ve possibly added more complexity to the requirements or created more work for ourselves, the changes are evolutions to these standards that allow us to better meet the needs of stakeholders.. Therefore, as we accept these transition challenges the most important thing in the end is not to simply meet the requirements but to identify how and why the requirements work to make organizations better.