Yes, I’m squatting on the name of Andy Nichols’ next book, but it was either that or “Cracking the Case of ISO 9001:2015” and ticking off Jack West. In retrospect, I probably should have come up with my own participle phrase concoction, like “Shoving Your Face into ISO 9001” or “Drowning in the Detritus of ISO 9001” but I’m too lazy to go back and edit it now.

The FDIS of ISO 9001:2015 is fast upon us, but already some myths and memes are forming, much to the frustration of anyone who’s actually read the damn thing. Even if the eventual published standard fixes some of these, they are already so burned into the common chatter — led mostly by ISO 9001 registrars — it’s unlikely they are going to change any time soon.

So let’s fire up the debunkerizer, and see if we can cut through this mess.

Risk-Based Thinking = Risk Management

It really doesn’t matter how many times ISO and TC 176 tell people that its scented-candle aromatherapy approach called “Risk Based Thinking” isn’t full blown risk management, they are going to continue to say so anyway. Nearly every CB, and every CB auditor, is trotting out FMEA and “risk registers” as the way to address the “risk management requirements of the new ISO 9001 standard.”

As reported to me directly by the people who invented it, RBT isn’t risk management, it’s just a way to nudge companies into considering risks when dealing with pretty much anything in their QMS. The idea was to avoid calling it risk management since, based on the scope and size of a company, full-blown risk management may not be useful in many companies. A small 3-man machine shop doesn’t need risk registers the scale of what Honeywell uses, for example. TC 176, for all its faults, at least understood that.

But in the vacuum of comprehension left by TC 176’s inability to properly explain RBT, ISO 9001 experts are filling in the gaps with what they do know, and that means FMEA, risk registers, and insisting that RBT=RM. It’s utterly untrue, and must be challenged every time we hear it.


You Don’t Have to Document Anything Now

The TC 176 authors have always confused being generic with being vague, and fell deeper into this trap with the 2015 version by gutting all specific callouts for documentation. They claim this allows companies the freedom to document what they want, but already it’s being misinterpreted as “we don’t have to document anything!”

Not quite. In fact, the standard calls for “defining” quite a few things, and often “defining” means “documenting.” And you will still need to determine which aspects are best communicated through documentation. The good news is that you have more freedom to decide how to do this, but companies that delete all their documents and move to using only verbal communication are likely to struggle.

ISO 9001:2015 is a Major Change

The bulk of the changes made from 9001:2008 to the 2015 edition was paragraph shuffling; by our estimate, as much as 74% of the changes were just renumbering old requirements. Of the material that was added, “risk based thinking” pops out as the biggest ideological shift, but since (as we said) there are no requirements tied to RBT, it doesn’t actually count as a significant change. It’s a theme, not a rule.

In fact, the most significant change to the standard is the clause on “Context of the Organization” which is a one-time mental exercise that most companies should muddle through with few problems. While this fact should be a welcome relief to users, it will frustrate trainers, consultants and registrars trying to sell $1,000 a seat “transition” courses.

The Standard Was Developed by Consensus

Many of the changes that were made were driven by the imposition of something called “Annex SL.” As we’ve discussed at length elsewhere, Annex SL was dreamed up not by TC 176, but by the ISO Technical Management Board, which doesn’t follow the same rules of consensus as the TCs. In short, they forced TC 176 to adopt Annex SL, and prohibited TC 176 members from refusing any of its requirements.

That’s not consensus, that’s a dictate. Big difference.

BTW, when challenged on this point, not a single TMB member would agree to comment. That tells you something, if even they can’t defend their position.

The High Level Structure Matters

The biggest talking point coming out of the various experts is that the new standard adopts a “High Level Structure” (HLS) required by Annex SL. The HLS does nothing more than shuffle the paragraphs into a common sequence that can later be shared by all management system standards, such as 14001. It’s part of a marketing push by ISO to sell the world on “integrated management systems,” enabling it to sell two, three or four standards at once, rather than just one.

Let me be real clear: how paragraphs are numbered is utterly irrelevant to users. If anything, this finally gives companies the chance to break free from slavish alignment with ISO clause numbers, and just use their own structure. The HLS affects other standards developers the most, and ISO 9001 end users hardly at all. Only those obsessed with keeping their documents numbered in accordance with the standard will be stressed by this.

The New Standard Addresses Worker Ergonomics

OK, so I might be partially responsible for this because of some stuff I wrote earlier on how “human factors” got slipped into the 9001:2015 draft. Had I not said anything, this might have slipped under the radar, but it became a thing once people noticed.

Under 6.4, the new standard reads “the work environment shall give consideration to human factors and human performance, and ensure that the effectiveness of personnel is not unduly impaired.”

Because few in the quality profession understand “human factors,” they jump to what they do know, and think it’s all about ensuring operators have the right chairs, keyboards, and spongy mats to stand on. People who actually study HF know that’s not true, and “ergonomics” is a complex brew of a thousand other concepts, but it certainly sounds good when you are trying to appear like an expert.

Hopefully this gets pulled from the final 9001 release, so we can avoid this mess entirely. But, no, you won’t have to buy new ergonomic keyboard drawers to comply with ISO 9001 now.

You Don’t Need a Management Representative Anymore

While technically true — the new revision does away with the requirement for a single management representative — the risk here is that users will miss the more obvious truth, that the new standard just pushes all that responsibility onto top management. The benefit here is that now it allows management to delegate roles to multiple people, rather than one, but demands that top management retain overall responsibility, rather than assigning it to some unlucky lackey.

In short, top management is its own representative now, and that’s better.

Documents and Records Are the Same Thing Now

Because the scented candles they used when dreaming up “risk based thinking” were apparently spiked with something stronger than just incense, the TC 176 gang decided to combine the concepts of “documents” and “records” into a single thing, called “documented information.” To anyone with a functioning cerebral cortex, this makes no sense.

Documents and records are separate things, requiring separate controls. The previous language wasn’t broke, but TC 176 decided to fix it anyway. Idiots.

Now companies will forever be confused if they have to advance the revision level of a log sheet every time they make an entry. If you don’t think that will happen, you aren’t paying attention, because I get that question all the time. At least before I could point to the standard and explain it; now I can’t, because even the standard doesn’t understand the difference.

No, documents and records aren’t the same thing, and never will be. Users will have to trudge over the bad wording of the standard, and continue to maintain separate control mechanisms.