9001 2015 Guidelines

Table of Contents
ISO 9001:2015 Clause 04 Context of the Organization
The internal context may include,
Example internal issues could include
An interested party
Interested Parties & Requirements
Clause 4.3 Determining the scope of the quality management system
External issues
Internal issues
4. Risk-based approach
Risk Based Thinking ISO 9001 :2015
Risk as Currently Stated in ISO 9001:2015
Seven principles of Quality management
Understanding structure terminology and concept of ISO 9001:2015
Risk Based Thinking ISO 9001 :2015
Risk in ISO 9001:2015
Seven principles of Quality management as per ISO 9001:2015
committee draft
List of mandatory documents required by ISO 9001:2015

ISO 9001:2015 Clause 04 Context of the Organization


Definition
As per ISO 9000, the definition of Context of the Organization is:
business environment, combination of internal and external factors
and conditions that can have an effect on an organization's approach to
its products, services and investments and interested parties.
The note states that this concept of Context of the Organization is equally
applicable to not-for-profit organizations, public service organizations and
governmental organizations.
In everyday language this concept is also known as the business
environment, organizational environment, or ecosystem of an
organization.
Introduction:
The implementation of QMS should be the strategic decision of the
organization and is influenced by the context of the organisation and the
changes in that context. The changes in the context can be with respect
to its specific objectives, the risks associated with its context and
objectives, the needs and expectations of its customers and other
relevant interested parties, the products and services it provides, the
complexity of processes it employs and their interactions, the
competence of persons within or working on behalf of the organization
and its size and organizational structure. The context of an organization
will include internal factors such as organizational culture, and external
factors such as the socio-economic conditions under which it
operates. The scope of ISO DIS 9001:2015 states that the organization needs
to demonstrate its ability to consistently provide products and services
that meet customer and applicable statutory and regulatory requirements
and aims to enhance customer satisfaction.
Any interested party which is not relevant to the quality management
system need not be considered and similarly any requirement of the
interested party not relevant to the quality management system need not
be considered. Determining what is relevant or not relevant is dependent
on whether or not it has an impact on the organization's ability to
consistently provide products and services that meet customer and
applicable statutory and regulatory requirements or the organization's
aim to enhance customer satisfaction. The organization can decide to
determine additional needs and expectations that will meet its quality
objectives. However, it is at the organization's discretion whether or not
to accept additional requirements to satisfy interested parties beyond
what is required by this Standard.
There is a new clause relating to the context of the organization:
Clause 4 Context of the organization.
This clause requires the organization to determine the issues and
requirements that can impact on the planning of the quality management
system. Interested parties cannot go beyond the scope of ISO
9001. There is no requirement to go beyond interested parties that are
relevant to the quality management system. Consider impact on the
organization's ability to consistently provide products and services that
meet customer and applicable statutory and regulatory requirements or
the organization's aim to enhance customer satisfaction. Organizations
can go beyond the minimum requirements to determine additional needs
and expectations for interested parties that would not be relevant, at the
discretion of the organization, and this should be clear in the quality
management system. The Context of Organization clause has four sub-clauses, i.e.
Clause 4.1 Understanding the Organization and its context
Clause 4.2 Understanding the needs and expectations of interested
parties
Clause 4.3 Determining the scope of the quality management system
Clause 4.4 Quality management system and its processes
Clause 4.1 Understanding the Organization and its context
The organization should determine external and internal issues for the
organization relevant to its purpose, strategic planning and which affect
the organization's ability to achieve its objectives. The organization
should monitor and review the information about external and internal
issues. Management review requires the monitoring of external and
internal issues. The organization must consider issues related to values,
culture, knowledge and performance of the organization for
understanding of internal issues. The organization must consider issues
arising from legal, technological, competitive, market,
cultural, social, and economic environments, whether international,
national, regional or local, for understanding of external context. For
both internal context and external factors, positive as
well as negative factors must be considered.
An organization's context involves its operating environment. The
context must be determined both within the organization and external to
the organization. It is important to understand the unique context of an
organization before starting the strategic planning. To establish the
context means to define the external and internal factors that the
organization must consider when it manages risks.
An organization's external context includes its outside stakeholders, its
local operating environment, as well as any external factors that
influence the selection of its objectives (goals and targets) or its ability
to meet its goals. An organization's internal context includes its
interested parties, its approach to governance, its contractual
relationships with its customers, and its capabilities and culture. An
organization's internal context is the internal environment within which
the organization seeks to achieve its sustainability goals.

The internal context MAY include,


Product and service offerings
Governance, organizational structure, roles, and accountability
Regulatory requirements
Policies and goals, and the strategies that are in place to achieve them,
Assets (e.g., facilities, property, equipment and technology)
Capabilities, understood in terms of resources and knowledge (e.g.,
capital, time, people, processes, systems, and technologies)
Information systems, information flows, and decision-making processes
(both formal and informal)
Relationships of the staff/volunteers/members and the perceptions and
values of their internal stakeholders including suppliers and partners
Organization's culture
Standards, guidelines, and models adopted by the organization and
Form and extent of the organization's contractual relationships.
Internal context can also be defined as anything within the organization
that may influence the way in which the organization manages its
internal risks. Once the internal context is understood, one can conduct
the macro-environmental external analysis using PEST (political,
economic, social and technological) analysis. This analysis determines
which factors can influence how the organization operates. The
organization cannot control these factors, but it must seek to adapt to
them. The PEST factors can be classified as opportunities and threats in
a SWOT (strengths, weaknesses, opportunities and threats) analysis.
Alternatively, some organizations might use Porter's Five Forces
Model. These methods are used to review a strategy or position or
direction of an organization. Completing a PEST analysis is simple and
helps the individuals involved in the organization to understand and find
ways to deal with the context.

Political Factors
Ecological/Environmental Issues
Current legislation
Anticipated future legislation
International legislation (global influences)
Regulatory bodies and processes
Government policies, terms and change
Funding, grants, and initiatives
Market lobbying groups
Wars and conflicts
Economic Factors
National economies and trends
General taxation issues
Taxation to activities, products, services
Seasonality or other weather issues
Market and trade cycles
Specific sector factors
Customer/end-user drivers
Interest and exchange rates
International trade and monetary issues
Social Factors
Lifestyle trends
Demographics
Consumer attitudes and opinions
Media views
Law changes affecting social behaviors
Image of the organization
Consumer buying patterns
Fashion and role models
Major events and influences
Buying access and trends
Ethnic/Religious factors
Advertising and publicity
Ethical issues
Technology Factors
Competing technology development
Associated/Dependent technologies
Replacement technology/Solutions
Maturity of Technology
Information and communications
Consumer buying mechanisms
Technology legislation
Innovation potential
Technology access, licensing, patents
Intellectual property issues
Global communication
Social media use
Maturity of organization's products/services

Example: Porter's Five Forces Model.


Although organizations cannot control macro-environment factors they
need to manage them to their advantage. They also need to protect
themselves from PEST factors which may increase operational costs or
affect their reputation.
The external context's micro-environment consists of the organization's
immediate operations and how they affect its performance and
decision-making. These factors have a direct impact on the success of the
organization. It is important to have a full analysis of the
micro-environment before moving to strategy development.
Here are some of the micro-environmental context factors.
Customers:
Organizations must attract and retain customers by offering products and
services that meet their needs along with providing excellent customer
service.
Employees:
There must be availability of people with the motivation to remain as
contributing members of the organization and develop the skills
necessary to provide a competitive edge.
Suppliers:
Suppliers provide organizations with the resources they need to carry out
their activities. If a supplier provides bad service, this affects the way the
organization operates. Close supplier relationships are an effective way
to remain competitive and secure the resources needed
Investors:
All organizations require investment to grow. They may borrow the
money from a bank or have people invest in their work. Relationships
with investors need to be managed carefully as problems can
detrimentally affect the long-term success of the organization
Media:
Positive media attention can bring success to the organization by
maintaining its reputational strength. Managing the media (including the
presence in social media) is a challenge.
Competitors:
Members of the organization need to have a sense of belonging.
Can the organization offer benefits that are better than those offered by
the competitors?
Is there a strong value proposition? Competitor analysis and monitoring
is crucial if an organization is to maintain or improve its position in the
competitive landscape of the community. The organization must always
be aware of its competitors' activities. The landscape can change
quickly.
As in the case of the macro-environmental context, the organization
cannot always control its micro-environment factors. But they must be
carefully managed together and with the internal context understanding.
Both internal and external context can have influence over the
organization. Customer pressures and complaints can force
organizations to change various policies such as product returns and
customer and technical support. Technological changes can provide new
and more effective ways to handle communications, operations, shipping
and logistics. Cultural and religious differences may hinder product or
service entry into certain countries. Governments' regulatory and trade
policies can play a significant role in determining how businesses
operate, especially in regard to international trade, taxation, and
regulations. The media, including social media, can have a huge impact
on a company's image and public relations. A bad news video or news
report can go viral pretty fast, and if your organization doesn't provide
an acceptable response, the negative publicity and effects can last a long
time. Sociological forces often drive what, where and how consumers
buy products and services. There is an increasing trend in the number of
consumers purchasing products online and reading reviews before
making a purchase. The multinational and multicultural trend in
workforce composition can cause significant changes in hiring and
retention of competent human resources. If the response to these
situations is unplanned, weak or untimely, it might have a dramatic
impact on the future of the business: loss of customers, serious
production interruption or disruption, permanent loss of organizational
knowledge, even loss or bankruptcy of the business. Contextual issues
can have a positive impact, as it may present opportunities such as new,
improved or increased availability of previously scarce resources,
opening up of or access to new markets, availability of new technologies
leading to reduced costs, improved product quality, services and
operational efficiency. Many of these contextual issues can be viewed as
variables, some changing faster, others slower, depending on whether the
organization is fast paced and leading edge or in a stable or mature
industry. Therefore variability in these issues depicts uncertainty about
their future behaviour. Such uncertainty can be quite diverse, complex
and at times highly unpredictable. This presents a dilemma to
organizations in terms of tracking and adapting to changes in these
issues. This uncertainty introduces the need for understanding and use of
risk evaluation, mitigation and management. Thus each organizational
contextual issue will have its own specific set of uncertainties with
different levels of complexity and risk and the need for specific controls
to mitigate or eliminate the risk.

Example internal issues could include, but are not limited to:
Structure of the organization - limited flexibility when dealing with varying demands
Roles within the organization - rigid, personnel willing to adapt to demands?
Availability of reliable qualified and competent work force - very good (positive)
Stability of workforce - wage benchmarking is not consistent with competitors
Staff retention - very high (positive)
Impact of unionization - uncordial
Staff competency levels - high (positive)
Contractual arrangements with customer - beneficial
Payment terms from customers - high credit
Solvency of customers - etc.
Expansion of customer base - etc.
Overall strength of business to support funding needs - etc.
Relationship with investors - etc.
Credit terms available - etc.
Service level agreements with customers - etc.
Culture within the organization - etc.

Example external issues could include, but are not limited to:
Political, economic, social, technological, legal and regulatory - laws changing, affecting product conformity, minimum wage changing, evolutions in more efficient machinery affecting price
Operating permits - becoming tighter on emission levels, technology demands
Overall economic performance in the country - above EU norm (positive)
Competitive environment overall - low cost of entry into the market
Economic plans for future - etc.
The nature and impact of economy on market - etc.
Customer demographic - etc.
General levels of consumer confidence - etc.
Customer expectation - etc.
Standardization and certification within the industry - etc.
Regulation within the industry generally - etc.
Trade associations and lobbying powers - etc.
Impact on neighbors - etc.

Clause 4.2 Understanding the needs and expectations of interested parties
The organization shall determine relevant interested parties and relevant
requirements of relevant interested parties. Relevant interested parties to
be considered are those that could affect or potentially affect the
organization's ability to constantly provide products and services that
meet customer and applicable statutory and regulatory requirements.
Monitor and review information related to interested parties and relevant
requirements.
Firstly, the organization will need to determine external and internal
issues that are relevant to its purpose, i.e. what are the relevant issues,
both inside and out, that have an impact on what the organization does,
that would affect its ability to achieve the intended outcome(s) of its
management system. It should be noted that the term issue covers not
only problems, which would have been the subject of preventive action
in previous standards, but also important topics for the management
system to address, such as any market assurance and governance goals
that the organization might set for its management system. Next the
organization has to determine relevant interested parties and relevant
requirements of relevant interested parties.

An interested party is a person or organization that can affect, be
affected by, or perceive themselves to be affected by a decision or
activity that's within the scope of the management system. There will be
those external interested parties that impose specific legal, regulatory or
contractual requirements on an organization. There may also be
requirements specified by internal interested parties, for example
management and staff (permanent and temporary). Typically these
would include:
Shareholders
Owners
Management
Employees
Trade unions
Suppliers
Partners
Client
Government agencies
Media
Society
Any other person or organization interested in the organization
There is no requirement in this International Standard for the
organization to consider interested parties which have been determined
by the organization not to be relevant to its quality management system.
Similarly, there is no requirement to address a particular requirement of
a relevant interested party if the organization considers that the
requirement is not relevant. Determining what is relevant or not relevant
is dependent on whether or not it has an impact on the organization's
ability to consistently provide products and services that meet customer
and applicable statutory and regulatory requirements or the
organization's aim to enhance customer satisfaction. The organization
can decide to determine additional needs and expectations that will assist
it to meet its quality objectives. However, it is at the organization's
discretion whether or not to accept additional requirements to satisfy
interested parties beyond what is required by this International Standard.

Interested Parties & Requirements


Executive Board: Good financial performance, legal compliance/avoidance of fines
Local residents: No complaints relating to noise, parking, health and safety, pollution, waste, employment
Law enforcers/Regulators: Identification of applicable statutory and regulatory requirements for the products and services provided, understanding of the requirements, application within the QMS, and update/maintenance of them
Customers: Value for money, high quality, expectations for design innovation, on time, low-cost, quick response, installation expertise, health and safety/EMS
Bank/Finance: Good financial performance
Employees: Professional development, prompt payment, health and safety, work/life balance, employment security
Insurers: No claims/prompt payment/risk management
External providers: Prompt payment, health and safety, work relationship
Trade Unions: Compliance (employment law)

One tool which can be used for determining the relevant requirements of
relevant interested parties is stakeholder analysis.

Scope
Clause 4.3 Determining the scope of the quality management system
The organization must establish the scope of the quality management system
by determining the boundaries and applicability of the quality
management system. While determining the scope the organization must
consider the internal and external issues determined in 4.1, the
requirements of relevant interested parties in 4.2 and the products and
services of the organization. Requirements from this International
Standard that can be applied by the organization shall be applied within
the scope of the QMS. Requirements from this International Standard
that cannot be applied by the organization and which do not affect the
organization's ability or responsibility to provide product and services
that meet the conformity of its product and services and enhancement of
the customer satisfaction. The organization must make available the
scope and must maintain scope as documented information stating the
products and services covered by the QMS and any justification where a
requirement of this International Standard cannot be applied.
An example of how a scope could be derived
Organization's purpose and strategic direction
Purpose:
As one of India's leading Data Communications manufacturers,
installers and on-site managed service providers of fiber optic cabling
(for Information Technology connectivity), as well as installer and
on-site managed service provider of copper cabling and IT cabinets, our
reason for being is a combination of our vision, mission, and values.
What is our vision?
To become the most trusted manufacturer, installer and service provider
of fiber optic/copper cabling (IT cabling) and IT cabinets within India
and Europe.
What is our mission?
To expand our operations by consistently meeting customers'
expectations, and our legal requirements, which includes the
enhancement of customer satisfaction through the effective application
of our processes for continual improvement.
What are our values?
Sustainable business practices including: corporate social responsibility
(social, economic and environmental), responsible governance, and
equal opportunity are all expected values within our organization.
These are reinforced through sustainable ethics and workforce
integrity throughout all business operations. Co-operation and
collaboration are expected norms within the organization's management,
with recognition provided for all through regular appraisals. We
encourage and embrace any values which enforce the behaviors that
employees cherish.
Strategic Direction:
To open two new offices in India, and one new office in Germany, and
Spain this year. To implement and gain accredited certification to ISO
9001 and ISO 14001 in these new offices, within a year of the offices
opening. To employ a motivated workforce that will embrace the
organization's values, and complement the co-operation and
collaboration needed to achieve the effective application of our
processes for continual improvement.
2. Organization's intended result(s) of its QMS
From the Scope of the Standard:
To demonstrate its ability to consistently provide products and services
that meet customer and applicable regulatory requirements
To enhance customer satisfaction through the:
Effective application of the QMS
Processes for continual improvement of the QMS
Assurance of conformity to customer and applicable statutory and
regulatory requirements specific to our organization:
Reduction in waste, during manufacturing, through reduced rejects,
effective corrective action and improvements in process understanding
and compliance
To assist in the creation of an effective knowledge database for the
consistent provision of product and service, and for business continuity
purposes

External issues
Contractual arrangements generally within the sector
Competitive environment overall - low cost of entry into the market
Legislation, e.g. employment of non-nationals
Regulation within the industry generally
Overall competition within the recruitment sector
Overall economic climate in the country
Countries' environmental requirements affecting products and service
Technology advances
Standardization and certification within the industry
Client consideration of bringing expertise in-house
Client working environment - other trades working alongside us
Client configuration changes during installation
Relationships with external interested parties
Perceptions/values of external interested parties
Key drivers and trends


Workforce culture within the sector and country
Construction delays
External inspections/audits
Competitors ceases trading
Availability of raw materials
Power cuts in countries
Availability of external providers - machinery maintenance etc.

