Overview of Current Quality Management System
The current QMS should be reviewed to determine its overall efficiency and health under the current ISO 9001:2008 standard. Certain questions need to be asked and answered regarding the current status of the QMS. Among these questions are: Have all (if any) non-conformance finding(s) from the re-certification or surveillance audit been addressed and closed? Does your company already have a system for defining and allowing for or mitigating risk, as defined under section 6.1 of the ISO 9001:2015 standard? How is the company structured? Does it have a strong management presence? These are but a few of the type of questions that need to be answered for the initial steps of transitioning to occur.
Documentation of the QMS should be reviewed to determine what procedures are currently in place and which may be utilized in the ISO 2015 QMS. The determination should include what your organization determines to be necessary to describe its QMS and relevant functions. This should also aid in determining how the new ISO 9001:2015 additions (context of the organization, listing of interested parties, defining risk, management of change, etc.) should be documented by the organization for the most effective operation of the QMS.
The overview should be conducted as a gap analysis exercise and therefore you should begin to prepare checklists that include all aspects of the current ISO 2008 requirements, as well as, the new additions of the ISO 9001:2015 standard. While it may be obvious that several of the new additions do not exist under an ISO 2008 QMS, it should be noted what, if any, data or information is present that can be defined or designated as data relevant to or compliant with the new ISO 2015 additions.
Examples of the above may include procedural language or actions that account for risk or delineate the relationship risks between process steps or parties (i.e. customers, suppliers, etc.).
Meeting with leadership on understanding the new ISO 9001:2015
It is highly recommended that a meeting, or series of meetings, should be scheduled with the leadership to introduce and discuss the transition process. New requirements and radical (to some) language has been introduced by the new ISO 2015 standard and leadership needs to be instructed properly to understand and appreciate the requirements, and ramifications, of this language.
The introduction meeting should include not only the new additions but a detailed definition of each new section and how it applies to the organization’s QMS. By properly defining (and use of example language or charts) what each section means and what is required of leadership to be compliant are vital for the operation of transitioning to be successful.
It should be remembered that leadership (previously referred to simply as management under ISO 2008) is tasked with a far greater responsibility under the new standard then what was previously required of management. Leadership has specific, required functions and must demonstrate its leadership and commitment to the QMS by several required steps (section 5.1 Leadership and commitment, a-j). It must be made clear to leadership that the ISO 2015 standard is more flexible as to QMS authorship and implementation, but it has more defined responsibilities for each and every part of the organization’s QMS and leadership, in particular.
Defining the meaning and intent of the language of the new ISO 2015 can be difficult and may evolve from a person’s own experience with ISO based systems, other standards (API, Nuclear, etc.), as well as, peer opinions and/or research results from professional papers or articles. Leadership should be made aware of this language defining effort and have direct input into this process. However, as a quality professional, one must be able to ably articulate what he or she determines to be the best definition for the organization to operate its QMS effectively.
Perhaps the hardest to define and understand (at least, initially) is the concept of “risk-based thinking”. Leadership will have their own way of defining risk (either from experience or opinion) and the organization should be prepared to set forth a well-defined set of parameters that it uses to determine what risk-based thinking is and how it should be applied.
Sections 4.1 and 4.2 of ISO 9001:2015 lay the groundwork for risk to be defined and addressed by an organization. Context of the organization (4.1) and understanding (and defining) the needs and expectations of interested parties (4.2) MUST be considered when determining risks and opportunities that need to be addressed by the organization (6.1 Actions to address risks and opportunities).
Procedural templates and spreadsheets can be efficient aids to introduce leadership to the above required additions of the new standard. These aids can also ease the transition process by providing a starting place or foundation for leadership to build (or re-build) its QMS.
An analysis list should be prepared that tracks the new ISO 2015 sections and used for determining gaps in the organization’s current QMS related to compliance requirements under ISO 9001:2015. This will not be a routine gap analysis in that the analysis will be measuring weaknesses or gaps in a QMS that was designed under another standard and its requirements. Attention to what is being observed and how it may be used or conformed to the new standard should be the main concern during this process.
The analysis should look for language or process steps that may already exist that either define or show awareness of language contained in the new ISO 2015 standard. For example, your organization may already have a method (or procedure) for defining risk or risk processes. Additionally, an organization may define or have a list of parties (suppliers?) that it may have defined as having special requirements or contractual obligations – this could be an example of an interested party with the organization’s relationship (and risk association) to this particular party being defined and already existing within that organization’s QMS Software.
Emphasis can be placed on known areas of the organization that have had a history of non-conformance and corrective action, especially in process steps. This history may be a good jumping off spot for risk assessment to be defined and implemented under the new QMS structure.
Gaps will exist in ISO 2008 procedural language (as well as the obvious sectional numbering) but special emphasis should be placed on process steps and where risk may be assessed within these steps.