UNDERSTANDING QMS

ISO 9001:2015

Abstract
ISO 9001 is the international standard that specifies requirements for a quality
management system (QMS). Organizations use the standard to demonstrate the
ability to consistently provide products and services that meet customer and
regulatory requirements. This Document helps you to understand the new
standard and ease transition.

Eng. Akram Malkawi

[email protected]
 ISO 9001:2015

A. Understanding ISO 9001:2015

ISO 9001 is the international standard that specifies requirements for a quality management system
(QMS). Organizations use the standard to demonstrate the ability to consistently provide products
and services that meet customer and regulatory requirements. It is the most popular standard in the
ISO 9000 series and the only standard in the series to which organizations can certify. Successful
businesses understand the value of an effective Quality Management System that ensures the
organization is focused on meeting customer requirements and they are satisfied with the
products and services that they receive. ISO 9001 is the world’s most recognized management
system standard and is used by over a million organizations across the world. The new version has
been written to maintain its relevance in today’s marketplace and to continue to offer organizations
improved performance and business benefits.

ISO 9001 was first published in 1987 by the International Organization for Standardization (ISO), an
international agency composed of the national standards bodies of more than 160 countries. The
current version of ISO 9001 was released in September 2015. ISO 9001:2015 applies to any
organization, regardless of size or industry. More than one million organizations from more than 160
countries have applied the ISO 9001 standard requirements to their quality management
systems. Organizations of all types and sizes find that using the ISO 9001 standard helps them
organize processes, improve the efficiency of processes and continually improve. With the 2015
version of ISO 9001 you can have an integrated approach with other management system
standards. Bring quality and continual improvement into the heart of the organization. Increase
involvement of the leadership team. Introduce risk and opportunity management. It’s much less
prescriptive than the 2008 version and can be used as a more agile business improvement tool. This
means that you can make it relevant to the requirements of your own organization to
gain sustainable business improvements. One of the major changes to ISO 9001 is that it brings
quality management and continual improvement into the heart of an organization. This means that
the new standard is an opportunity for organizations to align their strategic direction with their
quality management system. The starting point of the new version of ISO 9001 is to identify internal
and external parties who support the QMS. This means that it can be used to help enhance and
monitor the performance of an organization. The new standard will help you become a more
consistent competitor in the marketplace. It will provide better quality management that helps you
to meet present and identify future customer needs. It increases efficiency that will save you time,
money and resources. It improves operational performance that will cut errors and improves profits.
It will motivate, engage and involve staff with more efficient internal processes. It will help you win
more high value customers, and achieve improved customer retention with better customer service.
1

It will broaden business opportunities by demonstrating compliance

 ISO 9001:2015

All ISO management system standards are subject to a regular review under the rules by which they
are written. Following a substantial user survey the committee decided that a review was
appropriate and created the following objectives to maintain its relevance in today’s marketplace:

 Integrate with other management systems

 Provide an integrated approach to organizational management
 Provide a consistent foundation for the next 10 years
 Reflect the increasingly complex environments in which organizations’ operate
 Ensure the new standard reflects the needs of all potential user groups
 Enhance an organization’s ability to satisfy its customers

1. Structure and terminology

The most significant change we will see in ISO 9001:2015 is the new structure. ISO 9001:2015 is
based on Annex SL – the new high level structure. This is a common framework for all
ISO management systems. This helps to keep consistency, align different management system
standards, offer matching sub-clauses against the top level structure and apply common language
across all standards. It will be
easier for organizations to incorporate their QMS into core business processes and get more
involvement from senior management. The Plan-Do-Check-Act (PDCA) cycle can be applied to all
processes and to the quality management system as a whole. The reason for the change is to adopt
the common approach outlined in Annex SL, the new document that all ISO management system
standards, including ISO 9001, ISO 14001 and the recently released ISO 27001, must follow.
Currently, ISO 9001 contains 8 sections, of which four attempt to approximate “Plan, Do, Check, And
Act.” The new structure, based on Annex SL, has 10 sections four of which also approximate to “plan,
do, check, and act.” All new management system standards will have this common structure.
2
 ISO 9001:2015

New structure:

1. Scope
This section describes the scope of the management system standard and will be unique to the
individual standard. Clause 1 details the scope of the standard and there has been very little
change to this clause from ISO 9001:2008.

2. Normative References
This section references other relevant standards, which are indispensable for the application of
the document and will also be unique. ISO 9000, Quality Management System – Fundamental
and vocabulary is referenced and provides valuable guidance.

3. Terms and Definitions

Section three contains definitions, and while some of these are common terms related to Annex
SL, other definitions will be unique to the management system standard. All the terms and
definitions are contained in ISO 9000:2015 – Quality Management – Fundamentals and
vocabulary.

4. Context of the Organization

This part is about understanding the organization’s purpose, the management system and who
the stakeholders are. It describes how to set up the management system and is similar in some
respects to the old section 4 except that it explicitly requires a broader understanding of the
situation and needs of the business. This is a new clause that establishes the context of the QMS
and how the business strategy supports this. The ‘context of the organization’ is the clause that
underpins the rest of the new standard. It gives an organization the opportunity to identify and
3
 ISO 9001:2015

understand the factors and parties in their environment that support the quality management
system. Firstly, the organization will need to determine external and internal issues that are
relevant to its purpose, i.e. what are the relevant issues, both inside and out, that have an impact
on what the organization does, or that would affect its ability to achieve the intended outcome(s)
of its management system. It should be noted that the term “issue” covers not only
problems which would have been the subject of preventive action in previous standards, but also
important topics for the management system to address, such as any market assurance and
governance goals that the organization might set. Secondly an organization will also need to
identify the “interested parties” that are relevant to their QMS. These groups could
include shareholders, employees, customers, suppliers, and even pressure groups and regulatory
bodies. Each organization will identify their own unique set of “interested parties” and over time
these may change in line with the strategic direction of the organization. Next the scope of the
QMS must be determined. This could include the whole of the organization or specific identified
functions. Any outsourced functions or processes will also need to be considered in the
organization’s scope if they are relevant to the QMS. The final requirement of Clause 4 is to
establish, implement, maintain and continually improve the QMS in accordance with
the requirements of the standard. This requires the adoption of a process approach and although
every organization will be different, documented information such as process diagrams or
written procedures could be used to support this
4.1 Understanding the organization and its context.
A new requirement; one of several that might suggest a greater union between the QMS and
wider business planning activities. Requires organizations to ascertain, monitor and review both
internal and external issues that are relevant to its purpose and strategic direction, and have the
ability to impact the QMS and its intended results.
4.2 Understanding the needs and expectations of interested parties.
A broadening of scope beyond just customers. Requires the organization to determine “the
relevant requirements” of “relevant interested parties” e.g. a person or organization that can
affect, be affected by, or perceive themselves to be affected by a decision or activity.

4.3 Determining the scope of the QMS.

The scope statement must state the products and services covered.
4.4 The QMS and its processes.
A major change that specifies a number of factors to be considered when planning the processes
that make up the QMS. Although a process-planning approach has been previously expressed in
earlier standards, this greatly reinforces the requirement.
4
 ISO 9001:2015

5. Leadership
This section provides requirements for commitment, policy and responsibilities. This section is
similar to the old section 5 on Management but the emphasis is perhaps more on leadership than
just management. This clause places requirements on “top management” which is the person or
group of people who directs and controls the organization at the highest level. It is no longer the
responsibility of an individual or to have a “Management Representative” who is responsible for
the QMS. There is an increased emphasis on people “owning” the QMS rather than one individual.
The purpose of these requirements is to demonstrate leadership and commitment by leading
from the top. Top management now have greater involvement in the management system and
must ensure that the requirements of it are integrated into the organization’s processes and that
the policy and objectives are compatible with the strategic direction of the organization.
The quality policy should be a living document, at the heart of the organization. To ensure this,
top management are accountable and have a responsibility to ensure the QMS is made available,
communicated, maintained and understood by all parties. There is also a greater focus on top
management to enhance customer satisfaction by identifying and addressing risks
and opportunities that could affect this. Top management need to demonstrate consistent
customer focus by showing how they meet customer requirements, regulatory and statutory
requirements, and also how the organization maintains enhanced customer satisfaction. In the
same context, they need to have a grasp of the organization’s internal strengths and weaknesses
and how these could have an impact to deliver products or services. This will strengthen
the concept of business process management. In addition, top management need to demonstrate
an understanding of the key risks associated with each process and the approach taken to
manage, reduce or transfer the risk. Finally, the clause places requirements on top management
to assign QMS relevant responsibilities and authorities, but must
remain accountable for the effectiveness of the QMS.
5.1 Leadership and commitment.
Greater emphasis is placed on the role of top management. Requires top management to
“demonstrate leadership and commitment”, and suggests that a more hands-on approach is
expected.
5
 ISO 9001:2015

5.2 Policy.
Policy requirements are enhanced. A requirement is introduced that the quality policy is
appropriate to the context of the organization, and that it is applied throughout the organization.
5.3 Organizational roles, responsibilities and authorities.
The requirement for a Management representative is no longer specified. The duties previously
assigned to that role may now be assigned to any role or split across several roles.

6. Planning
Planning is now a section on its own. Planning was always covered by the current standard in
sections 4.1, 6.1, 7.1 and 8.1 but the new structure includes risk (which is now a clear
requirement) and opportunities, the setting of goals and objectives to achieve plans, and
resources. Interestingly, risk was introduced in AS9100 (the aerospace version of ISO 9001) in a
similarly limited manner. In the latest version of AS9100, however, risk was expanded and defines
a number of specific requirements/activities for a risk process. It will be interesting to see whether
ISO will leave the requirement for risk as a general requirement as defined in Annex SL or whether
it will take AS’s lead and expand it. This planning section also requires a greater application of
goals and objectives to integrate with the management system’s planning and operation to
generally facilitate success of the organization.

Planning has always been a familiar element of ISO 9001, but now there is an increased focus on
ensuring that it is considered with Clause 4.1 ‘context of the organization’ and Clause 4.2
‘interested parties’. The first part of this clause concerns risk assessment whilst the second part is
concerned with risk treatment. When determining actions to identify risks and opportunities
these need to be proportionate to the potential impact they may have on the conformity of
products and services. Opportunities could for example include new product launches,
geographical expansion, new partnerships, or new technologies. The organization will need to
plan actions to address both risks and opportunities, how to integrate and implement the actions
into its management system processes and evaluate the effectiveness of these actions. Actions
must be monitored, managed and communicated across the organization. Another key element of
this clause is the need to establish measurable quality objectives. This clause retains some of
the requirements contained in Clause 5.4 of the 2008 version but is more specific. Quality
objectives now need to be consistent with the quality policy, relevant to the conformity of
products and services as well as enhancing customer satisfaction. The last part of the clause
considers planning of changes which must be done in a planned and systemic manner. There is a
need to identify the potential consequences of changes, determine who is involved, when
6

changes are to take place, what resource needs to be allocated.

 ISO 9001:2015

6.1 Actions to address risks and opportunities.

A major change introduced to require a risk-based approach. In addition to this clause, reference
to the terms ‘risk’ and ‘opportunity’ are made throughout the standard.
6.2 Quality objectives and planning to achieve them.
Requirements for objective planning are tightened up. An objective should include a description
of who is responsible, what is the target, when is it planned to be achieved. Progress must be
monitored. Also, requires objectives to be set for relevant processes.
6.3 Planning of changes.
The clause lists items to be considered in change management.

7. Support
The support section includes most of the expected support processes that exist in an organization
and which are covered in the current ISO standard. Clause 7 ensures there are the right resources,
people and infrastructure to meet the organizational goals. It requires an organization to
determine and provide the necessary resources to establish, implement, maintain and continually
improve the QMS. Simply expressed, this is a very powerful requirement covering all QMS
resource needs and now covers both internal and external resources. Clause 7.1 builds on Clauses
6.1, 6.2, 6.3 and 7.6 from 2008 and splits into 5 sub-clauses. There are additional requirements to
meet applicable statutory and regulatory requirements. The sub-clauses continues to cover
requirements for infrastructure and environment for the operation of processes. Monitoring and
measuring has been changed to include resources, such as personnel or training. Organizational
knowledge is a new requirement which deals with requirements for competence, awareness, and
communication of the QMS. Personnel must not only be aware of the quality policy, but they
must also understand how they contribute to it and what the implications of not conforming
are. There is a key requirement to maintain the knowledge held by an organization to ensure
conformity of products and services. This could include the knowledge held by an individual as
well as for example, the intellectual property of an organization. Organizations are required to
examine whether the current knowledge they have is sufficient when planning changes and
whether any additional knowledge is required. Finally there are the requirements for
“documented information”. This is a new term, which replaces the references in the 2008
standard to “documents” and “records”. Organizations need to determine the level of
documented information necessary to control the QMS. This will differ between organizations due
to size and complexity. In line with the increased importance of information security
in organizations, there is also greater emphasis on controlling access to documented information
such as use of passwords. Organizations should also have systems in place to provide a back-up
should IT systems crash. Human resources is renamed as “competence”, and communication,
7

which will require a new approach in most organizations, is given its own section rather than a
 ISO 9001:2015

mention as a management responsibility. Finally, document control has been renamed

“documented information.” It now covers both procedure/document control and records control.
7.1 Resources.
7.2 Competence.
7.3 Awareness.
There is an expansion of application from “personnel” to “persons doing work under the
organization’s control”.
7.4 Communication.
Now includes external communication about the QMS.
7.5 Documented information.
New requirement to determine, make available, and maintain knowledge. No requirement for
quality manual or procedures. “Documents”, “Documentation” and “Records” are combined to
become “Documented information”.
Requirements are expanded to mention issues such as confidentiality, access, and (data) integrity.
This suggests an adoption of information security considerations in recognition of the increasing
use of electronic documents/data.

8. Operation
This is a relatively short section, which essentially says “Do a good job” at whatever your
management system is trying for. This clause deals with the execution of the plans and processes
that enable the organization to meet customer requirements and design products and services. It
includes much of what was previously referred to in Clause 7 of the 2008 version, but there is
greater emphasis on the control of processes especially planned changes and review of
the consequences of unintended changes, and mitigating any adverse effects as necessary. The
revised version of the standard acknowledges the trend towards greater use of subcontractors and
outsourcing. This is demonstrated by the requirement to establish criteria for monitoring the
performance of these parties in addition to keeping records used to establish selection criteria. The
Clauses continue to cover ‘Requirements for products and services’ which remains largely
unchanged from the 2008 version. However, it now requires communication with regards to
contingency actions where required and also the treatment of customer property. A
new requirement for communicating with ‘potential’ customers is also included, useful for bringing
new offerings or solutions to the market. There are more explicit requirements in terms of the
standards or codes of practice that the organization has committed to implement; internal and
external resource needs for the design and development of products and services and finally the
potential consequences of failure due to the nature of products and services. There is also a new
clause which covers post-delivery activities. This could include activities such as maintenance
8
 ISO 9001:2015

programmes or work carried out under warranty, and activities covering final disposal or recycling
of the product.

When determining the extent of these activities organizations must consider the risks associated
with a product or service, customer requirements, customer feedback, and any
statutory requirements. In a welcome change of terminology, the rather clumsy ‘Product
realization’ becomes ‘Operations’
8.1 Operational planning and control.
8.2 Requirements for products and services.
8.3 Design and development of products and services.
This may be interpreted that more organizations do some form of design and development.
8.4 Control of externally provided processes, products and services.
An expansion of scope – from just suppliers to also include other external providers of products
and services. Purchasing” and “Purchased product” become “Externally provided products and
services”.
8.5 Production and service provision.
An expansion on previous requirements e.g. documented information to specify intended results,
and to determine the nature and extent of any post-delivery (after-sales) activities.
8.6 Release of products and services.
8.7 Control of nonconforming outputs.

9. Performance Evaluation
The section on evaluation includes monitoring, measurement and analysis, internal audits and
management review. All familiar topics with some subtle changes. Performance evaluation covers
many of the areas previously featured in Clause 8 of the 2008 version. Requirements for monitoring,
measurement, analysis and evaluation are covered and you will need to consider what needs to be
measured, methods employed, when data should be analysed and reported on and at
what intervals. Documented information that provides evidence of this must be retained. There is
now an emphasis on directly seeking out information that relates to how customers view the
organization. Organizations must actively seek out information on customer perception. This can
be achieved in a number of ways including satisfaction surveys, analysis of market share, and
through complaints logged. There is now an explicit requirement that organizations must show how
the analysis and evaluation of this data is used, especially with regards to the need for
improvements to the QMS. Internal audits must also be conducted and this is largely unchanged
from those in the 2008 version.
9
 ISO 9001:2015

There are additional requirements relating to defining the ‘audit criteria’ and ensuring the results
of the audits are reported to ‘relevant’ management’. Management reviews are still required but
there are additional requirements including the consideration of changes in external and internal
issues that are relevant to the QMS.

Documented information must be retained as evidence of management reviews.

9.1 Monitoring, measurement, analysis and evaluation.
There is a new requirement to obtain information relating to customer views and opinions of the
organization.
9.2 Internal audit.
Audit schedule must take customer feedback into account.
9.3 Management review.
Expanded requirements for management review inputs or agenda.

10.Improvement
Improvement covers nonconformity and corrective action, as well as continual improvement, all
of which are outlined in section 8 of the current standard. There is no preventive action section
any more as effectively it is replaced by “risk” under planning – improvement is now defined as a
proactive planning activity. This clause starts with a new section that organizations
should determine and identify opportunities for improvement such as improved processes to
enhance customer satisfaction. There is also a need to actively look for opportunities to improve
processes, products and services, and the QMS, especially with future customer requirements in
mind. Due to the new way of handling preventive actions, there are no preventive action
requirements in this clause. However, there are some new corrective action requirements. The
first is to react to the nonconformities and take action, as applicable, to control and
correct the nonconformities and deal with the consequences. The
second is to determine whether similar nonconformities exists or
could potentially occur. The requirement for continual improvement has been extended to cover
the suitability and adequacy of the QMS as well as its effectiveness, but it no longer specifies how
an organization achieves this.
10.1 General.
10.2 Nonconformity and corrective action.
Specific reference to preventive action is removed.
Now includes an additional requirement to record the nature of nonconformities.
On discovering a nonconformity, an explicit requirement is introduced for organizations to
determine whether other similar nonconformities actually exist, or could potentially exist.
10

10.3 Continual improvement.


B. Comparison between ISO 9001:2015 and ISO 9001:2008 & Interpretations
ISO 9001:2015
4 Context of the organization
4.1 Understanding the
organization and its context
4.2 Understanding the needs and
expectations of interested parties
4.3 Determining the scope of the
quality management system
4.4 Quality management system
and its processes
5 Leadership
5.1 Leadership and commitment
5.1.1 General
5.1.2 Customer focus
5.2 Policy
5.2.1 Developing the quality
policy
5.2.2 Communicating the quality
policy
5.3 Organizational roles,
responsibilities and authorities
6 Planning
6.1 Actions to address risks and
opportunities
6.2 Quality objectives and
planning to achieve them
6.3 Planning of changes
7 Support
7.1 Resources
7.1.1 General
7.1.2 People
7.1.3 Infrastructure
7.1.4 Environment for the
operation of processes
7.1.5 Monitoring and measuring
resources
11
7.1.6 Organizational knowledge
ISO 9001:2015
ISO 9001:2008
1.0 Scope
1.1 General
1.1 General
1.2 Application
4.2.2 Quality manual
4 Quality management system
4.1 General requirements
5 Management responsibility
5.1 Management commitment
5.1 Management commitment
5.2 Customer focus
5.3 Quality policy
5.5.1 Responsibility and authority
5.5.2 Management
representative
5.4.2 Quality management
system planning
5.4.2 Quality management
system planning
8.5.3 Preventive action
5.4.1 Quality objectives
5.4.2 Quality management
system planning
6 Resource management
6 Resource management
6.1 Provision of resources
6.1 Provision of resources
6.3 Infrastructure
6.4 Work environment
7.6 Control of monitoring and
measuring equipment
New

7.2 Competence
7.3 Awareness
7.4 Communication
7.5 Documented information
7.5.1 General
7.5.2 Creating and updating
7.5.3 Control of documented
Information
8 Operation
8.1 Operational planning and
control
8.2 Requirements for products
and services
8.2.1 Customer communication
8.2.2 Determination of
requirements related to products
and services
8.2.3 Review of requirements
related to the products and
services
8.2.4 Changes to requirements
for product and services
8.3 Design and development of
products and services
8.3.1 General
8.3.2 Design and development
planning
8.3.3 Design and development
inputs
8.3.4 Design and development
controls
8.3.5 Design and development
outputs
8.3.6 Design and development
changes
12
8.4 Control of externally provided 7.4.1 Purchasing process and
processes, products
ISO 9001:2015
6.2.1 General
6.2.2 Competence, training and
awareness
6.2.2 Competence, training and
awareness
5.5.3 Internal communication
4.2 Documentation requirements
4.2.1 General
4.2.3 Control of documents
4.2.4 Control of records
4.2.3 Control of documents
4.2.4 Control of records
7 Product realization
7.1 Planning of product
realization
7.2 Customer-related processes
7.2.3 Customer communication
7.2.1 Determination of
requirements related to the
product
7.2.2 Review of requirements
related to the product
7.3 Design and development
New
7.3.1 Design and development
planning
7.3.2 Design and development
inputs
7.3.4 Design and development
review
7.3.5 Design and development
verification
7.3.6 Design and development
validation
7.3.3 Design and development
outputs
7.3.7 Control of design and
development changes
services

8.4.1 General
8.4.2 Type and extent of control
8.4.3 Information for external
providers
8.5 Production and service
provision
8.5.1 Control of production and
service provision
8.5.2 Identification and
traceability
8.5.3 Property belonging to
customers or external providers
8.5.4 Preservation
8.5.5 Post-delivery activities
8.5.6 Control of changes
8.6 Release of products and
services
8.7 Control of nonconforming
outputs
9 Performance evaluation
9.1 Monitoring, measurement,
analysis and evaluation
9.1.1 General
9.1.2 Customer satisfaction
9.1.3 Analysis and evaluation
9.2 Internal audit
9.3 Management review
9.3.1 General
9.3.2 Management review inputs
9.3.3 Management review
outputs
10 Improvement
10.1 General
10.2 Nonconformity and
corrective action
10.3 Continual Improvement
13
ISO 9001:2015
7.4.1 Purchasing process
7.4.1 Purchasing process
7.4.3 Verification of purchased
product
7.4.2 Purchasing information
7.5 Production and service
provision
7.5.1 Control of production and
service provision
7.5.3 Identification and
traceability
7.5.4 Customer property
7.5.5 Preservation of product
7.5.1 Control of production and
service provision
7.3.7 Control of design and
development changes
8.2.4 Monitoring and
measurement of processes
7.4.3 Verification of purchased
product
8.3 Control of nonconforming
product
New
8 Measurement, analysis and
improvement
8.1 General
8.2.1 Customer satisfaction
8.4 Analysis of data
8.2.2 Internal audit
5.6 Management review
5.6.1 General
5.6.2 Review inputs
5.6.3 Review outputs
8.5 Improvement
8.5.1 Continual improvement
8.3 Control of nonconforming
product
8.5.2 Corrective action
8.5.1 Continual improvement
 ISO 9001:2015

The structure is based on the mandate that Annex SL from the ISO Directives be applied to
management system standards. The clause structure and some of the terminology in ISO 9001:2015 is
different than ISO 9001:2008 to improve alignment with other management system standards. The
structure is to provide a presentation of requirements. It is not a model for document for documenting
the organization’s policies, objectives and processes. There is no requirement for the structure of an
organization’s quality management system documentation to mirror that of this International
Standard.

