4 November, 2014 Christopher Paris, VP Operations, Oxebridge Quality Resources
The next revision of ISO 9001 is due in 2015, and the standard is being anticipated with more controversy than any previous edition. The document, now in its Draft International Standard (DIS) stage, is nearly a done deal, with very few changes likely before it progresses to its final release.
Despite some online bluster, the changes are not as significant as some would have you believe. Using simple word count comparison against the current 2008 version, we find that 74% of the changed wording was merely rephrasing of existing requirements, without any new requirements; of the remainder, 20% are new requirements mandated by ISO bureaucrats, and 6% is new wording introduced by TC 176. That is good news for those who don’t want to spend a lot of money “updating,” but bad news for anyone expecting ISO 9001 to evolve into a more modern, 21st century standard.
The mandated text comes by way of a document called “The Consolidated Supplement,” an internal ISO procedure which defines all the requirements on how ISO Technical Committees (TCs) must operate. It is published by the ISO Technical Management Board (TMB), the bureaucratic body that oversees all TC activities. Normally, only TCs can produce ISO standards, since TCs are comprised of delegates assigned from ISO member nations; but in 2009, the TMB attempted to develop ISO Guide 83 to define a common “high level structure” for all ISO management system standards, such as 9001, 14001, etc. Guide 83 never made it out of draft, so the TMB then took the extraordinary – and somewhat clandestine – step of inserting Guide 83’s language into the mandatory internal Consolidated Supplement procedure, as “Annex SL”. This allowed the TMB to force the former Guide 83 rules on the TCs without the consensus of their delegates.
TC 176 was thus required to adopt the structure and language of Annex SL without being able to alter it. So a great deal of time was spent re-shuffling ISO 9001 clauses to align to the new Annex SL numbering scheme. Combined with pressure by ISO to publish by 2015, and a remarkably light schedule of physical meetings, there simply was no time for TC 176 to move ISO 9001 to consider any newer best practices or modern advances in quality management.
Much speculation has been had regarding the inclusion of “risk” in 9001. Contrary to TC 176 spin, the inclusion of risk did not come from user demand. Not only did risk rank fifth on a survey of ISO 9001 users’ wishes, Annex SL had been mandated on TC 176 nearly a year before the User Survey was completed.
Lacking risk management professionals in its ranks, TC 176 was stuck interpreting a complex field of study on an impossibly compressed schedule. A concept called “risk based thinking” was developed which would simultaneously attempt to resolve problems with the old preventive action language, while satisfying the TMB mandate to include risk. The problem is that “risk based thinking” doesn’t exist in any known risk management discipline, has never appeared in any professional risk body of knowledge, and was invented entirely out of thin air by TC 176. As a result, the risk requirements don’t actually require anything: there are no requirements for records, procedures, processes or resources. It even specifically says it is not risk management. You need merely “think” about risk, and you’re done. One of the members of ISO's own TC on risk management said that risk-based thinking is equivalent to "selling bottles of sound."
The other controversial aspect is that of “positive risk,” which ISO expects organizations to manage in the same way as negative risk. The idea of “positive risk” has polarized the risk management profession, and has been rejected by product safety professionals and those in finance and insurance. But nevertheless ISO fell in with the “positive risk” camp, and so it’s part of ISO 9001 now.
The other significant changes are:
- Context of the organization – a welcome change in that it will force companies to understand themselves before understanding how to apply ISO 9001.
- Human factors – while not expressly labeled as such, the new language under work environment requires the company to manage “social and psychological” factors in the workplace. This is a disaster waiting to happen, as it requires quality professionals and auditors to become overnight psychologists.
- Change control – finally, ISO 9001 adds language on ensuring changes to processes are done in a controlled manner.
- Documented information – inexplicably, TC 176 has merged “documents” with “records” and lumped them together as “documented information.” Now it’s no longer clear where ISO 9001 requires a document or a record, nor what control rules apply to which. Despite some spin coming from TC 176, no, the document control rules still favor a system of printed binders and signatures. You will struggle to comply if you have moved to modern tools like wikis, SharePoint or Confluence.
- Organizational knowledge – a new requirement that, like risk based thinking, doesn’t actually say anything, and since “knowledge” isn’t defined, it’s not at all clear what TC 176 wants here.
- Less documentation – despite what some are saying, TC 176 did not do away with documentation, they just use different wording. Instead of explicitly calling for procedures, they now use the word “define” a lot, leading to the question of how do you “define” something without writing it down? As before, TC 176 has confused being generic with being ambiguous.
- It’s still overwhelmingly hardware biased – service providers will continue to be alienated by ISO 9001, and probably go off to pursue CMMI or other standards instead. TC 176 has proven itself incapable of solving this problem, and just needs to split the standard already.
- No linking of processes and objectives – the standard still hasn’t firmly tied quality objectives to processes, and the process approach will still be confusing to people. A missed opportunity.
- Flexible design model – ISO 9001 still mandates a design and development model which contradicts many modern models, such as Agile. It’s stuck in 1950.
The good news is that because the new standard is filled with vague, half-baked ideas subject to interpretation, you get to interpret it. Under 9001:2015, “tailoring” is the critical key to survival.
Rather than write an inane Quality Manual, companies should create a policy document which defines its interpretation of each of the 9001 requirements, clause by clause. These can be single-sentence policies that would then point to any supporting procedures. It sounds like the traditional Quality Manual, but would look entirely different. This document would then be useful for training and – most of all – providing to third party assessors.
These policy statements should then be aligned with the company’s processes, so that each process falls subject to at least one such statement (if not many.) Then, objectives for each process can be developed (at least one per process), which support those policy statements and provide a means of assessing if each process is effective. This might be a good time to get rid of dopey process maps and those horrid Turtles.
Next, companies should defend their interpretation when challenged, specifically by certification body auditors. Unless a Certified Body (CB) auditor can find a nonconformity with the interpretation, and firmly fix it to an actual requirement, they must accept the company’s interpretation. In the past companies have sought interpretation guidance from the CBs, which is backwards; they are there to assess your interpretation, not assess their own.
Finally, companies will have to be ready to exercise their rights to appeal, complain and escalate complaints when the inevitable clash happens with CBs. The CB industry is loath to pay for any training of their auditors, and they are unlikely to start now, especially regarding the complex discipline of risk management. Companies will have to go back and point to their interpretation document, and defend it when challenged. More than ever, this means companies will need to read ISO 17021 and ISO 19011, the rules for auditors, and be ready to use those rules to defend themselves.
The end result will be more organic quality management systems, properly aligned to each organization’s processes, and more effectively measuring those processes to ensure the final product or service is outstanding. But all of this will come despite ISO 9001, not because of it, and relies on taking advantage of the deeply flawed, vague language that TC 176 has released on the world.
Silver lining, and all that.
Christopher Paris is VP Operations of Oxebridge Quality Resources, and an expert on ISO 9001 and AS9100. He is a former Lead Auditor and member of the US Technical Advisory Group to ISO TC 176. Prior to that he worked in chemical manufacturing. Oxebridge clients have included SpaceX, Lufthansa, Northrop Grumman, L3, and JetBlue. A satirist, he is the author of Eyesore 9000, the world’s only parody of ISO 9001, which has been downloaded nearly a quarter of a million times. He is a vocal advocate for the rights of standards users worldwide. He currently lives in Lima, Peru. You may reach him via his website at www.oxebridge.com.