The New ISO 9001:2015 . . . An introduction and an interview.
© 2016 Richard Heller, QPC Group

Transcript of a webinar presented April 7, 2016 for the Quality Training Institute

 Good morning,
My name is Richard Heller.  I am vice president of continuous improvement at the QPC Group.  I am also the host of these Continuous Improvement Training Webinars.  You can find them on our website at We also posted copies at the Illinois Chamber of Commerce website at

 Before we start, I want to add a quote from Aristotle about quality:

“Quality is not an act; it is a habit.”

I saw an article about 5 myths of dieting.  One of the myths is that it takes a lot of will-power to diet.  The article really blew my mind when it claimed that skinny people don’t use will-power to stay skinny.  Instead their eating and exercises are habits.  Quite a guy, that Aristotle.  Do you think he read that article?

Anyway, to get on with our topic, today, our topic is the New ISO 9001 Standard and How to Get There.

First of a Three Part Series

This webinar is part 1 of a 3 webinar series.  It is intended to help you navigate the transition from the 2008 version of the standard to the 2015 version.

In today’s webinar, we will cover a little bit about the history of the ISO and the Annex SL document.  We will show how the Annex SL document links all the ISO standards together, and why it is important to ISO 9001.  As part of that discussion, I want to address documentation and whether this revision means that everyone has to do a complete overhaul of their quality management systems.  Finally, I’ll give a brief overview of the major changes to the revised standard.

The second webinar in this series will cover Risk-Based Thinking and Process Management.  These two concepts are central to a clear understanding of the ISO 9001 Quality Management System.  Process Management actually entered the standard in 2000, but didn’t become nearly as important as is it now.  Experience shows that successful process management creates successful organizations.  Similarly, those companies that address process risk are also more successful.

Our third webinar in this series covers Leadership, Planning, and Performance Indicators.  In that webinar, we’ll also talk more about the transition from the old standard to the new one.  We will also go into more detail about how changes to the financial, legal, and cultural environment will continue to place stresses on your organization.  Our goal is to help you creating a flexible and fluid organization that can accommodate these changes.

OK, Now, Let’s Get Started!

The new standard . . . what’s happened.

Many of the people in our audience already know quite a bit about the International Organization for Standards (ISO).  But I would like to say a few words about the ISO, that is the organization, for those who may not be quite as familiar.

About the International Organization for Standards, the ISO

The International Organization for Standards, ISO, is an independent, non-governmental organization that prepares standards.  Started in 1946, its membership consists of the national standards organizations from over 160 different countries.  For example, in the US, we have the American National Standards Institute, ANSI.  ANSI is a member of the ISO.  In Great Britton, there is the British Standards Institute or BSI.  They are also members. 

Certainly, each of these member organizations can, and does promote their own standards, but the service rendered by the ISO is to gain world-wide acceptance.  Let’s say you develop a new type of plastic cushioning.  Part of your development was to get the material specked in for a particular application.  As part of your ‘specking in’ process would include preparing a standard and getting it approved, perhaps by one of the plastics societies.  If the product that uses your cushion goes international, you will certainly need a universal specifications society to endorse it.  Our ANSI can carry that ball to the ISO group, who will evaluate the standard and, hopefully, give you their blessing.  If your company is the only one in the world making it, you have just made a great coo.  

ISO revises its standards every 6 to 10 years.  Every other revision produces a major change.  In 1987 the emphasis was on documentation.  In 2000 the emphasis was on processes.  In this revision, the emphasis is on risk.

But, I’m getting a little in front of myself.  Being closely connected to the ISO standards, it’s easy to overlook that fact that not everyone has our perspective.

 ISO Standards

 ISO publishes standards for industry, governments, organizations, and other institutions.  They are located in Geneva, Switzerland and started operating out of a converted house in 1946.  To date, they have produced over 19,000 standards covering almost all aspects of business and technology and the number keeps growing.  They publish about 100 new or revised standards every month.

That’s a lot of standards!

Keep in mind that they independent of every government, but they do work with them.  Technically, the ISO is a non-governmental, international organization.  It claims a membership of over 160 national standards bodies.  In the US, our national standards body is the ANSI, or the American National Standards Institute.  We belong.  In Great Brittan, it is the BSI or British Standards Institute.  They belong.  Canada, Mexico, every European country, the Asian countries, South American, African, Australia, New Zealand, as well as the nations of the Pacific Ocean, Caribbean, . . . they all belong.  In exchange for membership and support, the ISO shares all their standards.  Those standards all have universal acceptance.

