A Look at the Changes Between CD and DIS of ISO 9001:2015

Now that the Draft International Standard (DIS) version of ISO 9001:2015 is out, we can see what changes were made by TC 176 between it and the previous Committee Draft (CD) version. This gives us a sense of not only what will be included in the final released standard, but also what the hell TC 176 has been doing all this time, and whether they really could have considered the 3,000+ user feedback comments, or if they just pencil-whipped it.

Semicolonoscopy

Taking both standards, hacking their dopey DRM restrictions, importing them into Word, removing line numbering and formatting, and then conducting a comparison of the two files, gives us the complete picture of all the changes made to the CD, now included in the DIS. Comparing only the requirements sections (clauses 4 through 10) and ignoring the forwards, definitions and appendices, and ignoring changes to formatting or where requirements were simply moved, Word reports over 960 changes were made. Half of these were insertions of new or corrected material, and the other half deletions, which makes sense since nearly every deletion would be met with a corresponding addition. But a quick scan reveals the bulk of these to be fixes to semicolons and commas, mostly to correct bulleted lists after they were altered by the edits.

Beyond those minor changes, the edits comprise two types: small modifications and major substantive changes.  An overview of the changes would appear to show a tendency to strip out text, and reduce the overall word count. This pursuit of brevity comes at a cost, however: whereas the CD had included some valuable explanations and examples to clarify requirements, these have been removed, leaving interpretation up for grabs. Probably not wise. It also didn’t work; the difference in word count between the two is only about 100 words, so where they cut in one area, they just added more language in another, opting to insert old 9001:2008 language back into the standard.

(ISO is planning an official ISO 9001 interpretation guide, which only concedes that they anticipate the standard to be poorly understood, but perhaps their thinking is that this guide will be the place to include such examples? They should have focused on making the language better understood to begin with, but c’est la vie.)

The Little Changes

Here is a look at some of the smaller changes:

• “Goods and services” has been returned to “products and services.”
• Details on who may constitute an “interested party” has been stripped. The definition remains, however, but there is no bulleted list of examples.
• The language explaining exclusions (which are still allowed, by the way) was greatly reduced.
• Company “leadership” must now “take accountability” for process effectiveness. A tiny change with big implications?
• The Quality Policy must also be “applied” within the organization, not merely communicated and understood.
• 

  Comparison of changes to Risk requirements in CD vs DIS

  The clause on risk was reduced in size by combining two redundant requirements. (See graphic.)

• A previous nod to the service industry to include “surveys” as a measurement device, was removed. While this is probably good (how does one calibrate a survey?) it nevertheless continues the alienation of the service sectors, and maintains the manufacturing bias of 9001.
• “Determination of Market Requirements” was changed back to the 9001:2008 heading of “Determination of Requirements.” Alas, this is probably a backwards step.
• “Control of nonconforming process outputs, products and services” is the newest title for the old “control of nonconforming product” requirement. Where the CD seemed to confuse process nonconformities with product nonconformities, this new version gets it right, although uses some tortured language to get there. Essentially there are no actual changes from 9001:2008, but the language is greatly reworded, which may cause some to infer otherwise.
• Some notes were added to the “knowledge management” (KM) requirements, which should help in understanding what TC 176 is talking about. KM is another complex discipline like risk management and human factors, and probably shouldn’t be tossed willy-nilly into the standard, but at least it’s better defined now, than it was in the previous CD.

The Big Changes

More substantive changes:

• The text of “Determining the Context of the Organization” has been dramatically stripped of details, specifically as to what constitutes “external and internal issues.” This is likely to add more confusion, since the standard is no longer clear on what these terms mean.
• “Process approach” requirements are worded differently than in the CD, but still much improved over the 2008 version.
• A requirement to provide “People” (“necessary for the effective operation of the QMS”) was added.
• QMS change management language is improved.
• A lot of language from 9001:2008 was re-introduced relative to control of monitoring and measurement devices.
• All quality objectives must be measurable (“where practicable” was deleted.) This is problematic, since sometimes an objective is a qualitative goal, and not a quantifiable target. It also continues the legacy of anti-Deming “management by objectives.”
• A lot of old 9001:2008 language was reinserted relative to requirements review.
• The “Design” requirements were heavily edited, and unfortunately not for the better. For example, control of design changes was (like all the change control language in the DIS) dramatically cut from the CD. While the title has been returned to “Design and Development” (as opposed to the CD’s “Development” title), some of the language is so cryptic as to be unintelligible. Perhaps someone can tell me what this is supposed to mean:

Where the detailed requirements of the organization’s products and services are not already established or not defined by the customer or by other interested parties, such that they are adequate for subsequent production or service provision, the organization shall establish, implement and maintain a design and development process.