Internal issues
Structure of the organization
Roles within the organization
Availability of reliable, qualified and competent workforce
Stability of workforce
Staff retention
Staff training levels
External providers competence and availability
Availability and quality of candidates to fulfill our vacancies
Culture within the organization
Working hours
Staff morale
Internal politics
Governance, Policies, objectives
Strategies
Capabilities
Resources
Knowledge
General competence
Technologies
Information systems
Decision making processes
Relationships with interested parties
Perceptions/values of interested parties
Standards, guidelines and models adopted
Contractual relationships
Potential conflicts
Processes for resolving conflicts
Social customs
Management's abilities
Priorities
Database skills
Root cause analysis abilities
Improvement tools and abilities to apply
Ability to motivate workforce
Project management expertise - new offices
Understanding and experience in implementing ISO 9001
Co-operation of workforce

Interested parties and relevant requirements

Interested Parties & their Requirements


Executive Board: Good financial performance, legal compliance/avoidance of fines, sustainable, corporate and social responsible with a suitable governance framework
Local residents: Local employment, good reputable employer
Law enforcers/Regulators: Identification of applicable statutory and regulatory requirements for the products and services provided, understanding of the requirements, application within the QMS, and update/maintenance of them, legal compliance, prompt responses to investigations and enquiries
Customers: Value for money, high quality, expectations for design innovation, on time, low-cost, quick response, installation expertise, legal compliance
Bank/Finance: Good financial performance and cash flow
Employees: Professional development, employment security and good employee working relationships
Insurers: No claims/prompt payment/risk management
External providers: Clear, unambiguous contracts and scope of works, good working relationship
Trade Unions: Compliance (applicable laws) and good working relationships with management

Products and services of the organization

Fiber optic cable manufacture - multimode
Configuring/layout/plans of cable routes within a client building
Installation of IT cabling on client site (fiber optic and copper cabling)
Installation of IT cabinets and connect cabling to active IT equipment
Test connectivity and data performance
On-site configuration management - moves and changes
On-site network incident management
Provision/management of on-site IT human resource
IT client disaster recovery service and help desk
Determined scope
The production, installation and on-site managed service of fiber optic
cabling (for Information Technology connectivity), and the installation
and on-site managed service of copper cabling and IT cabinets, at client
sites in India, Germany and Spain.

Manufacturing sites/Offices:

India (Manufacturing)
Germany (Office)
Spain (Office)
Applicability:
All clause requirements are applicable to the above scope, except: 8.3
(Design and development of products and services). This is because the
organization does not design its products and services, but produces fiber
cable (and installs IT cabinets, and cabling along routes) according to
established/defined standards and industry guidance. Clause 8.3 is
therefore not applicable to our Quality Management System.
End of example

Clause 4.4 Quality management system and its processes


Clause 4.4.1
The organization must establish, implement, maintain and continually
improve its quality management system as per the requirements of this
Standard by determining the processes needed and their application
throughout the organization. While determining the processes, the organization
must determine the inputs required and the outputs expected from these
processes, and the sequence and interaction of these processes. The
organization must control these processes to ensure their effective
operation. The organization must establish the criteria and methods,
which include monitoring, measurements and other related performance
indicators, to ensure the effective operation and control of these
processes. The organization must determine and ensure the availability
of the resources needed for effective operation of these processes. The
personnel having authorities and responsibilities for these processes
must be identified. As per clause 6.1, the organization must determine
risks and opportunities, analyse them and take appropriate action to
address them. There must be methods for monitoring, measuring, as
appropriate, and evaluation of these processes. The organization must
make changes to a process if it fails to achieve its intended result. The
organization must look for opportunities to improve these processes and
the quality management system as a whole.
Clause 4.4.2
The organization shall maintain documented information to the extent
necessary to support the operation of processes and retain documented
information to the extent necessary to have confidence that the processes
are being carried out as planned.
The primary focus of clause 4.4.1 requirements is to manage and
control all your QMS processes including processes for operations.
QMS includes processes for management (leadership) activities,
planning which includes risk assessment, support processes (such as
provision of resources, communication etc.), operation, performance
evaluation and improvement as part of QMS.
Clause 4.4.1 requires the Process Approach to be used in defining
your QMS. Documentation of QMS processes and the need for and
detail of specific process documentation is determined by ISO 9001,
customer, regulatory and your own organizational requirements,
complexity of products and processes, effect on quality, risk of customer
dissatisfaction, economic risk, effectiveness and efficiency, competence
of personnel. Clause 4.4.2 requires you to have documents needed to
ensure the effective planning, operation and control for QMS processes.
Based on these factors, you must determine what processes need to be
documented and how you will document it. Not all processes need to be
documented; your documents must also include a description of the
interaction between your QMS processes. A number of different methods
can be used to document processes, such as graphical representations,
written instructions, checklists, flow charts, visual media, or electronic
methods, etc. Process flowcharts or block diagrams can show how
policies, objectives, influential factors, job functions, activities,
material, equipment, resources, information, people and decision making
interact and/or interrelate in a logical order. Procedures may be an
acceptable way to document processes provided they describe inputs and
outputs, appropriate responsibilities, controls and resources needed to
satisfy customer requirements. Regardless of whether or not you
document all of your processes, you must provide evidence of effective
implementation of all your QMS processes. Such evidence does not
necessarily need to be documented.
Clause 4.4 c requires you to determine criteria for effective process
operation and control. You could determine criteria to control inputs,
outputs and resources used. For example:
Raw materials as an input to production would have acceptance criteria
that it must meet before it can be used;
Finished product as an output of the production process must meet
acceptance criteria before it can be shipped to the customer;
The equipment used to transform raw materials into finished product
may have set-up and capability criteria or parameters that it must meet in
order to produce conforming product.
These criteria (controls) must be established for each QMS process.
Note that such controls may also come from the customer, regulatory or
industry bodies. Equally important are the specific methods required for
effective operation and control of each process. These may include job
travelers; work instructions; in process inspection sheet; specifications
and drawings; SPC charts; set up checklist; machine manuals; etc. Note
these control methods may apply to any or all of inputs, outputs or
conversion activities.
This clause also requires you to monitor and measure your QMS
processes. Clause 9.1 provides requirements to plan and implement these
controls for monitoring and measuring conformity to process
performance criteria determined above. Ways to monitor and measure
QMS processes may include tracking against process parameters,
goals and objectives, using tools and records such as process check-
sheets; product acceptance criteria; SPC records; production records;
maintenance records; labor records, etc. More details on monitoring and
measuring controls are covered in clause 9.1.
Under 4.4.1d, resources for QMS processes may include facility,
material, equipment, labor, supplies, utilities etc. Every QMS process
will require a different combination of resources. Resource details may
be identified in specifications, production schedules, bill of materials,
production travelers or routers, work instructions, etc. Information for
QMS processes will vary from process to process and may include
production schedules, bill of materials, product acceptance and process
performance criteria, production traveler or router, work instructions, etc.
Use clause 7.5 and other relevant clauses to control process information.
Under 4.4.1 e the organization has to ensure that adequate
responsibilities and authorities are assigned as per the requirements
given in clause 5.3.
This promotes the use of risk based thinking. Risk is defined as the
effect of uncertainty. Notes in the definition further describe risk as a
deviation from the expected, either positive or negative. The term
uncertainty is defined as a lack of information or knowledge about a
potential event that can be expressed as a result of the likelihood and
consequence of such an event. A positive deviation arising from a risk
can provide an opportunity, but not all positive effects of risk result in
opportunities. Actions to address opportunities can also include
consideration of associated risks. Clause 4.4.1 f requires that when
planning its QMS, the top management must implement and promote a
culture of risk-based thinking throughout the organization to determine
and address the risks and opportunities associated with providing
assurance that the QMS can achieve its intended result(s); provide
conforming products and services, enhance customer satisfaction;
promote desirable effects and improvement; and prevent, or mitigate,
undesired effects.
Clause 4.4.1 g requires evaluation of QMS processes as per the
requirement given in clause 9.1.3. Evaluation may be done through a
review of measurement and monitoring records and performance
indicators for each process. These reviews must identify opportunities to
improve QMS processes, use of resources and product quality. Clause
4.4.1 h calls for improvement in processes as per the requirement given
in clause 10. When process nonconformities occur, then corrective
action is required to bring the QMS process under control. Remember,
the corrective action process is not just for product related
nonconformities. Processes must be continually improved through
setting of incrementally realistic, measurable objectives. Planning for
continual improvement requires a review of process data, resources and
controls to bring about the desired change.
Clauses 4.4.1a to 4.4.1h must be applied to all QMS processes. Note also
that many ISO 9001 clauses (e.g. clause 8.2; 8.4; 8.6; etc.) require
specific processes to be established within your QMS. These processes
must also be identified and controlled in your QMS.

ISO 9001:2015
ISO 9001:2015 was released 23 September 2015.
Following are the key changes in this standard from ISO 9001:2008:
1. New Structure
The new standard has 10 clauses.
ISO is in the process of harmonizing all management system standards. For
this, a harmonized structure (Annex SL) has been developed. Some
standards such as ISO 30301:2011 (Information and documentation -
Management systems for records), ISO 22301:2012 (Societal security -
Business continuity management systems), ISO 20121:2012 (Event
sustainability management systems) have already been changed to this
new structure and some others are in the process of being revised to this
new structure.
2. Process Approach
ISO 9001:2015 promotes the process approach beyond the existing
requirements of ISO 9001:2008. Clause 4.4 (Quality management system
and its processes) provides specific requirements for adopting a process
approach.
3. Preventive Action vs Risk Management
One of the key purposes of implementing a quality management system is
to act as a preventive tool. As a result, the formal requirement related to
preventive action no longer exists in the revised standard. It is
being replaced with risk based thinking.
Although the organization is required to determine and address
risks, there is no requirement for implementing a formal risk
management process.
4. Context of the Organization
Two new clauses have been added to the standard.
4.1 Understanding the organization and its context
4.2 Understanding the needs and expectations of interested parties.
5. Quality Management Principles
Until now the standard was based on eight quality management principles.
In this standard the earlier eight principles have been reduced to
seven quality management principles. These are listed in
clause 0.2 of the standard.
Comparison between ISO 9001:2008 and ISO 9001:2015
ISO 9001:2008 | ISO 9001:2015 | Remarks
0. Introduction | 0. Introduction |
1.1 General | 1 Scope |
1.2 Application | 4.3 Determining the scope of the quality management system |
2. Normative references | 2 Normative references |
3. Terms and definitions | 3 Terms and definitions |
4. Quality Management System | 4 Context of the organization |
4.1 General Requirements | 4.4 Quality management system and its processes |
4.2 Documentation Requirements | 7.5 Documented information | Reduced requirements for documentation
4.2.1 General | 7.5.1 General |
4.2.2 Quality Manual | - | Quality Manual not required
4.2.3 Control of Documents | 7.5 Documented Information | Records and Documents are now "Documented Information"
4.2.4 Control of Records | 7.5 Documented Information | Records and Documents are now "Documented Information"
5. Management Responsibility | 5 Leadership |
5.1 Management Commitment | 5.1 Leadership and commitment |
5.2 Customer Focus | 5.1.2 Customer focus |
5.3 Quality Policy | 5.2 Policy |
5.4 Planning | 6 Planning |
5.4.1 Quality Objectives | 6.2 Quality objectives and planning to achieve them |
5.4.2 Quality Management System Planning | 6.3 Planning of changes |
5.5 Responsibility, Authority, and Communication | 5.3 Organizational roles, responsibilities and authorities |
5.5.1 Responsibility and Authority | 5.3 Organizational roles, responsibilities and authorities |
5.5.2 Management Representative | - | MR not required
5.5.3 Internal Communications | 7.4 Communication |
5.6 Management Review | 9.3 Management Review |
5.6.1 General | 9.3.1 General |
5.6.2 Review Input | 9.3.2 Management Review Inputs |
5.6.3 Review Output | 9.3.3 Management Review Outputs |
6. Resource Management | 7.1 Resources |
6.1 Provision of Resources | 7.1 Resources |
6.2 Human Resources | 7.1.2 People |
6.2.1 General | 7.2 Competence |
6.2.2 Competence, Training, and Awareness | 7.2 Competence and 7.3 Awareness |
6.3 Infrastructure | 7.1.3 Infrastructure |
6.4 Work Environment | 7.1.4 Environment for the operation of processes |
7. Product Realization | 8 Operation |
7.1 Planning of Product Realization | 8.1 Operational planning and control |
7.2 Customer-Related Processes | 8.2 Requirements for products and services |
7.2.1 Determination of Requirements Related to the Product | 8.2.2 Determining of requirements related to products and services |
7.2.2 Review of Requirements Related to the Product | 8.2.3 Review of requirements related to products and services |
7.2.3 Customer Communication | 8.2.1 Customer communication |
7.3 Design and Development | 8.3 Design and development of products and services |
7.3.1 Design and Development Planning | 8.3.2 Design and development planning |
7.3.2 Design and Development Inputs | 8.3.3 Design and development inputs |
7.3.3 Design and Development Outputs | 8.3.5 Design and development outputs |
7.3.4 Design and Development Review | 8.3.4 Design and development controls |
7.3.5 Design and Development Verification | 8.3.4 Design and development controls |
7.3.6 Design and Development Validation | 8.3.4 Design and development controls |
7.3.7 Control of Design and Development Changes | 8.3.6 Design and development changes |
7.4 Purchasing | 8.4 Control of externally provided processes, products and services |
7.4.1 Purchasing Process | 8.4.1 General |
7.4.2 Purchasing Information | 8.4.3 Information for external providers |
7.4.3 Verification of Purchased Product | 8.4.2 Type and extent of control and 8.6 Release of products and services |
7.5 Production and Service Provision | 8.5 Production and service provision |
7.5.1 Control of Production and Service Provision | 8.5.1 Control of production and service provision |
7.5.2 Validation of Processes for Production and Service Provision | 8.5.1 Control of production and service provision |
7.5.3 Identification and Traceability | 8.5.2 Identification and traceability |
7.5.4 Customer Property | 8.5.3 Property belonging to customers or external providers |
7.5.5 Preservation of Product | 8.5.4 Preservation |
7.6 Control of Monitoring and Measuring Equipment | 8.5.1 Control of production and service provision |
8. Measurement, Analysis, and Improvement | 9.1 Monitoring, measurement, analysis and evaluation |
8.1 General | 9.1.1 General |
8.2 Monitoring and Measurement | 9.1.1 General |
8.2.1 Customer Satisfaction | 9.1.2 Customer satisfaction |
8.2.2 Internal Audit | 9.2 Internal Audit |
8.2.3 Monitoring and Measurement of Processes | 9.1.3 Analysis and evaluation |
8.2.4 Monitoring and Measurement of Product | 8.6 Release of products and services |
8.3 Control of Nonconforming Product | 8.7 Control of nonconforming outputs |
8.4 Analysis of Data | 9.1.3 Analysis and evaluation |
8.5 Improvement | 10 Improvement |
8.5.1 Continual Improvement | 10.3 Continual improvement | Continual deleted in CD, but is back in the revised standard
8.5.2 Corrective Action | 10.2 Nonconformity and corrective action |
8.5.3 Preventive Action | 6.1 Actions to address risks and opportunities | PA is being replaced with risk based thinking

Understanding structure terminology and concept of ISO 9001:2015


Understanding ISO 9001:2015
This post is a review of the Draft International Standard (DIS) of ISO
9001 published on 14th May 2014 and should be read along with my
post Seven principles of Quality management as per ISO 9001:2015
committee draft. The information presented in this post related to the
revision of ISO 9001 is not final and should not be used for making
changes to existing quality management systems. The contents of ISO
9001:2015 are subject to change and should not be used in any
contractual or legally binding agreements.
1. Structure and terminology
The most significant change we will see in ISO 9001:2015 is the new
structure. The reason for the change is to adopt the common approach
outlined in Annex SL, the new document that all ISO management
system standards, including ISO 9001, ISO 14001 and the recently
released ISO 27001, must follow. Currently, ISO 9001 contains 8
sections, of which four attempt to approximate plan, do, check, act.
The new structure, based on Annex SL, has 10 sections, four of which
also approximate to plan, do, check, act. All new management system
standards will have this common structure. Here is the new structure:
Scope
This section describes the scope of the management system standard and
will be unique to the individual standard.
Normative References
This section references other relevant standards, which are indispensable
for the application of the document and will also be unique.
Terms and Definitions
Section three contains definitions, and while some of these are common
terms related to Annex SL, other definitions will be unique to the
management system standard.