ISO 9001 - Background

Perhaps their most popular standard is the ISO 9001, quality management system.  The intent of this standard is to provide a framework to organizations that provide goods and services.  The goal is that those products meet the customer’s requirements.

The ISO published its first quality standard in 1987.  Since then, they have issued revisions about every six to eight years.  The revisions go through major structural and conceptual changes about every other revision.  For example, in 1987, the standard consisted of 20 elements.  In 2000, they whittled the structure down to 8 elements.  Now, in 2015, we’re back up to 10 elements.

The concepts that the ISO introduced were documentation in 1987, process management in 2000, and risk issues in 2015. 

A lot has changed over the years.  In the 80’s and before, I worked in a number of businesses that were run on a verbal basis.  I like to think of it as the rule of the manager.  From shift to shift, operators had to adjust their practices to meet the whims of the supervisor.  In the office, our processes were dictated by those little green and black screens.  Everyone in the office had her own work-around for when the screen went down or when the information was wrong.

I was working in a paint company at the time.  We had a warehouse floor full of defective drums of coatings.  Each drum was labeled with its batch and product number.  One man . . . a man with the most remarkable memory I’ve ever encountered . . . knew the story for each drum.  It was remarkable.  Give him a number and he would relate a 15-minute story about what went wrong, how it went wrong, who was involved, and why it was there. 

When the plant closed, he was let go and every drum was shipped to another location.  Without the expert, they had to re-analyze each drum and start learning a new story.

 That was a great lesson for me about the benefits of documentation.  Since then, I’ve seen warehouses full of old, obsolete equipment, and product defects that remind me of that paint warehouse. 

A document based system lets you track the problems, while, at the same time provides you with the steps you need to follow to prevent the build-up of problems.  It will also help you avoid creating the same problem, over and over.

 When you start documenting what you are doing, you start seeing the mistakes and wasted efforts of your system.  In the paint example I just mentioned, the big mistake was letting the drums build up the way it did.

When we start looking at the business as a series of processes, we see how they can link together and create synergies of efficiency. 

The 2000 version of the ISO standard brought the light to bear on the deficiencies uncovered by the documentation stage.  This version of the standard asked organizations to map their process flows . . . how they created value for the customers.  As it turned out, the emphasis on processes made it easier for the service sections of our economy to embrace the ISO 9001 standard as well. 

We will talk more about processes in our next webinar, but let me mention that by looking at the organization from the vantage of a series of processes, we are able to get a better picture of how everything fits together.

One thing I learned from consulting and auditing organizations is that most people are pretty efficient in the way they do their jobs.  This is especially true in the office area.  I have a neat in-box, and a simple out-box.  I do my best to move everything across my desk in an orderly fashion.  In addition, the other people in my office have equally orderly systems for doing their jobs.

But what creates the problems isn’t the in- and out- bins.  It’s the flow from my out-box to your in-box.  Most audit findings arise from the stuff that falls on the floor as it moves from one desk to the next.  (I say that figuratively, of course.  For most of us, the in- and out-box is an electronic hyperlink in Outlook.

The current ISO 9001 version . . . 2015. 

For at least the last three years, the ISO committee on quality management systems have been working on bringing the concept of “risk” into the standard.  This is just as important as was the introduction of both the concepts of documentation as well as processes.

Risk is everywhere.  In the past, the ISO standard looked at risk from the point of view of “Prevention”.  Organizations then merged “Prevention” with “Corrective Action” and we came up with the acronym CAPA as if they were the same.

But they really aren’t the same.  Corrective actions look back at what did go wrong.  They are reactive.  Preventive actions look forward and ask what could go wrong and, of course, how can we keep that from happening.  Preventive actions are proactive.

Now, the new standard is asking up to separate the reactive from the proactive approach.  They aren’t saying we shouldn’t react to problems.  But they are saying that proactive goes a lot further than the CAPA approach of the past.

The proactive emphasis is to use the concept of risk.  There are a number of ways we already address risk in our businesses.  I don’t believe that the ISO is asking us to re-invent the wheel.  But they are asking us to recognize that when we do certain things, like creating a FMEA, subscribing to a legal service that monitors our legislatures, or submitting our financials to an outside auditor, we are already addressing risk.  The question we need to ask is simply, are we on top of the business and other risks, or are we getting whipped around.

In a roundabout way, that is the International Standards Organization and I’ve tried to present a little history about the ISO 9001 quality management standard.

What is Annex SL?

In short, Annex SL is an umbrella standard that controls how the ISO writes a standard.  Think of it as a common Table of Contents that can be used for all the management standards.

