<\/a>Changes to Clauses<\/strong><\/span><\/p>\n0.1 Introduction<\/strong><\/p>\nA complete re-write of the bit on\u00a0“risk-based thinking<\/em>“; ISO appears to have taken my advice and stopped pretending RBT was part of the process approach. This section frustratingly continues the nearly-criminal insistence that RBT = preventive action. Anyone who has worked five minutes in a real QMS knows this is untrue. The new paragraph also conflates risks and opportunities; a new paragraph tries to explain “opportunities<\/em>,” but it’s still called “risk-based thinking<\/em>,” so it implies that opportunities are some form of risk. Keep this in mind because it comes up again later in Annex A.<\/p>\nDespite inventing “opportunity-based thinking<\/em>” this time around, it’s worth noting that no one added this to clause 0.1. So one and doesn’t know what the other is doing.<\/p>\nThankfully, the user’s “Bill of Rights<\/em>” remains untouched. This is the paragraph that starts with “it is not the intent of this document..<\/em>.” and it is an invaluable tool for users who are harassed by uninformed auditors.<\/p><\/blockquote>\n0.2 Quality Management PRinciples<\/strong><\/p>\nNo changes.<\/p>\n
0.3 Quality Management Principles<\/strong><\/p>\nNo changes from ISO 9001:2015.<\/p>\n
0.4 Process Approach<\/strong><\/p>\nMoves text around. Risk-based thinking is no longer presented as a subset of the process approach. In fact, it’s kicked out of clause zero entirely.\u00a0 But the text just a page before it, in 0.1, insists risk-based thinking is<\/strong> <\/em>a part of the process approach. So, the edits to 0.4 should have triggered corresponding edits to 0.1, but did not. The two sections contradict each other. Once again, nobody is editing this thing.<\/p>\n1.0 Scope<\/strong><\/p>\nNo changes.<\/p>\n
2.0 Normative references<\/strong><\/p>\nNo changes; still only references ISO 9000.<\/p>\n
3.0 Terms and Definitions<\/strong><\/p>\nNow adds definitions and expands on what was in previous CD drafts. This section is growing, not shrinking. Now adds definitions for the following terms:<\/p>\n
\n- organization<\/li>\n
- interested party (stakeholder)<\/li>\n
- top management<\/li>\n
- management system<\/li>\n
- quality management system<\/li>\n
- policy<\/li>\n
- quality policy<\/li>\n
- objective<\/li>\n
- risk (adds contradictory notes showing the authors fighting amongst themselves. One note says risk is both positive and negative, while another note says it is only negative.)<\/li>\n
- process (adds a note defining “special process<\/em>“)<\/li>\n
- competence<\/li>\n
- documented information<\/li>\n
- performance<\/li>\n
- continual improvement<\/li>\n
- effectiveness<\/li>\n
- requirement<\/li>\n
- conformity<\/li>\n
- nonconformity<\/li>\n
- corrective action (references “preventive action<\/em>” but never defines the term)<\/li>\n
- audit<\/li>\n
- measurement<\/li>\n
- monitoring (the definition here says this is relevant to activities, but then a note suggests this is relevant to products [“objects<\/em>“])<\/li>\n<\/ul>\n
Still no<\/strong><\/em> definitions for “strategic direction<\/em>” or “opportunity<\/em>,” despite the terms being crucial for understanding the standard. “Opportunity<\/em>” is 50% of the clause, and no one knows what it means.<\/p>\nWhile many of the definitions are taken from ISO 9000, they are still very, very bad. ISO 9000 needed to be updated, but wasn’t. So, now we have bad definitions appearing in two<\/strong> <\/em>documents.<\/p>\nIt is likely this section will get cut, though. ISO is cannibalizing its own products here; no one will buy ISO 9000 if the definitions appear in ISO 9001. Sales are going to drop.<\/p>\n
4.0 Context of the Organization<\/strong><\/p>\nStill presents sub-clauses in the wrong order. This is made worse by the Annex A guidance; see below.<\/p>\n
4.1 Understanding the Organization and Its Context<\/strong><\/p>\nAdds climate change language from the ISO 9001:2015 Amendment 2024. No other changes.<\/p>\n