Context of the Organization


This part is about understanding the organization's purpose, the
management system and who the stakeholders are. It describes how to
set up the management system and is similar in some respects to the old
section 4 except that it explicitly requires a broader understanding of the
situation and needs of the business.
4.1 Understanding the organization and its context.
A new requirement, one of several that might suggest a greater union
between the QMS and wider business planning activities. Requires
organisations to ascertain, monitor and review both internal and external
issues that are relevant to its purpose and strategic direction, and have
the ability to impact the QMS and its intended results.
4.2 Understanding the needs and expectations of interested parties.
A broadening of scope beyond just customers. Requires the organisation
to determine the relevant requirements of relevant interested parties,
e.g. a person or organization that can affect, be affected by, or perceive
themselves to be affected by a decision or activity.
4.3 Determining the scope of the QMS.
The scope statement must state the products and services covered.
4.4 The QMS and its processes.
A major change that specifies a number of factors to be considered when
planning the processes that make up the QMS. Although a process-
planning approach has been previously expressed in earlier standards,
this greatly reinforces the requirement.
Leadership
This section provides requirements for commitment, policy and
responsibilities. This section is similar to the old section 5 on
Management but the emphasis is perhaps more on leadership than just
management. This is a soft requirement and it will be interesting to see
how it develops.
5.1 Leadership and commitment.
Greater emphasis is placed on the role of top management. Requires top
management to demonstrate leadership and commitment, and suggests
that a more hands-on approach is expected.
5.2 Quality policy.
Policy requirements are enhanced. A requirement is introduced that the
quality policy is appropriate to the context of the organization, and that it
is applied throughout the organization.
5.3 Organizational roles, responsibilities and authorities.
The requirement for a Management representative is no longer specified.
The duties previously assigned to that role may now be assigned to any
role or split across several roles.
Planning
Planning is now a section on its own. Planning was always covered by
the current standard in sections 4.1, 6.1, 7.1 and 8.1 but the new
structure includes risk (which is now a clear requirement) and
opportunities, the setting of goals and objectives to achieve plans, and
resources. Interestingly, risk was introduced in AS9100 (the aerospace
version of ISO 9001) in a similarly limited manner. In the latest version
of AS9100, however, risk was expanded, and the standard defines a number of
specific requirements/activities for a risk process. It will be interesting to
see whether ISO will leave the requirement for risk as a general
requirement as defined in Annex SL or whether it will take AS's lead
and expand it. This planning section also requires a greater application
of goals and objectives to integrate with the management system's
planning and operation to generally facilitate success of the organization.
6.1 Actions to address risks and opportunities.
A major change introduced to require a risk-based approach. In addition
to this clause, references to the terms "risk" and "opportunity" are made
throughout the standard.
6.2 Quality objectives and planning to achieve them.
Requirements for objective planning are tightened up. An objective
should include a description of who is responsible, what the target is, and
when it is planned to be achieved. Progress must be monitored. Also
requires objectives to be set for relevant processes.
6.3 Planning of changes.
The clause lists items to be considered in change management.
Support
The support section includes most of the expected support processes that
exist in an organization and which are covered in the current ISO
standard. Human resources is renamed as competence, and
communication, which will require a new approach in most
organizations, is given its own section rather than a mention as a
management responsibility. Finally, document control has been renamed
documented information. It now covers both procedure/document
control and records control.
7.1 Resources.
7.2 Competence.
7.3 Awareness.
There is an expansion of application from personnel to persons doing
work under the organization's control.
7.4 Communication.
Now includes external communication about the QMS.
7.5 Documented information.
New requirement to determine, make available, and maintain
knowledge. No requirement for quality manual or procedures.
Documents, Documentation and Records are combined to become
Documented information.
Requirements are expanded to mention issues such as confidentiality,
access, and (data) integrity. This suggests an adoption of information
security considerations in recognition of the increasing use of electronic
documents/data.
Operation
This is a relatively short section, which essentially says "Do a good job
at whatever your management system is trying for". In the case of ISO
9001, that is quality and in the early drafts we have seen of ISO 9001,
significant familiar content is added here including design, customers,
purchasing and production/service (although many of the sections have
new titles). In a welcome change of terminology, the rather clumsy
"Product realization" becomes "Operations".
8.1 Operational planning and control.
8.2 Determination of requirements for products and services.
8.3 Design and development of products and services.
This may be interpreted that more organizations do some form of design
and development.
8.4 Control of externally provided products and services.
An expansion of scope from just "suppliers" to also include other
external providers of products and services. "Purchasing" and "Purchased
product" become "Externally provided products and services".
8.5 Production and service provision.
An expansion on previous requirements e.g. documented information to
specify intended results, and to determine the nature and extent of any
post-delivery (after-sales) activities.
8.6 Release of products and services.
8.7 Control of nonconforming process outputs, products and services.
Performance Evaluation
The section on evaluation includes monitoring, measurement and
analysis, internal audits and management review. All familiar topics with
some subtle changes.
9.1 Monitoring, measurement, analysis and evaluation.
There is a new requirement to obtain information relating to customer
views and opinions of the organisation.
9.2 Internal audit.
Audit schedule must take customer feedback into account.
9.3 Management review.
Expanded requirements for management review inputs or agenda.
Improvement
Improvement covers nonconformity and corrective action, as well as
continual improvement, all of which are outlined in section 8 of the
current standard. There is no preventive action section any more as
effectively it is replaced by risk under planning; improvement is now
defined as a proactive planning activity.
10.1 General.
10.2 Nonconformity and corrective action.
Specific reference to preventive action is removed.
Now includes an additional requirement to record the nature of
nonconformities.
On discovering a nonconformity, an explicit requirement is introduced
for organisations to determine whether other similar nonconformities
actually exist, or could potentially exist.
10.3 Continual improvement.
The structure is based on the mandate that Annex SL from the ISO
Directives be applied to management system standards. The clause
structure and some of the terminology in ISO 9001:2015 are different from
ISO 9001:2008 to improve alignment with other management system
standards. The structure is to provide a presentation of requirements. It is
not a model for documenting the organization's policies,
objectives and processes. There is no requirement for the structure of an
organization's quality management system documentation to mirror that
of this International Standard.
Major differences in terminology between ISO 9001:2008 and ISO
9001:2015
ISO 9001:2008 | ISO 9001:2015 (Proposed)
Products | Products and services
Exclusions | Applications
Documentation, records | Documented information
Work Environment | Environment for the operation of processes
Purchased Product | Externally provided products and services
Supplier | External provider
2. Products and services
ISO 9001:2008 used "product" to include all output categories such as
products, services, processed materials, and hardware. In ISO 9001:2015
the term "product" has been replaced by the term "product and services" and
includes all output categories such as hardware, services, software and
processed materials. The term "services" is to highlight the difference
between products and services in the application of some requirements.
In most cases, the terms are used together. In some cases, the word
"product" is only used to specify a certain requirement.
3. Context of the organization
An organization's context involves its operating environment. The
context must be determined both within the organization and external to
the organization. To establish the context means to define the external
and internal factors that organizations must consider when they
manage risks. An organization's external context includes its outside
stakeholders, its local operating environment, as well as any external
factors that influence the selection of its objectives (goals and targets) or
its ability to meet its goals. An organization's internal context includes
its internal stakeholders, its approach to governance, its contractual
relationships with its customers, and its capabilities and culture.
The internal context may include, but is not limited to:
Product and service offerings
Governance, organizational structure, roles, and accountability.
Regulatory requirements
Policies and goals, and the strategies that are in place to achieve them.
Assets like facilities, property, equipment and technology
Capabilities, understood in terms of resources and knowledge like
capital, time, people, processes, systems, and technologies.
Information systems, information flows, and decision-making processes
(both formal and informal).
Relationships of the staff/volunteers/members and the perceptions and
values of their internal stakeholders including suppliers and partners.
Organization's culture.
Standards, guidelines, and models adopted by the organization and
Form and extent of the organization's contractual relationships.
The external context's micro-environment consists of the organization's
immediate operations and how they affect its performance and
decision-making. Some of the micro-environmental context factors are:
Customers
Organizations must attract and retain customers by offering products and
services that meet their needs along with providing excellent customer
service.
Employees/Members/Volunteers
There must be availability of people with the motivation to remain as
contributing members of the organization and develop the skills
necessary to provide a competitive edge.

Suppliers
Suppliers provide organizations with the resources they need to carry
out their activities. If a supplier provides bad service, this affects the way
the organization operates. Close supplier relationships are an effective
way to remain competitive and secure the resources needed.
Investors
All organizations require investment to grow. They may borrow the
money from a bank or have people invest in their work. Relationships
with investors need to be managed carefully as problems can
detrimentally affect the long term success of the organization.
Media
Positive media attention can bring success to the organization by
maintaining its reputational strength. Managing the media (including the
presence in social media) is a challenge.
Competitors
Members of the organization need to have a sense of belonging. Can
the organization offer benefits that are better than those offered by the
competitors? Is there a strong value proposition? Competitor analysis
and monitoring is crucial if an organization is to maintain or improve its
position in the competitive landscape of the community. The
organization must always be aware of its competitors' activities. The
landscape can change quickly.
There are two new clauses relating to the context of the organization: 4.1
Understanding the organization and its context and 4.2 Understanding
the needs and expectations of interested parties. Together these clauses
require the organization to determine the issues and requirements that
can impact on the planning of the quality management system. Interested
parties cannot go beyond the scope of ISO 9001. There is no requirement
to go beyond interested parties that are relevant to the quality
management system. Consider impact on the organization's ability to
consistently provide products and services that meet customer and
applicable statutory and regulatory requirements or the organization's
aim to enhance customer satisfaction. Organizations can go beyond the
minimum requirements to determine additional needs and expectations
for interested parties that would not otherwise be relevant, at the
discretion of the organization, and this should be made clear in the
quality management system.
Clause 4.1 Understanding the Organization and its context
The organization should determine external and internal issues
relevant to its purpose and strategic planning and which affect
the organization's ability to achieve its objectives. The organization
should monitor and review the information about external and internal
issues. Management Review requires the monitoring of external and
internal issues. The organization must consider issues related to values,
culture, knowledge and performance of the organization for
understanding of internal issues. The organization must consider issues
arising from legal, technological, competitive, market,
cultural, social, and economic environments, whether international,
national, regional or local, for understanding of external context.
Clause 4.2 Understanding the needs and expectations of interested
parties
The organization shall determine relevant interested parties and
requirements of relevant interested parties. Interested parties include
Customers, Partners, Persons in the organization, External providers.
Relevant interested parties to be considered are those that potentially
could impact the organization's ability to provide products and services
that meet requirements. Monitor and review information related to
interested parties and relevant requirements. Management Review
requires the monitoring of relevant interested parties.
Clause 4.3 Determining the scope of the quality management system
The organization must establish the scope of the quality management system
by determining the boundaries and applicability of the quality
management system. While determining the scope the organization must
consider the internal and external issues determined in 4.1, the
requirements of relevant interested parties in 4.2 and the products and
services of the organization. Requirements that can be applied by the
organization shall be applied. Requirements that cannot be applied
cannot affect the organization's ability to provide product and services
that meet requirements. The organization must maintain the scope as
documented information, stating the products and services covered by
the QMS and any justification where a requirement cannot be applied.
Any interested party which is not relevant to the quality management
system need not be considered and similarly any requirement of the
interested party need not be considered. Determining what is relevant or
not relevant is dependent on whether or not it has an impact on the
organization's ability to consistently provide products and services that
meet customer and applicable statutory and regulatory requirements or
the organization's aim to enhance customer satisfaction. The
organization can decide to determine additional needs and expectations
that will meet its quality objectives. However, it is at the organization's
discretion whether or not to accept additional requirements to satisfy
interested parties beyond what is required by this Standard.