The management standards include the quality standard as well as Environmental (ISO 14000), Food and Safety Management, Energy Management, Risk Management, and more.

Some companies seek registration to two or more of these standards, that the Annex SL process helps provide common definitions and structure to the standards.  As a result, the responsibility for each clause in the ISO 9001 standard has a similar counterpart in each of the other standards.  Furthermore, the clause numbering systems mirror each other from one standard to the next.

What I’m saying that this duplication should make implementation of multiple standards easier for organizations.

When I first implemented ISO 9001 at a large chemical company, I remember that we had no model to work from.  Everything we did required an “invention.”  We had to figure out how to control our documents.  We had to determine who got copies of the procedures, how we would conduct audits, develop a format for creating production records, and on and on and on.

Once we did that, we found we were able to also address the EPA and FDA requirements for preparing, numbering, releasing, and storing procedures.  We could also duplicate our audit procedures for the Safety department.

At the time, we didn’t know about the different requirements until those of us in the various management roles started talking about our issues.  One of the big problems I faced, along with my counterpart in Environment, was that of keeping our procedures current.  Our system emphasized updating all our procedures on a three-year cycle. 

To keep the system manageable, we updated 1/36th of the procedures every month, farming them out to various departments so no one had to do too many in a single month.  Tom, our environmental manager asked if he could piggy-back on our system.

Actually, we ended up merging the document index in a spreadsheet and managed the document review as a single, once-a-month exercise.  It really didn’t add any extra work to our department, but it did provide my assistant and me with a Starbucks and muffin every month.

Going back to what I said at the beginning of this webinar . . .  something about how thin people don’t diet, they just have better eating habits?  I’m still paying for those bad habits today!

In any case, both his processes and mine were similar enough to be able to use the same systems.

Absolutely!  And that’s the argument for the Annex SL.  Tom and I had to figure it our ourselves.  There were a few differences we had to iron out, but for the most part, it was really a win-win situation.

One other example.  This was one I didn’t have a solution for, but the HR manager did.  We had a requirement in our company to make sure all the employees were getting the training they needed.  When you look at this problem from the outside, it is horrendous.  This means that every manager needs to identify the skills and training needs for each of her directs.  Furthermore, the manager has to confirm that the training is appropriate to the job. 

When I mentioned my problem to the HR manager, he said that he already had this information.  Unfortunately, it was on the pre-printed annual performance reviews, and he was reluctant to give me access to them. 

The performance reviews were all confidential.  “For his eyes only.”  His solution, the first year, was to pull out this information and copy it prior to filing them.  It was a pain, but I’m glad he did it.  The next year, he created a separate page in the annual review form making both copying and filing simpler.

So, Annex SL allows us to benefit from synergies. There are synergies between the different standards as well as synergies between the standard and the processes used by organizations to meet the standard.  Annex SL creates the synergy resulting in both an easier way of writing new standards as well as an easier way to implement the standard.

So, that’s it?  Is the Annex SL just about synergies?

Opportunities Beyond the Synergies.

The first is that the ISO breaks down Management System Standards (MSS) into two categories:

Type A MSS: Requirements, such as ISO 9001.  In order to be registered as an ISO 9001 organization, you must meet the Type A Management System Standard requirements.
Type B MMS: Guidelines, such as ISO 9004.  ISO 9004 provides guidelines on how to implement and improve your quality management system.

Annex SL Contents

The Annex SL contains a common set of 10 main clauses which every management system standard must contain.  In addition, there are some mandatory sub-clauses as well as mandatory worded content under the clauses.

The table identifies the 10 clauses.  These include:

  1. Scope
  2. Normative references
  3. Terms and references
  4. Context of the organization,
  5. Leadership
  6. Planning
  7. Support
  8. Operations
  9. Performance evaluation
  10. Improvement

For ISO 9001, the requirements your organization must fulfill are the clauses numbered from 4 to 10.  There are no registration-able requirements in clauses 1 to 3.

Another point that the ISO wants to make clear is that they have adopted what is known as the Deming Wheel.  The four spokes of this wheel are the “Plan-Do-Check-Act” approach for systems improvement. 

(I referred to this as “systems improvement” rather than “quality improvement” because it really applies well beyond the quality circle.

In the Annex SL sections, the clauses 1 to 6 follow the “Plan” spoke of the wheel.  Support and Operation (clauses 7 & 8) follow the “Do” and “Check” spokes respectively, while the final two clauses, Performance evaluation (9) and Improvement (10) follow the “Act” spoke.

