NOT YOUR FATHER S STANDARD. Wali Alam Quality Institute of America ASQ-Houston Section 1405-May

Transcription

1 NOT YOUR FATHER S STANDARD What is Changing and How to deal with the upcoming ISO 9001:2015 Wali Alam Quality Institute of America ASQ-Houston Section 1405-May

2 RISK BASED THINKING (approach)

3 Agenda Milestones in QMS Standards: NOT YOUR FATHER S STANDARD Significant differences Some Excerpts from the DIS (Draft International Standard) How to handle the differences

4 Milestones in ISO Progression from (customer) command & control to more and more self-governance 1987 and 1994: Task oriented- 9001, 9002, and 2008: Process based, emphasis on customer satisfaction, more inclusive of non-manufacturing organizations

5 Milestones in ISO : Not your father s standard! Annex SL, uniformity across all MSS: Quality, Environmental, Safety, IT Security etc. 1.1 Million QMS certifications in ISO 9001 alone--- total--?? Maintains all the current 2008 requirements BUT- -gives you freedom in how you should meet those requirements Does add some new requirements: Context of the Organization Risk Based Thinking Management of Change Knowledge Management

6 Annex SL High Level Structure (aka Annex SL) for various ISO management system standards. Been called the most important event since ISO The new structure is set up with 10 clauses (vs. the 8 clauses in ISO 9001:2008.) Discipline-specific requirements will be focused on clause 8 Operation. The other 9 clauses address common elements for all management system standards: Quality, Environment, Safety, IT security.

7 Annex SL contd. Those implementing multiple management systems (e.g. quality, environmental, health and safety) will have less work to do because in future, the core requirements of these will be identical. Will simplify both the initial implementation and the ongoing maintenance of such systems.

8 Notable Changes Really? Documented information Quality Manual-not specifically required, nor are documented procedures. Not even 5!! However: #4.4. -Shall Establish, Implement, Maintain, Continually Improve a QMS...including processes Maintain documented info necessary to support operation of processes?? Retain documented info to have confidence that processes are carried out as planned??

9 So what has changed? We are allowed to think and decide We just turned 21!!

10 Notable Changes Really? Preventive Actions Danger! This one is a real doozy, and liable to cause withdrawal symptoms: Preventive Actions are gone! No need to do them any more But OMG! It has been replaced by a whole new QMS that is supposed to prevent/ minimize problems from happening anywhere in the entire system--- not just one little part of the system! A much more mature way of looking at risk management!

11 Notable Changes Really? 8.4 Externally provided products and services- Incorporates requirements of purchasing and outsourcing into one; includes products from customers In essence, the concerns and controls are similar regardless of the path these external products and services had taken. Risk-based approach to determine the type and extent of controls appropriate to each external provider and all external provision of goods and services. Smart! Group similar stuff together so that sources of potential failures could be dealt more efficiently

12 Notable Changes Really? Management Representative not specifically called out as an individual having the sole responsibility and authority for the QMS.. BUT: Entire section 5 is devoted to Leadership: Leadership and Commitment, Customer Focus, Quality Policy Organization Roles, Responsibilities Top Management shall assign responsibility and authority so that QMS complies with Standard, is effective, employees have customer focus, maintain integrity of QMS during changes

13 Notable Changes Really? Management Representative But we cannot have a Management Rep? Really? Of course we can if want to. We have in fact, turned 21! Maybe the subliminal requirement is that just a Rep will not do we must have a CQO in the C- suite.

14 (Not so) Notable Changes contd. DIS 9001:2014 clause 10 title changed to Improvement. Improvement not only consists of incremental (continual) improvement, can also arise as a result of periodic breakthroughs, reactive change or as a result of reorganization.

15 Notable Additions 4. Context of the Organization: Understanding the Organization and its context: external and internal issues, Strategic Direction Understanding needs of interested parties Scope of the QMS shall be documented and maintained, including products and services of the organization, and justifications for any exclusions.

16 Notable Additions Organizational knowledge- New concept of determining necessary knowledge for operation of processes and conformity of products and services. Knowledge to be collected and made available as necessary. Include lessons learned from operational events.