Context of the Organization


Definition
As per ISO DIS 9000:2014, the definition of Context of the
Organization is business environment, combination of internal and
external factors and conditions that can have an effect on an
organization's approach to its products, services and investments and
interested parties. The note states that this concept of Context of
Organization is equally applicable to not-for-profit organizations, public
service organizations and governmental organizations. Also in normal
language this concept is known as business environment,
organizational environment or ecosystem of an organization.
Introduction:
The implementation of QMS should be the strategic decision of the
organization and is influenced by the context of the organisation and the
changes in that context. The changes in the context can be with respect
to its specific objectives, the risks associated with its context and
objectives, the needs and expectations of its customers and other
relevant interested parties, the products and services it provides, the
complexity of processes it employs and their interactions, the
competence of persons within or working on behalf of the organization
and its size and organizational structure. The context of an organization
will include internal factors such as organizational culture, and external
factors such as the socio-economic conditions under which it
operates. The scope of ISO DIS 9001:2015 states that the organization needs
to demonstrate its ability to consistently provide products and services
that meet customer and applicable statutory and regulatory requirements
and aims to enhance customer satisfaction.
Any interested party which is not relevant to the quality management
system need not be considered and similarly any requirement of the
interested party need not be considered. Determining what is relevant or
not relevant is dependent on whether or not it has an impact on the
organization's ability to consistently provide products and services that
meet customer and applicable statutory and regulatory requirements or
the organization's aim to enhance customer satisfaction. The
organization can decide to determine additional needs and expectations
that will meet its quality objectives. However, it is at the organization's
discretion whether or not to accept additional requirements to satisfy
interested parties beyond what is required by this Standard.
There is a new clause relating to the context of the organization:
Clause 4 Context of the organization
This clause requires the organization to determine the issues and
requirements that can impact on the planning of the quality management
system. Interested parties cannot go beyond the scope of ISO 9001. There
is no requirement to go beyond interested parties that are relevant to the
quality management system. Consider the impact on the organization's
ability to consistently provide products and services that meet customer
and applicable statutory and regulatory requirements or the
organization's aim to enhance customer satisfaction. Organizations can,
at their discretion, go beyond the minimum requirements to determine
additional needs and expectations for interested parties that would not
otherwise be relevant, and this should be made clear in the quality
management system.
Clause 4.1 Understanding the Organization and its context
The organization should determine the external and internal issues that
are relevant to its purpose and strategic planning and that affect
the organization's ability to achieve its objectives. The organization
should monitor and review the information about external and internal
issues. Management Review requires the monitoring of external and
internal issues. The organization must consider issues related to values,
culture, knowledge and performance of the organization for
understanding of internal issues. The organization must consider issues
arising from legal, technological, competitive, market,
cultural, social, and economic environments, whether international,
national, regional or local, for understanding of external context.
Clause 4.2 Understanding the needs and expectations of interested
parties
The organization shall determine relevant interested parties and
requirements of relevant interested parties. Interested parties include
Customers, Partners, Persons in the organization, External providers.
Relevant interested parties to be considered are those that potentially
could impact the organization's ability to provide products and services
that meet requirements. Monitor and review information related to
interested parties and relevant requirements. Management Review
requires the monitoring of relevant interested parties.
Clause 4.3 Determining the scope of the quality management system
The organization must establish the scope of the quality management system
by determining the boundaries and applicability of the quality
management system. While determining the scope the organization must
consider the internal and external issues determined in 4.1, the
requirements of relevant interested parties in 4.2 and the products and
services of the organization. Requirements that can be applied by the
organization shall be applied. Requirements that cannot be applied
cannot affect the organization's ability to provide products and services
that meet requirements. The organization must maintain the scope as
documented information, stating the products and services covered by
the QMS and any justification where a requirement cannot be applied.
Clause 4.4 Quality management system and its processes
The organization must establish, implement, maintain and continually
improve its quality management system as per the requirements of this
standard by determining the processes needed and their application
throughout the organization. While determining the processes, the
organization must determine the inputs required and the outputs
expected from these processes, and the sequence and interaction of these
processes. The organization must control these processes to ensure their
effective operation. The organization must establish the criteria and
methods, which may include measurements and other related
performance indicators, to control these processes. The organization must
ensure the availability of the resources needed for effective operation of
these processes. The personnel having authorities and responsibilities for
these processes must be identified. The organization must analyse these
processes for risks and must take appropriate action to
address them. There must be methods for monitoring, measuring, as
appropriate, and evaluation of these processes. The organization must
make changes in its processes if they fail to achieve results. The organization
must look for opportunities to improve these processes and the quality
management system as a whole. The organization shall maintain
documented information to the extent necessary to support the operation
of processes and retain documented information to the extent necessary
to have confidence that the processes are being carried out as planned.
Understanding context
An organization's context involves its operating environment. The
context must be determined both within the organization and external to
the organization. It is important to understand the unique context of an
organization before starting the strategic planning. To establish the
context means to define the external and internal factors that
organizations must consider when they manage risks. An organization's
external context includes its outside stakeholders, its local operating
environment, as well as any external factors that influence the selection
of its objectives (goals and targets) or its ability to meet its goals. An
organization's internal context includes its interested parties, its
approach to governance, its contractual relationships with its customers,
and its capabilities and culture. An organization's internal context is the
internal environment within which the organization seeks to achieve its
sustainability goals. The internal context may include:
Product and service offerings
Governance, organizational structure, roles, and accountability
Regulatory requirements
Policies and goals, and the strategies that are in place to achieve them,
Assets (e.g., facilities, property, equipment and technology)
Capabilities, understood in terms of resources and knowledge (e.g.,
capital, time, people, processes, systems, and technologies)
Information systems, information flows, and decision-making processes
(both formal and informal)
Relationships of the staff/volunteers/members and the perceptions and
values of their internal stakeholders including suppliers and partners
Organization's culture
Standards, guidelines, and models adopted by the organization, and
Form and extent of the organization's contractual relationships.
Internal context can also be defined as anything within the organization
that may influence the way in which the organization manages its
internal risks. Once the internal context is understood, one can conduct
the macro-environmental external analysis using PEST (political,
economic, social and technological) analysis. This analysis determines
which factors can influence how the organization operates. The
organization cannot control these factors, but it must seek to adapt to
them. The PEST factors can be classified as opportunities and threats in
a SWOT (strengths, weaknesses, opportunities and threats) analysis.
Alternatively, some organizations might use Porter's Five Forces
Model. These methods are used to review a strategy or position or
direction of an organization. Completing a PEST analysis is simple and
helps the individuals involved in the organization to understand and find
ways to deal with the context.
Political Factors
Ecological/Environmental Issues
Current legislation
Anticipated future legislation
International legislation
(global influences)
Regulatory bodies and processes
Government policies, terms and change
Funding, grants, and initiatives
Market lobbying groups
Wars and conflicts

Economic Factors
National economies and trends
General taxation issues
Taxation to activities, products, services
Seasonality or other weather issues
Market and trade cycles
Specific sector factors
Customer/end-user drivers
Interest and exchange rates
International trade and monetary issues

Technology Factors
Competing technology development
Associated/Dependent technologies
Replacement technology/Solutions
Maturity of Technology
Information and communications
Consumer buying mechanisms
Technology legislation
Innovation potential
Technology access, licensing, patents
Intellectual property issues
Global communication
Social media use
Maturity of organization's products / services

Social Factors
Lifestyle trends
Demographics
Consumer attitudes and opinions
Media views
Law changes affecting social behaviors
Image of the organization
Consumer buying patterns
Fashion and role models
Major events and influences
Buying access and trends
Ethnic/Religious factors
Advertising and publicity
Ethical issues

Although organizations cannot control macro-environment factors they
need to manage them to their advantage. They also need to protect
themselves from PEST factors which may increase operational costs or
affect their reputation. The external context's micro-environment
consists of the organization's immediate operations and how they affect
its performance and decision-making. These factors have a direct impact
on the success of the organization. It is important to conduct a full
analysis of the micro-environment before moving to strategy
development. Here are some of the micro-environmental context factors.
Customers:
Organizations must attract and retain customers by offering products and
services that meet their needs along with providing excellent customer
service.
Employees:
There must be availability of people with the motivation to remain as
contributing members of the organization and develop the skills
necessary to provide a competitive edge
Suppliers:
Suppliers provide organizations with the resources they need to carry out
their activities. If a supplier provides bad service, this affects the way the
organization operates. Close supplier relationships are an effective way
to remain competitive and secure the resources needed
Investors:
All organizations require investment to grow. They may borrow the
money from a bank or have people invest in their work. Relationships
with investors need to be managed carefully as problems can
detrimentally affect the long term success of the organization
Media:
Positive media attention can bring success to the organization by
maintaining its reputational strength. Managing the media (including the
presence in social media) is a challenge.
Competitors:
Members of the organization need to have a sense of belonging. Can the
organization offer benefits that are better than those offered by the
competitors? Is there a strong value proposition? Competitor analysis
and monitoring is crucial if an organization is to maintain or improve its
position in the competitive landscape of the community. The
organization must always be aware of its competitors' activities. The
landscape can change quickly.
As in the case of the macro-environmental context, the organization
cannot always control its micro-environment factors. But they must be
carefully managed together and with the internal context understanding.

4. Risk-based approach
The main objectives of ISO 9001 are to provide confidence in the
organization's ability to consistently provide customers with conforming
goods and services and to enhance customer satisfaction. The concept of
risk in the context of ISO 9001 relates to the uncertainty in achieving
these objectives. This International Standard makes risk-based thinking
more explicit and incorporates it in requirements for the establishment,
implementation, maintenance and continual improvement of the quality
management system. Organizations can implement a formal risk
management program such as ISO 31000, but there is no requirement to do
so. The concept of risk has always been implicit in ISO 9001; this
revision makes it more explicit and builds it into the whole management
system. Risk-based thinking is already part of the process approach.
Risk-based thinking makes preventive action part of the routine.
Risk-based thinking can also help to identify opportunities. Organizations are
required to understand the context of the organization and any external
and internal issues (clause 4.1). Risks and opportunities are determined in
clause 6.1. One of the key purposes of a quality management system is to
act as a preventive tool. ISO 9001:2015 does not have a separate clause
titled "preventive action". The concept of preventive action is controlled
through risk-based thinking and managing risks and opportunities
identified in clause 6.1.

Clause 6.1 Actions to address risks and opportunities


Consider the issues determined in clause 4.1 and consider the
requirements for relevant interested parties. The organization should determine
risks and opportunities to assure that the quality management
system can achieve its objective, to prevent or reduce undesired
effects, and for continual improvement. Intended results cannot be
achieved. The organization shall plan actions to address risks and
opportunities, which should be appropriate to the potential impact. The
actions to address risks and opportunities must be integrated and implemented into
the QMS processes. The effectiveness of these actions must be evaluated.
NOTE: No formal risk management program is required.
5. Applicability
The revised standard will focus on application and not exclusions. There
are no limits as to which clauses application can be
determined for. Justification will be required as documented information to
ensure that limited application does not affect the organization's ability
to provide products and services. The application of
requirements may vary. Where a requirement can be applied within the
scope of its quality management system, the organization cannot decide
that it is not applicable. Where a requirement cannot be applied (for
example where the relevant process is not carried out) the organization
can determine that the requirement is not applicable. However, this
non-applicability cannot be allowed to result in failure to achieve conformity
of products and services or to meet the organization's aim to enhance
customer satisfaction. A manufacturing organization that does not have
any monitoring and measuring resources could determine that the requirements
in 7.1.5 do not apply. Organizations that build from a customer-provided
design could determine that the requirements for design in 8.3 do not
apply. Organizations could not determine that requirements such as
competence are not applicable, since this directly affects the ability to
provide product that meets requirements.
6 Documented information
The terms "documented procedure" and "record" have both been replaced
by "documented information". Where ISO 9001:2008 would have
referred to documented procedures (e.g. to define, control or support a
process) this is now expressed as a requirement to maintain documented
information. Where ISO 9001:2008 would have referred to records this
is now expressed as a requirement to retain documented information. The
current draft of ISO 9001 does not require a quality manual or
documented procedure, as Annex SL does not require documented
procedures or a quality manual. The requirements in 7.5 are similar to
ISO 9001:2008 4.2.3 Control of documents and 4.2.4 Control of
Records.
7 Organisational knowledge
The organization shall determine the knowledge necessary for the
operation of the QMS, to ensure conformity of products and services, and to
enhance customer satisfaction. The organization is responsible for
maintaining, protecting and making sure the knowledge is available (as
necessary).
Knowledge is to be considered when making changes to the
organization. Depending on the size and complexity of the
organization, the risks and opportunities it needs to address, and the need for
accessibility of knowledge, the process for considering and controlling
past, existing and additional knowledge needs is to be considered. As
long as the conformity of products and services can be achieved, the balance
between knowledge held by competent people and knowledge made
available by other means is at the discretion of the
organization. Consideration can be given to whether competent
employees have this knowledge.

8 Control of externally provided products and services


The terms "Supplier" and "Outsourcing" have been replaced by the term
"external provider", which includes purchasing from suppliers,
arrangement with an associate/sister company, and outsourcing of processes
and functions. The term "Purchased products" has been replaced with the
term "externally provided products and services". Clause 8.4 Control of
externally provided products and services addresses all forms of external
provision, whether it is by purchasing from a supplier, through an
arrangement with an associate company, through the outsourcing of
processes and functions of the organization or by any other means. The
organization is required to take a risk-based approach to determine the
type and extent of controls appropriate to particular external providers
and externally provided products and services.

Risk Based Thinking ISO 9001:2015


One of the key changes in the 2015 revision of ISO 9001 is to establish a
systematic approach to risk, rather than treating it as a single component
of a quality management system. In previous editions of ISO 9001, a
clause on preventive action was separated from the whole. Now risk is
considered and included throughout the standard. By taking a risk-based
approach, an organization becomes proactive rather than purely reactive,
preventing or reducing undesired effects and promoting continual
improvement. Preventive action is automatic when a management
system is risk-based. Risk-based thinking is something we all do
automatically and often subconsciously. For example, if I wish to cross a road
I look for traffic before I begin. I will not step in front of a moving car.
The concept of risk has always been implicit in ISO 9001; this revision
makes it more explicit and builds it into the whole management system.
Risk is considered from the beginning and throughout the standard,
making preventive action part of strategic planning as well as operation
and review. Risk-based thinking is already part of the process approach.
For example, to cross the road I may go directly or I may use a nearby
footbridge. Which process I choose will be determined by considering
the risks. Risk-based thinking makes preventive action part of the
routine. Risk is often thought of only in the negative sense. Risk-based
thinking can also help to identify opportunities. This can be considered
to be the positive side of risk. Crossing the road directly gives me an
opportunity to reach the other side quickly, but there is an increased risk
of injury from moving cars. The risk of using a footbridge is that I may
be delayed. The opportunity of using a footbridge is that there is less
chance of being injured by a car. Opportunity is not always directly
related to risk but it is always related to the objectives. By considering a
situation it may be possible to identify opportunities to improve. The
opportunities for improvement include a subway leading directly under the
road, pedestrian traffic lights, or diverting the road so that the area has
no traffic. It is necessary to analyse the opportunities and consider which
can or should be acted on. Both the impact and the feasibility of taking
an opportunity must be considered. Whatever action is taken will change
the context and the risks, and these must then be reconsidered.

The main objectives of ISO 9001 are to provide confidence in the
organization's ability to consistently provide customers with conforming
goods and services and to enhance customer satisfaction. The concept of
risk in the context of ISO 9001 relates to the uncertainty in achieving
these objectives.

DEFINITIONS
ISO 9001:2015 defines risk as the effect of uncertainty on an expected
result.
Risk = Effect of uncertainty on an expected result
An effect is a deviation from the expected, positive or negative.
Risk is about what could happen and what the effect of this happening
might be.
Risk also considers how likely it is.
The target of a management system is to achieve conformity and customer
satisfaction.

Risk as Currently Stated in ISO 9001:2015


ISO 9001:2015 uses risk-based thinking to achieve this in the following
way:
Clause 4 (Context): the organization is required to determine the risks
which may affect this.
Clause 5 (Leadership): top management are required to commit to
ensuring Clause 4 is followed.
Clause 6 (Planning): the organization is required to take action to identify
risks and opportunities.
Clause 8 (Operation): the organization is required to implement processes
to address risks and opportunities.
Clause 9 (Performance evaluation): the organization is required to
monitor, measure, analyse and evaluate the risks and opportunities.
Clause 10 (Improvement): the organization is required to improve by
responding to changes in risk.
ISO 9001:2015 subclause 4.4.2 Process approach
The organization shall:
d) determine the risks to conformity of goods and services and customer
satisfaction if unintended outputs are delivered or process interaction is
ineffective;
"Unintended outputs" in ISO 9001:2015 can mean the same as "nonconforming
products" in ISO 9001:2008.
Unintended output from a process can be: reprocessed/rework,
scrapped, or sold at a discount. The risk of producing unintended output
should theoretically be set at zero or near zero but is rarely achieved; the
analogy would be a process operating at 4.5 sigma vs. 5 or higher. The
lower the parts per million, the lower the risk of producing unintended
output. However, one must not forget that depending on the industry
(e.g., medical vs. pencil manufacturers), these risks have different end-
user impact and costs.
5.1.2 Leadership and commitment with respect to the needs and
expectations of customers
Top management shall demonstrate leadership and commitment with
respect to customer focus by ensuring that:
a) the risks which can affect conformity of goods and services and
customer satisfaction are identified and addressed;
This can be achieved by establishing process capabilities for each
process from manufacturing and assembly to packaging and product
delivery and installation. The computation of a simple indicator of
process capability (Cp) or the adjustment of the process capability
toward a specification (Cpk) would help managers quantify their process
risk. The objective would be to achieve the highest economically
feasible capability for each process, thus minimizing the risk of
producing so-called unintended output.
6.1 Actions to address risks and opportunities
6.1.1 When planning for the quality management system, the
organization shall consider the issues referred to in 4.1 and the
requirements referred to in 4.2 (4.2 Understanding the needs and
expectations of interested parties) and determine the risks and
opportunities that need to be addressed to:
a) assure the quality management system can achieve its intended
outcome(s)
b) assure that the organization can consistently achieve conformity of
goods and services and customer satisfaction
c) prevent, or reduce, undesired effects, and
d) achieve continual improvement.
6.1.2 The organization shall plan:
a) actions to address these risks and opportunities, and
b) how to
1) integrate and implement the actions into its quality management
system processes (see 4.4), and
2) evaluate the effectiveness of these actions.
Any actions taken to address risks and opportunities shall be
proportionate to the potential effects on conformity of goods and
services and customer satisfaction.

