ISO9001:2015 Upgrade Diary

[Icy Mountain]

Every time that I must tweak my QMS manual for a new revision of ISO9001, I agree a little more with He Who Shall Not Be Named that this certification business is a huge scam. Right now, there are hundreds of CB auditors (not the good ones) that have a list of "gotchas" where the most common mistakes will be made. Here's my list:

4.1 Understanding the organization and its context
Just wow. Really? Fortunately for the vague and ambiguous language here, my company already knows how to do this. We have four full day meetings per year with Executive Management and the folks that physically execute the elements required to achieve our strategic plan. Two meetings the Executives tell us the results of their analysis (i.e., The Strategic Plan). Two alternating meetings we tell the Executives what we shall do to make the plan possible and the ongoing results of those activities. We call these Strategic Alignment Meetings (SAM).

• 
  Need some vague and ambiguous verbiage in the QA Manual about this.

4.2 Understanding the needs and expectations of interested parties

• Need a to document a list of interested parties (e.g. stakeholders, customers, UL, CSA, etc.) in Management Review
• Need to point at documentation in the Product Development Control Process (PDCP) where requirements are determined
• Need to point at list of customers that require ISO certification

5.1 Leadership and commitment
5.1.1d) promoting the use of the process approach and risk-based thinking

• Need to coach Executives on specific Management Review Items where we have made risk/reward decisions
• Need to point to the process diagrams on every team metric board

6.1 Actions to address risks and opportunities
6.1.2

• Need to point at the above mentioned PDCP and SAM

6.2 Quality objectives and how to achieve them
6.2.2 Fortunately, the previous version of ISO14001 already had this gem so

• Need to copy the ISO14001 ENVIRONMENTAL objectives list in Management Review of what will be done, what resources will be required, who will be responsible, when it will be completed and how the results will be evaluated and translate for my QUALITY objectives

7.4 Communication
Once again, ISO14001 is ahead on this one.

• Need to document relevant internal and external communications about the QMS: what will it communicate, when, with whom, how and who will do it

Then TC176 ran out of gas and shuffled around and reworded the Product Realization and Measurement, Analysis and Improvement sections of ISO9001:2008. So, any of you RAB certified auditors working for CB's want to share the gotcha list they gave you what they taught you for the 2015 upgrade?

 

[DRAMMAN]

Are you looking at this from just a pass the audit perspective? Is possible for the 2015 changes to add value to your management system?

For example..is there anything in Organizational Context that can be a beneficial input to your companies Strategic Planning process?

 

[Mike S.]

Icy! Long time no see -- glad to see you here!

Ignoring the elephant of reasons behind the constant revisions of standards for a moment....

Word I got from a registrar auditor is that the key "focus" areas are gonna be risks associated with key processes and leadership, commitment and accountability of top management. And ya know, I don't have a problem with them focusing there, especially in the latter areas, because I so often see those areas lacking.

 

[DRAMMAN]

I don't know if I would call the changes constant. It is just once every 7 years. If they did not revisit the standard it would become obsolete.

I would suggest to anyone that they talk to their CB auditor to understand what they will be looking for regarding compliance. All of the major CB's are offering free training webinars and classes at minimal costs. This will at least help alleviate concerns regarding what objective evidence you need to avoid NC's.

 

[Icy Mountain]

Are you looking at this from just a pass the audit perspective? Is possible for the 2015 changes to add value to your management system?

Since I haven't been on for a while, you probably don't know my background. I rarely do anything just to pass the audit. However, I don't like getting caught by some useless shall that is interpreted in the most arcane way by the registrar's auditor. I have been running an TS16949 system since 2005. I have a long history of running a "best for business" QMS. There are some requirements that can have an incredibly positive impact on any business (e.g. the entirity of Section 8, Operation). There are other requirements that are virtually useless. I have a record that tracks incidents of premium freight in Management Review. Of course, we were tracking it before in accounting but the auditor did not accept that the Finance Department's $$$ tracking of the % of premium freight vs. regular freight was tracking "incidents".

