Why Understanding Your Internal & External Issues Is Important

Background to the new ISO 9001:2015 Requirement

Rather than repeat myself by going over the requirement at a general level, here’s a link to an earlier post where I have tried to explain the general principles involved.

ISO 9001:2015 – Internal and External Issues

External Issues – A more detailed examination

Why is it important?

I’m drafting a gap analysis at the moment for what you could best describe as a “traditionally structured” QMS. Like many systems of this type, there is no formal structure for identifying internal and external issues, the associated risks and the necessary contingencies and back up plans. In this situation you often get the impression that the management team simply “know” what these things are and “naturally take them into account”. So why the need for anything more formal?

Well, here’s what can happen when you get things wrong …

Monarch Airlines Collapse – where did it go wrong?

It’s perhaps worthwhile taking time to consider the sequence of events and understanding what went wrong for Monarch because this sorry tale outlines quite well why it might be worthwhile trying to adopt a more formal proactive approach to risk management. Does it guarantee everything will be fine? Of course it doesn’t. But what it might do is provide focus as to the size and scale of risks that the company is running (i.e., understanding the worst case scenario) and perhaps help the company understand if there is a Plan B that can be put in place to mitigate the effects, should the worst come to the worst.

In short, the article suggests that Monarch had too many of its eggs in one or two baskets (holiday flights to Turkey and North African destinations) and when demand for flights to this region reduced considerably, it left the company with no place to go.

I know it’s always much easier to analyse failures from the perspective of hindsight, but this state of affairs catches the sentiment quite well.


ISO 9001:2015 Non-Applicability

Non-applicable clauses and how to treat them

I’m starting to get asked this a lot just now, so maybe it’s time for an article to explain it, and to point people at. Those people going through ISO 9001 transition now, and whose QMS identifies some clause(s) that ISO 9001:2008 calls “exclusions”, will need to revisit the matter.

In many ways the same rules apply, but there are a couple of differences.

Firstly, whereas in ISO 9001:2008, “exclusions” were limited to Section 7 (Product Realisation), ISO 9001:2015, on the face of it, applies no such constraints so, in theory at least, non-applicability (the new name for exclusions) may be identified within ANY of the new auditable requirements of Sections 4-10. In practice, however, you will find that your realistic non-applicable clauses (that is, clauses that certain types of organisations may justifiably explain are not applicable to their operations) will be limited to parts of ISO 9001:2015 sections 7 and (mostly) 8 (which is, to all intents and purposes, the equivalent of the old Section 7).

It is unlikely that any requirements of Sections 4, 5, 6, 9 or 10 could be justifiably cited as not applicable. I’d be amazed if any were accepted under any circumstances.

So what could be cited as not applicable?

There aren’t that many potentially non-applicable clauses. In Section 7 (Support), in practice you are looking at clause 7.1.5 – this relates to monitoring and measurement resources and measurement traceability. This clause deals with the EQUIPMENT that may be used in monitoring and measurement (not monitoring and measurement activity) and includes the old calibration and equipment care requirements. Not all organisations use equipment in their monitoring and measurement activities, and it will be a fairly common non-applicable clause, especially with service providers. Measurement traceability (note NOT Product Identification & Traceability – this is different and taken care of within Section 8) is not always a requirement, and in fact the wording of the clause in ISO 9001:2015 actually states “where measurement traceability is a requirement …”. Measurement traceability will normally, if it applies, be required either by legislation or by the customer contract.

In Section 8 (Operation) there are a few potentially non-applicable requirements, because it contains all the old favourites from ISO 9001:2008. Most notably:

  • 8.3 Design and development
  • 8.5.2 Identification & Traceability (of product)
  • 8.5.4 Preservation
  • 8.5.5 Post delivery activities

In practice pretty much close to 100% of any other non-applicable claims will be drawn from the above and Clause 7.1.5. Note that in days gone by “Customer Property” used to be a reasonably common exclusion under ISO 9001:2008/ISO 9001:2000; however, as this clause (ISO 9001:2015 clause 8.5.3) covers intellectual property and data, it is rarely justifiable these days. Most companies hold some customer data that requires protection – financial/payment/bank data at the very least.