Major differences in terminology between ISO 9001:2008 and ISO 9001:2015

ISO 9001:2008 ISO 9001:2015

Products Products and services
Exclusions Applications
Documentation, Documented information
records
Work Environment Environment for the operation of
processes
Purchased Product Externally provided products and services
Supplier External provider

2. Products and services

ISO 9001:2008 used product to include all output categories such as products, services, processed
materials, and hardware. In ISO 9001:2015 the term product have been replaced by term product and
services and includes all output categories such as hardware, services, software and processed
materials. The term services is to highlight the difference between products and services in the
application of some requirements. In most cases, the terms are used together. In some cases, the word
product is only used to specify a certain requirement.

3. Context of the organization

An organization’s context involves its “operating environment.” The context must be determined both
within the organization and external to the organization. To establish the context means to define the
external and internal factors that the organizations must consider when they manage risks. An
organization’s external context includes its outside stakeholders, its local operating environment, as
well as any external factors that influence the selection of its objectives (goals and targets) or its ability
to meet its goals. An organization’s internal context includes its internal stakeholders, its approach to
governance, its contractual relationships with its customers, and its capabilities and culture.
14

The internal context may include, but is not limited to:

 ISO 9001:2015

 Product and service offerings

 Governance, organizational structure, roles, and accountability.
 Regulatory requirements
 Policies and goals, and the strategies that are in place to achieve them.
 Assets like facilities, property, equipment and technology
 Capabilities, understood in terms of resources and knowledge like capital, time, people, processes,
systems, and technologies.
 Information systems, information flows, and decision-making processes (both formal and informal).
 Relationships of the staff/volunteers/members and the perceptions and values of their internal
stakeholders including suppliers and partners.
 Organization’s culture.
 Standards, guidelines, and models adopted by the organization and
 Form and extent of the organization’s contractual relationships.
The external context’s micro-environment consists of the organization’s immediate operations and
how they affect its performance and decision-making. Some of the micro-environmental context
factors

 Customers – Organizations must attract and retain customers by offering products services that
meet their needs along with providing excellent customer service
 Employees/Members/Volunteers – There must be availability of people with the motivation to
remain as contributing members of the organization and develop the skills necessary to provide a
competitive edge
 Suppliers – Suppliers provide organizations with the resources they need to carry out their
activities. If a supplier provides bad service, this affects the way the organization operates. Close
supplier relationships are an effective way to remain competitive and secure the resources needed
 Investors – All organizations require investment to grow. They may borrow the money from a bank
or have people invest in their work. Relationships with investors need to be managed carefully as
problems can detrimentally affect the long term success of the organization
 Media – Positive media attention can bring success to the organization by maintaining its
reputational strength. Managing the media (including the presence in social media) is a challenge.
 Competitors – Members of the organization need to have a sense of belonging. Can the
organization offer benefits that are better than those offered by the competitors? Is there a strong
value proposition? Competitor analysis and monitoring is crucial if an organization is to maintain or
improve its position in the competitive landscape of the community. The organization must always
be aware of its competitor’s activities. The landscape can change quickly.
There are two new clauses relating to the context of the organization, 4.1 Understanding the
15

organization and its context and 4.2 Understanding the needs and expectations of interested parties.
 ISO 9001:2015

Together these clauses require the organization to determine the issues and requirements that can
impact on the planning of the quality management system. Interested parties cannot go beyond the
scope of ISO 9001.There is no requirement to go beyond interested parties that are relevant to the
quality management system. Consider impact on the organization’s ability to consistently provide
products and services that meet customer and applicable statutory and regulatory requirements or
the organization’s aim to enhance customer satisfaction. Organizations can go beyond the minimum
requirements to determine additional needs and expectations for interested parties that would not be
“relevant” at the discretion of organization and should be clear in quality management system.

Clause 4.1 Understanding the Organization and its context

The organization should determine external and internal issues for the organization relevant to its
purpose, strategic planning and which affect the organization’s ability to achieve its objectives. The
Organization should monitor and review the information about external and internal issues.
Management Review required the monitoring of external and internal issues. The organization must
consider issues related to values, culture knowledge and performance of the organization for
understanding of internal issues. The organization must consider issues related to arising from legal,
technological, competitive, market, cultural, social, and economic environments, whether
international, national, regional or local for understanding of external context.

Clause 4.2 Understanding the needs and expectations of interested parties

The organization shall determine relevant interested parties and requirements of relevant interested
parties. Interested parties include Customers, Partners, Persons in the organization, External providers.
Relevant interested parties to be considered are those that potentially could impact the organization’s
ability to provide products and services that meet requirements. Monitor and review information
related to interested parties and relevant requirements. Management Review requires the monitoring
of relevant interested parties.

Clause 4.3 determining the scope of the quality management system

The organization must establish scope of the quality management system by determining the
boundaries and applicability of the quality management system. While determining the scope the
organization must consider the internal and external issues determined in 4.1, the requirements of
relevant interested parties in 4.2. And the products and services of the organization.

Requirements that can be applied by the organization shall be applied. Requirements that cannot be
applied cannot affect the organization’s ability to provide product and services that meet
requirements. The organization must maintain scope as documented information. Stating the Products
16

and services covered by the QMS and any Justification where a requirement cannot be applied.
 ISO 9001:2015

Any interested party which is not relevant to the quality management system need not be considered
and similarly any requirement of the interested party need not be considered. Determining what is
relevant or not relevant is dependent on whether or not it has an impact on the organization’s ability
to consistently provide products and services that meet customer and applicable statutory and
regulatory requirements or the organization’s aim to enhance customer satisfaction. The organization
can decide to determine additional needs and expectations that will meet its quality objectives.
However, it is at the organization’s discretion whether or not to accept additional requirements to
satisfy interested parties beyond what is required by this Standard.

4. Risk-based approach
The main objectives of ISO 9001 is to provide confidence in the organization’s ability to consistently
provide customers with conforming goods and services and to enhance customer satisfaction. The
concept of “risk” in the context of ISO 9001 relates to the uncertainty in achieving these objectives.
This International Standard makes risk-based thinking more explicit and incorporates it in
requirements for the establishment, implementation, maintenance and continual improvement of the
quality management system. Organizations can implement a formal risk management program such
as 31000, but there is no requirement to do so. The concept of risk has always been implicit in ISO
9001, this revision makes it more explicit and builds it into the whole management system. Risk-based
thinking is already part of the process approach. Risk-based thinking makes preventive action part of
the routine. Risk-based thinking can also help to identify opportunities. Organizations are required to
understand the context of the organization and any external and internal issues (clause 4.1).Risks and
opportunities are determined in clause 6.1.One of the key purposes of a quality management system
is to act as a preventive tool.

ISO 9001:2015 does not have a separate clause titled preventive action. The concept of preventive
action is controlled through risk-based thinking and managing risks and opportunities identified in
clause 6.1

Clause 6.1 Actions to address risks and opportunities

Consider the issues determined in clause 4.1 and consider the requirements for relevant interested.
The organization should determine risks and opportunities to assure that that the quality
management system can achieve its objective, prevent or reduce undesired effects, and for continual
improvement. Intended results cannot be achieved. Organization shall plan actions to address risks
and opportunities which should be appropriate to the potential impact. The action of risk and
opportunities must be integrated and implemented into the QMS processes. The effectiveness of
these action must be evaluated.
17

NOTE: No formal risk management program is required.

 ISO 9001:2015

5. Applicability
The revised standard will focus on application and not exclusions. There are no limits to which
clauses where application can be determined. Justification will be required as documented
information to ensure that limited application does not affect the organization’s ability to provide for
the provision of product and services. The application of requirements may vary. Where a
requirement can be applied within the scope of its quality management system, the organization
cannot decide that it is not applicable. Where a requirement cannot be applied (for example where
the relevant process is not carried out) the organization can determine that the requirement is not
applicable. However, this non-applicability cannot be allowed to result in failure to achieve
conformity of products and services or to meet the organization’s aim to enhance customer
satisfaction. A manufacturing organization that does not have any monitoring and measuring
resources could determine requirements in 7.1.5 do not apply. Organizations that build from a
customer provided design could determine requirements for design in 8.3 do not apply.
Organizations could not determine that requirements such as competence are not applicable since
this directly affects the ability to provide product that meets requirements.

6 Documented information
The term “documented procedure” and “record” have both been replaced by “documented
information”. Where ISO 9001:2008 would have referred to documented procedures (e.g. to define,
control or support a process) this is now expressed as a requirement to maintain documented
information. Where ISO 9001:2008 would have referred to records this is now expressed as a
requirement to retain documented information. The current draft of ISO 9001 does not require a
quality manual or documented procedure as Annex SL does not require documented procedures or a
quality manual. The requirements in 7.5 are similar to ISO 9001:2008 – 4.2.3 Control of documents and
4.2.4 Control of Records.

As discussed earlier, documents and records now come under documented information.
The requirements for documented information are spread throughout the standard. In summary
they are:

 4.3 Scope of the QMS

 4.2 Support operation of its processes and needed for confidence.
 5.2.2 a) Quality policy
 6.2.1 Quality objectives
 7.1.5.1 Monitoring and measuring resource – fitness for purpose
 7.1.5.2 Basis used for calibration or verification
18

 7.2 d) Evidence of competence

 ISO 9001:2015

 7.5.1 b) Documented information determined by the organization as being necessary for the
effectiveness of the QMS
 8.1 e) Extend necessary (for confidence in processes and product/service conformity)
 8.2.3.2 Review of requirements related to products and services
 8.2.4 Amended documented information
 8.3.2 Design and development requirements met
 8.3.3 Design and development inputs
 8.3.4 Design and development control activities
 8.3.5 Design and development outputs
 8.3.6 Design and development changes/results of reviews etc.
 8.4.1 Results of evaluations, monitoring, re-evaluations of external providers
 8.5.1 a) Characteristics of the products/services, activities to be performed , and result achieved.
 8.5.2 Maintain traceability
 8.5.3 Reports on what has occurred
 8.5.6 Control of changes – results of reviews, personnel authorizing, necessary actions
 8.6 Release of products and services – traceability of person(s) authorizing release, evidence of
conformity
 8.7.2 Describes nonconformity, actions taken, concessions, authority
 9.1.1 Evidence of the monitoring and measurement results
 9.2 f) Evidence of the audit programme (s) and the audit results
 9.3.3 Evidence of the results of management reviews
 10.2.2 Evidence of the results of any corrective action and the, nature of the nonconformity.

7. Organizational knowledge
The organization shall determine the knowledge necessary for the operation of the QMS, ensure
conformity of products and services, and enhance customer satisfaction. The organization is
responsible for maintaining, protecting and making sure the knowledge is available (as
necessary). Knowledge is to be considered when making changes to the organization. Depending on
the size and complexity of the organization, the risks and opportunities it needs to address, the need
for accessibility of knowledge, the process for considering and controlling past, existing and additional
knowledge needs is to be considered. As long as the conformity of products and services can be
achieved, balance between knowledge held by competent people and knowledge made available by
other means is at the discretion of the organization. Consideration can be given to whether competent
employees have this knowledge

8. Control of externally provided products and services

19
 ISO 9001:2015

The term “Supplier” and “Outsourcing” have been replaced by the term “external provider” and
includes Purchasing from suppliers, Arrangement with an associate/sister company, Outsourcing of
processes and functions. The term “Purchased products” has been replaced with the term “externally
provided products and services”. Clause 8.4 Control of externally provided products and services
addresses all forms of external provision, whether it is by purchasing from a supplier, through an
arrangement with an associate company, through the outsourcing of processes and functions of the
organization or by any other means. The organization is required to take a risk-based approach to
determine the type and extent of controls appropriate to particular external providers and externally
provided products and services.

C. Seven principles of Quality management

Introduction:
This fifth edition (ISO 9001:2015) cancels and replaces the fourth edition ( ISO 9001:2008). This
document was being prepared by Technical committee of ISO “ISO/TC 176/SC 2-Quality Management
and Quality Assurance/ Quality Systems” also known as ISO/TC 176 in short. The process of preparing
the ISO 9001:2015 went through a six stage process. Organizations have been granted a three-year
transition period after the revision has been published to migrate their quality management system to
the new edition of the standard.
The key changes in the standards are

1. There is no quality manual.

2. It emphasis on organization context and risk based thinking,
3. There is no requirement of management representative
4. The standard does not include a specific clause for “Preventive Actions”.
5. The terms “document” and “records” have been replaced with the term “documented
information”. Documented procedure in iso 9001:2008 have been replaced by maintained
documented information and Documented record in iso 9001:2008 have been replaced by
retained documented information.
6. In 2008 version of the standard the term “product” was used. This term also included services.
This term has been changed to Product and Services
7. In addition to the term “continual improvement” another term “improvement” have been
introduced
8. Outsourcing is now an external provision.The term “purchased product” has been replaced with
“externally provided products and services”.The term “supplier” has been replaced with “External
20

provider”.Control of external provision of goods and services address all forms of external
provisions.
 ISO 9001:2015

9. The new standard does not make any reference to the exclusions which was for only for clause 7
in ISO 9001:2008, but in ISO 9001:2015 after proper justification any of the requirement of this
international standards may not be included in the scope, provided it does not affect the
organization’s ability or responsibility to ensure the conformity of its product and services and the
enhancement of customer satisfaction
10. The term “work environment” used in ISO 9001:2008 has been replaced with “Environment for
the operation of processes”.
The ISO 9000:2015 and ISO 9001:2015 standard is based on the following seven principles of QMS.

1 – Customer Focus
The primary focus of quality management is to meet customer requirements and to strive to exceed
customer expectations.
Rationale
Sustained success is achieved when an organization attracts and retains the confidence of customers
and other interested parties on whom it depends. Every aspect of customer interaction provides an
opportunity to create more value for the customer. Understanding current and future needs of
customers and other interested parties contributes to sustained success of an organization
21
 ISO 9001:2015

Explanation:
This is the first of the seven principles of Quality management and there is no change in the heading
of this principle. The Eight principle definition stated “Organizations depend on their customers and
therefore should understand current and future customer needs, should meet customer requirements
and strive to exceed customer expectations.” The Seven principle definition states “The primary focus
of quality management is to meet customer requirements and to strive to exceed customer
expectations. “. Customer focused means putting your energy into satisfying customers and
understanding that profitability comes from satisfying customers.
There should be researching, establishing and understanding current and future customer needs and
expectations. The organization should ensure that the objectives of the organization are linked to
customer needs and expectations. The top Management should communicate customer needs and
expectations throughout the organization. There should be measuring customer satisfaction and acting
on the results.
The organization should ensure a balanced approach between satisfying customers and other
interested parties.

2 – Leadership
Leaders at all levels establish unity of purpose and direction and create conditions in which people
are engaged in achieving the quality objectives of the organization.
Rationale
Creation of unity of purpose, direction and engagement enable an organization to align its strategies,
policies, processes and resources to achieve its objectives.

Explanation:
This is the second of the Seven principles of Quality management and there is no change in the heading
of this principle. The Eight principle definition stated “Leaders establish unity of purpose and direction
of the organization. They should create and maintain the internal environment in which people can
become fully involved in achieving the organization’s objectives.” The Seven principle definition states
“Leaders at all levels establish unity of purpose and direction and create conditions in which people are
engaged in achieving the quality objectives of the organization. “Leadership is providing role model
behaviors consistent with the values of the organization. Behavior that will deliver the organizations
objectives. Internal environment includes the culture and climate, management style, shared, trust,
motivation and support. The leadership should consider the needs of all interested parties including
customers, owners, employees, suppliers, financier, local communities and society as whole. The
leadership should establish a clear vision of the organization’s future. The leadership should set a
challenging goals and targets. The leadership should create and sustain a shared values, fairness and
22

ethical role models at all levels of the organization. The leadership should Establish trust and eliminate
 ISO 9001:2015

fear. The leadership should provide people with the required resources training and freedom to act
with responsibility and accountability. The leadership should Inspire, encourage and recognize people
contributions.
3 – Engagement of People
It is essential for the organization that all people are competent, empowered and engaged in
delivering value. Competent, empowered and engaged people throughout the organization
enhance its capability to create value.
Rationale
To manage an organization effectively and efficiently, it is important to involve all people at all levels
and to respect them as individuals. Recognition, empowerment and enhancement of skills and
knowledge facilitate the engagement of people in achieving the objectives of the organization.

Explanation:
This is the third of the seven principles of Quality management and the term “Involvement of
People” has been change to “Engagement of People“. The Eight principle definition stated “People at
all levels are the essence of an organization and their full involvement enables their abilities to be
used for the organization’s benefit.” The Seven principle definition states “It is essential for the
organization that all people are competent, empowered and engaged in delivering value. Competent,
empowered and engaged people throughout the organization enhance its capability to create
value.” Engaging people means employees are committed to their organization’s goals and values,
motivated to contribute to organizational success, and are able at the same time to enhance their own
sense of well-being. An engaged employee experiences a blend of job satisfaction, organizational
commitment, job involvement and feelings of empowerment. When we talk of engagement of people
it means that all the employees are competent, empowered and they are delivering value. An engaged
employee will have a better perception of job importance. An engaged employee will have better
clarity of job expectation. There will be more improvement opportunities. There will be regular
feedback and dialog with supervisors. The Quality of working relationships of an engaged employee
with peers, superiors, and subordinates is much improved. There is effective employee
communication.
4 – Process Approach
Consistent and predictable results are achieved more effectively and efficiently when activities are
understood and managed as interrelated processes that function as a coherent system.
Rationale
The quality management system is composed of interrelated processes. Understanding how results
are produced by this system, including all its processes, resources, controls and interactions, allows
the organization to optimize its performance.
23
 ISO 9001:2015

Explanation:
This is the fourth of the seven principles of Quality management and there is no change in the heading
of this principle. The Eight principle definition stated “A desired result is achieved more efficiently when
activities and related resources are managed as a process.” The Seven principle definition states
“Consistent and predictable results are achieved more effectively and efficiently when activities are
understood and managed as interrelated processes that function as a coherent system.” Processes are
dynamic-they cause things to happen. Processes within an organization should be structured in order
to achieve a certain objective in the most efficient and effective manner.
 It helps us in systematically defining the activities necessary to achieve/obtain desired results.
 It helps us in establishing clear responsibility and accountability for managing key activities.
 It helps us in analyzing and measuring of the capabilities of key activities.
 It helps us in identifying the interfaces of key activities within and between the functions of the
organization.
 It helps us in evaluating risks, consequences and impacts of activities on customers, suppliers
and other interested parties.
Quality Management System are constructed by connecting interrelated processes together to deliver
the system objectives which is the satisfaction of the interested parties.
 This helps us in structuring a system to achieve the organizations objectives in the most
effective and efficient way and understanding the interdependencies between the processes
of the system.
 It also helps us in providing a better understanding of the roles and responsibilities necessary
for achieving common objectives and thereby reducing cross functional barriers and targeting
and defining how specific activities within a system should operate.

