ISO 9001:2015 Non-Applicability

Non-applicable clauses and how to treat them

I’m starting to get asked this a lot just now, so maybe it’s time for an article to explain it, and to point people at. Those people going through ISO 9001 transition now, and whose QMS identifies some clause(s) that ISO 9001:2008 calls “exclusions”, will need to revisit the matter.

In many ways the same rules apply, but there are a couple of differences.

Firstly, whereas in ISO 9001:2008, “exclusions” were limited to Section 7 (Product Realisation), ISO 9001:2015, on the face of it, applies no such constraints so, in theory at least, non-applicability (the new name for exclusions) may be identified within ANY of the new auditable requirements of Sections 4-10. In practice, however, you will find that your realistic non-applicable clauses (that is, clauses that certain types of organisations may justifiably explain are not applicable to their operations) will be limited to parts of ISO 9001:2015 sections 7 and (mostly) 8 (which is, to all intents and purposes, the equivalent of the old Section 7).

It is unlikely that any requirements of Sections 4, 5, 6, 9 or 10 could be justifiably cited as not applicable. I’d be amazed if any were accepted under any circumstances.

So what could be cited as not applicable?

There aren’t that many potentially non-applicable clauses. In Section 7 (Support), in practice you are looking at clause 7.1.5 – this relates to monitoring and measurement resources and measurement traceability. This clause deals with the EQUIPMENT that may be used in monitoring and measurement (not monitoring and measurement activity) and includes the old calibration and equipment care requirements. Not all organisations use equipment in their monitoring and measurement activities, and it will be a fairly common non-applicable clause, especially with service providers. Measurement traceability (note NOT Product Identification & Traceability – this is different and taken care of within Section 8) is not always a requirement, and in fact the wording of the clause in ISO 9001:2015 actually states “where measurement traceability is a requirement …”. Measurement traceability will normally, if it applies, be required either by legislation or by the customer contract.

In Section 8 (Operation) there are a few potentially non-applicable requirements, because it contains all the old favourites from ISO 9001:2008. Most notably:

  • 8.3 Design and development
  • 8.5.2 Identification & Traceability (of product)
  • 8.5.4 Preservation
  • 8.5.5 Post delivery activities

In practice pretty much close to 100% of any other non-applicable claims will be drawn from the above and Clause 7.1.5. Note that in days gone by “Customer Property” used to be a reasonably common exclusion under ISO 9001:2008/ISO 9001:2000, however as this clause (ISO 9001:2015 clause 8.5.3) covers intellectual property and data, it is rarely justifiable these days. Most companies hold some customer data that requires protection – financial/payment/bank data at the very least.

How to record non-applicable clauses

If you deem that a clause or clauses is/are not applicable to your QMS (for example it simply does not contain a design element, or you have no physical output that can be spoiled or damaged and so requires preservation controls), these must be identified and JUSTIFIED in the statement of SCOPE (see clause 4.3) of your QMS. In justifying the non-applicable clause, you are simply explaining (and making it clear) why this does not apply to any of the contents, controls or customer requirements of your QMS.

Hope this helps.


ISO 45001 Update (August 2017)

Last Updated 2nd August 2017 (see footnotes)

Background

I’ll start this post by outlining the background and history of the transition of OHSAS 18001 to ISO 45001, for those of you that may not have been following the saga, or for those of you that have been fed incorrect information.

Initially the plan was to issue the new ISO 45001 standard along with ISO 9001 and ISO 14001 in September 2015. Unfortunately agreement on the content of ISO 45001 proved problematic and that didn’t happen. Initially this led to added levels of consultation and amendment, culminating in the issue of a Draft International Standard (DIS) of ISO 45001 in 2016. At that time it was hoped that the level of comment would be at a level that ISO 45001 would be able to be issued directly – skipping the Final Draft International Standard (FDIS) stage. That proved to be an outrageously optimistic plan, and in fact the level of disagreement on content was such that it was decided to start again from scratch, rather than to try to reconcile the outstanding issues by revising the 2016 DIS. In short it was sent back to the drawing board, and the revised timetable for issuing ISO 45001 targeted Spring 2018 as the date of issue. So a second DIS (DIS 2) was issued in April 2017. Again it was hoped that the level of comment would be so low as to allow the issue of the ISO 45001 without it passing through the FDIS stage. Again this was not possible.