How to record non-applicable clauses

If you deem that a clause or clauses is/are not applicable to your QMS (for example it simply does not contain a design element, or you have no physical output that can be spoiled or damaged and so requires preservation controls), these must be identified and JUSTIFIED in the statement of SCOPE (see clause 4.3) of your QMS. In justifying the non-applicable clause, you are simply explaining (and making it clear) why this does not apply to any of the contents, controls or customer requirements of your QMS.

Hope this helps.


ISO 45001 Update (August 2017)

Last Updated 2nd August 2017 (see footnotes)


I’ll start this post by outlining the background and history of the transition of OHSAS 18001 to ISO 45001, for those of you that may not have been following the saga, or for those of you that have been fed incorrect information.

Initially the plan was to issue the new ISO 45001 standard along with ISO 9001 and ISO 14001 in September 2015. Unfortunately agreement on the content of ISO 45001 proved problematic and that didn’t happen. Initially this led to added levels of consultation and amendment, culminating in the issue of a Draft International Standard (DIS) of ISO 45001 in 2016. At that time it was hoped that the level of comment would be at a level that ISO 45001 would be able to be issued directly – skipping the Final Draft International Standard (FDIS) stage. That proved to be an outrageously optimistic plan, and in fact the level of disagreement on content was such that it was decided to start again from scratch, rather than to try to reconcile the outstanding issues by revising the 2016 DIS. In short it was sent back to the drawing board, and the revised timetable for issuing ISO 45001 targeted Spring 2018 as the date of issue. So a second DIS (DIS 2) was issued in April 2017. Again it was hoped that the level of comment would be so low as to allow the issue of the ISO 45001 without it passing through the FDIS stage. Again this was not possible.

Current Status

At the time of writing, the 2017 FDIS is anticipated to be released for comment in Quarter 4 2017, probably November. For those of you unfamiliar with the various stages of consultation for ISO standards, the FDIS is generally expected to be, give or take a few tweaks here and there, pretty close to the standard that finally gets issued. So we (think we) are nearly there. We are now realistically looking at Quarter 2, 2018 as the most likely date of issue of ISO 45001. But we can now do that with a reasonable degree of optimism.

What this means for OHSAS 18001

What this means for OHSAS 18001 is that it will continue to be the most prevalent certifiable management system standard in the world until at least the end of 2019. Even if ISO 45001 is issued in the Spring of 2018, it will take the certification bodies some months to achieve their Accreditation. Also (and I am using ISO 9001 and ISO 14001 as sighters for that timeline) it is normal for relatively few organisations to target a transition audit at the earliest opportunity. For a number of reasons it is often best to let the dust settle. OHSAS 18001 will remain a live document until at least Spring 2021. We can expect transition audits to pick up pace towards the end of 2019, with the deadline being sometime in mid 2021 – three years from the date it gets issued (a date we don’t know yet).


What this means for OHSAS 18001 Lead Auditor Training

We have seen a reduced flow of traffic these past 2 years through our OHSMS (OHSAS 18001) Lead Auditor Courses. This is partially understandable. For those people that are in no particular hurry to complete their course, there has been a tendency to defer their training and complete the course under the new standard and avoid the need for a short ISO 45001 transition course. It is important, however, to remember that whenever standards change, it DOES NOT render your training to an older version of the standard redundant. The course, remember, is officially entitled OHSMS Auditor/Lead Auditor, and we all complete our training to whichever standard is current at the time. In my case that was OHSAS 18001:1999 for instance. It is also important to remember that up until at least the end of 2019, it is OHSAS 18001 that will be the most certified standard worldwide and, up until that time, the majority of OHSMS audits will be to that standard. Clearly completing the OHSMS Course to ISO 45001 and skipping the OHSAS 18001 phase comes with some medium term restrictions for that reason.

Those of us who completed our training to older versions of the standard will need to complete an appropriate transition course to ISO 45001 (not a full lead auditor course). It is anticipated that the IRCA approved transition courses and the new OHSMS Auditor/Lead Auditor course will be available around Easter time in 2018. As is usual when standards change you may see a plethora of alleged “ISO 45001 training” being offered earlier. In fact I have been seeing this for over a year. There is nothing ILLEGAL with offering training against a DIS or FDIS, but bear in mind that this training WILL NOT be accredited and it WILL NOT even be training against the official standard, as it hasn’t even been drafted yet. In my opinion it just exploits a combination of ignorance and impatience. Caveat emptor applies.