That said, my system was written against the guidance in ISO9000 and ISO9004, not just "the standard". Please see the OP. My company is already so far ahead of this standard it's laughable. We have two global quality objectives: Keep warranty returns low and keep on time deliveries high. It looks like I only need to create the what, what, who, when, how for these so that there is a trail of breadcrumbs for the auditor. I know from experience that our day-to-day documentation of these items in support of our Environmental Objectives was not sufficient to satisfy the auditor. Yet, it was sufficient for us to achieve our objectives. Do you see the dichotomy?

Every team in my system has its own sub-goals that support both the global objectives and the strategic plan. Things like productivity, process yield, scrap, rework, utilization, etc. We have process diagrams, metric boards, continual improvement initiatives as requirements for all of these teams. We recognize and reward these teams with cash money for achieving their goals. My system is already exemplary, I don't need TC176 revising their thinking to help me improve my QMS. It merely subtracts from the time available to work on continual improvements that I know will benefit my company.

I don't know if I would call the changes constant. It is just once every 7 years. If they did not revisit the standard it would become obsolete.

Register to ISO9001, ISO14001, whatever it is now 16949 while also keeping up with the CS requirements and requirements for other standards like VDA and the changes are pretty much constant.

The vast majority of companies could implement a rather simple system that addresses the 9 pages of MIL-Q9858A (released 1963) or the simple the 18 sections of 10CFR50 Appendix B and have an extremely effective quality system. The rest of this is window dressing.

I would suggest to anyone that they talk to their CB auditor to understand what they will be looking for regarding compliance. All of the major CB's are offering free training webinars and classes at minimal costs. This will at least help alleviate concerns regarding what objective evidence you need to avoid NC's.

I started with my CB auditor. Most are not so helpful, lest they be suspected of "consulting". The Elsmar Cove is Quality Assurance and independent validation.

 

[Sidney Vianna]

Word I got from a registrar auditor is that the key "focus" areas are gonna be risks associated with key processes and leadership, commitment and accountability of top management.

Sounds like wishful thinking to me. There is a substantial percentage of 3[sup]rd[/sup] party auditors, which spend very little time with process owners and even less with "top management".

They overwhelmingly occupy their time with the "quality person" during an audit.

 

[DRAMMAN]

that is because prior ISO versions allowed for assigning the QMS to the MRQ. Now that there is no MRQ the intent is for the auditors to spend more time focuse don senior management.

 

[Icy Mountain]

Finally, as promised, my EFMEA form. Includes the trinity you need to prove that you have addressed in environmental aspects,the risks and opportunities in your Environmental Management System: EFMEA form, leads to Environmental Normative Reference and the Environmental Impacts Form. All three are reviewed and updated as necessary at Management Review.

P.S. Since we have been running a 16949 compliant system, DFMEA, PFMEA, the proprietary assessments of risk/reward that we do at the front end of APQP along with our comprehensive Management Review cover the whole identification of risks and opportunities for ISO9001. Not to mention the exhaustive Design Validation Plan and Reporting requirements to assure that products meet the design intent (all embedded in our Product Development and Control Process).

 

[Sidney Vianna]

that is because prior ISO versions allowed for assigning the QMS to the MRQ. Now that there is no MRQ the intent is for the auditors to spend more time focuse don senior management.

There was no "assigning" the QMS to the management representative function; the standard had clear responsibilities designated to the MR, but it was never intended that s/he would own the system. Previous versions of 9001 have always and clearly assigned ultimate responsibility of the QMS to top management. Auditors shy away from interfacing with top management for many reasons, but the standard was never a valid one.

 

[Mike S.]

Sounds like wishful thinking to me. There is a substantial percentage of 3[sup]rd[/sup] party auditors, which spend very little time with process owners and even less with "top management".

They overwhelmingly occupy their time with the "quality person" during an audit.

Maybe, maybe not. The registrar auditor who told me this works for our registrar so it may be more applicable to their customers than in general. I am sure some auditors will focus there, others will focus more elsewhere. Just sayin' what I heard.

IMO any additional focus on Top Management vs. the lower levels, even if only 5 minutes more per audit, is a good thing. YMMV