Current Status

At the time of writing, the 2017 FDIS is anticipated to be released for comment in Quarter 4 2017, probably November. For those of you unfamiliar with the various stages of consultation for ISO standards, the FDIS is generally expected to be, give or take a few tweaks here and there, pretty close to the standard that finally gets issued. So we (think we) are nearly there. We are now realistically looking at Quarter 2, 2018 as the most likely date of issue of ISO 45001. But we can now do that with a reasonable degree of optimism.

What this means for OHSAS 18001

What this means for OHSAS 18001 is that it will continue to be the most prevalent certifiable management system standard in the world until at least the end of 2019. Even if ISO 45001 is issued in the Spring of 2018, it will take the certification bodies some months to achieve their Accreditation. Also (and I am using ISO 9001 and ISO 14001 as sighters for that timeline) it is normal for relatively few organisations to target a transition audit at the earliest opportunity. For a number of reasons it is often best to let the dust settle. OHSAS 18001 will remain a live document until at least Spring 2021. We can expect transition audits to pick up pace towards the end of 2019, with the deadline being sometime in mid 2021 – three years from the date it gets issued (a date we don’t know yet).

 

What this means for OHSAS 18001 Lead Auditor Training

We have seen a reduced flow of traffic these past 2 years through our OHSMS (OHSAS 18001) Lead Auditor Courses. This is partially understandable. For those people that are in no particular hurry to complete their course, there has been a tendency to defer their training and complete the course under the new standard and avoid the need for a short ISO 45001 transition course. It is important, however, to remember that whenever standards change, it DOES NOT render your training to an older version of the standard redundant. The course, remember, is officially entitled OHSMS Auditor/Lead Auditor, and we all complete our training to whichever standard is current at the time. In my case that was OHSAS 18001:1999 for instance. It is also important to remember that up until at least the end of 2019, it is OHSAS 18001 that will be the most certified standard worldwide and, up until that time, the majority of OHSMS audits will be to that standard. Clearly completing the OHSMS Course to ISO 45001 and skipping the OHSAS 18001 phase comes with some medium term restrictions for that reason.

Those of us that completed our training to older versions of the standard will need to complete an appropriate transition course to ISO 45001 (not a full lead auditor course). It is anticipated that the IRCA approved transition courses and the new OHSMS Auditor/Lead Auditor course will be available around Easter time in 2018. As is usual when standards change you may see a plethora of alleged “ISO 45001 training” being offered earlier. In fact I have been seeing this for over a year. There is nothing ILLEGAL with offering training against a DIS or FDIS, but bear in mind that this training WILL NOT be accredited and it WILL NOT even be training against the official standard, as it hasn’t even been drafted yet. In my opinion it just exploits a combination of ignorance and impatience. Caveat emptor applies.

Shaun Sayers


ISO 9001:2015 Organisational Context

Don’t overthink it!

There has been a lot of chatter this past year about this new section 4 requirement of ISO 9001. Not all of it, in my opinion, either informed or particularly helpful. In essence, the whole concept of ISO 9001 Organisational Context is something we can summarise in very simple terms.

The End of Copy and Paste …. Maybe

In very simple terms, the requirement for Organisational Context requires the system to be demonstrably the system that belongs to the organisation. Something developed by them, for them, taking into account its own organisational environment and challenges and NOT a copy/paste job. Putting it bluntly, it should see an end to copy/paste/generic manuals. That’s the idea anyway.

The concern I have is that it might not. Already I have seen banner adverts on LinkedIn that advertise for sale “ISO 9001:2015 compliant Management System Documentation”. By definition there can be no such thing. Anything that is off the shelf simply cannot meet the Context requirements of Section 4. We need our Certification Body auditors to see this as a red line. Let’s hope …

And The Auditors?