• Furthermore, the Design clauses are all out of sequence now, with design outputs appearing after design verification and validation is complete, which will confuse everyone. And the language still does not help users who have never understood the differences between verification and validation.
• “Development transfer” was also deleted entirely, which is too bad as it was probably a needed requirement, although poorly worded in the CD.
• Customer “perception” has been changed to “opinion” — a subtle change but perhaps a significant one. “Opinion” would imply the feedback is directly provided to the company, whereas “perception” might have been unstated but equally important to assess.
• Huge caveats have been thrown into the corrective action clause’s Notes:

NOTE 1 In some instances, it can be impossible to eliminate the cause of a nonconformity.

NOTE 2 Corrective action can reduce the likelihood of recurrence to an acceptable level.

The Unchanged

Some notable clauses which were hardly changed, but which could have used editing:

• Document control remains firmly fixed in the 1950’s model of binders and photocopies. ISO still can’t imagine information being exchanged in any other fashion, and it’s embarrassing. Blame TC 176’ers who probably can barely work their AOL email accounts, never mind understand modern information transfer technologies.
• The Standard still uses the term “process” in various contexts,not understanding that each time it does so, it invokes the process approach requirements. In many usages, it’s clear they don’t mean this, but they use the term anyway. The term “business processes,” for example, remains thrown into a casual sentence, without realizing that this will invited auditors to demand to audit client’s financials. Ridiculous.
• The new “documented information” clause continues to merge requirements for documents and records, without identifying either, which will inevitably lead to confusion over what is a document vs what is a record. A giant step backwards.
• Language defining what constitutes an “externally provided” product or service remains intact, which is a benefit since many were confused in earlier versions of 9001 as to what constituted an outsourced process or product.
• Still no requirement for a Quality Manual nor an explicit “Management Representative.”
• Still no requirement for preventive maintenance of equipment — the standard still only requires maintenance.
• The standard still calls out customer satisfaction surveys as a possible means of measuring satisfaction. Seriously? At least they added “market share analysis,” something I was pushing for since the 2000 version.
• Still some muddy language that will confuse users into when a nonconforming product requires corrective action, and when a process or other issue triggers one.
• Yes, it still calls out “continual” improvement.
• Yes, explicit preventive action is gone.

The Cake is a Lie

It appears that the bulk of the changes were not the result of user or TC 176 member feedback, and I would challenge those TC 176’ers who will inevitably claim otherwise. The tremendous majority of changes are word reductions which act to decrease clarity, not improve understanding. Of all the user comments I’ve seen in such exercises over the years, I don’t think I have ever seen any calling for “less words” purely for brevity’s sake.

As I mentioned, the bulk of language insertions was done to reinsert old 9001:2008 language. Sources within TC 176 indicated to me that this was planned even before the user feedback was processed; so those changes were, again, not done as a result of feedback.

Ditto for the changes related to removing requirements for a Quality Manual or ISO rep — these were decided on long before any feedback had been given.

Despite outcry over the inclusion of the terms “social and psychological factors” when controlling the work environment (a nod towards the arcane discipline known as “Human Factors“), the language remains intact. It’s nearly impossible that some users did not request this to be removed, but TC 176 wasn’t budging, creating a future disaster when auditors will have to asses whether an organization’s work environment is potentially noncompliant to “psychological factors.”

The fact that TC 176 isn’t budging on risk is also telling. We know that major players such as aerospace and automotive have serious, serious problems with TC 176’s approach to risk, and yet the risk language is nearly identical between the CD and DIS, meaning they just gave a big, fat middle finger to the world on this one.

Don’t like Annex SL and the ISO TMB imposing requirements on standards without consulting the Technical Committees? Screw you a second time.

So how did ISO DIS 9001 stack up against it’s original design spec and intentions? Have a look here for that story.

Blast from the past: standards developer thinks user feedback is “moronic.”