5 – Improvement
Successful organizations have an ongoing focus on improvement.
Rationale
Improvement is essential for an organization to maintain current levels of performance, to react to
changes in its internal and external conditions and to create new opportunities.
24
 ISO 9001:2015

Explanation:
This is the fifth of the seven principles of Quality management and can be mapped to the sixth of the
Eight Quality principle which is “Continual Improvement”. The term “Continual Improvement” has
been change to “Improvement“. The fifth principle of the Eight Quality principle “System approach to
management” no longer exist in the seven principle of quality management. The Eight principle
definition stated “Continual improvement of the organization’s overall performance should be a
permanent objective of the organization.” The Seven principle definition states “Successful
organizations have an ongoing focus on improvement.” Improvement is the improvement in
organizational efficiency and effectiveness. The organization should employ a consistent organization-
wide approach to improvement of the organizations’ tools of improvement. The organization should
provide people with the training in the methods and tools of improvement. The organization should
make improvement of products, processes, and the system an objective for every individual in the
organization.
“The organization should establish the goals to guide and lead”

6 – Evidence-based Decision Making

Decisions based on the analysis and evaluation of data and information are more likely to produce
desired results.
Rationale
Decision-making can be a complex process, and it always involves some uncertainty. It often involves
multiple types and sources of inputs, as well as their interpretation, which can be subjective. It is
important to understand cause and effect relationships and potential unintended consequences. Facts,
evidence and data analysis lead to greater objectivity and confidence in decisions made.

Explanation:
This is the sixth of the seven principles of Quality management and can be mapped to the seventh of
the Eight Quality principle which is “Factual approach to decision making “. The term “Factual
approach to decision making “has been change to “Evidence-based Decision Making“. The fifth
principle of the Eight Quality principle “System approach to management” no longer exist in the
seven principle of quality management. The Eight principle definition stated “Effective decisions are
based on the analysis of data
and information” The Seven principle definition states “Decisions based on the analysis and
evaluation of data and information are more likely to produce desired results.” Evidence is
information that shows or proves that something exists or is true.
Evidence can be collected by performing observations, measurements, tests, or by using any other
25

suitable method. Any decision making should away be based on evidences. The organization should
 ISO 9001:2015

ensuring that data/information is sufficiently accurate and reliable. The organization should make data
accessible to those who need them. The organization should analyze data using appropriate tools. The
organization should make decision and take actions based on analysis of data, balanced with
experience and intuition.
7 – Relationship Management
For sustained success, organizations manage their relationships with interested parties, such as
suppliers.
Rationale
Interested parties influence the performance of an organization. Sustained success is more likely to be
achieved when an organization manages relationships with its interested parties to optimize their
impact on its performance. Relationship management with its supplier and partner network is often
of particular importance.

Explanation:
This is the seventh of the seven principles of Quality management and can be mapped to the eighth of
the Eight Quality principle which is “Mutually beneficial supplier relationships “. The term “Mutually
beneficial supplier relationships “has been change to “Relationship Management“. The fifth principle
of the eight Quality principle “System approach to management” no longer exist in the seven principle
of quality management.
The Eight principle definition stated “An organization and its suppliers are interdependent and a
mutually beneficial relationship enhances the ability of both to create value“ The Seven principle
definition states “For sustained success, organizations manage their relationships with interested
parties, such as suppliers. “An interested party is a person or group that has a stake in the success or
performance of an organization. Interested parties may be directly affected by the organization or
actively concerned about its performance. Interested parties can come from inside or outside of the
organization. Examples of interested parties include customers, suppliers, owners, partners,
employees, unions, bankers, or members of the general public. Interested parties are also referred to
as stakeholders. Relation management with interested parties meaning sharing knowledge, vision,
values, understanding and suppliers are not treated as adversaries. The organization establishes a
relationships that balance short-term gains with long term considerations. There is pooling of expertise
and resources with partners. The Organization identifying and selecting key suppliers. There is clear
and open communication with the stake holders. There is sharing of information and future plans. The
organization establishes a joint development and improvement activities. The organization inspiring,
encourages and recognize improvements and achievement by suppliers.

Process Approach
26
 ISO 9001:2015

Introduction
All organizations use processes to achieve their objectives. As per ISO definition
“A process:
set of interrelated or interacting activities that use inputs to deliver an intended result
NOTE: Inputs and outputs may be tangible (e.g. materials, components or equipment) or intangible
(e.g. data, information or knowledge).”
The process approach is the foundation upon which your QMS must be developed. The ISO 9001
Standard promotes the adoption of a process approach when developing, implementing and
improving the effectiveness of a quality management system, to enhance customer satisfaction by
meeting customer requirements. ISO 9001:2008 promoted the adoption of a process approach when
developing, implementing and improving the effectiveness of a quality management system. ISO
900:2015 makes this more explicit (in 4.4) by expanding the requirements around QMS Processes –
specifying requirements considered essential to the adoption of a process approach. For example,
determining the inputs required and outputs expected from these processes , then after determining
the-risks and opportunities and plans to address these in 6.1 – integrate these into its QMS
processes(4.1.f – plan and implement actions), related performance indicators (4.4.1c.), assignment
of responsibilities and authorities for these processes (4.4.1 e).
For an organization to function effectively, it has to identify and manage numerous linked activities.
Any activity, using resources and managed in order to enable the transformation of inputs into
outputs, can be considered a process. Often the output from one process directly forms the input to
the next. The application of a system of processes within an organization, together with the
identification and interactions of these processes, and their management, can be referred to as the
“process approach”.
An advantage of the process approach is the ongoing control that it provides over the linkage
between the individual processes within the system of processes, as well as over their combination
and interaction.
When used within a quality management system, such an approach emphasizes the importance of:
 An understanding of the intended results and requirements
 Consideration of processes in terms of adding Value and effective performance
 Improvement of processes based on evaluation of data and information
 Consistent and predictable results
 Meeting requirements and customer satisfaction
 Activity understanding and management of interrelated processes
27
 ISO 9001:2015

The model of a process-based quality management system shown in figure illustrates the process
linkages presented in clauses 4 to 10. This illustration shows that customers’ requirements, the needs
and expectations of relevant interested parties along with the organization and its context plays a
significant role in defining requirements as inputs. The output of the process is the result of the QMS
that includes product and service the organization provides, which should result in Customer
satisfaction. The model shown in figure covers all the requirements of this Standard, but does not show
processes at a detailed level.
Understanding Process :
Let’s understand some basics about processes.

 All work generally involves a process – things go in (inputs); get worked upon (conversion); and
come out differently (output). The value-adding conversion activity within a process transforms
inputs into outputs, e.g. takes raw materials (the input) and manufactures (the value-adding
conversion activity using various resources) a product (the output).
 Process inputs and outputs can be tangible such as raw materials or finished product or
intangible like INFORMATION – e.g. computerized drawing or specification.
 All processes have a supplier and a customer. These suppliers and customers may be internal
processes or external to your organization. Each process must have an accountable owner, i.e.,
having defined responsibility and authority to operate, control and improve their process.
 All processes require the use of resources, e.g. – people, equipment, materials, technology etc.
These resources can be used as inputs (raw materials or information such as a customer
28

specification) as well as for the value-adding conversion activity (e.g. use of machinery, equipment,
 ISO 9001:2015

computers, technology, people, etc.) to transform raw material (input) into finished product
(output).
 All processes must meet customer, organizational and applicable regulatory requirements. The
performance of all processes can be monitored and measured. Gather performance data that can
be analyzed to determine process effectiveness and whether any corrective action or improvement
is needed.
As an example, the below process contains a set of activities that are interrelated (showing links
from/to), interacting (showing inputs/ outputs), and the transformation of process inputs into

process outputs.
29
 ISO 9001:2015

Schematic Representation of the elements of single process

Procedures are typically used to control deviation where risk/hazards are present. It is defined as a
specified way to carry out an activity or a process’, which may be a documented set of instructions,
or simply an established way of doing a specific task that itself forms part of a larger process. In ISO
9001:2015 this might be considered captured, in the main, by’the availability of documented
information that defines: the characteristics of the products to be produced, the services to be
provided, or the activities to be performed.
An organization’s QMS processes may be grouped or categorized in many ways. One logical way
would include the following:
30
 ISO 9001:2015

Customer Oriented Processes (COP’s):

These are product realization processes that determine customer requirements (inputs), design, make,
deliver and service product (outputs) to customers and determine customer satisfaction. These
processes generally have the greatest degree of interaction with external customers. COP’s includes
marketing and sales, design and development, production, shipping, packaging, servicing/ warranty,
customer satisfaction etc., whether performed onsite or off-site.

Support Oriented Processes (SOP’s):

These processes provide the necessary resources to COP’s to facilitate product realization. These
processes generally have the greatest degree of interaction at an operational level with COP’s and to
a lesser degree with other internal QMS processes. SOP’s includes human resources, information
technology, purchasing and receiving, laboratory, maintenance, tooling, facility management etc.,
whether performed onsite or off-site.

Management Oriented Processes (MOP’s)

These processes provide the commitment, leadership, resources, review and decision-making by top
management. These processes generally interact with all QMS processes at the QMS planning and
review level. MOP’s includes business planning, management review, quality planning, resource
planning, communication, etc., whether performed offsite or on-site.

Quality Management Processes (QMP’s):

It includes all process which are used to document, measure, analyze and improve all processes. These
processes provide quality management support to and interact with all QMS processes. QMP’s includes
document control, records control, monitoring and measurement of processes and product, internal
audits, control of nonconforming product, corrective and preventive action, continual improvement,
etc. whether performed onsite or off-site.

Outsourced Processes (OP’s):

An “outsourced process” is a process that the organization has identified as being needed for its quality
management system (QMS), but one which it has chosen to be carried out by an external party outside
the managerial control of your facility and not subject to the your QMS. These could include MOP’s,
COP’s or SOP’s. They may be performed onsite or off-site. These processes may include – strategic
planning done at head office; purchasing or design done at head office or another location; heat
treating; painting; welding, calibration; testing; sort; HR; etc., done by an outside organization.
31
 ISO 9001:2015

Implementing QMS using Process Approach

QMS is made up of a network of these value-adding processes that link, combine and interact with one
another to collectively provide product or service. These processes are inter-dependent and can be
defined by complex interactions. For example, any of the COP processes, could interact with some or
all of the MOP’s, SOP’s, QMP’s. Also note that resources (SOP’s) and QMP’s may also be applied to all
other processes.
Interactions between QMS processes may occur at any of the three process stages (input, output or
conversion activity). The interaction may occur in many different ways – physical, documentary, verbal,
electronic, etc. For each process, we must identify these interactions, assess the risks of problems that
may occur and implement appropriate controls to prevent them, e.g., if orders are communicated
verbally by sales personnel to production, what is the risk that production errors will occur?
Therefore, in general, in order to plan and implement your QMS using the ‘Process Approach’, you
must:

 Identify the processes needed for the QMS.

 Determine their sequence and interaction(show the sequence and interaction of your COP’s). There
are many ways to document this, e.g., a high level flowchart or a process map.
 Determine the application of QMS processes throughout the organization (show how MOP’s; SOP’s
and QMP’s are applied to each COP and to each other). There are many ways of documenting this.
A popular way is through graphical representation, e.g. process maps.
 Determine (plan) the criteria, methods, information, controls and resources needed for each QMS
process.
 Identify the internal/external customer-required output.
 Describe the process activity that produces the output.
 Identify the resources needed for the process activity.
 Identify the inputs for the process – information, materials, supplies, etc.
 Define the process methods, procedures, forms etc., that may be needed to produce the output.
 Define the controls to prevent or eliminate risk of errors, omissions, or nonconformities in process
activity. controls may come from the IS standards; customer; regulatory and your own
organizational requirements
 Interaction with sources that provide the inputs (internal process or external supplier), uses the
output (internal process or external customer), or provide the resources (internal support process)
to perform the process activity.
 Implement your QMS according to your plan.
 Monitor, measure and improve each QMS process and its interaction with other processes.
Performance indicators to monitor and measure process performance may come from the IS
32
 ISO 9001:2015

standard, customer, regulatory and your own organizational requirements.Performance indicators

may relate to the process output as well as the process activity.
 Performance indicators for process output must focus on meeting customer and regulatory
requirements. Performance indicators for process activity should focus on measuring process
effectiveness and efficiency.
It is useful to point out that while we do need to identify all QMS processes and describe their
interaction, not all identified QMS processes need to be documented or documented in the detail
described above.

PLAN-DO-CHECK-ACT (PDCA)

In addition, the methodology known as “Plan-Do-Check-Act” (PDCA) can be applied to all processes.
PDCA can be briefly described as follows.
Plan: Establish the objectives and processes necessary to deliver results in accordance with customer
requirements and the organization’s policies.
Do: Implement the processes
Check: Monitor and check processes and product against policies, objectives and requirements for
the product and report the results
Act: Take actions to continually improve process performance

PLAN-DO-CHECK-ACT (PDCA) is a very effective tool for business management and the ISO 9001
standard strongly recommends its use.
PDCA is a dynamic cycle that can be applied to each of the organization’s processes, and also to the
system of processes as a whole. It may be used to plan, implement, control and continually improve
both product realization and other QMS processes.
Maintenance and continual improvement of QMS processes can be achieved by applying PDCA to
processes at all levels within the organization right from the executive high-level strategic processes,
33
 ISO 9001:2015

as business planning or management review to operational processes such as product realization or

calibration.
PLAN :
For each QMS process you must establish:

 Process owner and his/her accountability.

 Process inputs, outputs, value adding or conversion activities and sequence/interaction of these
activities (sub-processes) within the process. Many of the COP’s and SOP’s may have sub-
processes.
 Process policies, responsibilities and accountability.
 Process objectives and performance indicators and methods to monitor and measure process
performance to these objectives and indicators.
 Resources such as facility, equipment, labor, materials, time, etc needed.
 Preventive and detective controls needed for process activity, input, output and resources used.
 Process documentation such as procedures, forms, work instructions, specification, etc.
 The nature, method, frequency and timing of interaction with other processes and where this
interaction will occur – input, output, use of resources, conversion activity, etc.
 You must pay a lot of attention to this stage of your QMS development. Planning must also
consider how you will meet customer, applicable regulatory, and your own organizational
requirements, in addition to ISO 9001 requirements.
DO:
Deploy and implement your QMS processes and manage and control them according to your plan as
documented above.
34
 ISO 9001:2015

CHECK:
Monitor and measure the effectiveness of your QMS processes against policies and objectives that
you established under PLAN. Monitoring and measuring activity may focus on any or all of a process’s
inputs; outputs; use of resources for conversion; and interaction with other processes.

ACT:
Collect and analyze your monitoring and measurement information and use it to determine the
effectiveness of each process as well as your overall QMS in meeting requirements. Use the
information to correct problems and continually improve individual processes.

CONTINUOUS IMPROVEMENT PROCESS MODEL

The above figure shows the macro level application of the PDCA model to an entire organization. The
organization’s QMS as depicted by the processes within the circle is used to PLAN the controls over all
inputs, resources, value-adding activities and outputs. We DO implement our plan by using various
resources to convert customer inputs (requirements) into outputs (product) that meet customer
requirements. We CHECK – by monitoring and measuring QMS performance and through customer
feedback. We ACT by using this information to continually improve QMS effectiveness. At the micro
level, this same model can be applied to each QMS process.

The process approach in ISO 9001:2015

**(Taken from white paper at ISO.org website)
35
 ISO 9001:2015

The process approach includes establishing the organization’s processes to operate as an integrated
and complete system.

 The management system integrates processes and measures to meet objectives

 Processes define interrelated activities and checks, to deliver intended outputs
 Detailed planning and controls can be defined and documented as needed, depending on the
organization’s context.
These three concepts together form an integral part of the ISO 9001:2015 standard. Risks that
may impact on objectives and results must be addressed by the management system. Risk‐based
thinking is used throughout the process approach to:

 Decide how risk (positive or negative) is addressed in establishing the processes to improve process
outputs and prevent undesirable results
 Define the extent of process planning and controls needed (based on risk)
 improve the effectiveness of the quality management system
 maintain and manage a system that inherently addresses risk and meets objectives
PDCA can be used to manage processes and systems.

 Plan: set the objectives of the system and processes to deliver results (“What to do” and “how to
do it”)
 Do: implement and control what was planned
 Check: monitor and measure processes and results against policies, objectives and requirements
and report results
 Act: take actions to improve the performance of processes
PDCA operates as a cycle of continual improvement, with risk‐based thinking at each stage.
36

STEPS IN THE PROCESS APPROACH WHAT TO DO? GUIDANCE

 ISO 9001:2015

Define the context of the The organization should Gather, analyze and determine
organization identify its responsibilities,
external and internal
the relevant interested responsibilities of the
parties and their relevant organization to satisfy the
requirements, needs & relevant requirements, needs
expectations to define the and expectations of the relevant
organization’s intended interested parties. Monitor or
purpose. communicate frequently with
these interested parties to
ensure continual understanding
of their requirements, needs and
expectations.
Define the scope, objectives and Based on the analysis of The organization shall determine
policies of the the requirements, needs the scope, boundaries and
organization and expectations establish applicability of its management
the scope, objectives and system taking into consideration
policies that are relevant the internal and external context
for the organization’s and interested party
quality management requirements. Decide which
system. markets the organization should
address. Top management
should then establish objectives
and policies for the desired
outcomes.
Determine the processes in the Determine the processes Management shall determine
organization needed to meet the the processes needed for
objectives and policies and achieving the intended outputs.
to produce the intended These processes include
outputs. management, resources,
operations, measurement,
analysis and improvement.
Determine the sequence of the Determine how the Define and describe the network
processes processes flow in of processes and their
sequence and interaction. interaction. Consider the
following:
 The inputs and outputs of
each process (which may be
internal or external).
 Process interaction and
interfaces on which
processes depend or enable.
 Optimum effectiveness and
efficiency of the sequence.
 Risks to the effectiveness of
37

process interaction.

Define people who take process
ownership and accountability
Define the need for documented
information
38
Assign responsibility and
authority for each process.
Determine those
processes that need to be
formally defined and how
they are to be
documented.
ISO 9001:2015
Note: As an example, realization
processes (such as those needed
to provide the products or
services delivered to a customer)
will interact with other processes
(such as the management,
measurement, procurement in
the provision of resources).
Process sequences and their
interactions may be developed
using tools such as modeling,
diagrams, matrices
and flowcharts.
Top Management should
organize and define ownership,
accountability, individual roles,
responsibilities, working groups,
remits, authority and ensure the
competence needed for the
effective definition,
implementation, maintenance
and improvement of each
process and its interactions. Such
individuals or remits are usually
referred to as the Process
Owners. To manage process
interactions it may be useful to
also establish a management
system team that has a system
overview across all the processes
and may include representatives
from the interacting processes
and functions.
Processes exist within the
organization. They may be formal
or informal. There is no catalogue
or list of processes that have to
be formally defined. The
organization should determine
which processes need to be
documented on the basis of risk‐
based thinking, including, for
example:
 ISO 9001:2015

 The size of the organization

and its type of activities.
 The complexity of its
processes and their
interactions.
 The criticality of the
processes.
 The need for formally
accountability of
performance.
Processes can be formally
documented using a number of
methods such as graphical
representations, user
stories, written instructions,
checklists, flow charts, visual
media or electronic methods
including graphics and
systemization. However, the
method or the technology
chosen are not the goals. They
can be used to describe
processes, which are the means
to achieve the goals. Effective
and organized processes can
then deliver consistent and
accountable operations and the
desired objectives and results
which can then be improved.

Define the Determine the Define the required outputs and

interfaces, risks activities needed to inputs of the process.
and activities achieve the intended Determine the risks to
within the outputs of the conformity of products, services
process process and risks of and customer satisfaction if
unintended outputs. unintended outputs are
delivered.
Determine the activities,
measures and inherent
controls required to transform
the inputs into the desired
outputs. Determine and define
the sequence and interaction of
the activities within the
39

process. Determine how each

 ISO 9001:2015

activity will be performed.

Ensure that the management
system as a whole takes account
of all material risks to the
organization and users.
Note: In some cases the
customer may specify
requirements not only for the
outputs but also for the
realization of a process.
Define the Determine where and Identify the validation necessary
monitoring and how monitoring and to assure effectiveness and
measurement measuring should be efficiency of the processes and
requirements applied. This should system. Take into account such
be both for control factors as:
and improvement of  Monitoring and measuring
the processes and the criteria.
intended process  Reviews of performance
outputs. Determine the  Interested parties satisfaction.
need for recording results.  Supplier performance.
 On time delivery and lead
times.
 Failure rates and waste.
 Process costs.
 Incident frequency.
 Other measures of conformity
with requirements.
Implement Implement actions The organization should perform
necessary to achieve activities, monitoring, measures
planned activities and and controls of defined processes
results. and procedures
(which may be automated),
outsourcing and other
methods necessary to achieve
planned results.
Define the Determine the Examples of resources include:
resources resources needed for  Human resources.
needed the effective  Infrastructure.
operation of each  Environment.
process.  Information.
 Natural resources (including
knowledge).
 Materials.
 Financial resources.
40
 ISO 9001:2015

Verify the Confirm that the The organization should

process against process is effective compare outputs against
its planned and that the objectives to verify that all the
objectives characteristics of the requirements are
processes are satisfied. Processes are needed
consistent with the to gather data. Examples include
purpose of the measurement, monitoring,
organization. reviews, audits and
performance analysis.