Doesn’t fix the problem that the subclause title refers to “context,<\/em>” but then the clause text only talks about “issues<\/em>.”\u00a0Notes still don’t connect those two dots. Major flaws from ISO 9001:2015 remain uncorrected here.<\/p>\n4.2 Understanding the needs and expectations of interested parties<\/strong><\/p>\nAdds climate change language from the ISO 9001:2015 Amendment 2024.<\/p>\n
Adds a clarifying statement saying that the organization will determine “which of these requirements will be addressed through the quality management system<\/em>,” allowing you to keep many needs and expectations outside<\/strong> <\/em>of the QMS.<\/p>\nDoesn’t fix the problem that the subclause title uses the words “needs and expectations<\/em>” while the actual text refers to “requirements<\/em>.” Which is it?<\/p>\n4.3 Determining the Scope of the Quality Management System<\/strong><\/p>\nMinor language tweaks, no new requirements.<\/p>\n
Still does not require that the scope statement include locations<\/strong> <\/em>that fall under the QMS, despite this being a requirement for certification going back to the late 1980s. Still does not conclude that the scope statement is<\/strong> <\/em>the expression of the organization’s “context<\/em>“; the authors don’t understand how to interpret Annex SL for quality management.<\/p>\n4.4 Quality Management System<\/strong><\/p>\nNew clause name, drops the reference to the QMS “processes<\/em>.” Weird choice for the clause about the process approach. That change will cause confusion and further minimizes the importance of the process approach. Another bit of tinkering that has no real purpose.<\/p>\nMinor language tweaks, no new requirements.<\/p>\n
ISO did not clean this up, unfortunately, and the process approach remains as confusing as ever. This isn’t rocket science, but ISO has had 25 years to get this right and can’t do it.<\/p>\n
The bullet list for process controls should be presented in the PDCA order, and still isn’t. They still<\/strong> <\/em>don’t tie in process metrics with quality objectives, something practitioners have been doing since literally the 1980s, but ISO 9001 has not kept up.<\/p>\nThe process approach is then dropped by Clause 5 and never really mentioned again, breaking PDCA.<\/p>\n
5.0 Leadership<\/strong><\/p>\n5.1 Leadership & Commitment<\/strong><\/p>\n5.1.1 General<\/strong><\/p>\nAdds requirements for top management to promote “quality culture and ethical behavior.<\/em>” \u00a0More unenforceable platitudes, keeping the clause largely useless and un-auditable. Adds a really weak note: “The organization\u2019s culture and ethics can be demonstrated through shared values, beliefs, history, attitudes and observed behaviours.<\/em>”\u00a0<\/span><\/p>\nAnnex A later references ISO 10010 on Quality Culture, so expect that a lot of auditors will expect companies to implement that<\/strong> <\/em>standard in order to comply with this clause. Product placement for another ISO standard.<\/span><\/p>\n5.1.2 Customer Focus<\/strong><\/p>\nNo changes. Still a largely useless clause, as it simply refers to content already addressed elsewhere in the standard. Impossible to audit.<\/p>\n
5.2 Quality Policy<\/strong><\/p>\nClause title now invokes “Quality” Policy by name. Takes out the titles for the sub-clauses, but otherwise there are no changes.<\/p>\n
5.3 Organizational Roles, Responsibilities and Authorities<\/strong><\/p>\nMinor re-phrasing per Annex SL updates, but no changes.<\/p>\n
6.0 Planning<\/strong><\/p>\n6.1 Actions to address risks and opportunities<\/strong><\/p>\nGoes back to the proposed text from the first CD1 draft, resulting in draft ping pong. It’s now broken into three subclauses. These will be controversial, as ISO 9001 is now taking a firm position that risk and opportunities are opposites<\/strong><\/em>. (They say this overtly in the Annex.) Still no requirement for procedures, processes, records, root cause, or any legacy preventive action language, so this will remain a huge flaw in ISO 9001.<\/p>\nISO 9001 will remain a reactive standard, rather than a proactive one. Risk-based thinking and opportunity-based thinking are weak tea compared o the classic preventive action requirements of ISO 9001:2000.<\/p>\n
6.1.1 General\u00a0<\/strong><\/p>\nJust keeps language from current standard.<\/p>\n
