Re: Will ISO/TS16949 be aligned to ISO9001:2015 in the future?
Will IATF - AIAG ever align with the revision of ISO 9001 known as 2015, which is based upon ISO 31000, 31010, and Annex SL?
This is a tough one to answer, I would guess the real answer is it depends. ISO 9001:2015, and specifically most of the prescriptive MSS's under ISO are shifting to the Annex SL (High Level Structure) which is founded upon ISO 31000 (technical details in 31010). This can become a vast issue with Corporations and Businesses, especially in the United States.
Let me list some quotations from ISO 31010 and then discuss this topic:
From the Introduction to ISO 31010 - Identifying the Intended Scope of the application of Risk Management
1) Organizations of all types and sizes face a range of risks that may affect the achievement of their objectives. These objectives may relate to a range of the organization's activities, from strategic initiatives to its operations, processes and projects, and be reflected in terms of societal, environmental, technological, safety and security outcomes, commercial, financial and economic measures, as well as social, cultural, political and reputation impacts. All activities of an organization involve risks that should be managed. The risk management process aids decision making by taking account of uncertainty and the possibility of future events or circumstances (intended or unintended) and their effects on agreed objectives.
From section 4.2
2) A risk management framework provides the policies, procedures and organizational
arrangements that will embed risk management throughout the organization at all levels.
From section 4.3.3
3) For a specific risk assessment, establishing the context should include the definition of the external, internal and risk management context and classification of risk criteria:
b) Establishing the internal context involves understanding
capabilities of the organization in terms of resources and knowledge,
information flows and decision-making processes,
internal stakeholders,
objectives and the strategies that are in place to achieve them,
perceptions, values and culture,
policies and processes,
standards and reference models adopted by the organization, and
structures (e.g. governance, roles and accountabilities).
From section 4.3.4
4) Risks can be assessed at an organizational level, at a departmental level, for projects, individual activities or specific risks. Different tools and techniques may be appropriate in different contexts.
From ISO 9001:2015 section 4 - CD version
4 Context of the organization
4.1 Understanding the organization and its context
The organization shall determine external and internal issues, that are relevant to its purpose and its strategic
direction and that affect its ability to achieve the intended outcome(s) of its quality management system.
The organization shall update such determinations when necessary.
When determining relevant external and internal issues, the organization shall consider those arising from:
a) changes and trends which can have an impact on the objectives of the organization;
b) relationships with, and perceptions and values of relevant interested parties;
c) governance issues, strategic priorities, internal policies and commitments; and
d) resource availability and priorities and technological change.
Note 1 Understanding the external context can be facilitated by considering issues arising from legal, technological,
competitive, cultural, social, economic and natural environment, whether international, national, regional or local.
Note 2 When understanding the internal context the organization could consider those related to perceptions, values
and culture of the organization.
4.2 Understanding the needs and expectations of interested parties
The organization shall determine
a) the interested parties that are relevant to the quality management system, and
b) the requirements of these interested parties
The organization shall update such determinations in order to understand and anticipate needs or
expectations affecting customer requirements and customer satisfaction.
The organization shall consider the following relevant interested parties:
a) direct customers;
b) end users;
c) suppliers, distributors, retailers or others involved in the supply chain;
d) regulators; and
e) any other relevant interested parties.
Note: Addressing current and anticipated future needs can lead to the identification of improvement and innovation
opportunities.
Now let's list some discussion points:
Since ISO9001:2015 is based upon ISO31000 and 31010 it leaves its scope of Quality management and takes on the scope of Business Risk Assessment (at all levels).
This revision of ISO 9001:2015 mentions that it's risk based but leaves the door open to interpretation of what that specifically means, and does not mention but includes the texts of 31010. There are legal and structural ramifications to this standard which have not yet been discussed. Unless you have been deposed related to product liability, you might not have your thinking hat on concerning all the ramifications of this ISO MSS revision. Further, how many Quality people within most organizations have access to the governance documents of the business, or corporation? How many quality folks are familiar with the legal requirements and ramifications of partnership, LLC, C corp or S corp, or the SEC?