Presently, at least eight of the ISO standards have already adopted the Annex SL structure, including ISO 9001.  ISO 14001 has also adopted the structure and ISO 13485 is well on its way.  We expect to see ISO/TS 16949, AS9100/10/20 and BSI OHSAS 18001 as these are patterned after the ISO 9001 standard.

Documentation Requirements

One final point about the ISO 9001 standard itself.  The Annex SL approach is not a documentation requirement.  Unlike the earlier versions of the standard where documentation was critical, the documentation requirements have been reduced.  Firstly, the earlier versions of the standard required organizations to document specific procedures and keep specific records.  This standard uses the term: “documented information”. 

Documented information could be procedures, records, computer spreadsheets, or any other way you may want to keep the information.  Mandatory documented information includes the

  1. Scope of the quality management system,
  2. Operation of processes,
  3. A quality policy, and
  4. Control of how you provide products and services. 

There are 18 other requirements for Documented information.  We used to refer to these items as “Records”.  Almost all of them consist of information you would normally keep to confirm that the products and services are/were designed properly, made correctly, and met the customer requirements.

 The other records relate to ensuring that your business processes are functioning well, and to provide evidence needed to make improvements.

Earlier, I promised to provide an outline of the changes in the ISO standard from the earlier revision to this one. 

The changes that ISO is introducing fall into four areas:

  1. Re-organizing the standard to use the Annex SL format. 
  2. Creating a greater emphasis on understanding where the organization fits into the economic and social community
  3. Emphasizing that organizations function because of leadership and providing clear issues that leaders need to address
  4. Focusing on the organization as a system of processes, each with inputs, activities, outputs, and the risks incumbent on each of these elements

Finally, the world is not static.  Organizations that don’t improve or get better are left behind.  We mentioned continuous improvement, and “Improvement” gets its own section of the standard.

So, let’s wrap it up.

 Today, we talked about using the Annex SL format for an umbrella that defines organizations.  I also talked about documentation and the Plan-Do-Check-Act approach that the standard integrates throughout. 

These changes are all a little cerebral.  What can an organization do now to make the change?  The first step starts with listening to webinars like these and learning about the changes.  Then deciding whether updating your quality system to the new standard still makes sense for the business.  Of course, if you do decide to update, then updating becomes a matter of timing.

The second step is deciding how they want to update.  Organizations can either get the training for their own people, or bring in outside help to make the changes for them.    There are advantages to both approaches, and the approach an organization takes depends to a large degree on the organization itself.  There is no “one-size-fits-all” answer. 

The third step is committing people and their time to make the changes.  In some cases, the update may not be any imposition on the organization.  The implementation may just be gathering the information and tools in such a way that they are available. For example, the organization may already have business plans and marketing evaluations that provide how the organization fits into their current market niches.  Other organizations may have no clue on how to do this.

The fourth and last step involves working with your certification assessor to transfer your certification from the 2008 standard to the new one.

Just four steps.  It’s almost simple:

  1. Decide to update
  2. Train your own people or call in outside help
  3. Commit people and resources to make the change
  4. Bring your outside auditor on-board

Deadline for Updating your System

Keep in mind that the standard is already “in-effect”.  However, organizations can keep their current registration to the 2008 for the next three years.  Then they must be registered to the new version.

That being said, there is a practical element to this.  If a company waits until the last minute, their registrar may not have the resources to complete the audit and issue their new registration papers.

Another more important issue, however, is the losses that come from putting it off.  It’s the same with any improvement project.  Let’s say that something in the standard will save money by implementing it.  If you update today, you start your savings today.  However, if you update in three years, you don’t start saving for three years.

An important issue in the standard involves risk and opportunity.  The questions will always remain: is it better to act now or wait; is it better to do it, or to not do it? Where is the biggest return?  Most business people got where they are by evaluating the risks and rewards, and taking appropriate actions.  I think that those of you who tuned into this webinar recognize that, and are willing to maximize their opportunities.

Who are we?

One last point I want to make is that at QTI, we offer assistance to organizations who want to update their quality system.  We can help you with the transition to the 2015 revision.  OK, that’s a bold-faced, self-serving advertisement for QTI, but, look, this is what we do: we help organizations improve.  In the long run, those improvements help our clients become more profitable and better members of our communities.  It’s that simple.

Well, that’s about it.  Thank you for reading this.  If you have any questions, please e-mail me at  We will be happy to talk with you about this topic.

Look back next week for more information.

on-site quality Consulting and training