17 Risk Management Notable Additions in Clause 4 the organization is required to determine the risks which can affect its ability to meet these objectives in Clause 5 top management are required to commit to ensuring Clause 4 is followed in Clause 6 the organization is required to take action to identify risks and opportunities

18 Risk Management Notable Additions Clause 8 the organization is required to implement processes to address risk Clause 9 the organization is required to monitor, measure, analyze and evaluate the risks and opportunities In Clause 10 the organization is required to improve by responding to changes in risk

19 Notable Additions contd. Terms and definitions have now been brought into the body of DIS 9001:2014. DIS 9001:2014 has three informative annexes. Annex A provides clarification on the new structure, terminology and concepts underpinning the DIS Annex B provides refreshed Quality Management Principles, which are drawn across from ISO Annex C details related quality management system standards from ISO s series. These are designed to provide assistance to organizations seeking to establish or improve their quality management performance.

20 How to deal with The Upcoming Changes

21 Changes you do not need to make: Organizations do not need to: Remove their management representatives. While there is no requirement in DIS 9001:2014 for a management representative, this does not prevent organizations from choosing to retain this role if they so wish. Throw out their Quality Manuals and Documented Procedures. While DIS 9001:2014 sets out no requirement for organizations to hold either a Quality Manual or Documented Procedures, if this documentation is in place, needed and working well, then there is no need for it to be withdrawn.

22 Changes you do not need to make: Organizations do not need to: Bottom Line: You must do what works best. Most businesses will find that documented and controlled procedures, policies, etc do add value. So, of course, if you agree, then by all means have them. The DIS does not require them by name. Renumber existing QMS documentation to correspond to the new clause references. The previous revisions did not require this either. This time it is explicit. But, then again, you can if you want to..

23 Changes you do not need to make: Organizations do not need to: Restructure their management systems to follow the sequence of requirements as set out in the DIS. Use the new terms and definitions contained within DIS 9001:2014: documented procedures, records instead of documented information, or supplier rather than external provider

24 If you already have an ISO 9001:2008 Based System

25 What you might want to do. Absolutely no reason to panic Will have 3 years from the time of publish date expected Sep 2015 or soon thereafter Keep in mind the notes that refer to changes you don t have to make. Make a plan for what changes you will make: Do study the standard can start when FDIS comes out July 2015 Decide and (yes) document your approach on how to align with ISO 9001:2015 Definitely need to demonstrate compliance!

26 What you might want to do. Decide on what are the net changes. At this time, the major ones are: Context of the Organization Risk based thinking how will you actually do it, and get something out of it. The Rodin model looks good, but wont get you the certification! How about Risk Management Actions..instead of Preventive Actions!

27 What you might want to do. Risk based thinking will need a (yes it will) process. A defined process for Risk Assessment. See flow charts at end of this presentations for guidance. Outputs should result in Corrective Actions, Risk Management Actions. These and other Improvement actions, and all major management actions will involve Changes to the Management System. Design a Management of Change (MOC) system. Bottom line don t pitch your documented system. Update it, make it more efficient and effective. Formal is Good! Don t confuse formal with bureaucratic!

28 If you do not have an ISO 9001:2008 Based System

29 What you might want to do. You can get certified to the current ISO 9001:2008, till March But if you want the new one: Wait till the FDIS (Final Draft International Standard) is published July Make a documented plan on how to build a new system. And, yes, document the system. You will have full freedom to have as many or as few documents as you wish.

30 What you might want to do. Make full use of the Risk Based Thinking You can use normal and day-to-day business processes, like SWOT analysis More and more people in the company will have the opportunity to get involved. Its not just the Quality Manager s system. It is everyone s, especially, everyone in top management.

31 Not your Father s Standard EXCERPTS ISO 9001: 2014 Draft International Standard EXTRACTED TO ILLUSTRATE SIMILARITIES & CHANGES (not the full DIS) DO NOT USE AS REQUIREMENTS, OR REPRODUCE AS A REFERENCE

32 4. Context of the Organization 4.1 Understanding the organization and its context The organization shall determine external and internal issues that are relevant to its purpose and its strategic direction and that affect its ability to achieve the intended result(s) of its quality management system. The organization shall monitor and review the information about these external and internal issues.