In my experience it’s quite rare for an organisation and its people not to have a reasonable understanding of its own context. They may not have designed the system around it particularly well, and many issues that affect the organisation might be managed in a less than systematic way, but generally everyone knows what sort of things are likely to bite them on the behind. That could be things like fluctuations in demand, seasonal fluctuations, price of supplies and commodities, trading conditions, weather events, transport and infrastructure disruptions etc – they will know what they are. It is quite common on the other hand, for an external auditor to fail to understand the context of the auditee. There is a reasonable excuse for this – how could they? The auditor visits one or two times a year, they can’t possibly understand the context of the auditee organisation as well as the people that work there day in day out. Part of the requirement of Section 4 involves the auditee explaining its system to the auditor. Explaining why they do what they do, and, in some ways, making the auditor’s job easier and reducing the chances of conflict through ignorance.

Internal and External Issues

In an earlier article I explained how important this new requirement is. It is, in my opinion, also likely to be the most significant transition issue for most organisations as it is commonly not managed in a documented or a systematic way.

Scope

There is a requirement for a greater level of detail to be documented in the statement of scope. The reason for this, again, goes back to context. A vague, general or woolly scope is not helpful to customer organisations. It doesn’t clearly express the extent and limits of your system. Again, also, the scope is used to match auditee and auditor. Making sure you get allocated with an auditor that is in a good position, based on industry experience, to discharge a competent audit. It’s important too.

Anyway, thanks for reading. Feel free to comment.

Shaun Sayers


How To Write A Nonconformance

Audit reporting requires a complete picture – to report the good as well as the bad – but in this post I want to concentrate on how we construct nonconformances. Depending upon how adversarial the audit relationship is (and some of them can be very adversarial) you might need to be forensic in your choice of words, with watertight nonconformances. You won’t normally need to be so forensic in your choice of words when reporting the good points because, let’s face it, nobody ever challenges the positive findings.

The problem with nonconformance reporting is that many can be written in an unhelpful, general, consultative and even downright confusing way. “x is inadequate”, “y is insufficiently robust”, “the requirement for z is not fully met”. None of these statements give the required level of clarity that the auditee deserves. Frankly, it’s lazy. So what should a solid nonconformance report contain? Well, here’s the formula …

The 1-2-3 Trick

A solid nonconformance report will contain three components, and will be written in a clear, objective way.

  1. Quote the requirement that has been breached. Most auditees don’t have a detailed knowledge of the audit criteria, so help them out by being specific. This also creates the basis for objectivity.
  2. Describe how the requirement has been breached. Again this is useful information. It helps them understand the gap between the requirement and what is currently happening and, consequently, will give them a starting point with regard to how they may correct the issue.
  3. Detail the Evidence. You will have a reason for raising the nonconformance and this should not be limited to a feeling in your water. You should have evidence, so tell them what it is. Not only does this give them the opportunity to check it themselves if they doubt you, but it also gives them a starting point for their investigation, rather than having to find the problem all over again from scratch.

At the first level, think about writing out your nonconformance in that way as a test for yourself. If you can’t describe it in those terms you have to consider whether you can defend the nonconformance if it is challenged, and you probably can’t. At the second level you are giving the auditee everything they need to know about the requirement, the breach and where you found it. It will be specific enough to be helpful, evidenced and objective.


ISO 9001:2015 External Issues

What is the new requirement?

Clause 4.1 of ISO 9001:2015 requires the organisation to;

“determine external and internal issues that are relevant to its purpose and its strategic direction and that affect its ability to achieve the intended result(s) of its quality management system”

and that the organisation shall;

“monitor and review information about these external and internal issues”

In this post I will explore what that actually means and offer some suggestions and examples of how an organisation might demonstrate conformance to this requirement, focussing in this post specifically on external issues. For more background information on the wider requirement and on internal issues, you might find some useful guidance in this earlier post.

Determining and Reviewing External Issues Systematically

Let’s face it, most organisations will have a fairly intuitive grasp of the most pertinent external factors that affect the success and operation of its processes. You learn that by trial, error and often bitter experience. The challenge that management system conformance and certification throws at you is to be able to demonstrate that this important dynamic is processed somehow systematically and in an auditable way. It’s all very well simply “knowing” what they are and “naturally taking them into account on an ongoing basis” but that’s not really systematic or auditable, and therefore, for certification purposes, not much of a response. So what are the alternatives?