Shaun Sayers


ISO 9001:2015 Organisational Context

Don’t overthink it!

There has been a lot of chatter this past year about this new section 4 requirement of ISO 9001. Not all of it, in my opinion, either informed or particularly helpful. In essence, the whole concept of ISO 9001 Organisational Context is something we can summarise in very simple terms.

The End of Copy and Paste …. Maybe

In very simple terms, the requirement for Organisational Context requires the system to be demonstrably the system that belongs to the organisation. Something developed by them, for them, taking into account its own organisational environment and challenges and NOT a copy/paste job. Putting it bluntly, it should see an end to copy/paste/generic manuals. That’s the idea anyway.

The concern I have is that it might not. Already I have seen banner adverts on LinkedIn that advertise for sale “ISO 9001:2015 compliant Management System Documentation”. By definition there can be no such thing. Anything that is off the shelf simply cannot meet the Context requirements of Section 4. We need our Certification Body auditors to see this as a red line. Let’s hope …

And The Auditors?

In my experience it’s quite rare for an organisation and its people not to have a reasonable understanding of its own context. They may not have designed the system around it particularly well, and many issues that affect the organisation might be managed in a less than systematic way, but generally everyone knows what sort of things are likely to bite them on the behind. That could be things like fluctuations in demand, seasonal fluctuations, price of supplies and commodities, trading conditions, weather events, transport and infrastructure disruptions etc – they will know what they are. It is quite common, on the other hand, for an external auditor to fail to understand the context of the auditee. There is a reasonable excuse for this – how could they? The auditor visits one or two times a year; they can’t possibly understand the context of the auditee organisation as well as the people that work there day in day out. Part of the requirement of Section 4 involves the auditee explaining its system to the auditor. Explaining why they do what they do, and, in some ways, making the auditor’s job easier and reducing the chances of conflict through ignorance.

Internal and External Issues

In an earlier article I explained how important this new requirement is. It is, in my opinion, also likely to be the most significant transition issue for most organisations as it is commonly not managed in a documented or a systematic way.


There is a requirement for a greater level of detail to be documented in the statement of scope. The reason for this, again, goes back to context. A vague, general or woolly scope is not helpful to customer organisations. It doesn’t clearly express the extent and limits of your system. Again, also, the scope is used to match auditee and auditor, making sure you get allocated an auditor that is in a good position, based on industry experience, to discharge a competent audit. It’s important too.

Anyway, thanks for reading. Feel free to comment.

Shaun Sayers


How To Write A Nonconformance

Audit reporting requires a complete picture – to report the good as well as the bad – but in this post I want to concentrate on how we construct nonconformances. Depending upon how adversarial the audit relationship is (and some of them can be very adversarial) you might need to be forensic in your choice of words, with watertight nonconformances. You won’t normally need to be so forensic in your choice of words when reporting the good points because, let’s face it, nobody ever challenges the positive findings.

The problem with nonconformance reporting is that many can be written in an unhelpful, general, consultative and even downright confusing way. “x is inadequate”, “y is insufficiently robust”, “the requirement for z is not fully met”. None of these statements give the required level of clarity that the auditee deserves. Frankly, it’s lazy. So what should a solid nonconformance report contain? Well, here’s the formula …

The 1-2-3 Trick

A solid nonconformance report will contain three components, and will be written in a clear, objective way.

  1. Quote the requirement that has been breached. Most auditees don’t have a detailed knowledge of the audit criteria, so help them out by being specific. This also creates the basis for objectivity.
  2. Describe how the requirement has been breached. Again this is useful information. It helps them understand the gap between the requirement and what is currently happening and, consequently, will give them a starting point with regard to how they may correct the issue.
  3. Detail the Evidence. You will have a reason for raising the nonconformance and this should not be limited to a feeling in your water. You should have evidence, so tell them what it is. Not only does this give them the opportunity to check it themselves if they doubt you, but it also gives them a starting point for their investigation, rather than having to find the problem all over again from scratch.

At the first level, think about writing out your nonconformance in that way as a test for yourself. If you can’t describe it in those terms you have to consider whether you can defend the nonconformance if it is challenged, and you probably can’t. At the second level you are giving the auditee everything they need to know about the requirement, the breach and where you found it. It will be specific enough to be helpful, evidenced and objective.