6.1.2 Actions to Address Risks<\/strong><\/p>\nKeeps much of the language from the current standard, but defines risk as things “that can have an undesirable effect on its ability to continually and consistently provide conforming products and services<\/em>.” This means that there are two<\/em> <\/strong>definitions of risk in the same standard!<\/p>\n6.1.3 Actions to Address Opportunities<\/strong><\/p>\nEntirely new subclause, and finally attempts to define “opportunity<\/em>” as things “that can have a desirable effect on its ability to continually and consistently provide conforming products and services<\/em>.” Positions opportunities as opposite to risk. Otherwise just a copy-and-paste of the risk paragraph above, with the only difference being the word “desirable<\/em>” instead of “undesirable<\/em>.” Adds unnecessary padding to standard.<\/p>\n6.2 Quality Objectives and Planning to Achieve Them<\/strong><\/p>\nThe addition of language that says objectives are to be measurable only \u201cif practicable<\/em>\u201d comes from a terribly wrong change made to Annex SL. Since BSI and those folks are slaves to the ISO Technical Management Board, they are refusing to fix this mistake, which will dramatically weaken all quality management systems. Obviously, objectives must be measurable in a QMS. This will push users into “management by slogans<\/em>,” which Deming warned against.<\/p>\nBullet list is re-ordered and adds new bullet requiring objectives be documented.<\/p>\n
TC 176 still does not close the loop on the process approach as the core of a QMS, and thinks process metrics and quality objectives are different things. They are not, but sure, let’s be unnecessarily redundant.<\/p>\n
6.2.2 maintains the cringeworthy \u201cwho, what, where,<\/em>\u2026\u201d language of Annex SL and ISO 9001:2015. Remains a blank clause, with no actual requirements. ISO still has no editors stepping in to fix this glaring flaw.<\/p>\n6.3 Planning of changes<\/strong><\/p>\nNo changes.<\/p>\n
7.0 Support<\/strong><\/p>\n7.1 Resources<\/strong><\/p>\n7.1.1 General<\/strong><\/p>\nNo changes.<\/p>\n
7.1.2 People<\/strong><\/p>\nMinor re-phrasing per Annex SL updates, but no changes.<\/p>\n
7.1.3 Infrastructure<\/strong><\/p>\nNo changes. Continues to put the requirements into the note, keeping the error from ISO 9001:2015.<\/p>\n
7.1.4 Environment for the Operation of Processes<\/strong><\/p>\nContinues to put the requirements into the note, keeping the error from ISO 9001:2015. Maintains the bonkers language on \u201csocial and psychological\u201d factors such as \u201cemotionally protective<\/em>\u201d workplace. Adds new suggestions to consider \u201ctechnological<\/em>\u201d and \u201ccultural<\/em>\u201d aspects. This is then augmented by a section in the Annex on “emerging technologies<\/em>.”<\/span><\/p>\nThe term “emerging technologies<\/em>” is just used in passing, and there are no actionable requirements here that a user of the standard has to do, so it’s all fluff. Consultants are going to make a big deal of this, though, even though it says nothing.<\/p>\n7.1.5 Monitoring and Measuring Resources<\/strong><\/p>\nNo changes. Some proposed edits from the prior draft were, as predicted, removed. This now matches ISO 9001:2015 identically. The problem here is that clause 7.1.5.1 only requires a list of all measurement devices as “evidence of fitness for purposes<\/em>.” 7.1.5.1 isn’t about calibration. In the actual calibration clause (7.1.5.2) there is no<\/strong> <\/em>such record requirement, so ISO 9001 still doesn’t actually require a calibration registry!<\/p>\nAnd the clause’s content contradicts the attempts to define “monitoring<\/em>” and “measuring<\/em>” at the front of the standard. They can’t even remain consistent from one section to another.<\/p>\n7.1.6 Organizational knowledge<\/strong><\/p>\nNo changes.<\/p>\n
7.2 Competence<\/strong><\/p>\nMinor re-phrasing per Annex SL updates, but no changes.<\/p>\n
7.3 Awareness<\/strong><\/p>\nMinor re-phrasing per Annex SL updates, but no changes.<\/p>\n
7.4 Communication<\/strong><\/p>\nMinor re-phrasing per Annex SL updates, but no changes. Still unauditable, still doesn’t include customer communication (which instead appears in 8.2, out of place.)<\/p>\n