8.3 Operational planning process

In preparing for the realization of goods and services, the organization
shall implement a process to determine the following, as appropriate:
b) actions to identify and address risks related to achieving conformity
of goods and services to requirements;

8.5.1 Development processes

In determining the stages and controls for the development processes,
the organization shall take account of:
e) the determined risks and opportunities associated with the
development activities with respect to
1) the nature of the goods and services to be developed and potential
consequences of failure
2) the level of control expected of the development process by customers
and other relevant interested parties, and
3) the potential impact on the organization's ability to consistently meet
customer requirements and enhance customer satisfaction.

8.6.5 Post delivery activities

The extent of post delivery activities that are required shall take
account of:
a) the risks associated with the goods and services

This sounds like a rephrasing of warranty-cost analysis; major
companies have done this for a long time, but I don't know about small
to medium-size companies.

9.1 Monitoring, measurement, analysis and evaluation

The organization shall take into consideration the determined risks and
opportunities and shall:

There are important issues to address relating to inaccurate
measurements or insufficient measurements. Gauge repeatability and
reproducibility (Gauge R&R) addresses many if not most of these issues
and I don't see how adding the word risk brings any value to this
paragraph except that now one must think of the missed opportunities
for measuring (or rather, not measuring) and the associated risk.

9.2 Internal audit

The organization shall:
a) plan, establish, implement and maintain an audit program(s),
including the frequency, methods, responsibilities, planning
requirements and reporting. The audit program(s) shall take into
consideration the quality objectives, the importance of the processes
concerned, the related risks, and the results of previous audits;

Internal auditors would now have to assess the risk of failing to do
something or the risk of not following a procedure. This would be
challenging to quantify and assess. Potential risks would also have to be
assessed, which would be even more challenging.

10.2 Improvement

The organization shall improve the quality management system,
processes and goods and services, as appropriate, through responding to:
c) changes in identified risk (see 6.1);
One could do failure mode and effects analysis (FMEA) to show that the
risk-priority number has decreased as a result of a process change. This
would not be difficult to do but would be full of uncertainties because FMEA is
based on subjective assessment.

Use of risk based thinking.

By considering risk-based thinking throughout the organization the
likelihood of achieving stated objectives is improved, output is more
consistent and customers can be confident that they will receive the
expected product or service.

Risk-based thinking therefore:


builds a strong knowledge base
establishes a proactive culture of improvement
assures consistency of quality of goods or services
improves customer confidence and satisfaction
Risk-driven approach in organizational processes.

Identify what the risks and opportunities are; this depends on context. For
example, if I cross a busy road with many fast-moving cars the risks are
not the same as if the road is small with very few moving cars. It is also
necessary to consider such things as weather, visibility, personal
mobility and specific personal objectives.

Analyse and prioritize your risks and opportunities.

What risk is acceptable, what is unacceptable? What advantages or
disadvantages are there to one process over another? For example, I
need to safely cross a road to reach a meeting at a given time. It is
UNACCEPTABLE to be injured. It is UNACCEPTABLE to be late. The
opportunity of reaching my goal more quickly must be balanced against
the likelihood of injury. It is more important that I reach my meeting
uninjured than it is for me to reach my meeting on time. It may be
ACCEPTABLE to delay arriving at the other side of the road by using a
footbridge if the likelihood of being injured by crossing the road directly
is high. I analyse the situation. The footbridge is 200 metres away and
will add time to my journey. The weather is good, the visibility is good
and I can see that the road does not have many cars at this time. I decide
that walking directly across the road carries an acceptably low level of
risk of injury and an opportunity to reach my meeting on time.

Plan actions to address the risks


How can I avoid or eliminate the risk? How can I mitigate risks? For
example, I could eliminate the risk of injury by using the footbridge but I
have already decided that the risk involved in crossing the road is
acceptable. Now I plan how to reduce the likelihood of injury and/or the
effect of injury. I cannot reasonably expect to control the effect of a car
hitting me. I can reduce the probability of being hit by a car. I plan to
cross at a time when there are no cars moving near me and so reduce the
likelihood of an accident. I also choose to cross the road at a place where
I have good visibility and can safely stop in the middle to re-assess the
number of moving cars, further reducing the probability of an accident.

Implement the plan: take action

For example I move to the side of the road, check there are no barriers to
crossing and that there is a safe place in the centre of the moving traffic.
I check there are no cars coming. I cross half of the road and stop in the
central safe place. I assess the situation again and then cross the second
part of the road.

Check the effectiveness of the actions: does it work?

For example, I arrive at the other side of the road unharmed and on time:
this plan worked and undesired outcomes have been avoided.

Learn from experience: continual improvement

For example, I repeat the plan over several days, at different times and in
different weather conditions. This gives me data to understand that
changing context (time, weather, quantity of cars) directly affects the
effectiveness of the plan and increases the probability that I will not
achieve my objectives of being on time and avoiding injury. Experience
teaches me that crossing the road at certain times of day is very difficult
because there are too many cars. To limit the risk I revise and improve
my process by using the footbridge at these times. I continue to analyse
the effectiveness of the processes and revise them when the context
changes. I also continue to consider innovative opportunities such as:
Can I move the meeting place so that the road does not have to be
crossed? Can I change the time of the meeting so that I cross the road
when it is quiet? Can we meet electronically?

Seven principles of Quality management as per ISO 9001:2015
committee draft
Seven principles of Quality management
Introduction:

In my first post I had written about the Eight principles of quality
management on which the standard of ISO 9001:2008 was based. As we
are all aware, ISO 9001 is being revised by the Technical Committee of
ISO, ISO/TC 176/SC 2 - Quality Management and Quality Assurance /
Quality Systems, also known as ISO/TC 176 in short. A draft of the ISO
9001 standard was released in September 2013. The proposed standard
is to be printed by the end of year 2015 and the standard is expected to
be implemented from the year 2016. ISO 9001 is currently at the Draft
International Stage (DIS), the fourth stage of a six stage process.
Organisations are granted a three-year transition period after the revision
has been published to migrate their quality management system to the
new edition of the standard.

The key changes in the standards are


There is no quality manual.
It places emphasis on organization context and risk-based management.
There is no requirement for a management representative.
The standard does not include a specific clause for "Preventive
Actions".
The terms "document" and "records" have been replaced with the term
"documented information". "Documented procedure" in ISO 9001:2008
has been replaced by "maintained documented information" and
"documented record" in ISO 9001:2008 has been replaced by "retained
documented information".
In the 2008 version of the standard the term "product" was used. This term
also included services. In the Committee Draft issued in 2013, this term
was proposed to be changed to "Product and Services".
The term "continual improvement" has been replaced with
"improvement".
The term "product" has been replaced by "goods and services".
Outsourcing is now an external provision. The term "purchased product"
has been replaced with "externally provided products and services". The
term "supplier" has been replaced with "external provider". Control of
external provision of goods and services addresses all forms of external
provision.
The new standard does not make any reference to exclusions.
The term "work environment" used in ISO 9001:2008 has been replaced
with "environment for the operation of processes".
The proposed ISO 9001:2015 standard is based on the following
Seven principles of Quality management.
1 Customer Focus
The primary focus of quality management is to meet customer
requirements and to strive to exceed customer expectations.
Rationale
Sustained success is achieved when an organization attracts and retains
the confidence of customers and other interested parties on whom it
depends. Every aspect of customer interaction provides an opportunity
to create more value for the customer. Understanding current and future
needs of customers and other interested parties contributes to sustained
success of an organization.
Explanation:
This is the first of the Seven principles of Quality management and there
is no change in the heading of this principle. The Eight principle
definition stated "Organizations depend on their customers and therefore
should understand current and future customer needs, should meet
customer requirements and strive to exceed customer expectations." The
Seven principle definition states "The primary focus of quality
management is to meet customer requirements and to strive to exceed
customer expectations." Customer focused means putting your energy
into satisfying customers and understanding that profitability comes
from satisfying customers. The organization should research, establish
and understand current and future customer needs and expectations. The
organization should ensure that the objectives of the organization are
linked to customer needs and expectations. Top management should
communicate customer needs and expectations throughout the
organization. Customer satisfaction should be measured and the results
acted on. The organization should ensure a balanced approach between
satisfying customers and other interested parties.

2 Leadership
Leaders at all levels establish unity of purpose and direction and create
conditions in which people are engaged in achieving the quality
objectives of the organization.
Rationale
Creation of unity of purpose, direction and engagement enable an
organization to align its strategies, policies, processes and resources to
achieve its objectives.
Explanation:
This is the second of the Seven principles of Quality management and
there is no change in the heading of this principle. The Eight principle
definition stated "Leaders establish unity of purpose and direction of the
organization. They should create and maintain the internal environment
in which people can become fully involved in achieving the
organization's objectives." The Seven principle definition states
"Leaders at all levels establish unity of purpose and direction and create
conditions in which people are engaged in achieving the quality
objectives of the organization." Leadership is providing role model
behaviors consistent with the values of the organization, behavior that
will deliver the organization's objectives. Internal environment includes
the culture and climate, management style, shared, trust, motivation and
support. The leadership should consider the needs of all interested
parties including customers, owners, employees, suppliers, financiers,
local communities and society as a whole. The leadership should establish
a clear vision of the organization's future. The leadership should set
challenging goals and targets. The leadership should create and sustain
shared values, fairness and ethical role models at all levels of the
organization. The leadership should establish trust and eliminate fear.
The leadership should provide people with the required resources,
training and freedom to act with responsibility and accountability. The
leadership should inspire, encourage and recognize people's
contributions.

3 Engagement of People
It is essential for the organization that all people are competent,
empowered and engaged in delivering value. Competent, empowered
and engaged people throughout the organization enhance its capability to
create value.
Rationale
To manage an organization effectively and efficiently, it is important to
involve all people at all levels and to respect them as individuals.
Recognition, empowerment and enhancement of skills and knowledge
facilitate the engagement of people in achieving the objectives of the
organization.
Explanation:
This is the third of the Seven principles of Quality management and the
term "Involvement of People" has been changed to "Engagement of
People". The Eight principle definition stated "People at all levels are
the essence of an organization and their full involvement enables their
abilities to be used for the organization's benefit." The Seven principle
definition states "It is essential for the organization that all people are
competent, empowered and engaged in delivering value. Competent,
empowered and engaged people throughout the organization enhance its
capability to create value." Engaging people means employees are
committed to their organisation's goals and values, motivated to
contribute to organisational success, and are able at the same time to
enhance their own sense of well-being. An engaged employee
experiences a blend of job satisfaction, organisational commitment, job
involvement and feelings of empowerment. When we talk of
engagement of people it means that all the employees are competent,
empowered and they are delivering value. An engaged employee will
have a better perception of job importance. An engaged employee will
have better clarity of job expectation. There will be more improvement
opportunities. There will be regular feedback and dialog with
supervisors. The quality of working relationships of an engaged
employee with peers, superiors, and subordinates is much improved.
There is effective employee communication.

4 Process Approach
Consistent and predictable results are achieved more effectively and
efficiently when activities are understood and managed as interrelated
processes that function as a coherent system.
Rationale
The quality management system is composed of interrelated processes.
Understanding how results are produced by this system, including all its
processes, resources, controls and interactions, allows the organization
to optimize its performance.
Explanation:
This is the fourth of the Seven principles of Quality management and
there is no change in the heading of this principle. The Eight principle
definition stated "A desired result is achieved more efficiently when
activities and related resources are managed as a process." The Seven
principle definition states "Consistent and predictable results are
achieved more effectively and efficiently when activities are understood
and managed as interrelated processes that function as a coherent
system." Processes are dynamic: they cause things to happen. Processes
within an organization should be structured in order to achieve a certain
objective in the most efficient and effective manner. The process
approach helps us in systematically defining the activities necessary to
achieve the desired results. It helps us in establishing clear
responsibility and accountability for managing key activities. It helps us
in analyzing and measuring the capabilities of key activities. It helps us
in identifying the interfaces of key activities within and between the
functions of the organization. It helps us in evaluating risks,
consequences and impacts of activities on customers, suppliers and other
interested parties. Quality management systems are constructed by
connecting interrelated processes together to deliver the system
objectives, which is the satisfaction of the interested parties. This helps
us in structuring a system to achieve the organization's objectives in the
most effective and efficient way and understanding the
interdependencies between the processes of the system. It also helps us
in providing a better understanding of the roles and responsibilities
necessary for achieving common objectives and thereby reducing cross
functional barriers and targeting and defining how specific activities
within a system should operate.

5 Improvement
Successful organizations have an ongoing focus on improvement.
Rationale
Improvement is essential for an organization to maintain current levels
of performance, to react to changes in its internal and external conditions
and to create new opportunities.
Explanation:
This is the fifth of the Seven principles of Quality management and can
be mapped to the sixth of the Eight Quality principles, which is
"Continual Improvement". The term "Continual Improvement" has
been changed to "Improvement". The fifth principle of the Eight Quality
principles, "System approach to management", no longer exists in the
Seven principles of quality management. The Eight principle definition
stated "Continual improvement of the organization's overall
performance should be a permanent objective of the organization." The
Seven principle definition states "Successful organizations have an
ongoing focus on improvement." Improvement is the improvement in
organizational efficiency and effectiveness. The organization should
employ a consistent organization-wide approach to improvement of the
organization's tools of improvement. The organization should provide
people with training in the methods and tools of improvement. The
organization should make improvement of products, processes, and the
system an objective for every individual in the organization. The
organization should establish the goals to guide and lead.

6 Evidence-based Decision Making
Decisions based on the analysis and evaluation of data and information
are more likely to produce desired results.
Rationale
Decision-making can be a complex process, and it always involves some
uncertainty. It often involves multiple types and sources of inputs, as
well as their interpretation, which can be subjective. It is important to
understand cause and effect relationships and potential unintended
consequences. Facts, evidence and data analysis lead to greater
objectivity and confidence in decisions made.
Explanation:
This is the sixth of the Seven principles of Quality management and can
be mapped to the seventh of the Eight Quality principles, which is
"Factual approach to decision making". The term "Factual approach to
decision making" has been changed to "Evidence-based Decision
Making". The fifth principle of the Eight Quality principles, "System
approach to management", no longer exists in the Seven principles of
quality management. The Eight principle definition stated "Effective
decisions are based on the analysis of data and information." The Seven
principle definition states "Decisions based on the analysis and
evaluation of data and information are more likely to produce desired
results." Evidence is information that shows or proves that something
exists or is true. Evidence can be collected by performing
observations, measurements, tests, or by using any other suitable
method. Any decision making should always be based on evidence. The
organization should ensure that data and information are sufficiently
accurate and reliable. The organization should make data accessible to
those who need them. The organization should analyze data using
appropriate tools. The organization should make decisions and take
actions based on analysis of data, balanced with experience and
intuition.

7 Relationship Management
For sustained success, organizations manage their relationships with
interested parties, such as suppliers.
Rationale
Interested parties influence the performance of an organization.
Sustained success is more likely to be achieved when an organization
manages relationships with its interested parties to optimize their impact
on its performance. Relationship management with its supplier and
partner network is often of particular importance.
Explanation:
This is the seventh of the Seven principles of Quality management and
can be mapped to the eighth of the Eight Quality principles, which is
"Mutually beneficial supplier relationships". The term "Mutually
beneficial supplier relationships" has been changed to "Relationship
Management". The fifth principle of the Eight Quality principles, "System
approach to management", no longer exists in the Seven principles of
quality management. The Eight principle definition stated "An
organization and its suppliers are interdependent and a mutually
beneficial relationship enhances the ability of both to create value." The
Seven principle definition states "For sustained success, organizations
manage their relationships with interested parties, such as suppliers." An
interested party is a person or group that has a stake in the success or
performance of an organization. Interested parties may be directly
affected by the organization or actively concerned about its performance.
Interested parties can come from inside or outside of the organization.
Examples of interested parties include customers, suppliers, owners,
partners, employees, unions, bankers, or members of the general public.
Interested parties are also referred to as stakeholders. Relationship
management with interested parties means sharing knowledge, vision,
values and understanding, and suppliers are not treated as
adversaries. The organization establishes relationships that balance
short-term gains with long-term considerations. There is pooling of
expertise and resources with partners. The organization identifies and
selects key suppliers. There is clear and open communication with the
stakeholders. There is sharing of information and future plans. The
organization establishes joint development and improvement
activities. The organization inspires, encourages and recognizes
improvements and achievements by suppliers.