33 4. Context of the Organization NOTE 1 Understanding the external context can be facilitated by considering issues arising from legal, technological, competitive, market, cultural, social, and economic environments, whether international, national, regional or local. NOTE 2 Understanding the internal context can be facilitated by considering issues related to values, culture knowledge and performance of the organization.

34 4.4 Quality management system and its processes The organization shall establish, implement, maintain and continually improve a quality management system, including the processes needed and their interactions.

35 5. Leadership 5.1 Leadership and Commitment Leadership and Commitment for the quality management system Top management shall demonstrate leadership and commitment Customer focus 5.2 Quality policy 5.3 Organizational roles, responsibilities and authorities

36 6.1 Actions to address risks and Opportunities When planning for the quality management system, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to: Give assurance that the quality management system can achieve its intended result(s); Prevent, or reduce, undesired effects; Achieve continual improvement.

37 6.1.2 The organization shall plan: Actions to address these risks and opportunities; How to: Integrate and implement the actions into its quality management system processes (see 4.4); Evaluate the effectiveness of these actions. Actions taken to address risks and opportunities shall be proportionate to the potential impact on the conformity of products and services.

38 Risks NOTE Options to address risks and opportunities can include: avoiding risk, taking risk in order to pursue and opportunity, eliminating the risk source, changing the likelihood or consequences, sharing the risk, or retaining risk by informed decision.

39 6.2 Quality Objectives and Planning to achieve them 6.3 Planning of changes Where the organization determines the need for change to the quality management system (see 4.4) the change shall be carried out in a planned and systematic manner. The organization shall consider: The purpose of the change and any of its potential consequences.

40 6.2 Quality Objectives and Planning to achieve them -The integrity of the quality management system; -The availability of resources; -The allocation or reallocation of responsibilities and authorities.

41 7.1.5 Monitoring and Measuring Resources Where monitoring or measuring is used for evidence of conformity of products and services to specified requirements the organization shall determine the resources needed to ensure valid and reliable monitoring and measuring results. The organization shall ensure that the resources provided: Are suitable for the specific type of monitoring and measurement activities being undertaken; Are maintained to ensure their continued fitness for their purpose.

42 7.1.5 Monitoring and Measuring Resources The organization shall retain appropriate documented information as evidence of fitness for purpose of monitoring and measurement resources. ---measuring instruments shall be: Verified or calibrated at specified intervals or prior to use against measurement standards traceable or national measurement standards. Where no such standards exist, the basis used for calibration or verification shall be retained as documented information;

43 7.1.5 Monitoring and Measuring Resources Identified in order to determine their calibration status; Safeguarded from adjustments, damage or deterioration that would invalidate the calibration status and subsequent measurement results. The organization shall determine if the validity of previous measurement results has been adversely affected when an instrument is found to be defective during its planned verification or calibration, or during its use, and take appropriate corrective action as necessary.

44 7.1.6 Organizational knowledge The organizational shall determine the knowledge necessary for the operation of its processes and to achieve conformity of products and services. --- NOTE 2 To obtain the knowledge required, the organization can consider: Internal sources (e.g. learning from failures and successful projects, capturing undocumented knowledge and experience of topical experts within the organization);

45 7.1.6 Organizational knowledge External sources (e.g. standards, academia, conferences, gathering knowledge with customers or providers). 7.2 Competence

46 7.3 Awareness 7.4 Communication The organization shall determine the internal and external communications relevant to the quality management system including:

47 7.3 Awareness 7.5 Documented information General The organization s quality management system shall include Documented information required by this International Standard; Documented information determined by the organization as being necessary for the effectiveness of the quality management system.

48 7.5.2 Creating and updating When creating and updating documented information the organization shall ensure appropriate: Identification and description (e.g. a title, date, author, or reference number); Format (e.g. a title, date, author, or reference number); Review and approval for suitability and adequacy Control of documented Information For the control of documented information---

49 8. Operation 8.1 Operational planning and control --- Determining requirements for the product and services; Establishing criteria for the processes and for the acceptance of products and services; Determining the resources needed to achieve conformity to product and service requirements.

