ISO 9001:2015 Non-Applicability

Non-applicable clauses and how to treat them

I’m starting to get asked this quite a bit just now, so maybe it’s time for an article to explain it and to point people at. Those people going through ISO 9001 transition now, and whose QMS has what ISO 9001:2008 calls “exclusions” will need to revisit the matter. In many ways the same rules apply, but there are a couple of differences.

Firstly, whereas in ISO 9001:2008, “exclusions” were limited to Section 7 (Product Realisation clauses), ISO 9001:2015, on the face of it, applies no such constraints so, in theory at least, non-applicability (the new name for exclusions) may be identified within ANY of the new auditable requirements of Sections 4-10. In practice, however, you will find that your realistic non-applicable clauses (that is, clauses that some types of organisations may justifiably explain are not applicable to their operations) will be limited to parts of the new Sections 7 and (mostly) 8 (which is, to all intents and purposes, the equivalent of the old Section 7).

It is unlikely that any requirements of Sections 4, 5, 6, 9 or 10 could be justifiably cited as not applicable.

So what could be cited as not applicable?

There aren’t that many potentially non-applicable clauses. In Section 7 (Support), in practice you are looking at clause 7.1.5 – this looks at monitoring and measurement resources and measurement traceability. This clause deals with the EQUIPMENT that may be used in monitoring and measurement and includes the calibration requirement and equipment care requirement. Not all organisations use equipment in their monitoring and measurement activities, and it will be a fairly common non-applicable clause, especially with service providers. Measurement traceability (note NOT Product Traceability – this is different and taken care of within Section 8) is not always a requirement, and in fact the requirement in ISO 9001:2015 actually states “where measurement traceability is a requirement …”. Measurement traceability will normally, if it applies, be required either by legislation or by the customer contract.

In Section 8 (Operation) there are a few, because it contains all the old favourites from ISO 9001:2008. Namely:

  • 8.3 Design and development
  • 8.5.2 Identification & Traceability (of product)
  • 8.5.4 Preservation
  • 8.5.5 Post delivery activities

In practice pretty much close to 100% of any other non-applicable claims will be drawn from the above and Clause 7.1.5. Note that in days gone by “Customer Property” used to be a reasonably common exclusion under ISO 9001:2008/ISO 9001:2000, however as this clause (new clause 8.5.3) covers intellectual property and data, it is rarely justifiable these days. Most companies hold some customer data that requires protection, financial/payment/bank data at the very least.

How to record non-applicable clauses

If you deem that a clause or clauses are not applicable to your QMS (for example it simply does not contain a design element, or you have no physical output that can be spoiled or damaged and so requires preservation controls), these must be identified and JUSTIFIED in the statement of SCOPE (see clause 4.3) of your QMS. In justifying the non-applicable clause, you are simply explaining (and making it clear) why this does not apply to any of the contents, controls or customer requirements of your QMS.

Hope this helps.


ISO 45001 Update (March 2017)

Last Updated 11th April 2017 (see footnotes)

Background

I’ll start this post by outlining the background and history of the transition of OHSAS 18001 to ISO 45001, for those of you that may not have been following the saga, or for those of you that have been fed incorrect information.

Initially the plan was to issue the new ISO 45001 standard along with ISO 9001 and ISO 14001 in September 2015. Unfortunately agreement on the content of ISO 45001 proved problematic and that didn’t happen. Initially this led to added levels of consultation and amendment, culminating in the issue of a Draft International Standard (DIS) in 2016. It was hoped that the level of comment would be at a level that ISO 45001 would be able to be issued (skipping the FDIS stage) some months later. That proved to be an outrageously optimistic plan, and in fact the level of disagreement on content was such that it was decided to start again from scratch, rather than to try to reconcile the outstanding issues by revising the 2016 DIS. In short it was sent back to the drawing board, and the revised timetable for issuing ISO 45001 targeted Spring 2018 as the date of issue.

Current Status

At the time of writing, the 2017 DIS is anticipated to be released for comment in April 2017. Again it is hoped that the level of comment will be at a level that an FDIS stage can be skipped, but let’s see. The bottom line is that we won’t see ISO 45001 issued in 2017, however the target of Spring 2018 still looks realistic.

What this means for OHSAS 18001

What this means for OHSAS 18001 is that it will continue to be the most prevalent certified management system standard in the world until at least 2019. Even if ISO 45001 is issued in the Spring of 2018, it will take the certification bodies some months to achieve their Accreditation. Also (and I am using ISO 9001 and ISO 14001 as examples) it is normal for relatively few organisations to target a transition audit at the earliest opportunity. OHSAS 18001 will remain a live document until at least Spring 2021.

Update 11th April 2017

The second DIS for ISO 45001 has been published and will be available for review and comment on various platforms internationally once translations have been approved. A four month consultation process will then follow, at the end of which a decision will be made as to whether an FDIS stage is required. This will depend upon the volume of comments made and the amount of revision that is deemed necessary. The best case scenario is that an FDIS is not deemed necessary and ISO 45001 is published. This could be as early as November 2017. If an FDIS stage is deemed necessary then the anticipated timeline for publication will move to Quarter 2 2018 at the earliest.