PEST Analysis

Some organisations I work with use a periodic PEST analysis to apply a framework to this exact process. Like a SWOT analysis (Strengths-Weaknesses-Opportunities-Threats) it’s an acronym, and works in exactly the same way – to add structure to the review process, forcing management to revisit specific areas. So what is PEST?

I’ll have a “P” please, Bob

P is for POLITICAL. The P in PEST encourages the organisation to consider the political issues that can have a positive or negative effect on how the organisation works, so what could that include? Well, the recent decision of the UK to exit the EU is a massive and (at the time of writing) a major political event that could have significant effects on how an organisation operates. It will probably affect trade relationships (for better or worse we don’t yet know!), it may well also affect the organisation’s ability to recruit and employ non-UK citizens. Additionally, if the organisation receives a lot of its income via projects funded by, say, the European Social Fund (ESF), then the Brexit implications could well be severe. Other examples could include trade sanctions status. If the organisation has significant trade interests with, say, Iran or Russia, it would certainly need to keep in view the current nature of sanctions relevant to their operations which, at various points in time, may even become illegal. There are also ongoing domestic political issues that affect organisations. Public Sector bodies are always affected by current Government Policy, which sets both Public Sector policy and provides (or doesn’t) funding.

Gimme an “E”

E is for ECONOMIC. Economic factors affect virtually every organisation, but they aren’t the same for everyone and the scale is different for everyone, so what are the common examples? Well, the price of commodities is often a big issue. Oil prices on the world market have been depressed for some time. For some companies (for example those directly involved in the extraction of oil from the ground, and providing support for companies that do), the effects lately have been adverse and significant. Rates of pay have been cut, operations have been scaled back and people have lost their jobs. All these trends may of course be reversed as and when the oil price returns to a certain value, but clearly the oil companies need to monitor this very carefully, as the entire viability of their operation is reliant on that issue. However the fall in oil prices has not been bad for everyone. Organisations that produce chemicals that are derived from oil have seen the fall in price work in their favour – their costs have reduced. Transportation costs have also reduced as a consequence of falling fuel prices. However it’s not all about the price of commodities. Other economic factors that can affect the viability of the operation are trading conditions (often as a result of political issues), the availability of alternative options for customers and the price of alternatives (cheap imports, for example), or simply the liquidity of an organisation at a point in time and how much cash on hand it has.

“S” is for …

SOCIAL. Some organisations are affected significantly by social factors. Some products are massively affected by social trends. What may be the pinnacle of fashion one week, may be the least desirable thing to possess one month later (selfie sticks, shell suits, Gary Glitter CDs …). In understanding social trends, it is clearly important that the organisation understands the things that influence trends. For example, the ingredients used by TV chefs in their recipes significantly affect demand for that ingredient almost overnight, while a food scare (processed meat, saturated fat in fast foods) might affect consumer behaviour, for a time, in a very negative way. Obviously many large fast food, beverage and cosmetics companies actively seek to affect, manipulate or even dictate trends, and invest very heavily in doing it, so important a factor is it. The demand for other products and services can be very seasonal or weather dependent (ice cream, lawn mowers, outdoor equipment …). This will obviously have an impact on production levels and also recruitment, which itself may be very seasonal. Bear in mind that what may be out of fashion in one market, may be the height of fashion in another (apparently in some countries they still LOVE Old Spice!). Companies that provide products and support of a medical nature will be affected also by world events such as outbreaks of diseases such as SARS or Ebola, so naturally they would need contingency plans to be able to move quickly whenever the World Health Organisation puts up a red flag.

“T” is for ….

TECHNOLOGICAL. Some companies are heavily impacted by technology, and will need to work hard to stay up to date with developments. Technology has a habit of (very quickly) creating new markets, drastically changing others and, at the same time, wiping others out in the blink of an eye. On a less dramatic level organisations may simply keep an eye on technological advances to see if better ways of working are being made possible (new machinery or ways of communicating, for instance) or even offering more user friendly options for maintaining a management system! This can include the use to a greater or lesser degree of cloud based storage systems, software and dashboard applications to replace documented procedures, using tablets with integrated templates to write up your audits and so on.

Anyway, I hope this post has given you some food and direction for your thought processes as you face your transitions. Done correctly, it is a review process that can add significant value to the efficiency of the organisation’s strategic processes.

Shaun Sayers