Understanding structure terminology and concept of ISO 9001:2015


Understanding ISO 9001:2015
This post is a review of the Draft International Standard (DIS) of ISO 9001
published on 14th May 2014 and should be read along with my post "Seven
principles of Quality management as per ISO 9001:2015 committee draft". The
information presented in this post related to the revision of ISO 9001 is not final
and should not be used for making changes to existing quality management
systems. The contents of ISO 9001:2015 are subject to change and should not be
used in any contractual or legally binding agreements.
1. Structure and terminology
The most significant change we will see in ISO 9001:2015 is the new structure.
The reason for the change is to adopt the common approach outlined in Annex
SL, the new document that all ISO management system standards, including ISO
9001, ISO 14001 and the recently released ISO 27001, must follow. Currently,
ISO 9001 contains 8 sections, of which four attempt to approximate plan, do,
check, act. The new structure, based on Annex SL, has 10 sections, four of which
also approximate to plan, do, check, act. All new management system standards
will have this common structure. Here is the new structure:
Scope
This section describes the scope of the management system standard and will be
unique to the individual standard.
Normative References
This section references other relevant standards, which are indispensable for the
application of the document and will also be unique.
Terms and Definitions
Section three contains definitions, and while some of these are common terms
related to Annex SL, other definitions will be unique to the management system
standard.
Context of the Organization
This part is about understanding the organization's purpose, the management
system and who the stakeholders are. It describes how to set up the management
system and is similar in some respects to the old section 4 except that it explicitly
requires a broader understanding of the situation and needs of the business.
4.1 Understanding the organization and its context.
A new requirement, one of several that might suggest a greater union between the
QMS and wider business planning activities. Requires organisations to ascertain,
monitor and review both internal and external issues that are relevant to its
purpose and strategic direction, and have the ability to impact the QMS and its
intended results.
4.2 Understanding the needs and expectations of interested parties.
A broadening of scope beyond just customers. Requires the organisation to
determine the relevant requirements of relevant interested parties, e.g. a person
or organization that can affect, be affected by, or perceive themselves to be
affected by a decision or activity.
4.3 Determining the scope of the QMS.
The scope statement must state the products and services covered.
4.4 The QMS and its processes.
A major change that specifies a number of factors to be considered when planning
the processes that make up the QMS. Although a process-planning approach has
been previously expressed in earlier standards, this greatly reinforces the
requirement.
Leadership
This section provides requirements for commitment, policy and responsibilities.
This section is similar to the old section 5 on Management but the emphasis is
perhaps more on leadership than just management. This is a soft requirement
and it will be interesting to see how it develops.
5.1 Leadership and commitment.
Greater emphasis is placed on the role of top management. Requires top
management to demonstrate leadership and commitment, and suggests that a
more hands-on approach is expected.
5.2 Quality policy.
Policy requirements are enhanced. A requirement is introduced that the quality
policy is appropriate to the context of the organization, and that it is applied
throughout the organization.
5.3 Organizational roles, responsibilities and authorities.
The requirement for a Management representative is no longer specified. The
duties previously assigned to that role may now be assigned to any role or split
across several roles.
Planning
Planning is now a section on its own. Planning was always covered by the current
standard in sections 4.1, 6.1, 7.1 and 8.1 but the new structure includes risk (which
is now a clear requirement) and opportunities, the setting of goals and objectives
to achieve plans, and resources. Interestingly, risk was introduced in AS9100 (the
aerospace version of ISO 9001) in a similarly limited manner. In the latest version
of AS9100, however, risk was expanded and defines a number of specific
requirements/activities for a risk process. It will be interesting to see whether ISO
will leave the requirement for risk as a general requirement as defined in Annex
SL or whether it will take AS's lead and expand it. This planning section also
requires a greater application of goals and objectives to integrate with the
management system's planning and operation to generally facilitate success of the
organization.
6.1 Actions to address risks and opportunities.
A major change introduced to require a risk-based approach. In addition to this
clause, references to the terms "risk" and "opportunity" are made throughout the
standard.
6.2 Quality objectives and planning to achieve them.
Requirements for objective planning are tightened up. An objective should
include a description of who is responsible, what is the target, when is it planned
to be achieved. Progress must be monitored. Also, requires objectives to be set for
relevant processes.
6.3 Planning of changes.
The clause lists items to be considered in change management.
Support
The support section includes most of the expected support processes that exist in
an organization and which are covered in the current ISO standard. Human
resources is renamed as competence, and communication, which will require a
new approach in most organizations, is given its own section rather than a
mention as a management responsibility. Finally, document control has been
renamed documented information. It now covers both procedure/document
control and records control.
7.1 Resources.
7.2 Competence.
7.3 Awareness.
There is an expansion of application from "personnel" to "persons doing work
under the organization's control".
7.4 Communication.
Now includes external communication about the QMS.
7.5 Documented information.
New requirement to determine, make available, and maintain knowledge. No
requirement for quality manual or procedures. "Documents", "Documentation"
and "Records" are combined to become "Documented information".
Requirements are expanded to mention issues such as confidentiality, access, and
(data) integrity. This suggests an adoption of information security considerations
in recognition of the increasing use of electronic documents/data.
Operation
This is a relatively short section, which essentially says "Do a good job at
whatever your management system is trying for." In the case of ISO 9001, that is
quality and in the early drafts we have seen of ISO 9001, significant familiar
content is added here including design, customers, purchasing and
production/service (although many of the sections have new titles). In a welcome
change of terminology, the rather clumsy "Product realization" becomes
"Operations".
8.1 Operational planning and control.
8.2 Determination of requirements for products and services.
8.3 Design and development of products and services.
This may be interpreted that more organizations do some form of design and
development.
8.4 Control of externally provided products and services.
An expansion of scope from just suppliers to also include other external
providers of products and services. Purchasing and Purchased product become
Externally provided products and services.
8.5 Production and service provision.
An expansion on previous requirements e.g. documented information to specify
intended results, and to determine the nature and extent of any post-delivery (after-
sales) activities.
8.6 Release of products and services.
8.7 Control of nonconforming process outputs, products and services.
Performance Evaluation
The section on evaluation includes monitoring, measurement and analysis,
internal audits and management review. All familiar topics with some subtle
changes.
9.1 Monitoring, measurement, analysis and evaluation.
There is a new requirement to obtain information relating to customer views and
opinions of the organisation.
9.2 Internal audit.
Audit schedule must take customer feedback into account.
9.3 Management review.
Expanded requirements for management review inputs or agenda.
Improvement
Improvement covers nonconformity and corrective action, as well as continual
improvement, all of which are outlined in section 8 of the current standard. There
is no preventive action section any more as effectively it is replaced by risk
under planning; improvement is now defined as a proactive planning activity.
10.1 General.
10.2 Nonconformity and corrective action.
Specific reference to preventive action is removed.
Now includes an additional requirement to record the nature of nonconformities.
On discovering a nonconformity, an explicit requirement is introduced for
organisations to determine whether other similar nonconformities actually exist, or
could potentially exist.
10.3 Continual improvement.
The structure is based on the mandate that Annex SL from the ISO Directives be
applied to management system standards. The clause structure and some of the
terminology in ISO 9001:2015 is different than ISO 9001:2008 to improve
alignment with other management system standards. The structure is to provide a
presentation of requirements. It is not a model for documenting the
organization's policies, objectives and processes. There is no requirement for the
structure of an organization's quality management system documentation to
mirror that of this International Standard.
Major differences in terminology between ISO 9001:2008 and ISO 9001:2015
ISO 9001:2008 = ISO 9001:2015 (Proposed)
Products = Products and services
Exclusions = Applications
Documentation, records = Documented information
Work Environment = Environment for the operation of processes
Purchased Product = Externally provided products and services
Supplier = External provider


2. Products and services
ISO 9001:2008 used "product" to include all output categories such as products,
services, processed materials, and hardware. In ISO 9001:2015 the term "product"
has been replaced by the term "product and services" and includes all output
categories such as hardware, services, software and processed materials. The term
"services" is to highlight the difference between products and services in the
application of some requirements. In most cases, the terms are used together. In
some cases, the word "product" is only used to specify a certain requirement.
3. Context of the organization
An organization's context involves its operating environment. The context must
be determined both within the organization and external to the organization. To
establish the context means to define the external and internal factors that the
organization must consider when it manages risks. An organization's external
context includes its outside stakeholders, its local operating environment, as well
as any external factors that influence the selection of its objectives (goals and
targets) or its ability to meet its goals. An organization's internal context includes
its internal stakeholders, its approach to governance, its contractual relationships
with its customers, and its capabilities and culture.
The internal context may include, but is not limited to:
Product and service offerings.
Governance, organizational structure, roles, and accountability.
Regulatory requirements.
Policies and goals, and the strategies that are in place to achieve them.
Assets like facilities, property, equipment and technology.
Capabilities, understood in terms of resources and knowledge like capital, time, people, processes, systems, and technologies.
Information systems, information flows, and decision-making processes (both formal and informal).
Relationships of the staff/volunteers/members and the perceptions and values of their internal stakeholders including suppliers and partners.
Organization's culture.
Standards, guidelines, and models adopted by the organization, and
Form and extent of the organization's contractual relationships.
The external context's micro-environment consists of the organization's
immediate operations and how they affect its performance and decision-making.
Some of the micro-environmental context factors:
Customers: Organizations must attract and retain customers by offering products
and services that meet their needs along with providing excellent customer service.
Employees/Members/Volunteers: There must be availability of people with the
motivation to remain as contributing members of the organization and develop the
skills necessary to provide a competitive edge.
Suppliers: Suppliers provide organizations with the resources they need to carry
out their activities. If a supplier provides bad service, this affects the way the
organization operates. Close supplier relationships are an effective way to remain
competitive and secure the resources needed.
Investors: All organizations require investment to grow. They may borrow the
money from a bank or have people invest in their work. Relationships with
investors need to be managed carefully as problems can detrimentally affect the
long term success of the organization.
Media: Positive media attention can bring success to the organization by
maintaining its reputational strength. Managing the media (including the presence
in social media) is a challenge.
Competitors: Members of the organization need to have a sense of belonging.
Can the organization offer benefits that are better than those offered by the
competitors? Is there a strong value proposition? Competitor analysis and
monitoring is crucial if an organization is to maintain or improve its position in the
competitive landscape of the community. The organization must always be aware
of its competitors' activities. The landscape can change quickly.
There are two new clauses relating to the context of the organization, 4.1
"Understanding the organization and its context" and 4.2 "Understanding the needs
and expectations of interested parties". Together these clauses require the
organization to determine the issues and requirements that can impact on the
planning of the quality management system. Interested parties cannot go beyond
the scope of ISO 9001. There is no requirement to go beyond interested parties that
are relevant to the quality management system. Consider the impact on the
organization's ability to consistently provide products and services that meet
customer and applicable statutory and regulatory requirements or the
organization's aim to enhance customer satisfaction. Organizations can go beyond
the minimum requirements and, at their discretion, determine additional needs and
expectations for interested parties that would not be relevant; this should be
clear in the quality management system.
Clause 4.1 Understanding the Organization and its context
The organization should determine external and internal issues that are
relevant to its purpose and strategic planning and that affect the
organization's ability to achieve its objectives. The organization should monitor
and review the information about external and internal issues. Management
Review requires the monitoring of external and internal issues. The organization
must consider issues related to values, culture, knowledge and performance of
the organization for understanding of internal issues. The organization must
consider issues arising from legal, technological, competitive, market, cultural,
social, and economic environments, whether international, national, regional or
local, for understanding of external context.
Clause 4.2 Understanding the needs and expectations of interested parties
The organization shall determine relevant interested parties and requirements of
relevant interested parties. Interested parties include customers, partners, persons
in the organization and external providers. Relevant interested parties to be
considered are those that potentially could impact the organization's ability to
provide products and services that meet requirements. Monitor and review
information related to interested parties and relevant requirements. Management
Review requires the monitoring of relevant interested parties.
Clause 4.3 Determining the scope of the quality management system
The organization must establish the scope of the quality management system by
determining the boundaries and applicability of the quality management
system. While determining the scope, the organization must consider the internal
and external issues determined in 4.1, the requirements of relevant interested
parties in 4.2 and the products and services of the organization. Requirements that
can be applied by the organization shall be applied. Requirements that cannot be
applied cannot affect the organization's ability to provide product and services that
meet requirements. The organization must maintain the scope as documented
information, stating the products and services covered by the QMS and any
justification where a requirement cannot be applied.
Any interested party which is not relevant to the quality management system need
not be considered, and similarly any requirement of an interested party that is not
relevant need not be considered. Determining what is relevant or not relevant is
dependent on whether or not it has an impact on the organization's ability to
consistently provide products and services that meet customer and applicable
statutory and regulatory requirements or the organization's aim to enhance
customer satisfaction. The organization can decide to determine additional needs
and expectations that will meet its quality objectives. However, it is at the
organization's discretion whether or not to accept additional requirements to
satisfy interested parties beyond what is required by this Standard.
4. Risk-based approach
The main objectives of ISO 9001 are to provide confidence in the organization's
ability to consistently provide customers with conforming goods and services and
to enhance customer satisfaction. The concept of risk in the context of ISO 9001
relates to the uncertainty in achieving these objectives. This International
Standard makes risk-based thinking more explicit and incorporates it in
requirements for the establishment, implementation, maintenance and continual
improvement of the quality management system. Organizations can implement a
formal risk management program such as ISO 31000, but there is no requirement
to do so. The concept of risk has always been implicit in ISO 9001; this revision
makes it more explicit and builds it into the whole management system. Risk-based
thinking is already part of the process approach. Risk-based thinking makes
preventive action part of the routine. Risk-based thinking can also help to identify
opportunities. Organizations are required to understand the context of the
organization and any external and internal issues (clause 4.1). Risks and
opportunities are determined in clause 6.1. One of the key purposes of a quality
management system is to act as a preventive tool. ISO 9001:2015 does not have a
separate clause titled "preventive action". The concept of preventive action is
controlled through risk-based thinking and managing risks and opportunities
identified in clause 6.1.
Clause 6.1 Actions to address risks and opportunities
Consider the issues determined in clause 4.1 and consider the requirements of
relevant interested parties. The organization should determine risks and
opportunities to assure that the quality management system can achieve its
objective, to prevent or reduce undesired effects, and for continual improvement.
Intended results cannot be achieved. The organization shall plan actions to
address risks and opportunities, which should be appropriate to the potential
impact. The actions to address risks and opportunities must be integrated and
implemented into the QMS processes. The effectiveness of these actions must be
evaluated.
NOTE: No formal risk management program is required.
5. Applicability
The revised standard will focus on application and not exclusions. There are no
limits on the clauses for which application can be determined. Justification will be
required as documented information to ensure that limited application does not
affect the organization's ability to provide product and services. The application
of requirements may vary. Where a requirement can be applied within the scope
of its quality management system, the organization cannot decide that it is not
applicable. Where a requirement cannot be applied (for example where the
relevant process is not carried out) the organization can determine that the
requirement is not applicable. However, this non-applicability cannot be allowed
to result in failure to achieve conformity of products and services or to meet the
organization's aim to enhance customer satisfaction. A manufacturing
organization that does not have any monitoring and measuring resources could
determine that the requirements in 7.1.5 do not apply. Organizations that build
from a customer-provided design could determine that the requirements for design
in 8.3 do not apply. Organizations could not determine that requirements such as
competence are not applicable, since this directly affects the ability to provide
product that meets requirements.
6. Documented information
The terms "documented procedure" and "record" have both been replaced by
"documented information". Where ISO 9001:2008 would have referred to
documented procedures (e.g. to define, control or support a process) this is now
expressed as a requirement to maintain documented information. Where ISO
9001:2008 would have referred to records this is now expressed as a requirement
to retain documented information. The current draft of ISO 9001 does not require
a quality manual or documented procedure, as Annex SL does not require
documented procedures or a quality manual. The requirements in 7.5 are similar to
ISO 9001:2008 4.2.3 Control of documents and 4.2.4 Control of Records.
7. Organisational knowledge
The organization shall determine the knowledge necessary for the operation of the
QMS, to ensure conformity of products and services and to enhance customer
satisfaction. The organization is responsible for maintaining, protecting and
making sure the knowledge is available (as necessary).
Knowledge is to be considered when making changes to the organization.
Depending on the size and complexity of the organization, the risks and
opportunities it needs to address, and the need for accessibility of knowledge, the
process for considering and controlling past, existing and additional knowledge
needs is to be considered. As long as the conformity of products and services can
be achieved, the balance between knowledge held by competent people and
knowledge made available by other means is at the discretion of the
organization. Consideration can be given to whether competent employees have
this knowledge.
8. Control of externally provided products and services
The terms "Supplier" and "Outsourcing" have been replaced by the term "external
provider", which includes purchasing from suppliers, arrangement with an
associate/sister company, and outsourcing of processes and functions. The term
"Purchased products" has been replaced with the term "externally provided
products and services". Clause 8.4 Control of externally provided products and
services addresses all forms of external provision, whether it is by purchasing
from a supplier, through an arrangement with an associate company, through the
outsourcing of processes and functions of the organization or by any other means.
The organization is required to take a risk-based approach to determine the type
and extent of controls appropriate to particular external providers and externally
provided products and services.

