Implementation The New ISO 9001:2015 Standard
The initial process of ISO 9001:2015 implementation should begin with the creation of a work-flow outline. The outline will have key dates of the transitioning process and designate key personnel for undertaking, managing and monitoring the resulting QMS. This outline should be discussed with the leadership of the Organization and leadership’s input should be recorded and kept as improvement actions.
The key dates are to be determined by the Organization’s make-up and the maturity level of its’ current ISO 9001:2008 QMS. If the Organization is seeking its’ first certification under ISO 9001:2015, then the process will probably take longer to initiate, due to the lack of previous ISO experience. The dates should encompass all aspects of the transition process, including the scheduling of one or more gap analysis during the monitoring period to ensure compliance of the new system to the standard.
The documentation process for the new QMS should be of paramount importance. One of the most obvious changes are the numbering of the various sections of the new standard. If the transitioning Organization has previously numbered its’ QMS by the sections of ISO 9001:2008, the process will be one of matching the new standard numbers to that of the previous standard. In addition, references contained in the body of procedures will need to be changed – this process will and is time consuming, but necessary for compliance purposes, as well as, properly documenting required conduct under the new standard. It is highly recommended that if an Organization has procedures and work instructions, they should be kept and amended, as necessary. This will help to ensure a smoother transition and be a familiar process for documenting conduct and QMS compliance.
New procedures/work instructions should be created for the new sections of ISO 9001:2015, namely: 4.1 Context of the Organization; 4.2 Interested Parties; 6.1 Risk, 6.3 Management of Change and 7.1.6 Organizational Knowledge. These procedures should set forth the required conduct of the Organization and its’ leadership.
Context of the Organization should spell out the internal and external issues that are relevant to the Organization’s purpose and strategic direction. Additionally, all factors that may affect the Organization’s ability to achieve the intended results of its’ QMS.
These issues can be more specifically elaborated by defining the roles and associations of Interested Parties (section 4.2). Not only must an Organization create and maintain a list of Interested Parties and describe the relationship the Organization has with said party, but should further describe what risk that association poses to the Organization. These relationships can be segregated by their particular positioning as either Internal or External to the Organization. Additionally, the Organization should list risk factors pertaining to the operation of the Organization (i.e. labor issues, weather issues, economic issues, etc.). These can also be categorized by Internal and External designations.
Risk (section 6.1) offers the most daunting challenge for most organizations to undertake with the new requirements of ISO 9001:2015. After defining the Organizational context and the roles of Interested Parties, the Organization needs to address risks and opportunities that give assurance the QMS can achieve intended results, enhance desired effects, prevent, or reduce undesired effects and achieve improvement. While this could present a massive effort, an Organization needs to create a method for identifying risk, assigning the risk priority number (RPN), performing a root cause analysis, and finally, mitigating the risk and keeping a record of the risk history.
One manner of such a task may be to create a spreadsheet that identifies the various processes of the Organization and sets forth the risk associated with any particular activity of a given process. Remember, an Organization should be able to justify the risk priority number (RPN) assigned to a given process step or activity. This justification should describe what input thoughts or practices were used to determine not only the associated risk but what mitigating factors exist to justify the RPN.
Management of Change (section 6.3) is a new requirement of the ISO 9001:2015 standard and stipulates that any changes affecting the QMS should be managed and proper records kept of the changes. A procedure or work instruction on initiating and capturing change issues should be created to manage the process.
Organizational Knowledge (section 7.1.6) is new and a procedure on how the Organization will designate, store, disseminate and manage Organizational Knowledge should be created. The process should include how the Organization will disseminate requested knowledge and define what the Organization deems to be “knowledge” within its scope of operations.
Leadership of the Organization should be actively involved in the creation and implementation of these new procedures and data should be provided on a routine basis for leadership to have the tools necessary for active participation in the new QMS.
Monitoring the QMS processes and operations
The Organization should operate for at least four to six months prior to ISO 9001:2015 certification. This time period will allow for sufficient data on QMS operations to be gathered and assimilated and a “history” of the Organization as an operating ISO 9001:2015 company has been realized.
Areas to monitor include non-conformance reporting on product and operations, inspection reporting, analytics and risk identification and steps to mitigate said risk. Additionally, the overall QMS efficiency should be monitored to identify any weaknesses (i.e. gap analysis) to the QMS and its new additions.