ISO 45001 Update

Current status as at June 2016

The development of ISO 45001 has been beset by delays as consensus amongst participating national bodies has been difficult to achieve. This led to the aim that ISO 45001 would be issued in October 2016 and that the FDIS stage would be omitted from the process (that is, it was hoped that comments and issues relating to the DIS would be minor and enable the process to proceed directly to the issue of the standard). Unfortunately this did not happen. The volume of comments and concerns raised by participating national bodies was very high and consequently ISO 45001, and the process of further consultation, will require a significant amount of work, meaning that, at this stage, the very earliest we can expect the standard to be issued is Quarter 4, 2017. The current most optimistic timelines for the publication of interim consultation documents are:

Second Draft International Standard: December 2016

Final Draft International Standard: Quarter 3, 2017

Those of you that have been following the saga may recall that some time ago it was somewhat optimistically hoped that ISO 45001 could be issued without the publication of an FDIS. Not only has that not happened, but we’ve even ended up with 2 DIS publications instead of the usual one.

Impact on OHSAS 18001/ISO 45001 certification

If we work on the optimistic assumption that ISO 45001 is issued in Quarter 4 2017, then that will mean organisations that hold OHSAS 18001 certificates will have until Quarter 4 2020 to manage the transition and certify to the new standard (i.e. 3 years from the date of issue). However it should be borne in mind that once the new standard is issued, it will be a few months before most certification bodies have completed their own approval process with their Accreditation Body (e.g. UKAS), so the earliest certifications to the new standard will not now be until 2018.

Impact on OHSAS 18001 Lead Auditor Training

This year has seen an understandable reduction in the number of students taking the OHSAS 18001 Lead Auditor Course, as was the case the previous year with the ISO 9001 and ISO 14001 courses. People that are in a position to delay taking the course are understandably keen to take the course after it incorporates ISO 45001. The likelihood now is that the earliest that an ISO 45001 Lead Auditor Course will be available will be Easter 2017. In considering whether to take the OHSMS Lead Auditor Course, it should be remembered that when ISO 45001 is issued, OHSAS 18001 is neither withdrawn nor rendered redundant. In fact, given that the 3 year transition process will now stretch to mid-2020, it now means that most organisations that hold OH&S management systems certification will remain certified to OHSAS 18001 until at least 2019, and most audits before that time will be to OHSAS 18001 rather than ISO 45001. So the current iteration of the course is far from on its last legs.

ISO 45001 Transition Training

It is anticipated that a 1 day IRCA approved transition module to ISO 45001 will be available sometime in the final quarter of 2017. This assumes the optimistic estimates for the issue of ISO 45001 do not suffer further delays.

Reasons for the delay?

The specific issues raised by the consultation process have not been published so, at this stage, I can only speculate. At earlier stages in the review process, the new Annex SL definition of Risk (the effect of uncertainty) was an area of disagreement and concern. It could be that these concerns were not sufficiently addressed by the DIS. Additionally, from my own perspective, I did note that the level of participation and consultation required by the DIS had increased compared to OHSAS 18001 requirements, to the extent that virtually every decision and piece of information relating to the OHSMS was now required to be run past the workforce (including audit findings, management review outputs, OH&S objectives). I could see many people considering this as inordinate, excessive and impractical. Frankly it looked to me that the whims of some unions had been indulged too freely – but that’s pure speculation and opinion on my part.

Here’s a link to the IOSH statement on the delay. Since that time, there has been a meeting of the International Committee during which the target milestones for the second DIS and the FDIS were agreed.

Shaun Sayers

ISO 9001:2015: A Dystopian Nightmare

We don’t need no ………….  documented procedures …

I’m having a laugh, of course, but then there’s a lot to laugh about, just now.

ISO 9001:2015 does not require ANY documented procedures and, in the words of Sarah Palin, heads are spinning. Is panic too strong a word to use? Possibly not. After all, what is an auditor to do when they ask to see a procedure, only to be confronted with an answer and a statement of fact;

“We don’t have a written procedure and the standard doesn’t require us to have one”

Where does that leave the auditor? The auditee has NO procedure and they can’t be FORCED to have one? Are there no rules anymore? Does that mean we have to accept everything and anything? Fear not, here comes the lifejacket, and I’ll try to make the lesson really simple.