D. Annex SL
Introduction:

Annex SL is not a standard, but rather a guide to help standards developers write management systems
standards. It forms part of the ‘ISO Directives, Part 1 — Consolidated ISO Supplement — Procedures
specific to ISO document, which is currently in its 6th edition. ISO has over the years published many
management system standards for topics ranging from quality and environment to information
security, business continuity management and records management. Despite sharing common
elements, ISO management system standards come in many different shapes and structures. The guide
was developed in response to standard users criticism that while current standards have many
common components, they are not sufficiently aligned, making it difficult for organizations
to rationalize their systems and to interface and integrate them. This, in turn, results in some confusion
and difficulties at the implementation stage .Many organizations have implemented multiple
management system standards such as ISO 9001 along with ISO 14001 and ISO 18001, or ISO 9001
along with ISO 27001 and ISO 20000 or ISO 9001 along with TS 16949. This has led to the need to easily
combine or integrate them in an effective and efficient manner. To date subtle and not so subtle
differences in requirements and terminology across Management Standard System have made such
integration difficult. ISO has produced Annex SL with the objective of delivering consistent and
compatible management system standards in an attempt to make this process easier. Annex SL
describes the framework for a generic management system. However, it will require the addition of
discipline-specific requirements to make a fully functional quality, environmental, service
management, food safety, business continuity, information security and energy management system
standard. Annex SL is freely available; it is contained within the ISO Supplement, Procedures specific
to ISO.

In future all new management system standards will have the same overall ‘look and feel’.
Current management system standards will migrate during their next revision. This should be
completed within the next few years. For management system implementers this will provide an
41

overall management system framework within which they can pick and choose what discipline-specific
 ISO 9001:2015

standards they wish to include. Gone will be the conflicts and duplication, confusion and
misunderstanding arising from different management system standards. In future all ISO management
system standards should be consistent and compatible. For management system auditors, it will mean
that for all audits there will be a core set of generic requirements that need to be addressed no matter
which discipline is being examined.

Overview
The HLS (High Level Structure) is the outcome of the work of the ISO/TMB/JTCG ‘Joint
technical Coordination Group on MSS’.
The structure has been mandated by the ISO TECHNICAL MANAGEMENT BOARD (TMB) (based on
ISO/TMB Resolution 18/2012) and the belief is that this will enhance consistency, make it
more generic and more easily applicable to service industries. Accordingly, ISO 9001:2015 has adopted
this. The HLS is based on published information related to Annex SL and not directly the result of
any particular published study or survey. ‘The aim of the HLS is to enhance the consistency and
alignment of ISO MSS by providing a unifying and agreed upon high level structure, identical core text
and common terms and definitions. The aim being that all ISO Type A MSS (Requirements) and Type B
where appropriate (Guidance) are aligned and the compatibility of these standards is enhanced. It is
envisaged that individual MSS will add additional ‘discipline-specific’ requirements as required. The
intended audience of this HLS is the ISO Technical Committees (TC), Subcommittees (SC) and Project
Committees (PC) and others involved in the development of MSS.'(SL 9.1). This approach is intended
to increase value of such standards to users: particularly those operating multiple MSS simultaneously
contained within one MSS (Integrated) The HLS forms the nucleus of future and revised ISO Type ‘A’
MSS and Type ‘B’ MSS (where possible). The primary intention is for organizations to have one
management system (ISO supports this approach). Annex SL, Appendix 2 will make it easier to work
with more than one management.

System standard simultaneously; as it has standardized terminology and requirements

for fundamental Management Systems and provides a l0-clause high-level structure,
common definitions and text for all management system standards. Annex SL addresses the
requirements for proposals for management system standards. It consists of 9 clauses and 3
appendices. The audience for this annex is primarily ISO technical committees who develop
management system standards; however the impact of Appendix 2 of Annex SL will be felt by all users
of management system standards in the future. Appendix 2 is in three parts:

• High level structure,

• Identical core text,
42

• Common terms and core definitions.

 ISO 9001:2015

In future all management system standards will need to have these elements. In addition, there will
be less confusion and inconsistency because common terms will all have the same definition and there
will be common requirements across all the management system standards, for example the
requirement to establish, implement, maintain and continually improve the management system. So
what changes can and cannot be made? The high level structure (i.e. major clause numbers and titles)
cannot be changed, however sub-clauses can be added. Discipline-specific text can also be added;

For example:
• New bullets
• Discipline-specific explanatory text (e.g. Notes or Examples)
• Discipline-specific new paragraphs to sub-clauses
• Adding text that enhances (but does not modify) the existing requirements

The common terms and core definitions cannot be changed. However, terms and definitions may
be added as needed and Notes may be added or modified to serve the purpose of each standard. To
facilitate the adoption of the core text the device ‘XXX’ is used. Throughout Annex SL for ‘XXX’ the
appropriate reference needs to be inserted; for example in ISO 22000 ‘XXX’ needs to be replaced by
“food safety” and in ISO 14001 the ‘XXX’ needs to be replaced by “environmental”. In addition the term
discipline is used to describe the nature of the management system i.e. quality, environmental, service
management, food safety, business continuity, information security or energy.

This Annex applies to all Management System Standards – full ISO standards, Technical Specifications
(TS) and Publicly Available Specifications (PAS) – but not to International Workshop Agreements (IWA).
Examples of standards that it applies to are:

 ISO 14001:2004 Environmental management systems – Requirements with guidance for use.
 ISO/TS 16949:2009 Quality management systems – Particular requirements for the application of
ISO 9001:2008 for automotive production and relevant service part organizations
Examples of standards that it does not apply to are:

 ISO 19011:2011 Guidelines for auditing management systems

 IWA 2:2007 Quality management systems – Guidelines for the application of ISO 9001:2000 in
education.
High level structure
The major clause numbers and titles of all management system standards will be identical They are:
43
 ISO 9001:2015

Introduction
1. Scope
2. Normative references
3. Terms and definitions
4. Context of the organization
5. Leadership
6. Planning
7. Support
8. Operation
9. Performance evaluation
10. Improvement.
Example of identical definitions:

 Organization
 Interested party
 Policy
 Objective
 Competence
 Conformity
Example of identical requirements:

 “Establish, implement, maintain and continually improve the management system.”

 “Top management shall ensure that the responsibilities and authorities for relevant roles are
assigned and communicated within the organization.”
The Introduction, Scope and Normative references will have content that are specific to each discipline
and each standard can have its own bibliography. Overall there is a reorganizing of management
system requirements into this structure that may be unfamiliar to those using and assessing current
MSS. However, some management system standards (such as ISO 22301:2012 Societal security –
Business continuity management systems – Requirements) have already successfully migrated to this
new structure.

For management system auditors, it will mean that for all audits there will be a core set of generic
requirements that need to be addressed, no matter which discipline. There are subtle language
changes such as the change from document and records to documented information. The new text
recognizes the use of the broad concept of risk and the need to understand risk in the context of the
management system. It also encourages everyone to view preventive action as a broader concept than
44

simply preventing an incident from occurring. The term preventive action has been replaced
 ISO 9001:2015

with “actions to address, risks and opportunities” and features earlier in the standard. The concept of
preventive actions is very much embedded in the risk assessment. The new HLS does not require an
organization to renumber existing documents’

Identical core text

There are 45 “shall” statements (generating 84 requirements) in Annex SL Appendix 2,
therefore there must be at least 45 “shall” statements with 84 requirements in all future
management system standards. Obviously each discipline will have their own requirements, so the
total for any new standard will have more – this is the minimum.

The detailed content is:

1. Scope
The Scope should define what the ‘intended outcome(s)’ are of the discipline. The term ‘expected
outcome’ will not be used. Auditors should expect alignment between what the organization has
determined in clause 4 with what is stated here.The scope sets out the intended outcomes of the
management system. The outcomes are industry specific and should be aligned with the context of
the organization

Clause 2: Normative references

Provides details of the reference standards or publications relevant to the particular standard.

Clause 3: Terms & definitions

Details terms and definition applicable to the specific standard in addition to any formal related
terms and definitions standard.

4. Context of the organization

4.1 Understanding the organization and its context
4.2 Understanding the needs and expectations of interested parties
4.3 Determining the scope of the XXX management system
4.4 XXX management system
As the flagstone of a management system, clause 4 determines why the organization is here. As part
of the answer to this question, the organization needs to identify internal and external issues that can
impact on its intended outcomes, as well as all interested parties and their requirements. It also needs
to document its scope and set the boundaries of the management system – all in line with the business
45

objectives. At first glance, clause 4 is radical and daunting, but on further consideration it makes sense
 ISO 9001:2015

in practice. The organization will have already have completed this thinking before even
considering implementing any ISO management system. This is the flagstone of the management
system – why the organization is here. The organization needs to determine its relevant issues, both
inside and outside, that have an impact on what it is trying to achieve, its intended outcomes. Also,
who are the relevant interested parties (the preferred term to stakeholders) and what are their
requirements? The organization needs to determine and document its own scope where are the
boundaries of the management system? What’s in and what’s out? This must be needs to be
appropriate to the organization and it objectives. Finally, the organization needs to build, operate and
improve its management system; nothing new or difficult there. The issues and requirements
identified here will be addressed in clause 6 – Planning. Auditors should now have a clear and concise
list of objective evidence to identify and confirm. It will include the organizations goals and intended
outcomes, internal and external issues, the relevant stakeholders and their requirements and the
management system scope. Collectively this will provide a key insight into the organization. This should
not be just a tick-list, but the entirety will provide a key insight into the organization – it should provide
illumination and clarity.

5. Leadership
5.1 Leadership and commitment
5.2 Policy
5.3 organizational roles, responsibilities and authorities

The new high level structure places particular emphasis on leadership, not just management as set
out in previous standards. This means top management now has greater accountability and
involvement in the organization’s management system. They need to integrate the requirements of
the management system into the organization’s core business process, ensure the management
system achieves its intended outcomes and allocate the necessary resources. Top management is also
responsible for communicating the importance of the management system and heighten employee
awareness and involvement.

At first glance, clause 5 appears to be just a reiteration of what’s gone before –policy, organizational
roles, responsibilities and authorities etc. However, there is an emphasis on leadership, not just
management. On further examination there is more here; top management now have to have a
greater involvement in the management system. They have to make sure that the requirements of the
management system are integrated into the organization’s business processes – the management
system is not just a bolt-on. The ‘business’ is whatever activities are at the heart of the organization’s
reason for existing. In addition, they have to demonstrate their commitment by making sure that the
46

management system achieves its intended outcome(s) and has adequate resources. Additionally they
 ISO 9001:2015

have to inform everyone that management system is important and that everyone should participate
in its effective implementation. The involvement of top management in the management system is
now explicit and hands-on. The ‘XXX’ policy has also been strengthened. It has to include commitments
to satisfy applicable requirements and continually improve the management system. As well as being
communicated internally it has to be made available to interested parties. Auditors should now find it
easier to audit management commitment – the requirements are much more specific and tangible and
the evidence required should be more obvious.

6.Planning
6.1 Actions to address risks and opportunities
6.2 XXX objectives and planning to achieve them

Clause 6 brings risk-based thinking to the front. Once the organization has highlighted risks and
opportunities in clause 4, it needs to stipulate how these will be addressed through planning. The
planning phase looks at what, who, how and when these risks must be addressed. This proactive
approach replaces preventative action and reduces the need for corrective actions later on. Particular
focus is also placed on the objectives of the management system. These should be measurable,
monitored, communicated, aligned to the policy of the management system and updated when
needed.

After much deliberation, the decision to make risk explicit has been made – here it is in clause 6. Having
highlighted the issues and requirements in clause 4, now it is time to address the risks
and opportunities the organization faces through planning. How will the organization prevent, or
reduce, undesired effects? How will the organization ensure that it can achieve its intended outcomes
and continual improvement? It will do it here in planning. Planning will address what, who, how and
when. Not difficult. This proactive approach is easier to understand than preventive action and should
reduce the need for correction and corrective action at a later date. The requirements around the ‘XXX’
objectives have also been made more detailed. They are to be consistent with the ‘XXX’ policy,
measurable (if practicable), monitored, communicated, and updated as appropriate. They have to be
established at relevant functions and levels. Clause 6 puts a greater emphasis on the organization’s
47

XXX’ planning which is integral to the business. Auditors should be familiar with risk – the
 ISO 9001:2015

consequences of an event and the associated likelihood of occurrence – and how to avoid, eliminate,
minimize or mitigate it. They also need to focus on the positive aspect – opportunities for the business
and how to optimize them. The risks and opportunities identified will lead to policies and objectives.
Auditors should be able to identify and follow a clear path from issues and requirements through risks
and opportunities, policies and objectives.

7. Support
7.1 Resources
7.2 Competence
7.3 Awareness
7.4 Communication
7.5 Documented information
7.5.1 General
7.5.2 Creating and updating
7.5.3 Control of documented information
After addressing the context, commitment and planning, organizations will have to look at the support
needed to meet their goals and objectives. This includes resources, targeted internal and external
communications, as well as documented information that replaces previously used terms such
as documents, documentation and records. The organization needs to supply competent resource to
deliver its goods and services. Again, nothing new here, awareness has been strengthened so now
everyone needs to know the implications of not conforming to the management
system requirements. The organization needs to consider the need for both internal and external
communications relevant to the management system – what, when and with whom it will
communicate. The final support requirement is going to generate a lot of heat but not much light –
documented information. Gone are the terms documents, documentation and records. However
the requirements for the management of documented information are not new, exceptional
or excessive. One skeleton which is finally laid to rest is the idea that everyone needs work instructions
no matter how experienced or senior they are in the organization (check out the Note in clause 7.5.1).
Auditing awareness and communication should be easier; the requirements are crisper – the 3 W’s.
Again, auditors should find the consistent definition of and requirements for competence
a benefit. Auditors will need to understand and use the term ‘documented information’. Although
there will be a lot of confusion and misunderstanding as everyone transitions from the old terms, in
the long run auditors should benefit from the greater clarity and consistency.

8. Operation
8.1 Operational planning and control
48
 ISO 9001:2015

The bulk of the management system requirements lies within this single clause. Clause 8 addresses
both in-house and outsourced processes, while the overall process management includes adequate
criteria to control these processes, as well as ways to manage planned and unintended change.
Whatever the organization is in business to achieve, clause 8 is it. At its core, the organization needs
to “…plan, implement and control the processes needed…”. This addresses both in-house and any
outsourced processes. This overall process management includes having process criteria, controlling
the processes within the criteria, controlling planned change and addressing unintended change as
necessary. This is the shortest clause because this is where the bulk of each discipline – the ‘XXX’ –
requirements will be. It is also where the need for a discipline-specific management system model
will come from. So where will all the requirements go that don’t fall easily into the High level
Structure and Identical core text? For example in ISO 9001:2008 7.3.4 Design and development
review and in ISO 14001: 2004 4.4.7 Emergency preparedness and response. Whatever is at the heart
of the ‘XXX’ management system – ‘the business’ – then this is what goes into clause 8. The auditor
will have to have a good understanding of process management before getting involved in assessing
the discipline-specific requirements. This is where an understanding of the business context of clause
4 will bear fruit – the sharp end of the business operations.

9. Performance evaluation
9.1 Monitoring, measurement, analysis and evaluation
9.2 Internal audit
9.3 Management review
Having “done the business” in clause 8 it is time to check performance. The usual suspects appear here.
The organization determines what, how and when things are to be monitored, measured, analyzed
and evaluated. Add internal audit and management review to the mix and everything expected is
addressed. Internal audits provide information on whether the management system conforms to
the requirements of the organization and the standard and is effectively implemented and
maintained. Management review addresses the question: ‘is the management system suitable,
adequate and effective?’ Once again, the auditor should benefit from a consistent set of requirements
for checking results against plan. There is a long list of objective evidence that can be identified and
confirmed: metrics, schedules, evaluations, nonconformities and corrective actions, monitoring
and measurement results, and audit and management review results.

10. Improvement
10.1 Nonconformity and corrective action
10.2 Continual improvement
Occasionally undesired things occur; now it’s time to address nonconformity and corrective action.
49

And to make things better there’s continual improvement. The requirements here are familiar and well
 ISO 9001:2015

understood. But what about preventive action? It does not appear. As some have argued for many
years, one of the objectives of a management system is preventive action. The requirements in clause
4.1 to “…determine external and internal issues that are relevant to its purpose and that affect its
ability to achieve the intended outcome(s) of its XXX management system” and in clause 6.1 to
“determine the risks and opportunities that need to be addressed to assure the XXX management
system can achieve its intended outcome(s); prevent, or reduce, undesired effects; achieve continual
improvement.” not only address preventive action but go beyond. And in the end auditors will look
back at the management system established in clause 4.4, reviewed in clause 9.3 and now continually
improved. Finally, although there remains a requirement for processes (check out clause 4.4) there is
no mention anywhere of procedures, documented or otherwise. If a discipline considers that they
are required then they will appear in the ‘XXX’ standard, probably in clause 8 – Operations. However, if
they are not a requirement but the organizations themselves consider they need them then that will
be their decision.

Attachment 01: ISO/IEC Directives, Part 1

ISO/IEC
Directives, Part 1
Consolidated ISO Supplement —
Procedures specific to ISO
Directives ISO/IEC, Partie 1
Supplément ISO consolidé — Procédures spécifiques à l’ISO
50
 ISO 9001:2015

Sixth edition, 2015

[Based on the eleventh edition (*corrected version 2015) of the ISO/IEC Directives, Part 1]

* Clause 1.8 corrected to align with the IEC’s eleventh edition of the ISO/IEC Directives

© ISO/IEC 2015
Annex SL
(normative)

Proposals for management system standards

SL.1 General
Whenever a proposal is made to prepare a new management system standard (MSS), including sectoral applications of
generic MSS, a justification study (JS) shall be carried out in accordance with Appendix 1 to this Annex SL.
NOTE No JS is needed for the revision of an existing MSS whose development has already been approved ( unless it was
not provided during its first development ).

To the extent possible, the proposer shall endeavour to identify the full range of deliverables which will constitute the new or
revised MSS family, and a JS shall be prepared for each of the deliverables.

SL.2 Obligation to submit a JS

All MSS proposals and their JS must be identified by the relevant TC/SC/PC leadership and must be sent to the ISO/TMB (or
its MSS task force) for evaluation before the NWI ballot takes place. It is the responsibility of the relevant TC/SC/PC secretariat
to identify all MSS proposals, without exception, so that there will be no MSS proposals which fail (with knowledge or without
knowledge) to carry out the JS or which fail to be sent to the ISO/TMB for evaluation.
NOTE No JS is required for a Type B MSS providing guidance on a specific Type A MSS for which a JS has already been
submitted and approved. For example, ISO/IEC 27003:2010 (Information technology — Security techniques — Information
security management system implementation guidance) does not need to have JS submitted as ISO/IEC 27001:2013
(Information technology — Security techniques — Information security management systems — Requirements) has already
had a JS submitted and approved.

SL.3 Cases where no JS have been submitted

MSS proposals which have not been submitted for ISO/TMB evaluation before the NWI ballot will be sent to the ISO/TMB for
evaluation and no new ballot should take place before the ISO/TMB decision (project on hold). It is considered good practice
that the TC/SC/PC members endorse the JS prior it is sent to the ISO/TMB.
NOTE Already published MSS which did not have a JS submitted will be treated as new MSS at the time of revision, i.e. a JS
is to be presented and approved before any work can begin.

SL.4 Applicability of Annex SL

The above procedures apply to all ISO deliverables including IWAs.
SL.5 Terms and definitions
For the purposes of this Annex SL, the following terms and definitions apply.
SL.5.1
management system
51

See definition contained in Appendix 2 (clause 3.4) of this Annex SL.

 ISO 9001:2015

SL.5.2
Management System Standard
MSS
Standard for management systems (SL.5.1).
Note to entry: For the purposes of this document, this definition also applies to other ISO deliverables (e.g. TS, PAS).

SL.5.3
Type A MSS
MSS providing requirements
EXAMPLES

— Management system requirements standards (specifications).

— Management system sector-specific requirements standards.

SL.5.4
Type B MSS
MSS providing guidelines
EXAMPLES

— Guidance on the use of management system requirements standards.

— Guidance on the establishment of a management system.

— Guidance on the improvement/enhancement of a management system.

SL.5.5
High Level Structure
HLS
outcome of the work of the ISO/TMB/JTCG “Joint technical Coordination Group on MSS” which
refers to high level structure (HLS), identical sub-clause titles, identical text and common terms
and core definitions. See Appendix 2 to this Annex SL.

SL.6 General principles

All projects for new MSS (or for MSS which are already published but for which no JS was completed) must undergo a JS
(see SL.1 and Note to SL.3). The following general principles provide guidance to assess the market relevance of proposed
MSS and for the preparation of a JS. The justification criteria questions in Appendix 1 to this Annex SL are based on these
principles. The answers to the questions will form part of the JS. An MSS should be initiated, developed and maintained only
when all of the following principles are observed.
1) Market relevance — Any MSS should meet the needs of, and add value for, the primary users and other affected parties.

2) Compatibility — Compatibility between various MSS and within an MSS family should be maintained.
3) Topic coverage — An MSS should have sufficient application coverage to eliminate or minimize the need for
sector-specific variances.