50 8. Operation Implementing control of the processes in accordance with the criteria; Retaining documented information to the extent necessary to have confidence that the processes have been carried out as planned and to demonstrate conformity of products and services to requirements.

51 8.2 Determination of Requirements for Products and Services The organization shall establish, implement and maintain a process to determine the requirements for the products and services to be offered to potential customers. The organization shall ensure that: Product and service requirements (including those considered necessary by the organization), and applicable statutory and regulatory requirements, are defined; It has the ability to meet the defined requirements and substantiate the claims for the products and service it offers.

52 8.3 Design and development of products and services Design and development planning Design and development Inputs Design and development controls Design and development outputs Design and development changes

53 8.4 Control of externally provided products and services Products and services are provided by external providers for incorporation into the organization s own products and services; Products and services are provided directly to the customer(s) by external providers on behalf of the organization; A process or part of a process is provided by an external provider as a result of a decision by the organization to outsource a process or a function.

54 8.5 Production and service provision Control of production and service provision Identification and traceability Property belonging to customers or external providers Preservation

55 8.5.5 Post-delivery activities The risks associated with the products and services; The nature, use and intended lifetime of the products and services; Customer feedback; Statutory and regulatory requirements.

56 8.7 Control of Nonconforming process outputs, Products and Services The organization shall take appropriate corrective action based on the nature of the nonconformity and its impact on the conformity of products and services. This applies also to nonconforming products and services detected after delivery of the products or during the provision of the service. -- deal with nonconforming process outputs, products and services in one or more of the following ways: correction; segregation, containment, return or suspension of provision of products and services;

57 8.7 Control of Nonconforming process outputs, Products and Services Informing the customer; Obtaining authorization for: use as-is ; release, continuation or re-provision of the products and services; acceptance under concession.

58 9 Performance Evaluation 9.1 Monitoring, measurement, analysis and evaluation Customer satisfaction Analysis and evaluation The results of analysis and evaluation shall also be used to provide inputs to management review Internal audit 9.3 Management review

59 10. Improvement This shall include, as appropriate: improving processes to prevent nonconformities; improving products and services to meet known and predicted requirements; improving quality management system results.--- Nonconformity and corrective action--- react to the nonconformity, and as applicable: evaluate the need for action to eliminate the cause(s) of the nonconformity, in order that it does not recur or occur elsewhere, by: 10.3 Continual improvement

60 The following 4 slides offer some tools for Risk Based Management Systems

61 Risk Assessment: Risk (Failure Mode) identification > RCA>Risk Analysis > Risk Evaluation ending in a RPN

62 Management of Change: Identification of Needed Change > Risk Assessment (RA)> Planning of the Change > Execution of the Change > Verification of the effectiveness of the change.

63 Risk Management will then consist of Risk Assessment, Management of Change, Contingency Planning, and Lessons Learned. When FET will do a complete Risk Management exercise, different people in the company can do the different submodules, and the overall owner(s) will be able to integrate all these sub-modules into one Risk Management Initiative.

64 The current CAPA could be looked at as an amalgam of Risk Assessment> Root Cause Analysis>MOC>Contingency Plan> Lessons Learned

65 CONCLUSION This will be a great standard! The standard is all growed up!! Users are allowed to think! I will not have to explain the difference between corrective and preventive actions for 5 years to the same person I will not have argue that you need more than 5 documented procedures to run a plant with 100 people I can treat audit clients with respect, and not just for their money. You can design your system just the way you need to effectively meet the requirements, prevent/ minimize risks to your organization What else will this standard do for you??

66 THE THINKING PERSON S STANDARD!!

67 THANK YOU!! Wali Alam, CQA, CQE, CFPIM (past), Registered Lead Auditor- RAB President, Quality Institute of America, (QIA) 8951 Ruthby, Houston, TX 77061, Suite 12 (W) , (F) , (C) Visit us at or