7.5 Documented information<\/strong><\/p>\nMinor re-phrasing per Annex SL updates, but no changes.<\/p>\n
Continues to mix up \u201cdocuments<\/em>\u201d and \u201crecords<\/em>,\u201d keeping the section confusing and rambling. A lot of people complained about this in the 2015 version, but TC 176 made it much, much worse this time. By slavishly adhering to the TMB’s Annex SL text changes, ISO now had to add the following clarification to the new Annex A:<\/p>\n\nFirst, the phrase \u201cshall be available as documented information\u201d replaces \u201cmaintain documented information\u201d which previously referred to documentation other than records. Second, \u201cdocumented information shall be available as evidence of\u201d replaces \u201cretain documented information as evidence of\u201d which previously referred to records.<\/p>\n
They made it worse<\/strong><\/em>, not better!<\/p><\/blockquote>\n8.0 Operation<\/strong><\/p>\n8.1 Operational planning and control<\/strong><\/p>\nMaintains ISO 9001:2015\u2019s errors of (a) not clearly explaining that the standard views \u201coperational<\/em>\u201d and \u201corganizational<\/em>\u201d processes differently, (b) not fixing the clause so that it can in any way be understood without a consultant.<\/p>\nInexplicably, they made the \u201coutsourced processes<\/em>\u201d thing worse<\/strong><\/em>, not better. Whereas ISO 9001:2015 referred readers over the 8.4, this draft removes that reference entirely. So now outsourced processes have no actual requirements to bite into. This will dramatically injure all quality systems, as there is no longer any language telling you what to do with an outsourced process.<\/p>\nThis clause desperately needed guidance in Annex A, as it’s a complex clause that few understand. Annex A does not<\/strong> <\/em>provide that guidance, however.<\/p>\n8.2 Requirements for Products and Services<\/strong><\/p>\n8.2.1 Customer Communication<\/strong><\/p>\nAdds a cringeworthy note defining what \u201ccustomer communication”<\/em> is \u2013 really? Did we need that? \u2013 then namedrops terms like \u201cweb site content, Frequently Asked Questions<\/em>\u201d as if it was written during the AOL era. (I like how “web site<\/em>” is two words, as if it was written in 1990.)<\/p>\nThis paragraph still doesn’t belong here, and should have been moved to 7.4.<\/p>\n
8.2.2 Determining the Requirements Related to Products and Services<\/strong><\/p>\nNo changes. Maintains bizarre language that this applies BEFORE a customer even exists (\u201cproducts and services to be<\/span><\/strong> offered to customers\u2026<\/em>\u201d) Still haven\u2019t fixed that.<\/p>\n8.2.3 Review of Requirements Related to Products and Services<\/strong><\/p>\nNo changes. Still a mess (\u201cto be offered\u2026<\/em>\u201d) and largely repeats what was said in 8.2.2. Old 2000 language was better, but they still won\u2019t restore it.<\/p>\n8.2.4 Changes to Requirements for Products and Services<\/strong><\/p>\nNo changes.<\/p>\n
8.3 Design and Development of Products and Services<\/strong><\/p>\nNo changes. Maintains the jumbled nature of this clause from 2015, implying that design validation happens before you create design outputs. Again, the \u00a02000 language was better, but they won\u2019t restore it. Agile folks, you will still hate this.<\/p>\n
\u00a0The clause STILL<\/strong> <\/em>does not discuss service design, despite it being in the title of the clause. This speaks to a gross lack of subject matter experts on the committee.<\/p>\n8.4 Control of Externally Provided Processes, Products and Services<\/strong><\/p>\nNo changes. This maintains the confusing repetition of requirements in 8.4.1 and 8.4.2. Also (again) this suggests no actual subject matter experts are working on this. TC 176 doesn\u2019t know how supply chain management and procurement work.<\/p>\n
Still does not require that you communicate with suppliers in actual writing. Verbal orders to supply chain are OK, per ISO.<\/p>\n
Outsourced processes still get no love.<\/p>\n
8.5 Production and Service Provision<\/strong><\/p>\n