4) Flexibility — An MSS should be applicable to organizations in all relevant sectors and cultures and of every size. An MSS
should not prevent organizations from competitively adding to or differentiating from others, or enhancing their
management systems beyond the standard.

5) Free trade — An MSS should permit the free trade of goods and services in line with the principles included in
the WTO Agreement on Technical Barriers to Trade.

6) Applicability of — The market need for first-, second- or third-party conformity assessment, conformity assessment or
52

any combination thereof, should be assessed. The resulting MSS should clearly address the suitability of use for conformity
assessment in its scope. An MSS should facilitate joint audits.
 ISO 9001:2015

7) Exclusions — An MSS should not include directly related product (including services) specifications, test methods,
performance levels (i.e. setting of limits) or other forms of standardization for products produced by the implementing
organization.

8) Ease of use — It should be ensured that the user can easily implement one or more MSS. An MSS should be easily
understood, unambiguous, free from cultural bias, easily translatable, and applicable to businesses in general.

SL.7 Justification study process and criteria

SL.7.1 General
This clause describes the justification study (JS) process for justifying and evaluating the market relevance of proposals for
an MSS. Appendix 1 to this Annex SL provides a set of questions to be addressed in the justification study.

SL.7.2 Justification study process

The JS process applies to any MSS project and consists of the following:
a) the development of the JS by (or on behalf of) the proposer of an MSS project;

b) an approval of the JS by the ISO/TMB (or ISO/TMB MSS task force).

The JS process is followed by the normal ISO balloting procedure for new work item approval as appropriate.

SL.7.3 Justification study criteria

Based on Annex C of the ISO/IEC Directives, Part 1, 2012, and the general principles stated above, a set of questions (see
Appendix 1 to this Annex SL) must be used as criteria for justifying and assessing a proposed MSS project and must be
answered by the proposer. This list of questions is not exhaustive and any additional information that is relevant to the case
should be provided. The JS should demonstrate that all questions have been considered. If it is decided that they are not
relevant or appropriate to a particular situation, then the reasons for this decision should be clearly stated. The unique aspect
of a particular MSS may require consideration of additional questions in order to assess objectively its market relevance.
SL.8 Guidance on the development process and structure of an MSS

SL.8.1 General
The development of an MSS will have effects in relation to
— the far-reaching impact of these standards on business practice,
— the importance of worldwide support for the standards,
— the practical possibility for involvement by many, if not all, ISO Member Bodies, and
— the market need for compatible and aligned MSS.
This clause provides guidance in addition to the procedures laid down in the ISO/IEC Directives, in order to take these effects
into account.
All MSS (whether they are Type A or Type B MSS) shall, in principle, use consistent structure, common text and terminology
so that they are easy to use and compatible with each other. The guidance and structure given in Appendix 2 to this Annex
SL shall, in principle, also be followed (based on ISO/TMB Resolution 18/2012).
A Type B MSS which provides guidance on another MSS of the same MSS family should follow the same structure (i.e.
clauses numbering). Where MSS providing guidance (Type B MSS) are involved, it is important that their functions be clearly
defined together with their relationship with the MSS providing requirements (Type A MSS), for example:
— guidance on the use of the requirements standard;
— guidance on the establishment/implementation of the management system;
— guidance on improvement/enhancement of the management system.
Where the proposed MSS is sector specific:
— it should be compatible and aligned with the generic MSS;
— the relevant committee responsible for the generic MSS may have additional requirements to be met or procedures to be
53

followed;
— other committees may need to be consulted, as well as CASCO on conformity assessment issues.
 ISO 9001:2015

In the case of sector specific documents, their function and relationship with the generic MSS should be clearly defined (e.g.
additional sector-specific requirements; elucidation; or both as appropriate).
Sector-specific documents should always show clearly (e.g. by using different typographical styles) the kind of sector-specific
information being provided.
NOTE 1 The ISO/TMB/JTCG “Joint Technical Coordination Group on MSS” has produced a set of rules for the addition of
discipline specific text to the identical text.

NOTE 2 Where the identical text or any of the requirements cannot be applied in a specific MSS, due to special circumstances,
this should be reported to the ISO/TMB through the TMB Secretary at [email protected] (see SL.9.3).

SL.8.2 MSS development process

SL.8.2.1 General
In addition to the JS, the development of an MSS should follow the same requirements as other ISO deliverables (ISO/IEC
Directives, Part 1, Clause 2).
SL.8.2.2 Design specification
To ensure that the intention of the standard, as demonstrated by the justification study, will be maintained, a design
specification may be developed before a working draft is prepared.
The responsible committee will decide whether the design specification is needed and in case it is felt necessary, it will decide
upon its format and content that is appropriate for the MSS and should set up the necessary organization to carry out the task.
The design specification should typically address the following.
User needs The identification of the users of the standard and their associated needs, together with the costs and
benefits for these users.

Scope The scope and purpose of the standard, the title and the field of application.
Compatibility
How compatibility within this and with other MSS families will be achieved, including identification of
the common elements with similar standards, and how these will be included in the recommended
structure (see Appendix 2 to this Annex SL).

Consistency Consistency with other documents (to be) developed within the MSS family.
NOTE Most, if not all of the information on user needs and scope will be available from the justification study.

The design specification should ensure that

a) the outputs of the justification study are translated correctly into requirements for the MSS,

b) the issues of compatibility and alignment with other MSS are identified and addressed,

c) a basis for verification of the final MSS exists at appropriate stages during the development process,

d) the approval of the design specification provides a basis for ownership throughout the project by the members of the
TC/SC(s),

e) account is taken of comments received through the NWI ballot phase, and

f) any constraints are taken into account.

The Committee developing the MSS should monitor the development of the MSS against the design specification in order to
ensure that no deviations happen in the course of the project.
54
 ISO 9001:2015

SL.8.2.3 Producing the deliverables

SL.8.2.3.1 Monitoring output

In the drafting process, the output should be monitored for compatibility and ease of use with other MSS, by covering issues
such as

— the high level structure (HLS), identical sub-clause titles, identical text and common terms
and core definitions the need for clarity (both in language and presentation), and — avoiding
overlap and contradiction.

SL.8.2.4 Transparency of the MSS development process

MSS have a broader scope than most other types of standard. They cover a large field of human endeavour and have an
impact on a wide range of user interests.
Committees preparing MSS should accordingly adopt a highly transparent approach to the development of the standards,
ensuring that
— possibilities for participation in the process of developing standards are clearly identified, and — the development
processes being used are understood by all parties.
Committees should provide information on progress throughout the life cycle of the project, including
— the status of the project to date (including items under discussion),
— contact points for further information,
— communiqués and press releases on plenary meetings, and
— regular listings of frequently asked questions and answers.
In doing this, account needs to be taken of the distribution facilities available in the participating countries.
Where it may be expected that users of a Type A MSS are likely to demonstrate conformity to it, the MSS shall be so written
that conformity can be assessed by a manufacturer or supplier (first party, or self-declaration), a user or purchaser (second
party) or an independent body (third party, also known as certification or registration).
Maximum use should be made of the resources of the ISO Central Secretariat to facilitate the transparency of the project and
the committee should, in addition, consider the establishment of a dedicated openaccess website.
Committees should involve the national member bodies to build up a national awareness of the MSS project, providing drafts
as appropriate for different interested and affected parties, including accreditation bodies, certification bodies, enterprises and
the user community, together with additional specific information as needed.
The committee should ensure that technical information on the content of the MSS under development is readily available to
participating members, especially those in developing countries.

SL.8.2.5 Process for interpretation of a standard

The committee may establish a process to handle interpretation questions related to their standards from the users, and may
make the resulting interpretations available to others in an expedient manner. Such a mechanism can effectively address
possible misconceptions at an early stage and identify issues that may require improved wording of the standard during the
next revision cycle. Such processes are considered to be “committee specific procedures” [see Foreword f)].

SL.9 High level structure, identical core text and common terms and core definitions for use in Management Systems
Standards

SL.9.1 Introduction
The aim of this document is to enhance the consistency and alignment of ISO MSS by providing a unifying and agreed upon
high level structure, identical core text and common terms and core definitions. The aim being that all ISO Type A MSS (and
B where appropriate) are aligned and the compatibility of these standards is enhanced. It is envisaged that individual MSS
will add additional “discipline-specific” requirements as required.
55

NOTE In Annex SL.9.1 and Annex SL.9.4 “discipline-specific” is used to indicate specific subject(s) to which a management
system standard refers, e.g. energy, quality, records, environment etc.
 ISO 9001:2015

The intended audience for this document is ISO Technical Committees (TC), Subcommittees (SC) and Project Committees
(PC) and others that are involved in the development of MSS.
This common approach to new MSS and future revisions of existing standards will increase the value of such standards to
users. It will be particularly useful for those organizations that choose to operate a single (sometimes called “integrated”)
management system that can meet the requirements of two or more MSS simultaneously.
Appendix 2 to this Annex SL sets out the high level structure, identical core text and common terms and core definitions that
form the nucleus of future and revised ISO Type A MSS and Type B MSS when possible.
Appendix 3 to this Annex SL sets out guidance to the use of Appendix 2 to this Annex SL. SL.9.2 Use

ISO MSS include the high level structure and identical core text as found in Appendix 2 to this Annex SL. The common terms
and core definitions are either included or normatively reference an international standard where they are included.
NOTE The high level structure includes the main clauses (1 to 10) and their titles, in a fixed sequence. The identical core text
includes numbered sub-clauses (and their titles) as well as text within the sub-clauses.

SL.9.3 Non applicability

If due to exceptional circumstances the high level structure or any of the identical core text, common terms and core definitions
cannot be applied in the management system standard then the TC/PC/SC needs to explain their rationale for review by:
a) providing an initial deviation report to ISO/CS with the DIS submission;

b) providing a final deviation report to ISO/TMB (through the ISO/TMB Secretary at [email protected]) upon submission of the
final text of the standard for publication.

TC/PC/SC shall use the ISO commenting template to provide their deviation reports.
NOTE 1 The final deviation report can be an updated version of the initial deviation report.

NOTE 2 TC/PC/SC strive to avoid any non-applicability of the high level structure or any of the identical core text, common
terms and core definitions.

SL.9.4 Using Annex SL Appendix 2

Discipline-specific text additions to Annex SL Appendix 2 are managed as follows.
1. Discipline-specific additions are made by the individual ISO/TC, PC, SC or other group that is developing the specific
ISO management system standard.

2. Discipline-specific text does not affect harmonization or contradict or undermine the intent of the high level structure,
identical core text, common terms and core definitions.

3. Insert additional sub-clauses, or sub-sub-clauses (etc.) either ahead of an identical text sub-clause ( or sub-sub-clause
etc.), or after such a sub-clause (etc.) and renumbered accordingly.

NOTE 1 Hanging paragraphs are not permitted — see ISO/IEC Directives, Part 2, clause 5.2.4.

NOTE 2 Attention is drawn to the need to check cross referencing.

4. Add or insert discipline-specific text within Appendix 2 to this Annex SL. Examples of additions include:

a) new bullet points

b) discipline-specific explanatory text (e.g. Notes or Examples), in order to clarify requirements

c) discipline-specific new paragraphs to sub-clauses (etc.) within the identical text

d) adding text that enhances the existing requirements in Appendix 2 to this Annex SL

5. Avoid repeating requirements between identical core text and discipline-specific text by adding text to the identical core
text taking account of point 2 above.
56

6. Distinguish between discipline-specific text and identical core text from the start of the drafting process. This aids
identification of the different types of text during the development and balloting stages.
 ISO 9001:2015

NOTE 1 Distinguishing options include by colour, font, font size, italics, or by being boxed separately etc.

NOTE 2 Identification of distinguishing text is not necessarily carried into the published version.

7. Understanding of the concept of “risk” may be more specific than that given in the definition under 3.9 of Appendix 2 to
this Annex SL. In this case a discipline-specific definition may be needed. The discipline-specific terms and definitions
are differentiated from the core definition, e.g. (XXX) risk.

NOTE The above can also apply to a number of other definitions.

8. Common terms and core definitions will be integrated into the listing of terms and definitions in the discipline-specific
management system standard consistent with the concept system of that standard.

SL.9.5 Implementation
Follow the sequence, high level structure, identical core text, common terms and core definitions for any new management
system standard and for any revisions to existing management system standard.

SL.9.6 Guidance
Find supporting guidance in Appendix 3 to this Annex SL.
Appendix 1
( normative )

Justification criteria questions

1. General
The list of questions to be addressed in the justification study are in line with the principles listed in SL.6. This list is not
exhaustive. Additional information not covered by the questions should be provided if it is relevant to the case.
Each general principle should be given due consideration and ideally when preparing the JS, the proposer should provide a
general rationale for each principle, prior to answering the questions associated with the principle.
The principles the proposer of the MSS should pay due attention to when preparing the justification study are:
1. Market relevance

2. Compatibility

3. Topic coverage

4. Flexibility

5. Free trade

6. Applicability of conformity assessment

7. Exclusions
NOTE No questions directly refer to the principle 8 “ease of use”, but it should guide the development of the deliverable.

Basic information on the MSS proposal

57

1 What is the proposed purpose and scope of the MSS? Is the document supposed to be a guidance document or
a document with requirements?
 ISO 9001:2015

2 Does the proposed purpose or scope include product (including service) specifications, product test methods,
product performance levels, or other forms of guidance or requirements directly related to products produced or
provided by the implementing organization?

3 Is there one or more existing ISO committee or non-ISO organization that could logically have responsibility for
the proposed MSS? If so, identify.

4 Have relevant reference materials been identified, such as existing guidelines or established practices?

5 Are there technical experts available to support the standardization work? Are the technical experts direct
representatives of the affected parties from the different geographical regions?

6 What efforts are anticipated as being necessary to develop the document in terms of experts needed and
number/duration of meetings?

7 Is the MSS intended to be a guidance document, contractual specification or regulatory specification for an
organization?

Principle 1: market relevance

8 Have all the affected parties been identified? For example:

a) organizations (of various types and sizes): the decision-makers within an organization who approve work
to implement and achieve conformance to the MSS;

b) customers/end-users, i.e. individuals or parties that pay for or use a product (including service) from an
organization;

c) supplier organizations, e.g. producer, distributor, retailer or vendor of a product, or a provider of a service
or information;

d) MSS service provider, e.g. MSS certification bodies, accreditation bodies or consultants; e) regulatory
bodies;

f) non-governmental organizations.

9 What is the need for this MSS? Does the need exist at a local, national, regional or global level? Does the need
apply to developing countries? Does it apply to developed countries? What is the added value of having an ISO
document (e.g. facilitating communication between organizations in different countries)?

10 Does the need exist for a number of sectors and is thus generic? If so, which ones? Does the need exist for small,
medium or large organizations?

11 Is the need important? Will the need continue? If yes, will the target date of completion for the proposed MSS
satisfy this need? Are viable alternatives identified?

12 Describe how the need and importance were determined. List the affected parties consulted and the major
geographical or economical regions in which they are located.

13 Is there known or expected support for the proposed MSS? List those bodies that have indicated support. Is there
known or expected opposition to the proposed MSS? List those bodies that have indicated opposition.
58
 ISO 9001:2015

14 What are the expected benefits and costs to organizations, differentiated for small, medium and large
organizations if applicable?
Describe how the benefits and the costs were determined. Provide available information on geographic or
economic focus, industry sector and size of the organization. Provide information on the sources consulted and
their basis (e.g. proven practices), premises, assumptions and conditions (e.g. speculative or theoretical), and
other pertinent information.

15 What are the expected benefits and costs to other affected parties (including developing countries)?
Describe how the benefits and the costs were determined. Provide any information regarding the affected parties
indicated.

16 What will be the expected value to society?

17 Have any other risks been identified (e.g. timeliness or unintended consequences to a specific business)?

Principle 2: compatibility
18 Is there potential overlap or conflict with (or what is the added value in relation to) other existing or planned ISO
or non-ISO international standards, or those at the national or regional level? Are there other public or private
actions, guidance, requirements and regulations that seek to address the identified need, such as technical
papers, proven practices, academic or professional studies, or any other body of knowledge?

19 Is the MSS or the related conformity assessment activities (e.g. audits, certifications) likely to add to, replace all
or parts of, harmonize and simplify, duplicate or repeat, conflict with, or detract from the existing activities
identified above? What steps are being considered to ensure compatibility, resolve conflict or avoid duplication?

20 Is the proposed MSS likely to promote or stem proliferation of MSS at the national or regional level, or by industry
sectors?

Principle 3: topic coverage

21 Is the MSS for a single specific sector?

22 Will the MSS reference or incorporate an existing, non-industry-specific ISO MSS (e.g. from the ISO 9000 series
of quality management standards)? If yes, will the development of the MSS conform to the ISO/IEC Sector Policy
(see 6.8.2 of ISO/IEC Directives, Part 2), and any other relevant policy and guidance procedures (e.g. those that
may be made available by a relevant ISO committee)?

23 What steps have been taken to remove or minimize the need for particular sector-specific deviations from a
generic MSS?

Principle 4: flexibility
59

24 Will the MSS allow an organization competitively to add to, differentiate or encourage innovation of its
management system beyond the standard?
 ISO 9001:2015

Principle 5: free trade

25 How would the MSS facilitate or impact global trade? Could the MSS create or prevent a technical barrier to
trade?

26 Could the MSS create or prevent a technical barrier to trade for small, medium or large organizations?

27 Could the MSS create or prevent a technical barrier to trade for developing or developed countries?

28 If the proposed MSS is intended to be used in government regulations, is it likely to add to, duplicate, replace,
enhance or support existing governmental regulations?

Principle 6: applicability of conformity

29 If the intended use is for contractual or regulatory purposes, what are the potential methods to demonstrate
conformance (e.g. first party, second party or third party)? Does the MSS enable organizations to be flexible in
choosing the method of demonstrating conformance, and to accommodate for changes in its operations,
management, physical locations and equipment?

30 If third-party registration/certification is a potential option, what are the anticipated benefits and costs to the
organization? Will the MSS facilitate joint audits with other MSS or promote parallel assessments?

Principle 7: exclusions
31 Does the proposed purpose or scope include product (including service) specifications, product test methods,
product performance levels, or other forms of guidance or requirements directly related to products produced or
provided by the implementing organization?

Appendix 2
( normative )

High level structure, identical core text, common terms and core definitions

NOTE In the Identical text proposals, XXX = an MSS discipline specific qualifier (e.g. energy, road traffic safety, IT security,
food safety, societal security, environment, quality) that needs to be inserted. Blue italicized text is given as advisory notes to
standards drafters.

Introduction
DRAFTING INSTRUCTION Specific to the discipline.

1. Scope
60

DRAFTING INSTRUCTION Specific to the discipline.

 ISO 9001:2015

2. Normative references
DRAFTING INSTRUCTION Clause Title shall be used. Specific to the discipline.

3. Terms and definitions

DRAFTING INSTRUCTION 1 Clause Title shall be used. Terms and definitions may either be within the standard or in a
separate document. To reference Common terms and Core definitions + discipline specific ones. The arrangement of terms
and definitions shall be according to the concept systems of each standard.

For the purposes of this document, the following terms and definitions apply.
DRAFTING INSTRUCTION 2 The following terms and definitions constitute an integral part of the “common text” for
management systems standards. Additional terms and definitions may be added as needed. Notes may be added or modified
to serve the purpose of each standard.

DRAFTING INSTRUCTION 3 Italics type in a definition indicates a cross-reference to another term defined in this clause,
and the number reference for the term is given in parentheses.

DRAFTING INSTRUCTION 4 Where the text “XXX” appears throughout this clause, the appropriate reference should be
inserted depending on the context in which these terms and definitions are being applied. For example: “an XXX objective”
could be substituted as “an information security objective”.

3.1 organization

person or group of people that has its own functions with responsibilities, authorities and relationships to achieve its objectives
(3.8)
Note 1 to entry: The concept of organization includes, but is not limited to sole-trader, company, corporation, firm, enterprise,
authority, partnership, charity or institution, or part or combination thereof, whether incorporated or not, public or private.

3.2 interested party (preferred term) stakeholder (admitted term) person or organization (3.1) that can affect, be affected
by, or perceive itself to be affected by a decision or activity

3.3 requirement

need or expectation that is stated, generally implied or obligatory

Note 1 to entry: “Generally implied” means that it is custom or common practice for the organization and interested parties
that the need or expectation under consideration is implied.

Note 2 to entry: A specified requirement is one that is stated, for example in documented information.

3.4

management system
set of interrelated or interacting elements of an organization (3.1) to establish policies (3.7) and objectives (3.8) and processes
(3.12) to achieve those objectives
Note 1 to entry: A management system can address a single discipline or several disciplines.

Note 2 to entry: The system elements include the organization’s structure, roles and responsibilities, planning and operation.

Note 3 to entry: The scope of a management system may include the whole of the organization, specific and identified functions
of the organization, specific and identified sections of the organization, or one or more functions across a group of
organizations.

3.5

top management
61

person or group of people who directs and controls an organization (3.1) at the highest level
Note 1 to entry: Top management has the power to delegate authority and provide resources within the organization.
 ISO 9001:2015

Note 2 to entry: If the scope of the management system (3.4) covers only part of an organization, then top management refers
to those who direct and control that part of the organization.