Looking at 31010 we see the words
1) All Activities
2) Organizational Activities including: Environmental, Safety, Security, Commercial, Financial, Economic, Political, etc. (very expanded scope)
3) Organizational Activities: Strategic Activities
4) Organizational Activities: Governance
5) Embedded at All levels
The only way anyone can understand the language of the ISO 9001:2015 revision, is to read the documents upon which it was founded (ISO 31000 and 31010). Not understanding these foundation documents could cause very serious consequences.
This means TC 176 left the door open for trained registrar auditors (trained in ISO 31000 and 31010), to force risk management upon organizations based upon the ISO 31010 texts:
at ALL levels
across ALL Activities of the organization
Governance and Strategic
Quality folks need to understand that ISO 9001:2015 can be interpreted as no longer being a Quality Management System standard (MSS) and that it can be interpreted based upon its foundation documents, to be a Business Management Risk Standard, to be implemented at the Strategic or Governance level (the Board Level) of the business or corporation downward.
One of the questions then becomes: are the folks at AIAG, ISO and the Registrars, ready to take on the Board members of a corporation and are the Quality Managers going to allow Registrars to dictate prescriptive requirements to the board level of their business? How do Executives and Mid level managers dictate to the Board level of the organization (corporate governance documents) the risk requirements intended from ISO 9001:2015, and defined in 31010?
Another question becomes: What are the legal ramifications which can be attached to implementing ISO 9001:2015 with its intent and thrust being risk management, which are based upon 31000 and 31010? With the level of intrusion that this new standard implies, it's best that the organization's legal team become involved prior to anyone implementing this standard. The legal ramifications of this standard could be very damaging should product liability become an issue once a corporation becomes registered to ISO 9001:2015. Since US law is based upon the premise of "to know or have reason to know" and since ISO 9001:2015 is based upon 31000 and 31010, corporations have reason to know what those risk standards require. Product liability attorneys could therefore easily make the connection and use ISO 31000 and 31010 against any corporation, and at any level, for any activity, who are registered to ISO 9001:2015.
Another question becomes: How does a Quality Manager or an Executive limit the ISO 31010 statement of "all levels" and "across all activities"? This would require some very specific and legal language for the QMS scope. (tip toe)
Another question becomes: Why have various standards (MSS's environmental, safety etc.) if the inclusion of all is retained within any one? Reading section 4 of ISO 9001:2015 it becomes clear that the intent of this MSS is no longer limited to Quality Management. If the intent of the High level structure (Annex SL) is to promote Risk management at all functions and all levels of a business or corporation and the language includes other aspects (environmental, safety, security, political, social etc.) then why have multiple MSS's?
Another question becomes: How will an organization embed risk management at all levels, and prove what was embedded is effective? Simply the vastness of this one activity could be extremely costly and daunting, especially without bounds in either the ISO 9001 MSS or ISO 31010.
With these specific things in mind it becomes clear that extreme caution be the order of the day before jumping on board with this new revision of what used to be a Quality management system standard. For the IATF & AIAG this standard becomes a challenge to their authority, can they step outside the scope of quality management at an organization level, and into the scope of business risk management at a board and investor level?
Some people have indicated that the IATF and AIAG simply have no choice but to adhere to ISO 9001:2015, but that is not exactly true. If ISO has expanded their authority past the scope of an organization's operational quality management, then each country's standards body has the ability to create their own operational system standards for quality, environmental, safety, security, etc., especially since all countries have some level of regulatory requirement for the same.
I don't think at this point, all of the ramifications related to the ISO paradigm shift from QMS at an operational level, to Business Risk Management at a board level, have been considered. IATF & AIAG most likely have cooled off due to the legal ramifications of ISO 9001:2015. I would additionally state that ISO TC 176, failed their own requirements of ISO 31000 and 31010, by not including interested parties and stakeholders (Corporate Executive and Board members, product liability attorneys etc.) in the design and scope change related to this MSS revision. I expect many to take a wait and see attitude before jumping "all in" related to ISO 9001:2015. There will be "gung ho" folks initially, but cooler minds will prevail once the full ramifications of this version of the ISO "quality" MSS are fully understood.