Risk Based Thinking ISO 9001:2015


One of the key changes in the 2015 revision of ISO 9001 is to establish a
systematic approach to risk, rather than treating it as a single component
of a quality management system. In previous editions of ISO 9001, a
clause on preventive action was separated from the whole. Now risk is
considered and included throughout the standard. By taking a risk-based
approach, an organization becomes proactive rather than purely reactive,
preventing or reducing undesired effects and promoting continual
improvement. Preventive action is automatic when a management
system is risk-based.

Risk-based thinking is something we all do automatically and often
sub-consciously. For example, if I wish to cross a road I look for traffic
before I begin. I will not step in front of a moving car. The concept of risk
has always been implicit in ISO 9001; this revision makes it more explicit
and builds it into the whole management system. The risk is considered
from the beginning and throughout the standard, making preventive action
part of strategic planning as well as operation and review. Risk-based
thinking is already part of the process approach. For example, to cross the
road I may go directly or I may use a nearby footbridge. Which process I
choose will be determined by considering the risks. Risk-based thinking
makes preventive action part of the routine.

Risk is often thought of only in the negative sense. Risk-based
thinking can also help to identify opportunities. This can be considered
to be the positive side of risk. Crossing the road directly gives me an
opportunity to reach the other side quickly, but there is an increased risk
of injury from moving cars. The risk of using a footbridge is that I may
be delayed. The opportunity of using a footbridge is that there is less
chance of being injured by a car. Opportunity is not always directly
related to risk but it is always related to the objectives. By considering a
situation it may be possible to identify opportunities to improve. The
opportunities for improvement here are: a subway leading directly under
the road, pedestrian traffic lights, or diverting the road so that the area has
no traffic. It is necessary to analyse the opportunities and consider which
can or should be acted on. Both the impact and the feasibility of taking
an opportunity must be considered. Whatever action is taken will change
the context and the risks and these must then be reconsidered.

The main objectives of ISO 9001 are to provide confidence in the
organization's ability to consistently provide customers with conforming
goods and services and to enhance customer satisfaction. The concept of
risk in the context of ISO 9001 relates to the uncertainty in achieving
these objectives.

DEFINITIONS

ISO 9001:2015 defines risk as the effect of uncertainty on an expected
result.

An effect is a deviation from the expected, positive or negative.
Risk is about what could happen and what the effect of this happening
might be.
Risk also considers how likely it is.
The target of a management system is to achieve conformity and customer
satisfaction.

Risk as Currently Stated in ISO 9001:2015

ISO 9001:2015 uses risk-based thinking to achieve this in the following
way:
In Clause 4 (Context) the organization is required to determine the
risks which may affect this.
In Clause 5 (Leadership) top management are required to commit to
ensuring Clause 4 is followed.
In Clause 6 (Planning) the organization is required to take action to
identify risks and opportunities.
In Clause 8 (Operation) the organization is required to implement
processes to address risks and opportunities.
In Clause 9 (Performance evaluation) the organization is required to
monitor, measure, analyse and evaluate the risks and opportunities.
In Clause 10 (Improvement) the organization is required to improve by
responding to changes in risk.
ISO 9001:2015 subclause 4.4.2 Process approach

The organization shall:
d) determine the risks to conformity of goods and services and customer
satisfaction if unintended outputs are delivered or process interaction is
ineffective;

Unintended outputs in ISO 9001:2015 can mean the same as nonconforming
products in ISO 9001:2008. Unintended output from a process can be
reprocessed/reworked, scrapped, or sold at a discount. The risk of
producing unintended output should theoretically be set at zero or near
zero, but this is rarely achieved; the analogy would be a process
operating at 4.5 sigma vs. 5 or higher. The lower the parts per million,
the lower the risk of producing unintended output. However, one must
not forget that depending on the industry (e.g., medical vs. pencil
manufacturers), these risks have different end-user impact and costs.

5.1.2 Leadership and commitment with respect to the needs and
expectations of customers

Top management shall demonstrate leadership and commitment with
respect to customer focus by ensuring that:
a) the risks which can affect conformity of goods and services and
customer satisfaction are identified and addressed;

This can be achieved by establishing process capabilities for each
process from manufacturing and assembly to packaging and product
delivery and installation. The computation of a simple indicator of
process capability (Cp) or the adjustment of the process capability
toward a specification (Cpk) would help managers quantify their process
risk. The objective would be to achieve the highest economically
feasible capability for each process, thus minimizing the risk of
producing so-called unintended output.

6.1 Actions to address risks and opportunities

6.1.1 When planning for the quality management system, the
organization shall consider the issues referred to in 4.1 and the
requirements referred to in 4.2 (4.2 Understanding the needs and
expectations of interested parties) and determine the risks and
opportunities that need to be addressed to:
a) assure the quality management system can achieve its intended
outcome(s)
b) assure that the organization can consistently achieve conformity of
goods and services and customer satisfaction
c) prevent, or reduce, undesired effects, and
d) achieve continual improvement.
6.1.2 The organization shall plan:
a) actions to address these risks and opportunities, and
b) how to
1) integrate and implement the actions into its quality management
system processes (see 4.4), and
2) evaluate the effectiveness of these actions.
Any actions taken to address risks and opportunities shall be
proportionate to the potential effects on conformity of goods and
services and customer satisfaction.

8.3 Operational planning process

In preparing for the realization of goods and services, the organization
shall implement a process to determine the following, as appropriate:
b) actions to identify and address risks related to achieving conformity
of goods and services to requirements;

8.5.1 Development processes

In determining the stages and controls for the development processes,
the organization shall take account of:
e) the determined risks and opportunities associated with the
development activities with respect to
1) the nature of the goods and services to be developed and potential
consequences of failure
2) the level of control expected of the development process by customers
and other relevant interested parties, and
3) the potential impact on the organization's ability to consistently meet
customer requirements and enhance customer satisfaction.

8.6.5 Post delivery activities

The extent of post delivery activities that are required shall take
account of:
a) the risks associated with the goods and services

This sounds like a rephrasing of warranty-cost analysis; major
companies have done this for a long time, but I don't know about small
to medium-size companies.

9.1 Monitoring, measurement, analysis and evaluation

The organization shall take into consideration the determined risks and
opportunities and shall:

There are important issues to address relating to inaccurate
measurements or insufficient measurements. Gauge repeatability and
reproducibility (Gauge R&R) addresses many if not most of these issues
and I don't see how adding the word "risk" brings any value to this
paragraph except that now one must think of the missed opportunities
for measuring (or rather, not measuring) and the associated risk.

9.2 Internal audit

The organization shall:
a) plan, establish, implement and maintain an audit program(s),
including the frequency, methods, responsibilities, planning
requirements and reporting. The audit program(s) shall take into
consideration the quality objectives, the importance of the processes
concerned, the related risks, and the results of previous audits;

Internal auditors would now have to assess the risk of failing to do
something or the risk of not following a procedure. This would be
challenging to quantify and assess. Potential risks would also have to be
assessed, which would be even more challenging.

10.2 Improvement

The organization shall improve the quality management system,
processes and goods and services, as appropriate, through responding to:
c) changes in identified risk (see 6.1);

One could do a failure mode and effects analysis (FMEA) to show that the
risk-priority number has decreased as a result of a process change. This
would not be difficult to do but would be full of uncertainties because
FMEA is based on subjective assessment.

Use of risk based thinking.

By considering risk based thinking throughout the organization the
likelihood of achieving stated objectives is improved, output is more
consistent and customers can be confident that they will receive the
expected product or service.

Risk-based thinking therefore:
- builds a strong knowledge base
- establishes a proactive culture of improvement
- assures consistency of quality of goods or services
- improves customer confidence and satisfaction

Risk-driven approach in organizational processes.

Identify what the risks and opportunities are: it depends on context.
For example, if I cross a busy road with many fast-moving cars the risks are
not the same as if the road is small with very few moving cars. It is also
necessary to consider such things as weather, visibility, personal
mobility and specific personal objectives.
Analyse and prioritize your risks and opportunities.
What risk is acceptable, what is unacceptable? What advantages or
disadvantages are there to one process over another? For example, I
need to safely cross a road to reach a meeting at a given time. It is
UNACCEPTABLE to be injured. It is UNACCEPTABLE to be late. The
opportunity of reaching my goal more quickly must be balanced against
the likelihood of injury. It is more important that I reach my meeting
uninjured than it is for me to reach my meeting on time. It may be
ACCEPTABLE to delay arriving at the other side of the road by using a
footbridge if the likelihood of being injured by crossing the road directly
is high. I analyse the situation. The footbridge is 200 metres away and
will add time to my journey. The weather is good, the visibility is good
and I can see that the road does not have many cars at this time. I decide
that walking directly across the road carries an acceptably low level of
risk of injury and an opportunity to reach my meeting on time.
Plan actions to address the risks.
How can I avoid or eliminate the risk? How can I mitigate risks? For
example, I could eliminate risk of injury by using the footbridge but I
have already decided that the risk involved in crossing the road is
acceptable. Now I plan how to reduce the likelihood of injury and/or the
effect of injury. I cannot reasonably expect to control the effect of a car
hitting me. I can reduce the probability of being hit by a car. I plan to
cross at a time when there are no cars moving near me and so reduce the
likelihood of an accident. I also choose to cross the road at a place where
I have good visibility and can safely stop in the middle to re-assess the
number of moving cars, further reducing the probability of an accident.
Implement the plan: take action.
For example, I move to the side of the road, check there are no barriers to
crossing and that there is a safe place in the centre of the moving traffic.
I check there are no cars coming. I cross half of the road and stop in the
central safe place. I assess the situation again and then cross the second
part of the road.
Check the effectiveness of the actions: does it work?
For example, I arrive at the other side of the road unharmed and on time:
this plan worked and undesired outcomes have been avoided.
Learn from experience: continual improvement.
For example, I repeat the plan over several days, at different times and in
different weather conditions. This gives me data to understand that
changing context (time, weather, quantity of cars) directly affects the
effectiveness of the plan and increases the probability that I will not
achieve my objectives of being on time and avoiding injury. Experience
teaches me that crossing the road at certain times of day is very difficult
because there are too many cars. To limit the risk I revise and improve
my process by using the footbridge at these times. I continue to analyse
the effectiveness of the processes and revise them when the context
changes. I also continue to consider innovative opportunities such as:
Can I move the meeting place so that the road does not have to be
crossed? Can I change the time of the meeting so that I cross the road
when it is quiet? Can we meet electronically?

ISO/TC 176/SC2 Document N1222, July 2014


Risk in ISO 9001:2015
1. Objective of this paper
- to explain how risk is addressed in ISO 9001
- to explain what is meant by opportunity in ISO 9001
- to address the concern that risk-based thinking replaces the process
approach
- to address the concern that preventive action has been removed from
ISO 9001
- to explain in simple terms each element of a risk-based approach
2. Overview
One of the key changes in the 2015 revision of ISO 9001 is to establish a
systematic approach to risk, rather than treating it as a single component
of a quality management system.
In previous editions of ISO 9001, a clause on preventive action was
separated from the whole. Now risk is considered and included
throughout the standard.
By taking a risk-based approach, an organization becomes proactive
rather than purely reactive, preventing or reducing undesired effects and
promoting continual improvement. Preventive action is automatic when
a management system is risk-based.
3. What is risk-based thinking?
Risk-based thinking is something we all do automatically.
Example: If I wish to cross a road I look for traffic before I begin. I will
not step in front of a moving car.
Risk-based thinking has always been in ISO 9001; this revision builds
it into the whole management system.
In ISO 9001:2015 risk is considered from the beginning and throughout
the standard, making preventive action part of strategic planning as well
as operation and review.
Risk-based thinking is already part of the process approach.
Example: To cross the road I may go directly or I may use a nearby
footbridge. Which process I choose will be determined by considering
the risks.
Risk is commonly understood to be negative. In risk-based thinking
opportunity can also be found; this is sometimes seen as the positive
side of risk.
Example:
Crossing the road directly gives me an opportunity to reach the other
side quickly, but there is an increased risk of injury from moving cars.
The risk of using a footbridge is that I may be delayed. The opportunity
of using a footbridge is that there is less chance of being injured by a car.
Opportunity is not always directly related to risk but it is always related
to the objectives. By considering a situation it may be possible to
identify opportunities to improve.
Example:
Analysis of this situation shows further opportunities for improvement:
- a subway leading directly under the road
- pedestrian traffic lights, or
- diverting the road so that the area has no traffic
It is necessary to analyse the opportunities and consider which can or
should be acted on. Both the impact and the feasibility of taking an
opportunity must be considered. Whatever action is taken will change
the context and the risks and these must then be reconsidered.
4. Where is risk addressed in ISO 9001:2015?
INTRODUCTION
The concept of risk-based thinking is explained in the introduction of
ISO 9001:2015.
DEFINITIONS
ISO 9001:2015 defines risk as the effect of uncertainty on an expected
result.
1. An effect is a deviation from the expected, positive or negative.
2. Risk is about what could happen and what the effect of this happening
might be.
3. Risk also considers how likely it is.
The target of a management system is to achieve conformity and customer
satisfaction.
ISO 9001:2015 uses risk-based thinking to achieve this in the following
way:
In Clause 4 (Context) the organization is required to determine the risks
which may affect this.
In Clause 5 (Leadership) top management are required to commit to
ensuring Clause 4 is followed.
In Clause 6 (Planning) the organization is required to take action to
identify risks and opportunities.
In Clause 8 (Operation) the organization is required to implement
processes to address risks and opportunities.
In Clause 9 (Performance evaluation) the organization is required to
monitor, measure, analyse and evaluate the risks and opportunities.
In Clause 10 (Improvement) the organization is required to improve by
responding to changes in risk.
5. Why use risk-based thinking?
By considering risk throughout the organization the likelihood of
achieving stated objectives is improved, output is more consistent and
customers can be confident that they will receive the expected product or
service.
Risk-based thinking therefore:
- builds a strong knowledge base
- establishes a proactive culture of improvement
- assures consistency of quality of goods or services
- improves customer confidence and satisfaction
Successful companies intuitively take a risk-based approach.
6. How do I do it?
Use a risk-driven approach in your organizational processes.
Identify what YOUR risks and opportunities are: it depends on context
Example
If I cross a busy road with many fast-moving cars the risks are not the
same as if the road is small with very few moving cars. It is also
necessary to consider such things as weather, visibility, personal
mobility and specific personal objectives.
Analyse and prioritize your risks and opportunities
What is acceptable, what is unacceptable? What advantages or
disadvantages are there to one process over another?
Example
Objective: I need to safely cross a road to reach a meeting at a given
time.
It is UNACCEPTABLE to be injured.
It is UNACCEPTABLE to be late.
The opportunity of reaching my goal more quickly must be balanced
against the likelihood of injury. It is more important that I reach my
meeting uninjured than it is for me to reach my meeting on time.
It may be ACCEPTABLE to delay arriving at the other side of the road
by using a footbridge if the likelihood of being injured by crossing the
road directly is high.
I analyse the situation. The footbridge is 200 metres away and will add
time to my journey. The weather is good, the visibility is good and I can
see that the road does not have many cars at this time.
I decide that walking directly across the road carries an acceptably low
level of risk of injury and an opportunity to reach my meeting on time.
Plan actions to address the risks
How can I avoid or eliminate the risk? How can I mitigate risks?
Example: I could eliminate risk of injury by using the footbridge but I
have already decided that the risk involved in crossing the road is
acceptable.
Now I plan how to reduce the likelihood of injury and/or the effect of
injury. I cannot reasonably expect to control the effect of a car hitting
me. I can reduce the probability of being hit by a car.
I plan to cross at a time when there are no cars moving near me and so
reduce the likelihood of an accident. I also choose to cross the road at a
place where I have good visibility and can safely stop in the middle to
re-assess the number of moving cars, further reducing the probability of
an accident.
Implement the plan: take action
Example
I move to the side of the road, check there are no barriers to crossing and
that there is a safe place in the centre of the moving traffic. I check there
are no cars coming. I cross half of the road and stop in the central safe
place. I assess the situation again and then cross the second part of the
road.
Check the effectiveness of the actions: does it work?
Example
I arrive at the other side of the road unharmed and on time: this plan
worked and undesired outcomes have been avoided.
Learn from experience: continual improvement
Example
I repeat the plan over several days, at different times and in different
weather conditions.
This gives me data to understand that changing context (time, weather,
quantity of cars) directly affects the effectiveness of the plan and
increases the probability that I will not achieve my objectives (being on
time and avoiding injury).
Experience teaches me that crossing the road at certain times of day is
very difficult because there are too many cars.
To limit the risk I revise and improve my process by using the footbridge
at these times.
I continue to analyse the effectiveness of the processes and revise them
when the context changes.
I also continue to consider innovative opportunities:
- can I move the meeting place so that the road does not have to be
crossed?
- can I change the time of the meeting so that I cross the road when it is
quiet?
- can we meet electronically?
7. Conclusion
- risk-based thinking is not new
- risk-based thinking is something you do already
- risk-based thinking is continuous
- risk-based thinking ensures greater knowledge and preparedness
- risk-based thinking increases the probability of reaching objectives
- risk-based thinking reduces the probability of poor results
- risk-based thinking makes prevention a habit
Useful documents
- ISO 31000:2009 Risk management - Principles and guidelines
- PD ISO/TR 31004:2013 Risk management - Guidance for the
implementation of ISO 31000