3.6 effectiveness

extent to which planned activities are realized and planned results achieved

3.7 policy

intentions and direction of an organization (3.1), as formally expressed by its top management (3.5)

3.8 objective result to be

achieved

Note 1 to entry: An objective can be strategic, tactical, or operational.

Note 2 to entry: Objectives can relate to different disciplines (such as financial, health and safety, and environmental goals)
and can apply at different levels (such as strategic, organization-wide, project, product and process (3.12)).

Note 3 to entry: An objective can be expressed in other ways, e.g. as an intended outcome, a purpose, an operational criterion,
as an XXX objective, or by the use of other words with similar meaning (e.g. aim, goal, or target).

Note 4 to entry: In the context of XXX management systems, XXX objectives are set by the organization, consistent with the
XXX policy, to achieve specific results.

3.9 risk effect of

uncertainty

Note 1 to entry: An effect is a deviation from the expected — positive or negative.

Note 2 to entry: Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of,
an event, its consequence, or likelihood.

Note 3 to entry: Risk is often characterized by reference to potential “events” (as defined in ISO Guide 73:2009, 3.5.1.3) and
“consequences” (as defined in ISO Guide 73:2009, 3.6.1.3) , or a combination of these.

Note 4 to entry: Risk is often expressed in terms of a combination of the consequences of an event (including changes in
circumstances) and the associated “likelihood” (as defined in ISO Guide 73:2009, 3.6.1.1) of occurrence.

3.10 competence

ability to apply knowledge and skills to achieve intended results

3.11 documented information

information required to be controlled and maintained by an organization (3.1) and the medium on which it is contained
Note 1 to entry: Documented information can be in any format and media, and from any source.

Note 2 to entry: Documented information can refer to:

— the management system (3.4), including related processes (3.12);

— information created in order for the organization to operate (documentation);

62

— evidence of results achieved (records).

3.12 process
 ISO 9001:2015

set of interrelated or interacting activities which transforms inputs into outputs

3.13 performance
measurable result

Note 1 to entry: Performance can relate either to quantitative or qualitative findings.

Note 2 to entry: Performance can relate to the management of activities, processes (3.12), products (including services),
systems or organizations (3.1).

3.14 outsource (verb)

make an arrangement where an external organization (3.1) performs part of an organization’s function or process (3.12)
Note 1 to entry: An external organization is outside the scope of the management system (3.4), although the outsourced
function or process is within the scope.

3.15 monitoring determining the status of a system, a process (3.12) or an

activity

Note 1 to entry: To determine the status, there may be a need to check, supervise or critically observe.

3.16

measurement
process (3.12) to determine a value

3.17 audit

systematic, independent and documented process (3.12) for obtaining audit evidence and evaluating it objectively to determine
the extent to which the audit criteria are fulfilled
Note 1 to entry: An audit can be an internal audit (first party) or an external audit (second party or third party), and it can be a
combined audit (combining two or more disciplines).

Note 2 to entry: An internal audit is conducted by the organization itself, or by an external party on its behalf.

Note 3 to entry: “Audit evidence” and “audit criteria” are defined in ISO 19011.

3.18 conformity fulfilment of a

requirement (3.3)

3.19 nonconformity

non-fulfilment of a requirement (3.3)

3.20 corrective action action to eliminate the cause of a nonconformity (3.19) and to prevent
recurrence

3.21 continual improvement recurring activity to enhance

performance (3.13)
63

4. Context of the organization

 ISO 9001:2015

4.1 Understanding the organization and its context

The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to
achieve the intended outcome(s) of its XXX management system.

4.2 Understanding the needs and expectations of interested parties

The organization shall determine:

— the interested parties that are relevant to the XXX management system; — the relevant
requirements of these interested parties.

4.3 Determining the scope of the XXX management system

The organization shall determine the boundaries and applicability of the XXX management system to establish its scope.
When determining this scope, the organization shall consider:
— the external and internal issues referred to in 4.1; — the
requirements referred to in 4.2.
The scope shall be available as documented information.

4.4 XXX management system

The organization shall establish, implement, maintain and continually improve an XXX management system, including the
processes needed and their interactions, in accordance with the requirements of this International Standard/this part of ISO
XXXX/this Technical Specification.

5. Leadership
5.1 Leadership and commitment

Top management shall demonstrate leadership and commitment with respect to the XXX management system by:
— ensuring that the XXX policy and XXX objectives are established and are compatible with the strategic direction of the
organization;
— ensuring the integration of the XXX management system requirements into the organization’s business processes;
— ensuring that the resources needed for the XXX management system are available;
— communicating the importance of effective XXX management and of conforming to the XXX management system
requirements;
— ensuring that the XXX management system achieves its intended outcome(s);
— directing and supporting persons to contribute to the effectiveness of the XXX management system;
— promoting continual improvement;
— supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility.
NOTE Reference to “business” in this International Standard/this part of ISO XXXX/this Technical Specification can be
interpreted broadly to mean those activities that are core to the purposes of the organization’s existence.

5.2 Policy

Top management shall establish a XXX policy that:

a) is appropriate to the purpose of the organization;

b) provides a framework for setting XXX objectives;

c) includes a commitment to satisfy applicable requirements;

d) includes a commitment to continual improvement of the XXX management system.

64

The XXX policy shall:

— be available as documented information;
— be communicated within the organization;
 ISO 9001:2015

— be available to interested parties, as appropriate.

5.3 Organizational roles, responsibilities and authorities

Top management shall ensure that the responsibilities and authorities for relevant roles are assigned and communicated
within the organization.
Top management shall assign the responsibility and authority for:
a) ensuring that the XXX management system conforms to the requirements of this International Standard/this part of ISO
XXXX/this Technical Specification;

b) reporting on the performance of the XXX management system to top management.

6. Planning
6.1 Actions to address risks and opportunities

When planning for the XXX management system, the organization shall consider the issues referred to in 4.1 and the
requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to:
— give assurance that the XXX management system can achieve its intended outcome(s);
— prevent, or reduce, undesired effects;
— achieve continual improvement.
The organization shall plan:
a) actions to address these risks and opportunities;

b) how to:
— integrate and implement the actions into its XXX management system processes;
— evaluate the effectiveness of these actions.

6.2 XXX objectives and planning to achieve them

The organization shall establish XXX objectives at relevant functions and levels.
The XXX objectives shall:
a) be consistent with the XXX policy;

b) be measurable (if practicable);

c) take into account applicable requirements;

d) be monitored;

e) be communicated;

f) be updated as appropriate.

The organization shall retain documented information on the XXX objectives.

When planning how to achieve its XXX objectives, the organization shall determine:
— what will be done;
— what resources will be required;
— who will be responsible;
— when it will be completed;
— how the results will be evaluated.

7. Support
65

7.1 Resources
 ISO 9001:2015

The organization shall determine and provide the resources needed for the establishment, implementation, maintenance and
continual improvement of the XXX management system.

7.2 Competence

The organization shall:

— determine the necessary competence of person(s) doing work under its control that affects its XXX performance;
— ensure that these persons are competent on the basis of appropriate education, training, or experience;
— where applicable, take actions to acquire the necessary competence, and evaluate the effectiveness of the actions taken;
— retain appropriate documented information as evidence of competence.
NOTE Applicable actions can include, for example, the provision of training to, the mentoring of, or the reassignment of
currently employed persons; or the hiring or contracting of competent persons.

7.3 Awareness

Persons doing work under the organization’s control shall be aware of:
— the XXX policy;
— their contribution to the effectiveness of the XXX management system, including the benefits of improved XXX performance;
— the implications of not conforming with the XXX management system requirements.

7.4 Communication

The organization shall determine the internal and external communications relevant to the XXX management system,
including:
— on what it will communicate;
— when to communicate;
— with whom to communicate; — how to
communicate.

7.5 Documented information

7.5.1 General

The organization’s XXX management system shall include:

a) documented information required by this International Standard/this part of ISO XXXX/this Technical Specification;
b) documented information determined by the organization as being necessary for the effectiveness of the XXX
management system.

NOTE The extent of documented information for a XXX management system can differ from one organization to another due
to:

— the size of organization and its type of activities, processes, products and services;

— the complexity of processes and their interactions; — the

competence of persons.

7.5.2 Creating and updating

When creating and updating documented information the organization shall ensure appropriate:
— identification and description (e.g. a title, date, author, or reference number); — format (e.g. language,
software version, graphics) and media (e.g. paper, electronic);
— review and approval for suitability and adequacy.

7.5.3 Control of documented information

66

Documented information required by the XXX management system and by this International Standard /this part of ISO
XXXX/this Technical Specification shall be controlled to ensure:
 ISO 9001:2015

a) it is available and suitable for use, where and when it is needed;

b) it is adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity).
For the control of documented information, the organization shall address the following activities, as applicable:
— distribution, access, retrieval and use;
— storage and preservation, including preservation of legibility;
— control of changes (e.g. version control); — retention
and disposition.
Documented information of external origin determined by the organization to be necessary for the planning and operation of
the XXX management system shall be identified, as appropriate, and controlled.
NOTE Access can imply a decision regarding the permission to view the documented information only, or the permission and
authority to view and change the documented information.

8. Operation
8.1 Operational planning and control

DRAFTING INSTRUCTION This sub-clause heading will be deleted if no additional sub-clauses are added to Clause 8.

The organization shall plan, implement and control the processes needed to meet requirements, and to implement the actions
determined in 6.1, by:
— establishing criteria for the processes;
— implementing control of the processes in accordance with the criteria;
— keeping documented information to the extent necessary to have confidence that the processes have been carried out as
planned.
The organization shall control planned changes and review the consequences of unintended changes, taking action to mitigate
any adverse effects, as necessary.
The organization shall ensure that outsourced processes are controlled.

9. Performance evaluation
9.1 Monitoring, measurement, analysis and evaluation

The organization shall determine:

— what needs to be monitored and measured;
— the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results;
— when the monitoring and measuring shall be performed;
— when the results from monitoring and measurement shall be analysed and evaluated.
The organization shall retain appropriate documented information as evidence of the results.
The organization shall evaluate the XXX performance and the effectiveness of the XXX management system.

9.2 Internal audit

9.2.1 The organization shall conduct internal audits at planned intervals to provide information on whether the XXX
management system:
a) conforms to:
— the organization’s own requirements for its XXX management system;
— the requirements of this International Standard/this part of ISO XXXX/this Technical Specification;
b) is effectively implemented and maintained.
67

9.2.2 The organization shall:

 ISO 9001:2015

a) plan, establish, implement and maintain an audit programme(s) including the frequency, methods, responsibilities,
planning requirements and reporting, which shall take into consideration the importance of the processes concerned and
the results of previous audits;

b) define the audit criteria and scope for each audit;

c) select auditors and conduct audits to ensure objectivity and the impartiality of the audit process;

d) ensure that the results of the audits are reported to relevant management;

e) retain documented information as evidence of the implementation of the audit programme and the audit results.

9.3 Management review

Top management shall review the organization’s XXX management system, at planned intervals, to ensure its continuing
suitability, adequacy and effectiveness.
The management review shall include consideration of:
a) the status of actions from previous management reviews;

b) changes in external and internal issues that are relevant to the XXX management system;

c) information on the XXX performance, including trends in:

— nonconformities and corrective actions;
— monitoring and measurement results;
— audit results;
d) opportunities for continual improvement.

The outputs of the management review shall include decisions related to continual improvement opportunities and any need
for changes to the XXX management system.
The organization shall retain documented information as evidence of the results of management reviews.

10. Improvement
10.1 Nonconformity and corrective action

When a nonconformity occurs, the organization shall:

a) react to the nonconformity and, as applicable:
— take action to control and correct it;
— deal with the consequences;
b) evaluate the need for action to eliminate the causes of the nonconformity, in order that it does not recur or occur
elsewhere, by:

— reviewing the nonconformity;

— determining the causes of the nonconformity;
— determining if similar nonconformities exist, or could potentially occur;
c) implement any action needed;

d) review the effectiveness of any corrective action taken;

e) make changes to the XXX management system, if necessary.

Corrective actions shall be appropriate to the effects of the nonconformities encountered.
The organization shall retain documented information as evidence of: — the nature of the
68

nonconformities and any subsequent actions taken;

— the results of any corrective action.
 ISO 9001:2015

10.2 Continual improvement

The organization shall continually improve the suitability, adequacy and effectiveness of the XXX management system.
Appendix 3
( informative )

Guidance on high level structure, identical core text, common terms and core
definitions

Guidance on the high level structure, identical core text, common terms and core definitions is provided at the following URL:
Annex SL Guidance documents (http://isotc.iso.org/livelink/
livelink?func=ll&objId=16347818&objAction=browse&viewType=1).

ISO 9001:2015 – Risk Based Thinking

One of the key changes in the 2015 revision of ISO 9001 is to establish a systematic approach to risk,
rather than treating it as a single component of a quality management system. In previous editions of
ISO 9001, a clause on preventive action was separated from the whole. Now risk is considered and
included throughout the standard. By taking a risk-based approach, an organization becomes proactive
rather than purely reactive, preventing or reducing undesired effects and promoting continual
improvement. Preventive action is automatic when a management system is risk-based.

Risk-based thinking is something we all do automatically and often sub-consciously for e.g. if I wish to
cross a road I look for traffic before I begin. I will not step in front of a moving car. The concept of risk
has always been implicit in ISO 9001 – this revision makes it more explicit and builds it into the whole
management system. The risk is considered from the beginning and throughout the standard, making
preventive action part of strategic planning as well as operation and review. Risk-based thinking is
69

already part of the process approach. For e.g. to cross the road I may go directly or I may use a nearby
 ISO 9001:2015

footbridge. Which process I choose will be determined by considering the risks. Risk-based thinking
makes preventive action part of the routine. Risk is often thought of only in the negative sense. Risk-
based thinking can also help to identify opportunities. This can be considered to be the positive side of
risk. Crossing the road directly gives me an opportunity to reach the other side quickly, but there is an
increased risk of injury from moving cars. The risk of using a footbridge is that I may be delayed. The
opportunity of using a footbridge is that there is less chance of being injured by a car.

Opportunity is not always directly related to risk but it is always related to the objectives. By
considering a situation it may be possible to identify opportunities to improve.

The opportunities for improvement: a subway leading directly under the road, pedestrian traffic lights,
or diverting the road so that the area has no traffic. It is necessary to analyses the opportunities and
consider which can or should be acted on. Both the impact and the feasibility of taking an opportunity
must be considered. Whatever action is taken will change the context and the risks and these must
then be reconsidered.

Identify what your risks are – it depends on context

Example:
If I cross a busy road with many fast-moving cars the risks are not the same as if the road is small with
very few moving cars. It is also necessary to consider such things as weather, visibility, personal
mobility and specific personal objectives.
Understand your risks
What is acceptable, what is unacceptable? What advantages or disadvantages are there to one
process over another?

Example:
Objective: I need to safely cross a road to reach a meeting at a given time.
 It is UNACCEPTABLE to be injured.
 It is UNACCEPTABLE to be late.
Reaching my goal more quickly must be balanced against the likelihood of injury. It is more important
that I reach my meeting uninjured than it is for me to reach my meeting on time.

It may be ACCEPTABLE to delay arriving at the other side of the road by using a footbridge if the
likelihood of being injured by crossing the road directly is high. I analyses the situation. The footbridge
is 200 meters away and will add time to my journey. The weather is good, the visibility is good and I
can see that the road does not have many cars at this time. I decide that walking directly across the
70

road carries an acceptably low level of risk of injury and will help me reach my meeting on time.
 ISO 9001:2015

The Main Objectives of ISO 9001 to provide confidence in the organization’s ability to consistently
provide customers with conforming goods and services and to enhance customer satisfaction. The
concept of “risk” in the context of ISO 9001 relates to the uncertainty in achieving these objectives.

Plan actions to address the risks

How can I avoid or eliminate the risk? How can I mitigate risks?
Example: I could eliminate risk of injury caused by being hit by a vehicle if I use the footbridge but I
have already decided that the risk involved in crossing the road is acceptable. Now I plan how to
reduce either the likelihood or the impact of injury. I cannot reasonably expect to control the impact
of a car hitting me. I can reduce the probability of being hit by a car. I plan to cross at a time when
there are no cars moving near me and so reduce the likelihood of an accident. I also plan to cross the
road at a place where I have good visibility.

Implement the plan – take action

Example:
I move to the side of the road, check there are no barriers to crossing. I check there are no cars
coming. I continue to look for cars whilst crossing the road.

Check the effectiveness of the action – does it work?

Example:
I arrive at the other side of the road unharmed and on time: this plan worked and undesired effects
have been avoided.

Learn from experience – improve

Example:
I repeat the plan over several days, at different times and in different weather conditions. This gives
me data to understand that changing context (time, weather, quantity of cars) directly affects the
effectiveness of the plan and increases the probability that I will not achieve my objectives (being on
time and avoiding injury). Experience teaches me that crossing the road at certain times of day is very
difficult because there are too many cars. To limit the risk I revise and improve my process by using
the footbridge at these times. I continue to analyze the effectiveness of the processes and revise them
when the context changes. I also continue to consider innovative opportunities:
71
 ISO 9001:2015

 can I move the meeting place so that the road does not have to be crossed?
 can I change the time of the meeting so that I cross the road when it is quiet?
 can we meet electronically?

DEFINITIONS
ISO 9001:2015 defines risk as the effect of uncertainty on an expected result.

1. An effect is a deviation from the expected – positive or negative.

2. Risk is about what could happen and what the effect of this happening might be.
3. Risk also considers how likely it is.
The target of a management system is achieve conformity and customer satisfaction.

Explanation:
Risk is the possibility of events or activities impeding the achievement of an organization’s strategic
and operational objectives. It is the volatility of potential outcomes. Risk can be defined by two
parameters

 Severity (This is the Seriousness of the harm)

 Probability (This is the Probability that the harm will occur)
72
 ISO 9001:2015

Risk as Currently Stated in ISO 9001:2015

ISO 9001:2015 uses risk-based thinking to achieve this in the following way:

 Clause 4 (Context) the organization is required to determine the risks which may affect this.The
organization is also required to determine its QMS processes and to address its risks and
opportunities
 Clause 5 (Leadership) top management are required to commit to ensuring Clause 4 is followed.
Top management is required to
 Promote awareness of risk-based thinking
 Determine and address risks and opportunities that can affect product /service
conformity
 Clause 6 (Planning) The organization is required to identify risks and opportunities related to QMS
performance and take appropriate actions to address them
 Clause 7 (Support) the organization is required to determine and provide necessary resources (risk
is implicit whenever “suitable” or “appropriate” is mentioned)
 Clause 8 (Operation)the organization is required to manage its operational processes (risk is
implicit whenever “suitable” or “appropriate” is mentioned). The organization is required to
implement processes to address risks and opportunities.
 Clause 9 (Performance evaluation) the organization is required to monitor, measure, analyse and
evaluate the risks and opportunities.
 Clause 10 (Improvement) the organization is required to correct, prevent or reduce undesired
effects and improve the QMS and update risks and opportunities.
ISO 9001:2015 sub-clause 4.4.1—QMS and it processes
73

“The organization shall establish, implement, maintain and continually improve a quality
management system, including the processes needed and their interactions, in accordance with the
 ISO 9001:2015

requirements of this International Standard.

The organization shall determine the processes needed for the quality management system and their
application throughout the organization and shall determine: organization shall:
f) address the risks and opportunities as determined in accordance with the requirements of 6.1″
The organization must integrate the actions to address risks and opportunities into its QMS processes
using the PDCA cycle. Not all processes of a quality management system represent the same level of
risk in terms of the organization’s ability to meet its objectives and the effects of uncertainty are not
the same for all organizations. Each organization is therefore responsible for the extent it applies
risk-based thinking and the actions it takes to address risk, including whether or not to retain
documented information as evidence of its determination of risks. 5.1.2—Leadership and
commitment with respect to the needs and expectations of customers

ISO 9001:2015 sub-clause 5.1.1—General under leadership and commitment

“Top management shall demonstrate leadership and commitment with respect to the
quality management system by: d) promoting the use of the process approach and risk-based
thinking;”
ISO 9001:2015, requires that when planning its QMS, the top management must implement and
promote a culture of risk-based thinking throughout the organization to determine and address the
risks and opportunities associated with providing assurance that the QMS can achieve its intended
result(s); provide conforming products and services, enhance customer satisfaction; promote desirable
effects and improvement; and prevent, or mitigate, undesired effects.