So what is most likely? There are two issues. Firstly the appetite of national bodies to chip away still more at this DIS with comments. It is possible the protracted process has worn everyone down and comments at this stage reduce as a result of fatigue. However past experience has shown that the reconciliation of ISO 45001 with the Annex SL format has proven problematic so far, not just with the requirements, but with the adoption of the Annex SL Normative References (the most problematic being the Annex SL definition of Risk). If I were a betting man I’d be putting my money on the FDIS/2018 release scenario, but let’s see.


ISO 9001:2015 Organisational Context

Don’t overthink it!

There has been a lot of chatter this past year about this new section 4 requirement of ISO 9001. Not all of it, in my opinion, either informed or particularly helpful. In essence, the whole concept of ISO 9001 Organisational Context is something we can summarise in very simple terms.

The End of Copy and Paste …. Maybe

In very simple terms, the requirement for Organisational Context requires the system to be demonstrably the system that belongs to the organisation. Something developed by them, for them, taking into account its own organisational environment and challenges and NOT a copy/paste job. Putting it bluntly, it should see an end to copy/paste/generic manuals. That’s the idea anyway.

The concern I have is that it might not. Already I have seen banner adverts on LinkedIn that advertise for sale “ISO 9001:2015 compliant Management System Documentation”. By definition there can be no such thing. Anything that is off the shelf simply cannot meet the Context requirements of Section 4. We need our Certification Body auditors to see this as a red line. Let’s hope …

And The Auditors?

In my experience it’s quite rare for an organisation and its people not to have a reasonable understanding of its own context. They may not have designed the system around it particularly well, and many issues that affect the organisation might be managed in a less than systematic way, but generally everyone knows what sort of things are likely to bite them on the behind. That could be things like fluctuations in demand, seasonal fluctuations, price of supplies and commodities, trading conditions, weather events, transport and infrastructure disruptions etc – they will know what they are. It is quite common, on the other hand, for an external auditor to fail to understand the context of the auditee. There is a reasonable excuse for this – how could they? The auditor visits one or two times a year; they can’t possibly understand the context of the auditee organisation as well as the people that work there day in day out. Part of the requirement of Section 4 involves the auditee explaining its system to the auditor. Explaining why they do what they do, and, in some ways, making the auditor’s job easier and reducing the chances of conflict through ignorance.

Internal and External Issues

In an earlier article I explained how important this new requirement is. It is, in my opinion, also likely to be the most significant transition issue for most organisations as it is commonly not managed in a documented or a systematic way.

Scope

There is a requirement for a greater level of detail to be documented in the statement of scope. The reason for this, again, goes back to context. A vague, general or woolly scope is not helpful to customer organisations. It doesn’t clearly express the extent and limits of your system. Again, also, the scope is used to match auditee and auditor. Making sure you get allocated an auditor that is in a good position, based on industry experience, to discharge a competent audit. It’s important too.

Anyway, thanks for reading. Feel free to comment.

Shaun Sayers


How To Write A Nonconformance

Audit reporting requires a complete picture – to report the good as well as the bad – but in this post I want to concentrate on how we construct nonconformances. Depending upon how adversarial the audit relationship is (and some of them can be very adversarial) you might need to be forensic in your choice of words, with watertight nonconformances. You won’t normally need to be so forensic in your choice of words when reporting the good points because, let’s face it, nobody ever challenges the positive findings.

The problem with nonconformance reporting is that many can be written in an unhelpful, general, consultative and even downright confusing way. “x is inadequate”, “y is insufficiently robust”, “the requirement for z is not fully met”. None of these statements give the required level of clarity that the auditee deserves. Frankly, it’s lazy. So what should a solid nonconformance report contain? Well, here’s the formula …

The 1-2-3 Trick

A solid nonconformance report will contain three components, and will be written in a clear, objective way.

  1. Quote the requirement that has been breached. Most auditees don’t have a detailed knowledge of the audit criteria, so help them out by being specific. This also creates the basis for objectivity.
  2. Describe how the requirement has been breached. Again this is useful information. It helps them understand the gap between the requirement and what is currently happening and, consequently, will give them a starting point with regard to how they may correct the issue.
  3. Detail the Evidence. You will have a reason for raising the nonconformance and this should not be limited to a feeling in your water. You should have evidence, so tell them what it is. Not only does this give them the opportunity to check it themselves if they doubt you, but it also gives them a starting point for their investigation, rather than having to find the problem all over again from scratch.

At the first level, think about writing out your nonconformance in that way as a test for yourself. If you can’t describe it in those terms you have to consider whether you can defend the nonconformance if it is challenged, and you probably can’t. At the second level you are giving the auditee everything they need to know about the requirement, the breach and where you found it. It will be specific enough to be helpful, evidenced and objective.


ISO 9001:2015 External Issues

What is the new requirement?