Seven principles of Quality management as per ISO 9001:2015


Introduction:
In my first post I had written about the Eight principles of quality
management on which the standard of ISO 9001:2008 was based. As we
are all aware, ISO 9001 is being revised by the Technical Committee of
ISO, ISO/TC 176/SC 2 - Quality Management and Quality Assurance /
Quality Systems, also known as ISO/TC 176 in short. A draft of the ISO
9001 standard was released in September 2013. The proposed standard
is to be printed by the end of year 2015 and the standard is expected to
be implemented from the year 2016. ISO 9001 is currently at the Draft
International Stage (DIS), the fourth stage of a six stage process.
Organisations are granted a three-year transition period after the revision
has been published to migrate their quality management system to the
new edition of the standard.
The key changes in the standard are:
- There is no quality manual.
- It emphasises organization context and risk-based management.
- There is no requirement for a management representative.
- The standard does not include a specific clause for Preventive
Actions.
- The terms "document" and "records" have been replaced with the term
"documented information". "Documented procedure" in ISO 9001:2008
has been replaced by "maintained documented information" and
"documented record" in ISO 9001:2008 has been replaced by "retained
documented information".
- In the 2008 version of the standard the term "product" was used. This term
also included services. In the Committee Draft issued in 2013, this term
was proposed to be changed to "Product and Services".
- The term "continual improvement" has been replaced with
"improvement".
- The term "product" has been replaced by "goods and services".
- Outsourcing is now an external provision. The term "purchased product"
has been replaced with "externally provided products and services". The
term "supplier" has been replaced with "External provider". Control of
external provision of goods and services addresses all forms of external
provision.
- The new standard does not make any reference to exclusions.
- The term "work environment" used in ISO 9001:2008 has been replaced
with "Environment for the operation of processes".
The proposed ISO 9001:2015 standard is based on the following
Seven principles of Quality management.
1 Customer Focus
The primary focus of quality management is to meet customer
requirements and to strive to exceed customer expectations.
Rationale
Sustained success is achieved when an organization attracts and retains
the confidence of customers and other interested parties on whom it
depends. Every aspect of customer interaction provides an opportunity
to create more value for the customer. Understanding current and future
needs of customers and other interested parties contributes to sustained
success of an organization.
Explanation:
This is the first of the seven principles of quality management, and there
is no change in the heading of this principle. The eight-principle
definition stated, "Organizations depend on their customers and therefore
should understand current and future customer needs, should meet
customer requirements and strive to exceed customer expectations." The
seven-principle definition states, "The primary focus of quality
management is to meet customer requirements and to strive to exceed
customer expectations." Being customer focused means putting your energy
into satisfying customers and understanding that profitability comes
from satisfying customers. The organization should research, establish and
understand current and future customer needs and expectations. The
organization should ensure that the objectives of the organization are
linked to customer needs and expectations. Top management should
communicate customer needs and expectations throughout the
organization. Customer satisfaction should be measured and the results
acted on. The organization should ensure a balanced
approach between satisfying customers and other interested parties.
2 Leadership
Leaders at all levels establish unity of purpose and direction and create
conditions in which people are engaged in achieving the quality
objectives of the organization.
Rationale
Creation of unity of purpose, direction and engagement enable an
organization to align its strategies, policies, processes and resources to
achieve its objectives.
Explanation:
This is the second of the seven principles of quality management, and
there is no change in the heading of this principle. The eight-principle
definition stated, "Leaders establish unity of purpose and direction of the
organization. They should create and maintain the internal environment
in which people can become fully involved in achieving the
organization's objectives." The seven-principle definition states,
"Leaders at all levels establish unity of purpose and direction and create
conditions in which people are engaged in achieving the quality
objectives of the organization." Leadership is providing role-model
behaviors consistent with the values of the organization, behavior that
will deliver the organization's objectives. Internal environment includes
the culture and climate, management style, shared, trust, motivation and
support. The leadership should consider the needs of all interested
parties including customers, owners, employees, suppliers, financiers,
local communities and society as a whole. The leadership should establish
a clear vision of the organization's future. The leadership should set
challenging goals and targets. The leadership should create and sustain
shared values, fairness and ethical role models at all levels of the
organization. The leadership should establish trust and eliminate fear.
The leadership should provide people with the required resources,
training and freedom to act with responsibility and accountability. The
leadership should inspire, encourage and recognize people's
contributions.
3 Engagement of People
It is essential for the organization that all people are competent,
empowered and engaged in delivering value. Competent, empowered
and engaged people throughout the organization enhance its capability to
create value.
Rationale
To manage an organization effectively and efficiently, it is important to
involve all people at all levels and to respect them as individuals.
Recognition, empowerment and enhancement of skills and knowledge
facilitate the engagement of people in achieving the objectives of the
organization.
Explanation:
This is the third of the seven principles of quality management, and the
term "Involvement of People" has been changed to "Engagement of
People". The eight-principle definition stated, "People at all levels are
the essence of an organization and their full involvement enables their
abilities to be used for the organization's benefit." The seven-principle
definition states, "It is essential for the organization that all people are
competent, empowered and engaged in delivering value. Competent,
empowered and engaged people throughout the organization enhance its
capability to create value." Engaging people means employees are
committed to their organisation's goals and values, motivated to
contribute to organisational success, and are able at the same time to
enhance their own sense of well-being. An engaged employee
experiences a blend of job satisfaction, organisational commitment, job
involvement and feelings of empowerment. When we talk of
engagement of people, it means that all the employees are competent,
empowered and delivering value. An engaged employee will
have a better perception of job importance. An engaged employee will
have better clarity of job expectations. There will be more improvement
opportunities. There will be regular feedback and dialogue with
supervisors. The quality of working relationships of an engaged
employee with peers, superiors, and subordinates is much improved.
There is effective employee communication.
4 Process Approach
Consistent and predictable results are achieved more effectively and
efficiently when activities are understood and managed as interrelated
processes that function as a coherent system.
Rationale
The quality management system is composed of interrelated processes.
Understanding how results are produced by this system, including all its
processes, resources, controls and interactions, allows the organization
to optimize its performance.
Explanation:
This is the fourth of the seven principles of quality management, and
there is no change in the heading of this principle. The eight-principle
definition stated, "A desired result is achieved more efficiently when
activities and related resources are managed as a process." The
seven-principle definition states, "Consistent and predictable results are
achieved more effectively and efficiently when activities are understood
and managed as interrelated processes that function as a coherent
system." Processes are dynamic; they cause things to happen. Processes
within an organization should be structured in order to achieve a certain
objective in the most efficient and effective manner. It helps us in
systematically defining the activities necessary to achieve the desired
results. It helps us in establishing clear responsibility and accountability
for managing key activities. It helps us in analyzing and measuring the
capabilities of key activities. It helps us in identifying the interfaces of
key activities within and between the functions of the organization. It
helps us in evaluating risks, consequences and impacts of activities on
customers, suppliers and other interested parties. A quality management
system is constructed by connecting interrelated processes together to
deliver the system objective, which is the satisfaction of the interested
parties. This helps us in structuring a system to achieve the
organization's objectives in the most effective and efficient way and
understanding the interdependencies between the processes of the
system. It also helps us in providing a better understanding of the roles
and responsibilities necessary for achieving common objectives and
thereby reducing cross-functional barriers, and in targeting and defining
how specific activities within a system should operate.
5 Improvement
Successful organizations have an ongoing focus on improvement.
Rationale
Improvement is essential for an organization to maintain current levels
of performance, to react to changes in its internal and external conditions
and to create new opportunities.
Explanation:
This is the fifth of the seven principles of quality management and can
be mapped to the sixth of the eight quality principles, which is
"Continual Improvement". The term "Continual Improvement" has
been changed to "Improvement". The fifth of the eight quality
principles, "System approach to management", no longer exists in the
seven principles of quality management. The eight-principle definition
stated, "Continual improvement of the organization's overall
performance should be a permanent objective of the organization." The
seven-principle definition states, "Successful organizations have an
ongoing focus on improvement." Improvement is the improvement in
organizational efficiency and effectiveness. The organization should
employ a consistent organization-wide approach to improvement of the
organization's tools of improvement. The organization should provide
people with training in the methods and tools of improvement. The
organization should make improvement of products, processes, and the
system an objective for every individual in the organization. The
organization should establish the goals to guide and lead.
6 Evidence-based Decision Making
Decisions based on the analysis and evaluation of data and information
are more likely to produce desired results.
Rationale
Decision-making can be a complex process, and it always involves some
uncertainty. It often involves multiple types and sources of inputs, as
well as their interpretation, which can be subjective. It is important to
understand cause and effect relationships and potential unintended
consequences. Facts, evidence and data analysis lead to greater
objectivity and confidence in decisions made.
Explanation:
This is the sixth of the seven principles of quality management and can
be mapped to the seventh of the eight quality principles, which is
"Factual approach to decision making". The term "Factual approach to
decision making" has been changed to "Evidence-based Decision
Making". The fifth of the eight quality principles, "System
approach to management", no longer exists in the seven principles of
quality management. The eight-principle definition stated, "Effective
decisions are based on the analysis of data and information." The
seven-principle definition states, "Decisions based
on the analysis and evaluation of data and information are more likely to
produce desired results." Evidence is information that shows or proves
that something exists or is true. Evidence can be collected by performing
observations, measurements, tests, or by using any other suitable
method. Any decision making should always be based on evidence. The
organization should ensure that data and information are sufficiently
accurate and reliable. The organization should make data accessible to
those who need them. The organization should analyze data using
appropriate tools. The organization should make decisions and take
actions based on analysis of data, balanced with experience and
intuition.
7 Relationship Management
For sustained success, organizations manage their relationships with
interested parties, such as suppliers.
Rationale
Interested parties influence the performance of an organization.
Sustained success is more likely to be achieved when an organization
manages relationships with its interested parties to optimize their impact
on its performance. Relationship management with its supplier and
partner network is often of particular importance.
Explanation:
This is the seventh of the seven principles of quality management and
can be mapped to the eighth of the eight quality principles, which is
"Mutually beneficial supplier relationships". The term "Mutually
beneficial supplier relationships" has been changed to "Relationship
Management". The fifth of the eight quality principles, "System
approach to management", no longer exists in the seven principles of
quality management. The eight-principle definition stated, "An
organization and its suppliers are interdependent and a mutually
beneficial relationship enhances the ability of both to create value." The
seven-principle definition states, "For sustained success, organizations
manage their relationships with interested parties, such as suppliers." An
interested party is a person or group that has a stake in the success or
performance of an organization. Interested parties may be directly
affected by the organization or actively concerned about its performance.
Interested parties can come from inside or outside of the organization.
Examples of interested parties include customers, suppliers, owners,
partners, employees, unions, bankers, or members of the general public.
Interested parties are also referred to as stakeholders. Relationship
management with interested parties means sharing
knowledge, vision, values and understanding, and suppliers are not treated as
adversaries. The organization establishes relationships that balance
short-term gains with long-term considerations. There is pooling of
expertise and resources with partners. The organization identifies and
selects key suppliers. There is clear and open communication with the
stakeholders. There is sharing of information and future plans. The
organization establishes joint development and improvement
activities. The organization inspires, encourages and recognizes
improvements and achievements by suppliers.

List of mandatory documents required by ISO 9001:2015


Since the publication of the new revision of ISO 9001 last month, many
people have been wondering what documents are mandatory in this new
2015 revision. How many documents are required? So, here is the list.
Below you will see not only mandatory documents, but also the most
commonly used documents for ISO 9001 implementation.
Mandatory documents and records required by ISO 9001:2015
Here are the documents you need to produce if you want to be compliant
with ISO 9001:2015. (Please note that some of the documents will not
be mandatory if the company does not perform relevant processes.):
Scope of the QMS (clause 4.3)
Quality policy (clause 5.2)
Quality objectives (clause 6.2)
Criteria for evaluation and selection of suppliers (clause 8.4.1)
And here are the mandatory records (note that records marked with * are
only mandatory in cases when the relevant clause is not excluded):
Monitoring and measuring equipment calibration records* (clause
7.1.5.1)
Records of training, skills, experience and qualifications (clause 7.2)
Product/service requirements review records (clause 8.2.3.2)
Record about design and development outputs review* (clause 8.3.2)
Records about design and development inputs* (clause 8.3.3)
Records of design and development controls* (clause 8.3.4)
Records of design and development outputs* (clause 8.3.5)
Design and development changes records* (clause 8.3.6)
Characteristics of product to be produced and service to be provided
(clause 8.5.1)
Records about customer property (clause 8.5.3)
Production/service provision change control records (clause 8.5.6)
Record of conformity of product/service with acceptance criteria
(clause 8.6)
Record of nonconforming outputs (clause 8.7.2)
Monitoring and measurement results (clause 9.1.1)
Internal audit program (clause 9.2)
Results of internal audits (clause 9.2)
Results of the management review (clause 9.3)
Results of corrective actions (clause 10.1)
Non-mandatory documents
There are numerous non-mandatory documents that can be used for ISO
9001 implementation. However,
I find these non-mandatory documents to be most commonly used:
Procedure for determining context of the organization and interested
parties (clauses 4.1 and 4.2)
Procedure for addressing risks and opportunities (clause 6.1)
Procedure for competence, training and awareness (clauses 7.1.2, 7.2
and 7.3)
Procedure for equipment maintenance and measuring equipment
(clause 7.1.5)
Procedure for document and record control (clause 7.5)
Sales procedure (clause 8.2)
Procedure for design and development (clause 8.3)
Procedure for production and service provision (clause 8.5)
Warehousing procedure (clause 8.5.4)
Procedure for management of nonconformities and corrective actions
(clauses 8.7 and 10.2)
Procedure for monitoring customer satisfaction (clause 9.1.2)
Procedure for internal audit (clause 9.2)
Procedure for management review (clause 9.3)