ISO 9001:2015 sub-clause 5.1.2—Customer focus

“Top management shall demonstrate leadership and commitment with respect to customer focus by
ensuring that:

b) The risks and opportunities that can affect conformity of products and services and ability to enhance
customer satisfaction are determined and addressed;”
This can be achieved by establishing process capabilities for each process from manufacturing and
assembly to packaging and product delivery and installation. The computation of a simple indicator of
process capability (Cp) or the adjustment of the process capability toward a specification (Cpk) would
help managers quantify their process risk. The objective would be to achieve the highest economically
feasible capability for each process, thus minimizing the risk of producing so-called unintended output.
74

6.1—Actions to address risks and opportunities

 ISO 9001:2015

6.1.1 “When planning for the quality management system, the organization shall consider the issues
referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that
need to be addressed to:
a) giving assurance that the quality management system can achieve its intended result(s)
b) enhance desirable effects
c) prevent, or reduce, undesired effects, and
d) achieve improvement.”
6.1.2 “The organization shall plan:

a) Actions to address these risks and opportunities, and

b) How to

1) Integrate and implement the actions into its quality management system processes (see 4.4), and
2) evaluate the effectiveness of these actions.
Any actions taken to address risks and opportunities shall be proportionate to the potential impact on
conformity of goods and services and customer satisfaction.”
The organization must integrate the actions to address these risks and opportunities into its QMS
processes using the PDCA cycle. Not all processes of a quality management system represent the same
level of risk in terms of the organization’s ability to meet its objectives and the effects of uncertainty
are not the same for all organizations. Each organization is therefore responsible for the extent it
applies risk-based thinking and the actions it takes to address risk, including whether or not to retain
documented information as evidence of its determination of risks. When planning its QMS, the
organization must consider the risks and opportunities presented by external and internal issues as
well as the needs and expectations of interested parties, relevant to its purpose and strategic
direction Means to address risks may include avoiding risk, taking risk in order to avail an opportunity,
removing the source of the risk, changing the likelihood or consequences, sharing the risk, or making
an informed decision to retain the risk. Opportunities can derive from favorable circumstances that
can lead to the use of new practices, launch new products, enter new markets, address new clients,
reduce waste or improve productivity, grow relationships, use new technology and other desirable and
viable opportunities to facilitate the organization in achieving its strategic direction and enhance
customer satisfaction.

9.1.3 – Analysis and evaluation

“The organization shall analyze and evaluate appropriate data and information arising from
monitoring and measurement.
75
 ISO 9001:2015

The results of analysis shall be used to evaluate:

e) The effectiveness of actions taken to address risks and opportunities;”
Planning also requires monitoring and measuring these actions and gathering, analyzing and evaluating
appropriate data and information to determine the effectiveness of such actions.

9.3.2 – Management review Inputs

” The management review shall be planned and carried out taking into consideration: e) the
effectiveness of actions taken to address risks and opportunities (see 6.1)“
This planning must be periodically reviewed and updated as necessary when taking corrective actions
or at management reviews. These actions must be proportional to the potential impact on the
conformity of products and services.

10.2.1- Non Conformity and Corrective action

“When a nonconformity occurs, including any arising from complaints, the organization shall:
e) update risks and opportunities determined during planning, if necessary;”
One could do failure mode effects and analysis (FMEA) to show that the risk-priority number has
decreased as a result of a process change. This would not be difficult to do but full of uncertainties
because FMEA is based on subjective assessment.
Use of risk based thinking.
By considering risk based thinking throughout the organization the likelihood of achieving stated
objectives is improved, output is more consistent and customers can be confident that they will
receive the expected product or service.

Risk-based thinking therefore:

 builds a strong knowledge base

 establishes a proactive culture of improvement
 assures consistency of quality of goods or services
 improves customer confidence and satisfaction
76
 ISO 9001:2015

Use of Risk Register

The risk register or risk log becomes essential as it records identified risks, their severity, and the
actions steps to be taken. It can be a simple document, spreadsheet, or a database system, but the
most effective format is a table. A table presents a great deal of information in just a few
pages. There is no standard list of components that should be included in the risk
register. Some of the most widely used components are:

 Dates: As the register is a living document, it is important to record the date that risks are identified or
modified. Optional dates to include are the target and completion dates.
 Description of the Risk: A phrase that describes the risk.
 Risk Type (business, project, stage): Business risks relate to delivery of achieved benefit;, project risks
relate to the management of the project such as timeframes and resources, and stage risks are risks
associated with a specific stage of the plan.
 Likelihood of Occurrence: Provides an assessment on how likely it is that this risk will occur. Examples
are: L-Low >30%)(, M-Medium (31- 70%), H-High (>70%).
 Severity of Effect: Provides an assessment of the impact that the occurrence of this risk would have
on the project.
 Countermeasures: Actions to be taken to prevent, reduce, or transfer the risk. This may include
production of contingency plans.
 Owner: The individual responsible for ensuring that risks are appropriately engaged with
countermeasures undertaken.
 Status: Indicates whether this is a current risk or if risk can no longer arise and impact the project.
Example classifications are: C-current or E-ended.
 Other columns such as quantitative value can also be added if appropriate.

Risk-driven approach in organizational processes.

Identify what risks and opportunities are – it depends on context. For example If I cross a busy road
with many fast-moving cars the risks are not the same as if the road is small with very few moving
cars. It is also necessary to consider such things as weather, visibility, personal mobility and specific
personal objectives.
77

1. Analyze and prioritize your risks and opportunities.

 ISO 9001:2015

What risk is acceptable, what is unacceptable? What advantages or disadvantages are there to one
process over another? For Example If I need to safely cross a road to reach a meeting at a given
time. It is UNACCEPTABLE to be injured. It is UNACCEPTABLE to be late. The opportunity of reaching
my goal more quickly must be balanced against the likelihood of injury. It is more important that I
reach my meeting uninjured than it is for me to reach my meeting on time. It may be ACCEPTABLE
to delay arriving at the other side of the road by using a footbridge if the likelihood of being injured
by crossing the road directly is high. I analyze the situation. The footbridge is 200 meters away and
will add time to my journey. The weather is good, the visibility is good and I can see that the road
does not have many cars at this time. I decide that walking directly across the road carries an
acceptably low level of risk of injury and an opportunity to reach my meeting on time.

2. Plan actions to address the risks

How can I avoid or eliminate the risk? How can I mitigate risks? For example I could eliminate risk
of injury by using the footbridge but I have already decided that the risk involved in crossing the
road is acceptable. Now I plan how to reduce the likelihood of injury and/or the effect of injury.

I cannot reasonably expect to control the effect of a car hitting me. I can reduce the probability of
being hit by a car. I plan to cross at a time when there are no cars moving near me and so reduce
the likelihood of an accident. I also choose to cross the road at a place where I have good visibility
and can safely stop in the middle to re-assess the number of moving cars, further reducing the
probability of an accident

3. Implement the plan – take action

For example I move to the side of the road, check there are no barriers to crossing and that there
is a safe place in the center of the moving traffic. I check there are no cars coming. I cross half of
the road and stop in the central safe place. I assess the situation again and then cross the second
part of the road.

4. Check the effectiveness of the actions – Does it work?

For Example I arrive at the other side of the road unharmed and on time: this plan worked and
undesired outcomes have been avoided.

5. Learn from experience – Continual Improvement

For example I repeat the plan over several days, at different times and in different weather
78

conditions. This gives me data to understand that changing context (time, weather, quantity of cars)
directly affects the effectiveness of the plan and increases the probability that I will not achieve my
 ISO 9001:2015

objectives of being on time and avoiding injury. Experience teaches me that crossing the road at
certain times of day is very difficult because there are too many cars.

To limit the risk I revise and improve my process by using the footbridge at these times. Continue
to analyze the effectiveness of the processes and revise them when the context changes. I also
continue to consider innovative opportunities such as Can I move the meeting place so that the
road does not have to be crossed? Can I change the time of the meeting so that I cross the road
when it is quiet? Can we meet electronically?

QUALITY RISK MANAGEMENT

79
 ISO 9001:2015

INTRODUCTION
Risk management principles are effectively utilized in many areas of business and government
including finance, insurance, occupational safety, public health, pharmaceutical, pharmacovigilance,
and by agencies regulating these industries. Risk is defined as the combination of the probability of
occurrence of harm and the severity of that harm. However, achieving a shared understanding of the
application of risk management among diverse stakeholders is difficult because each stakeholder
might perceive different potential harms, place a different probability on each harm occurring and
attribute different severities to each harm.

PRINCIPLES OF QUALITY RISK MANAGEMENT

Two primary principles of quality risk management are:

 The evaluation of the risk to quality should be based on scientific knowledge and
 The level of effort, formality and documentation of the quality risk management process should
be commensurate with the level of risk.

GENERAL QUALITY RISK MANAGEMENT PROCESS

Quality risk management is a systematic process for the assessment, control, communication and
review of risks to the quality of product across the product life-cycle. A model for quality risk
management is outlined in the diagram. Other models could be used.

The emphasis on each component of the framework might differ from case to case but a robust process
will incorporate consideration of all the elements at a level of detail that is commensurate with the
specific risk.
80
 ISO 9001:2015

Overview of a typical quality risk management process

Decision nodes are not shown in the diagram above because decisions can occur at any point in the
process. These decisions might be to return to the previous step and seek further information, to adjust
the risk models or even to terminate the risk management process based upon information that
supports such a decision. Note: “unacceptable” in the flowchart does not only refer to statutory,
legislative, or regulatory requirements, but also to indicate that the risk assessment process should be
revisited.

Responsibilities
Quality risk management activities are usually, but not always, undertaken by interdisciplinary teams.
When teams are formed, they should include experts from the appropriate areas such as quality unit,
business development, engineering, regulatory affairs, production operations, sales and marketing,
legal, statistics, in addition to individuals who are knowledgeable about the quality risk management
process.
81
 ISO 9001:2015

Decision makers should

 take responsibility for coordinating quality risk management across various functions and departments of their
organization and
 ensure that a quality risk management process is defined, deployed, and reviewed and that adequate resources are
available.
Initiating a Quality Risk Management Process
Quality risk management should include systematic processes designed to coordinate, facilitate and
improve science-based decision making with respect to risk. Possible steps used to initiate and plan a
quality risk management process might include the following:

 Define the problem and/or risk question, including pertinent assumptions identifying the potential for risk
 Assemble background information and/or data on the potential hazard, harm or human health impact relevant to the
risk assessment
 Identify a leader and critical resources
 Specify a timeline, deliverables, and appropriate level of decision making for the risk management process
Risk Assessment
Risk assessment consists of the identification of hazards and the analysis and evaluation of
risks associated with exposure to those hazards. Quality risk assessments begin with a well-defined
problem description or risk question. When the risk in question is well defined, an appropriate risk
management tool and the types of information that will address the risk question will be more readily
identifiable. As an aid to clearly defining the risk for risk assessment purposes, three fundamental
questions are often helpful:

1. What might go wrong?

2. What is the likelihood (probability) it will go wrong?
3. What are the consequences (severity)?
Risk identification
Risk identification is a systematic use of information to identify hazards referring to the risk question
or problem description. Information can include historical data, theoretical analysis, informed
opinions, and the concerns of stakeholders. Risk identification addresses the “What might go wrong?”
question, including identifying the possible consequences. This provides the basis for further steps in
the quality risk management process.

Risk analysis
82
 ISO 9001:2015

Risk analysis is the estimation of the risk associated with the identified hazards. It is the qualitative or
quantitative process of linking the likelihood of occurrence and severity of harms. In some risk
management tools, the ability to detect the harm (detectability) also factors in the estimation of risk.

Risk evaluation
Risk evaluation compares the identified and analyzed risk against given risk criteria. Risk evaluations
consider the strength of evidence for all three of the fundamental questions. In doing an effective risk
assessment, the robustness of the data set is important because it determines the quality of the
output. Revealing assumptions and reasonable sources of uncertainty will enhance confidence in this
output and/or help identify its limitations. Uncertainty is due to combination of incomplete knowledge
about a process and its expected or unexpected variability. Typical sources of uncertainty include gaps
in knowledge, gaps in process understanding, sources of harm (e.g., failure modes of a process, sources
of variability), and probability of detection of problems.

The output of a risk assessment is either a quantitative estimate of risk or a qualitative description of
a range of risk. When risk is expressed quantitatively, a numerical probability is used. Alternatively, risk
can be expressed using qualitative descriptors, such as “high,” “medium,” or “low,” which should be
defined in as much detail as possible. Sometimes a risk score is used to further define descriptors in
risk ranking. In quantitative risk assessments, a risk estimate provides the likelihood of a specific
consequence, given a set of risk-generating circumstances. Thus, quantitative risk estimation is useful
for one particular consequence at a time. Alternatively, some risk management tools use a relative risk
measure to combine multiple levels of severity and probability into an overall estimate of relative risk.
The intermediate steps within a scoring process can sometimes employ quantitative risk estimation.

Risk Control
Risk control includes decision making to reduce and/or accept risks. The purpose of risk control is to
reduce the risk to an acceptable level. The amount of effort used for risk control should be proportional
to the significance of the risk. Decision makers might use different processes, including benefit-cost
analysis, for understanding the optimal level of risk control. Risk control might focus on the following
questions:

 Is the risk above an acceptable level?

 What can be done to reduce or eliminate risks?
 What is the appropriate balance among benefits, risks and resources?
 Are new risks introduced as a result of the identified risks being controlled?
83
 ISO 9001:2015

Risk reduction focuses on processes for mitigation or avoidance of quality risk when it exceeds
a specified (acceptable) level. Risk reduction might include actions taken to mitigate the severity and
probability of harm. Processes that improve the detectability of hazards and quality risks might also be
used as part of a risk control strategy. The implementation of risk reduction measures can introduce
new risks into the system or increase the significance of other existing risks. Hence, it might be
appropriate to revisit the risk assessment to identify and evaluate any possible change in risk after
implementing a risk reduction process.

Risk acceptance is a decision to accept risk. Risk acceptance can be a formal decision to accept the
residual risk or it can be a passive decision in which residual risks are not specified. For some types of
harms, even the best quality risk management practices might not entirely eliminate risk. In these
circumstances, it might be agreed that an appropriate quality risk management strategy has been
applied and that quality risk is reduced to a specified (acceptable) level. This (specified) acceptable
level will depend on many parameters and should be decided on a case-by-case basis.

Risk Communication
Risk communication is the sharing of information about risk and risk management between
the decision makers and others. Parties can communicate at any stage of the risk management process.
The output/result of the quality risk management process should be appropriately communicated and
documented. Communications might include those among interested parties (e.g., regulators,
industry, within a company, industry, or regulatory authority). The included information might relate
to the existence, nature, form, probability, severity, acceptability, control, treatment, detectability, or
other aspects of risks to quality. Communication need not be carried out for each and every risk
acceptance. Between the industry and regulatory authorities, communication concerning quality risk
management decisions might be effected through existing channels as specified in regulations and
guidance.

Risk Review
Risk management should be an ongoing part of the quality management process. A mechanism to
review or monitor events should be implemented. The output/results of the risk management process
should be reviewed to take into account new knowledge and experience. Once a quality risk
management process has been initiated, that process should continue to be utilized for events that
might impact the original quality risk management decision, whether these events are planned (e.g.,
results of product review, inspections, audits, change control) or unplanned (e.g., root cause from
failure investigations, recall). The frequency of any review should be based upon the level of risk. Risk
review might include reconsideration of risk acceptance decisions.
84
 ISO 9001:2015

RISK MANAGEMENT METHODS AND TOOLS

Quality risk management supports a scientific and practical approach to decision making. It provides
documented, transparent, and reproducible methods to accomplish steps of the quality risk
management process based on current knowledge about assessing the probability, severity, and,
sometimes, detectability of the risk. Traditionally, risks to quality have been assessed and managed in
a variety of informal ways (empirical and/or internal procedures) based on, for example, compilation
of observations, trends, and other information. Such approaches continue to provide useful
information that might support topics such as handling of complaints, quality defects, deviations, and
allocation of resources. An organization can can assess and manage risk using recognized risk
management tools and/or internal procedures (e.g., standard operating procedures). Below is a non-
exhaustive list of some of these tools

1. Basic Risk Management Facilitation Methods

Some of the simple techniques that are commonly used to structure risk management by organizing
data and facilitating decision making are:

 Flowcharts
 Check Sheets
 Process Mapping
 Cause and Effect Diagrams (also called an Ishikawa diagram or fish bone diagram)

2. Failure Mode Effects Analysis (FMEA)

FMEA provides for an evaluation of potential failure modes for processes and their likely effect on
outcomes and/or product performance. Once failure modes are established, risk reduction can be
used to eliminate, contain, reduce, or control the potential failures. FMEA relies on product and
process understanding. FMEA methodically breaks down the analysis of complex processes into
manageable steps. It is a powerful tool for summarizing the important modes of failure, factors
causing these failures, and the likely effects of these failures. FMEA can be used to prioritize risks
and monitor the effectiveness of risk control activities. FMEA can be applied to equipment and
facilities and might be used to analyze a manufacturing operation and its effect on product or
process. It identifies elements/operations within the system that render it vulnerable. The output/
results of FMEA can be used as a basis for design or further analysis or to guide resource
deployment.
85
 ISO 9001:2015

Attachment 02: FMEA

Quality Tools
Failure Mode and Effects Analysis

Description Instructions Learn More

86
 ISO 9001:2015

This template illustrates a Failure Mode and ● Initiate action to reduce the RPN
Effects Analysis (FMEA), also referred to as
a ● Re-evaluate the RPN value after
Potential Failure Mode and Effects Analysis completion of the recommended
(PFMEA) or Failure Modes, Effects and actions
Criticality Analysis (FMECA). A detailed
discussion can be found at www.ASQ.org
Please follow the link for detailed To learn
more about other quality tools, visit the ASQ
87

Learn instructions for data entry About

Quality web site.
 ISO 9001:2015

FAILURE MODE AND EFFECTS ANALYSIS

Drill Hole Responsibility: J. Doe FMEA number: 123456

Current Prepared by: J. Doe Page : 1 of 1
88

Item: J. Doe (Engineering), J. Smith (Production), B. Jones (Quality) FMEA Date (Orig): 1/1/2008 Rev:
Model: 1
Core Team:
C Potential O D Action
Responsibility
l Cause(s)/ c e Results
Potential Potential S Current R and
Process a Mechanis c t Recommended S O D R
Failure Effect(s) of e Process P Target
Function s m(s) of u e Action(s) Actions P
Mode Failure v Controls N Completion e c e
s Failure r c Date Taken v c t N

Break
Improper Operator
Drill Blind Hole to through
7 machine 3 training and 3 63 0
Hole deep bottom of
set up instructions
plate
Hole not Incomplete Improper Operator
deep thread 5 machine 3 training and 3 45 0
enough form set up instructions
Broken Install Tool
5 5 None 9 225 J. Doe 3/1/2008 5 5 1 25
Drill Detectors
0 0
0 0
0 0
0 0
0 0
0 0
0 0
0 0
0 0
0 0
 SYDNEY WATER

FMEA Procedure

(This is a general procedure. Specific details may vary with standards of your organization or industry.)
1. A
Assemble a cross-functional team of people with diverse knowledge about the process, product or service and
customer needs. Functions often included are: design, manufacturing, quality, testing, reliability, maintenance,
purchasing (and suppliers), sales, marketing (and customers) and customer service.

2. I
Identify the scope of the FMEA. Is it for concept, system, design, process or service? What are the boundaries?
How detailed should we be? Use flowcharts to identify the scope and to make sure every team member
understands it in detail. (From here on, we’ll use the word “scope” to mean the system, design, process or service
that is the subject of your FMEA.)

3. F
Fill in the identifying information at the top of your FMEA form. Figure shows a typical format. The remaining steps
ask for information that will go into the columns of the form.

4. I
Identify the functions of your scope. Ask, “What is the purpose of this system, design, process or service? What
do our customers expect it to do?” Name it with a verb followed by a noun. Usually you will break the scope into
separate subsystems, items, parts, assemblies or process steps and identify the function of each.

5. F
For each function, identify all the ways failure could happen. These are potential failure modes. If necessary, go
back and rewrite the function with more detail to be sure the failure modes show a loss of that function.

6. F
For each failure mode, identify all the consequences on the system, related systems, process, related processes,
product, service, customer or regulations. These are potential effects of failure. Ask, “What does the customer
experience because of this failure? What happens when this failure occurs?”

7. D
Determine how serious each effect is. This is the severity rating, or S. Severity is usually rated on a scale from 1
to 10, where 1 is insignificant and 10 is catastrophic. If a failure mode has more than one effect, write on the FMEA
table only the highest severity rating for that failure mode.

8. F
For each failure mode, determine all the potential root causes. Use tools classified as cause analysis tool, as well
as the best knowledge and experience of the team. List all possible causes for each failure mode on the FMEA
form.

9. F
For each cause, determine the occurrence rating, or O. This rating estimates the probability of failure occurring for
that reason during the lifetime of your scope. Occurrence is usually rated on a scale from 1 to 10, where 1 is
extremely unlikely and 10 is inevitable. On the FMEA table, list the occurrence rating for each cause.
 SYDNEY WATER

10. F
For each cause, identify current process controls. These are tests, procedures or mechanisms that you now have
in place to keep failures from reaching the customer. These controls might prevent the cause from happening,
reduce the likelihood that it will happen or detect failure after the cause has already happened but before the
customer is affected.

11. F
or reach control, determine the detection rating, or D. This rating estimates how well the controls can detect either
the cause or its failure mode after they have happened but before the customer is affected. Detection is usually
rated on a scale from 1 to 10, where 1 means the control is absolutely certain to detect the problem and 10 means
the control is certain not to detect the problem (or no control exists). On the FMEA table, list the detection rating
for each cause.

12.
(Optional for most industries) Is this failure mode associated with a critical characteristic? (Critical characteristics
are measurements or indicators that reflect safety or compliance with government regulations and need special
controls.) If so, a column labeled “Classification” receives a Y or N to show whether special controls are needed.
Usually, critical characteristics have a severity of 9 or 10 and occurrence and detection ratings above 3.

13.