Clause 4.1 of ISO 9001:2015 requires the organisation to:

“determine external and internal issues that are relevant to its purpose and its strategic direction and that affect its ability to achieve the intended result(s) of its quality management system”

and that the organisation shall:

“monitor and review information about these external and internal issues”

In this post I will explore what that actually means and offer some suggestions and examples of how an organisation might demonstrate conformance to this requirement, focussing in this post specifically on external issues. For more background information on the wider requirement and on internal issues, you might find some useful guidance in this earlier post.

Determining and Reviewing External Issues Systematically

Let’s face it, most organisations will have a fairly intuitive grasp of the most pertinent external factors that affect the success and operation of its processes. You learn that by trial, error and often bitter experience. The challenge that management system conformance and certification throws at you is to be able to demonstrate that this important dynamic is processed somehow systematically and in an auditable way. It’s all very well simply “knowing” what they are and “naturally taking them into account on an ongoing basis” but that’s not really systematic or auditable, and therefore, for certification purposes, not much of a response. So what are the alternatives?

PEST Analysis

Some organisations I work with use a periodic PEST analysis to apply a framework to this exact process. Like a SWOT analysis (Strengths-Weaknesses-Opportunities-Threats) it’s an acronym, and works in exactly the same way – to add structure to the review process, forcing management to revisit specific areas. So what is PEST?

I’ll have a “P” please, Bob

P is for POLITICAL. The P in PEST encourages the organisation to consider the political issues that can have a positive or negative effect on how the organisation works, so what could that include? Well, the recent decision of the UK to exit the EU is a massive and (at the time of writing) major political event that could have significant effects on how an organisation operates. It will probably affect trade relationships (for better or worse we don’t yet know!), and it may well also affect the organisation’s ability to recruit and employ non-UK citizens. Additionally, if the organisation receives a lot of its income via projects funded by, say, the European Social Fund (ESF), then the Brexit implications could well be severe. Other examples could include trade sanctions status. If the organisation has significant trade interests with, say, Iran or Russia, it would certainly need to keep in view the current nature of sanctions relevant to their operations which, at various points in time, may even become illegal. There are also ongoing domestic political issues that affect organisations. Public Sector bodies are always affected by current Government Policy, which sets both Public Sector policy and provides (or doesn’t) funding.

Gimme an “E”

E is for ECONOMIC. Economic factors affect virtually every organisation, but they aren’t the same for everyone and the scale is different for everyone, so what are the common examples? Well, the price of commodities is often a big issue. Oil prices on the world market have been depressed for some time. For some companies (for example those directly involved in the extraction of oil from the ground, and providing support for companies that do), the effects lately have been adverse and significant. Rates of pay have been cut, operations have been scaled back and people have lost their jobs. All these trends may of course be reversed as and when the oil price returns to a certain value, but clearly the oil companies need to monitor this very carefully, as the entire viability of their operation is reliant on that issue. However the fall in oil prices has not been bad for everyone. Organisations that produce chemicals that are derived from oil have seen the fall in price work in their favour – their costs have reduced. Transportation costs have also reduced as a consequence of falling fuel prices. However it’s not all about the price of commodities. Other economic factors that can affect the viability of the operation are trading conditions (often as a result of political issues), the availability of alternative options for customers and the price of alternatives (cheap imports, for example), or simply the liquidity of an organisation at a point in time and how much cash on hand it has.

“S” is for …

SOCIAL. Some organisations are affected significantly by social factors. Some products are massively affected by social trends. What may be the pinnacle of fashion one week may be the least desirable thing to possess one month later (selfie sticks, shell suits, Gary Glitter CDs …). In understanding social trends, it is clearly important that the organisation understands the things that influence trends. For example, the ingredients used by TV chefs in their recipes significantly affect demand for that ingredient almost overnight, while a food scare (processed meat, saturated fat in fast foods) might affect consumer behaviour, for a time, in a very negative way. Obviously many large fast food, beverage and cosmetics companies actively seek to affect, manipulate or even dictate trends, and invest very heavily in doing it, so important a factor it is. The demand for other products and services can be very seasonal or weather dependent (ice cream, lawn mowers, outdoor equipment …). This will obviously have an impact on production levels and also recruitment, which itself may be very seasonal. Bear in mind that what may be out of fashion in one market may be the height of fashion in another (apparently in some countries they still LOVE Old Spice!). Companies that provide products and support of a medical nature will be affected also by world events such as outbreaks of diseases such as SARS or Ebola, so naturally they would need contingency plans to be able to move quickly whenever the World Health Organisation puts up a red flag.

“T” is for ….

TECHNOLOGICAL. Some companies are heavily impacted by technology, and will need to work hard to stay up to date with developments. Technology has a habit of (very quickly) creating new markets, drastically changing others and, at the same time, wiping others out in the blink of an eye. On a less dramatic level organisations may simply keep an eye on technological advances to see if better ways of working are being made possible (new machinery or ways of communicating, for instance) or even offering more user friendly options for maintaining a management system! This can include the use, to a greater or lesser degree, of cloud based storage systems, software and dashboard applications to replace documented procedures, using tablets with integrated templates to write up your audits and so on.

Anyway, I hope this post has given you some food and direction for your thought processes as you face your transitions. Done correctly, it is a review process that can add significant value to the efficiency of the organisation’s strategic processes.

Shaun Sayers