Calculate the risk priority number, or RPN, which equals S × O × D. Also calculate Criticality by multiplying severity
by occurrence, S × O. These numbers provide guidance for ranking potential failures in the order they should be
addressed.

14.

Identify recommended actions. These actions may be design or process changes to lower severity or occurrence.
They may be additional controls to improve detection. Also note who is responsible for the actions and target
completion dates.

15.

As actions are completed, note results and the date on the FMEA form. Also, note new S, O or D ratings and new
RPNs.
 SYDNEY WATER

1. Failure Mode, Effects, and Criticality Analysis (FMECA)

FMEA might be extended to incorporate an investigation of the degree of severity of

the consequences, their respective probabilities of occurrence, and their detectability,
thereby becoming a Failure Mode, Effects, and Criticality Analysis (FMECA). In order for such an
analysis to be performed, the product or process specifications should be established. FMECA can
identify places where additional preventive actions might be appropriate to minimize risks.

FMECA application should mostly be utilized for failures and risks associated with manufacturing
processes; however, it is not limited to this application. The output of an FMECA is a relative risk
“score” for each failure mode, which is used to rank the modes on a relative risk basis.
 SYDNEY WATER

Attachment 03: FMECA Procedure Example

Procedure

Failure Mode Effects and Criticality Analysis (FMECA)

1. Overview

1.1. Objective
Sydney Water’s maintenance objective is to ensure that assets achieve their design service requirements within acceptable
risk at lowest life cycle costs. The purpose of this procedure is to document the procedure for undertaking Failure Mode
Effects and Criticality Analysis for Sydney Water’s facility assets. The objective is to identify the items where
modification to the design or the operating, inspection, or maintenance strategies may be required to reduce the severity of
the effect of specific failure modes. It can be performed to meet a variety of different objectives, for example, to identify
weak areas in the design, the safety-critical components, or critical maintenance and test procedures.

1.2. Scope
Failure mode effect and criticality Analysis shall be undertaken at:
• Concept stage
• Detail design stage
• Commissioning stage and
• Operational and Maintenance stage when significant changes have taken place in the operating context or asset
component configuration or every ten years whichever is the lesser.

1.3. Summary
This procedure is based on:
• US MIL-STD-1629A, Procedures for Performing a Failure Mode, Effects and Criticality Analysis, It provides a
qualitative approach.

• British Standard BS 5760, that provides a quantitative approach

Failure modes, effects and criticality analysis (FMECA) is generally undertaken to determine critical maintenance or
renewal required for any asset. It can also be used to determine the critical failure mode and the consequences of a failure
for SWC assets. (FMECA) is an extension of FMEA which aims to rank each potential failure mode according to the
combined influence of its severity classification and probability of failure based on the best available data. By determining
the critical failure mode of an asset it is possible to target and refine maintenance plans, capital expenditure plans, and
investigative activities, to address the potential failure.
 SYDNEY WATER

Risk Priority Number (RPN) is obtained by quantifying the severity, probability and detectability score. This is used to
prioritize asset remedial activities.

Issue Date: June 2010

Page 1 of 11

2. Procedure to conduct FMECA

2.1. Basic information required for the FMEA process.

What does the System do? Mission.
What is its function? Function
How could it fail to perform its function? Failure Mode.
What happens if it fails? Effect of Failure.
What is the Likelihood of failure? Occurrence (O)
What is the consequence of failure? Severity (S)
What is the predictability of failure? Detectability (D)
What is the Risk Priority Number (RPN)? RPN = O x S x D

2.2. General requirements for FMECA

• FMECA Team shall consist of Designers, Planners, Operators, and Maintainers.
• Identify the critical Asset / Maintainable Unit (Top 20 % failures using Pareto principle)
• Apply FMECA to develop the most cost effective maintenance for the Asset / Maintainable Unit. The Asset /
Maintainable Unit is regarded as the maintainable unit this is the lowest level of disaggregation over which we have
control over its maintenance.
2.3. Steps involved in EMECA
1. Define system boundaries for analysis. Identify the Asset / Maintainable Unit or system being analysed.
2. Understand system/Asset / Maintainable Unit/item requirements and function. Collect information on the Asset /
Maintainable Unit/item, its process disaggregation, failure history, Manuals, P & I Diagrams etc. Conduct
Pareto analysis of the failure frequencies and select the top 20% failure of the most frequent fail classes.
3. Define failure/success criteria for the system/ Asset / Maintainable Unit/item.
4. Determine each Asset / Maintainable Unit /item potential failure modes,
5. Determine the causes of the failures for each mode
6. Determine the effects and consequence of the failure for each mode.
7. Establish Asset / Maintainable Unit/item failure mode severity Severity (S) score of the failure consequence.
8. Determine item failure mode (frequency) occurrence (O) score.
 SYDNEY WATER

9. Determine item failure mode detectability (D) score

10. Assess the risk priority for each failure mode.
11. Risk Priority Number (RPN) Score – S x F x D
12. Review actions, currently being taken, for dealing with the failure modes.
13. Develop remedial measures to eliminate or mitigate the potential fault or failure. This may require:
i. Maintenance method changes including preventive maintenance, tooling, spares provision,
Asset / Maintainable Unit replacement, condition monitoring.
ii. Changes in operating procedure;

iii. Production process changes

iv. Support procedure changes; and
v. Design changes;

14. Re-assess a revised risk priority for the failure modes.

The template to undertake this FMECA exercise is given in Table-1 below.

2.4. Ranking of Severity, Probability and Detectability

Severity. Severity is an assessment of the seriousness of the effect of the potential failure mode to the next component,
subsystem, system or customer if it occurs. Severity applies to the effect only. A reduction in Severity Ranking index can
be effected only through a design change. Severity should be estimated on a “1” to “5” scale. See Severity Rating Table
below

Severity Ranking

Severity Asset / System / People Enterprise

Maintainable Unit mission
5 Definite or presumed Complete Loss of life Major plant and production
destruction or loss of loss Enterprise survival
CATASTROPHIC degradation of other capability doubtful
functional Asset /
Maintainable Unit
 SYDNEY WATER

4 Complete failure of or 40 % to 80 % Severe Moderate plant and

damage to functional loss of injury and production loss
CRITICAL Asset / Maintainable capability long term
Unit under damage
consideration
3 Important degradation 10 % to 40 % Moderate Significant production loss
of functional Asset / loss of injury with
MODERATE Maintainable Unit capability full
under consideration or recovery
substantial increase in
operator workload

2 Minor degradation of Less than 10 Minor injury Minor production loss

functional Asset / % loss of
MARGINAL Maintainable Unit capability
under consideration
1 Negligible effect on No or No injury No or negligible production
performance of negligible loss
MINOR functional Asset / effect on
Maintainable Unit success
under consideration
Examples of failure effect severity scales (Ref BS 5760)

Occurrence (Event frequency). Occurrence is how frequently a specific failure cause/mechanism is projected to occur.
The likelihood of occurrence ranking number has a meaning rather than a value.

Removing or controlling one or more of the causes/mechanisms of the failure mode through a design change is the only
way a reduction in the occurrence ranking can be effected.

Estimate the likelihood of occurrence of potential failure cause/mechanism on a “1” to “5” scale. Only occurrences
resulting in the failure mode should be considered for this ranking; failuredetecting measures are not considered here. See
Occurrence Rating Table below

Range Estimates of failure probability can be used to rank probabilities of occurrence or, alternatively, item failure rates
may be employed. Frequency ranges for process Asset / Maintainable Unit typically:

Rank Occurrence Criteria Occurrence Failures per year in

Rates (Cycles, Process
Hrs etc.) - Ref industry – Ref Moss
Dodson Reliability Assessment
Reliability HB
1 - Unlikely Unlikely Unreasonable to expect this 1/100,000 -
failure mode to occur
2 -Very Low Isolated – Based on similar designs 1/10,000 <0.0l
having a low number of failures
 SYDNEY WATER

3- Low Sporadic – Base on similar designs that 1/1,000 0.01 to 0.1

have experienced occasional failures

4- Medium Conceivable – Based on similar designs 1/100 0.1 to 1.0

that have caused problems
5-High Recurrent – Certain that failures will 1/10 >1
ensure
Examples of failure occurrence scales

If available from a similar process, statistical data should be used to determine the occurrence ranking.

Detection is the ability to detect the cause/mechanism/weakness of actual or potential failure. In Design FMEA, this must
occur before the component, subsystem, or system is released for production. In Process/Service FMEA it must occur in
time to prevent distribution in case of a product or catastrophe in case of an Asset / Maintainable Unit. In order to achieve
a lower ranking, generally the planned control (eg, preventative activities) has to be improved. See Detection Ranking
Table below.

When assessing the probability that the current controls will prevent or detect the cause of the failure mode; do not assume
that the detection rating will be low because the occurrence rating is low.
 SYDNEY WATER

SYDNEY WATER

Detection Ranking (Ref Dodson Reliability Handbook)

Rank Detection Criteria Probability %

1 Very High Probability of detecting the failure before it occurs. 80 – 100
Almost always preceded by a warning
2 High Probability of detecting the failure before it occurs. Preceded 60 – 80
by a warning most of the time
3 Moderate Probability of detecting the failure before it occurs. 40 – 60
About 50%chance of getting a warning
4 Low Probability of detecting the failure before it occurs. Always 20 – 40
comes with little of no warning
5 Remote Probability of detecting the failure before it occurs. Always 0 - 20
without a warning
Examples of failure detection scales

Risk Priority Number (RPN). The Risk Priority Number is the product of the Severity, Occurrence, and
Detection rankings.
Risk Priority Number = Severity x Occurrence x Detection
The RPN, as the product S x O x D, is a measure of design/process risk. This value should be used to rank
order the concerns in the Design/Process (e.g., in Pareto fashion). The RPN will be between 1 and 125. For
higher RPNs the team must undertake efforts to reduce this calculated risk through corrective action(s). In
general practice, regardless of the resultant RPN, special attention should be given when severity is high.
If the RPN Number is more than 33 you need to investigate the possibility to renew or replace the asset
based on
• Condition (Poor grade 4),
• Total Maintenance cost in last 5 yrs > than 60 % of replacement value
• Remaining Life less than 5 yrs
• Spares availability (long lead time, obsolescence)

DOCUMENT UNCONTROLLED IF PRINTED OR DOWNLOADED. CONTROLLED VERSION IS IN THE BMIS.

Issue Date: June 2010 Document Owner: Manager, Strategic Version 03 BMIS Number: AMQ0006
709 of 79Page Asset Management
 SYDNEY WATER

DOCUMENT UNCONTROLLED IF PRINTED OR DOWNLOADED. CONTROLLED VERSION IS IN THE BMIS.

BMIS Number: AMQ0006 Version 03 Issue Date: June 2010

Document Owner: Manager, Strategic Asset Management Page 6 of 11

2.5. Clarification of Failure modes, problems or

symptoms Example for a Submersible Pump Failure:
Symptom Detected
Cause at Hardware or Part level of
(Failure Mode) or Problem at Maintainable unit
maintainable unit’s
level

Increase in pump down time Choke

Pump failed to start Jam

Pump unable to start when called for by level signal Broken shaft

Pump unable to start when called for by level signal Bearing failure

Water found in oil chamber Seal failure

Increase in pump down time Incorrect seating

Increase in pump down time Wear Ring Failure

Water found in oil chamber O-ring fault

Leakage / low pumping rate Damaged/cracked casing

Noise Loose impeller

Low pumping rate Impeller damaged

General Common Problems or Symptoms

DOCUMENT UNCONTROLLED IF PRINTED OR DOWNLOADED. CONTROLLED VERSION IS IN THE BMIS.

Issue Date: June 2010 Document Owner: Manager, Strategic Version 03 BMIS Number: AMQ0006
709 of 79Page Asset Management
 SYDNEY WATER

ν Dirt or foreign matter in ν Overheating due to lack of ν Drain blocked

mechanism, pipe Breakage coolant, or cooling surface ν Electrical
ν or jamming due to blocked insulation failure
overloading or misapplied ν Fracture of pipe or vessel due to Electrical
ν
load Breakage due to wear welding fault, thermal stress or connection failure
and tear fatigue Loss of hydraulic fluid Consumable not
ν
Lubricant lacking, Incorrect assembly ν replenished, e.g.,
ν
deteriorated or dirty Part missing, loose or falls off lubricant Catalyst
ν
Securing or mounting ν
Seal leaking regeneration
nut/bolt/fastener loose or ν ν
required
Leak in pipe, valve, tap, etc.
ν missing Balance incorrect
ν Hose damaged
Foundations not firm or (
ν
Vermin – e.g. rat chews through
secure insulation, bird makes nest in air ν
Vandalism Water
ν Corrosion, rust ν
inlet, supply failure
Balance (vibration) ν Flood / water damage Protective device
ν
Filter blocked or dirty failed
ν
ν
Alignment incorrect
ν
Power supply failure ν
ν ν
Fire damage
ν Design or manufacture
ν fault
ν

DOCUMENT UNCONTROLLED IF PRINTED OR DOWNLOADED. CONTROLLED VERSION IS IN THE BMIS.

Issue Date: June 2010 Document Owner: Manager, Strategic Version 03 BMIS Number: AMQ0006
709 of 77Page Asset Management
SYDNEY WATER

Table –1: Template to undertake FMECA.

 DOCUMENT UNCONTROLLED IF PRINTED OR DOWNLOADED. CONTROLLED VERSION IS IN THE BMIS.
BMIS Number: AMQ0006 Version 03 Issue Date: June 2010
Document Owner: Manager, Strategic Asset Management Page 8 of 11
3. Context

3.1. Definitions
Term Definition

Current Controls. Current design or process controls are descriptions of the controls
that either prevent to the extent possible the failure mode from
occurring or detect the failure mode should it occur.
Detection This is the ability to detect the cause/mechanism/weakness of actual
or potential failure.
Occurrence (Event frequency). Occurrence is how frequently a specific failure cause/mechanism is projected to
occur. The likelihood of occurrence ranking number has a meaning rather than

a value.
Potential Cause(s)/Mechanism Potential Cause of Failure is defined as how the failure could of Failure occur,
described in terms of something that can be corrected or
can be controlled, or an indication of a design weakness, the consequence of which
is the failure mode.

Potential Effect(s) of Failure
Potential Failure Mode.
Potential Effects of Failure are defined as the effects of the failure
mode on the function, as perceived by the customer. The customer in
this context could be the next operation, subsequent operations or
locations. Each must be considered when assessing the potential
effect of a failure.
A Potential Failure Mode is defined as a manner in which a
component, subsystem, system or process could potentially fail to
meet the design intent and/or the process requirements.

Recommended Action(s) Corrective action should be first directed at the highest ranked
concerns and critical items.

Revised Risk Analysis After the corrective actions have been identified, estimate and record
the resulting severity, occurrence and detection ratings.
Calculate and record the resulting RPN.

Risk Priority Number (RPN). Provides a quantitative measure of risk. The Risk Priority Number is
the product of the Severity, Occurrence, and Detection rankings.

Severity Severity is an assessment of the seriousness of the effect of the

potential failure mode to the next component, subsystem, system or
customer if it occurs.

3.2. Responsibilities
The FMECA procedure shall be conducted at:
 • Concept stage by the designers and planners
• Detail design stage by designers.
• Commissioning stage by the contractor.
• Operation stage by the operators, planners and maintainers to review the maintenance requirements

Position Responsibility

Manager - Strategic Asset Management (SAM) Procedure owner

Maintenance Strategy Leader – SAM Procedure development and review

Planners, Designers, Contractors & Operators Procedure implementation

Management System Policy publishing (in BMIS); initiating

Administrator scheduled policy review cycles and
incorporating of amendments

3.3. References

Document type Title

Legislation • Occupational Health & Safety Act

Other documents • US MIL-STD-1629A, Procedures for Performing a

Failure Mode, Effects and Criticality Analysis, It provides a
qualitative approach.
• British Standard BS 5760, that provides a quantitative approach

4. Document control

Procedure title: Failure Mode Effects and Criticality Analysis (FMECA) procedure

Effective date: 18-06-2010 Review Period: As Required Registered file: N/A

BMIS file name: AMQ0006

Procedure Owner Manager, Strategic Asset Management (SAM)

Prepared by: SAM - Maintenance Strategy Leader

Approved by: SAM - Asset Strategy Manager Wastewater

5. Revision control chart

Please refer to Sydney Water’s Business Management Information System (BMIS) for version control details.

2. Fault Tree Analysis (FTA)

The FTA tool is an approach that assumes failure of the functionality of a product or process. This
tool evaluates system (or subsystem) failures one at a time but can combine multiple causes of
failure by identifying causal chains. The results are represented pictorially in the form of a tree of
fault modes. At each level in the tree, combinations of fault modes are described with logical
operators (AND, OR, etc.). FTA relies on the experts’ process understanding to identify causal
factors.

FTA can be used to establish the pathway to the root cause of the failure. FTA can be used
to investigate complaints or deviations in order to fully understand their root cause and to
ensure that intended improvements will fully resolve the issue and not lead to other issues (i.e.
solve one problem yet cause a different problem). Fault Tree Analysis is an effective tool for
evaluating how multiple factors affect a given issue. The output of an FTA includes a visual
representation of failure modes. It is useful both for risk assessment and in developing monitoring
programs.

Hazard Analysis and Critical Control Points (HACCP)

HACCP is a systematic, proactive, and preventive tool for assuring product quality, reliability, and
safety). It is a structured approach that applies technical and scientific principles to analyze, evaluate,
prevent, and control the risk or adverse consequence(s) of hazard(s) due to the design, development,
production, and use of products.

HACCP consists of the following seven steps:

1. conduct a hazard analysis and identify preventive measures for each step of the process
2. determine the critical control points
3. establish critical limits
4. establish a system to monitor the critical control points
5. establish the corrective action to be taken when monitoring indicates that the critical control
points are not in a state of control
6. establish system to verify that the HACCP system is working effectively
7. establish a record-keeping system
HACCP might be used to identify and manage risks associated with physical, chemical, and biological
hazards (including microbiological contamination). HACCP is most useful when product and process
understanding is sufficiently comprehensive to support identification of critical control points. The
output of a HACCP analysis is risk management information that facilitates monitoring of critical points
not only in the manufacturing process but also in other lifecycle phases.

Hazard Operability Analysis (HAZOP)

HAZOP is based on a theory that assumes that risk events are caused by deviations from the design or
operating intentions. It is a systematic brainstorming technique for identifying hazards using so-called
guide words. Guide words (e.g., No, More, Other Than, Part of) are applied to relevant parameters
(e.g., contamination, temperature) to help identify potential deviations from normal use or design
intentions. HAZOP often uses a team of people with expertise covering the design of the process or
product and its application.

HAZOP can be applied to manufacturing processes, including outsourced production and formulation
as well as the upstream suppliers, equipment and facilities for drug substances and drug products. It
has also been used primarily in the pharmaceutical industry for evaluating process safety hazards. As
is the case with HACCP, the output of a HAZOP analysis is a list of critical operations for risk
management. This facilitates regular monitoring of critical points in the manufacturing process.

1. Preliminary Hazard Analysis (PHA)

PHA is a tool of analysis based on applying prior experience or knowledge of a hazard or failure to
identify future hazards, hazardous situations and events that might cause harm, as well as
to estimate their probability of occurrence for a given activity, facility, product, or system. The tool
consists of:

1. the identification of the possibilities that the risk event happens,

2. the qualitative evaluation of the extent of possible injury or damage to health that could result,
3. a relative ranking of the hazard using a combination of severity and likelihood of occurrence,
and
4. the identification of possible remedial measures
 PHA might be useful when analyzing existing systems or prioritizing hazards where circumstances
prevent a more extensive technique from being used. It can be used for product, process and facility
design as well as to evaluate the types of hazards for the general product type, then the product
class, and finally the specific product. PHA is most commonly used early in the development of a
project when there is little information on design details or operating procedures; thus, it will often
be a precursor to further studies. Typically, hazards identified in the PHA are further assessed with
other risk management tools such as those in this section.

2. Risk Ranking and Filtering

Risk ranking and filtering is a tool for comparing and ranking risks. Risk ranking of complex systems
typically involves evaluation of multiple diverse quantitative and qualitative factors for each risk.
The tool involves breaking down a basic risk question into as many components as needed to
capture factors involved in the risk. These factors are combined into a single relative risk score that
can then be used for ranking risks. “Filters,” in the form of weighting factors or cut-offs for risk
scores, can be used to scale or fit the risk ranking to management or policy objectives.

Risk ranking and filtering can be used to prioritize manufacturing sites for inspection/audit
by regulators or industry. Risk ranking methods are particularly helpful in situations in which
the portfolio of risks and the underlying consequences to be managed are diverse and difficult to
compare using a single tool. Risk ranking is useful for management to evaluate both quantitatively-
assessed and qualitatively-assessed risks within the same organizational framework.

Supporting Statistical Tools

Statistical tools can support and facilitate quality risk management. They can enable effective data
assessment, aid in determining the significance of the data set(s), and facilitate more reliable decision
making. A listing of some of the principal statistical tools commonly used is provided:

 Control charts, for example Acceptance control charts, control charts with arithmetic average and
warning limits, Cumulative sum charts , Shewhart control charts, Weighted moving average.
 Design of experiments (DOE)
 Histograms
 Pareto charts
 Process capability analysis