Stop asking for “procedures” and start asking about “CONTROLS”

There was a time, years ago, when “controls” and “procedures” were tantamount to the same thing. Documented procedures were BY FAR the most widely applied control, so asking for “the procedure” was a much more reasonable request. Those days are gone, and ISO 9001:2015 has tried to reflect that. It has tried to reflect the way organisations manage their affairs in the 21st Century and, unfortunately for the lazier auditor (and those that are just plain thick), this will involve “documented procedures” to a lesser and lesser extent. Organisations often do things differently.

So, whilst it is true to say the standard no longer requires any specific documented procedures, it DOES require auditable controls. That is, a controlled way of managing work activities that generates records of conformity. That is the whole purpose of an auditable management system. More and more these days that will involve the use of technology. The result is that where in the past we’d have had documented procedures, we might now see software, on-line tools, menu driven screens and dashboard applications. Those are just a few examples.

Procedures may still be used of course, but they are just ONE option that an organisation has for exercising control, so it really is time to stop asking for procedures – and generating an increasingly predictable response (see above) – and to start asking about CONTROLS. Remember, it’s all about context now, and one “context” issue that affects absolutely everyone is that it is no longer 1995 …

Obviously this relies on the auditor understanding the concept of “auditable control” of course …

Shaun Sayers

ISO 9001:2015 Human Factors

Most people that know anything about management systems understand that human factors have to be accounted for. You can’t simply write a procedure or implement a control and then assume that it will be adhered to. People are not like that. People can be lazy, selfish, tired, distracted, hacked off … all of which can reduce the chance that a procedure, no matter how correct and communicated, will be followed all of the time.

In general terms that means that a system manager should try so far as is possible to make the RIGHT thing to do also the EASIEST thing to do, as this dramatically increases the chances of conformance. Things that can’t be made easy (some things just are complicated) probably need a high level of monitoring (to account for the medium/high risk of nonconformance through poor understanding, laziness, short cuts or whatever).

At the time of writing, most of us are at the “theoretical” stage of understanding how ISO 9001:2015 will work. That is, we can see how it looks, but we don’t really know the levels that the certification bodies will operate at in terms of what they will and won’t accept. That process (which tends to work by custom and practice, osmosis even) will take some time to reveal itself. That said, I’ve noticed a couple of curious things that have not previously appeared in the standard that COULD have a significant impact – and the things I’m going to write about are very much hidden in the detail …

Controls to Prevent “Human Error”

How often is “human error” used as the Corrective Action Get Out Of Jail Free Card? Quite often, in my experience. Well, given the specific reference in Clause 8.5.1g, the options for organisations to use that excuse should be limited. Controls should seek to include actions to PREVENT HUMAN ERROR. Therefore, if human error is the cause of the nonconformity, then that Process Control requirement is not met. It will be interesting to see how that is audited (if it gets audited at all). At this stage I can’t help thinking that the standard might have been better if the aim to prevent human error was also included in the Nonconformity and corrective action clause too. It is very easy to overlook …

The “Social” and “Psychological” Work Environment

Good Lord! The requirements of clause 7.1.4 require that the organisation in terms of its work environment considers the following issues … (and I must quote)

“Social (e.g. non-discriminatory, calm and non-confrontational); and

Psychological (e.g. stress-reducing, burnout prevention, emotionally protective)”

Are they desirable attributes of an effective workplace? Well, yes they are, with the concept I have no problem. What I am looking forward to with a mixture of anticipation, trepidation and amusement is how they will be applied. Let’s think this through. How on earth will a QMS auditor interpret that? Quite aside from the fact that you are highly unlikely to witness highly charged and stressful events actually DURING the audit (because people are told to bite their tongues for a day), this could have significant legal implications for the company in countries where the employment laws deem stress, bullying, discrimination and so on to be unlawful. Are QMS auditors sufficiently well versed in Employment Law so as to be legally correct in the call they make? In my experience they aren’t. Certification Bodies had better get their lawyers on standby.

I think this requirement, no matter how noble in its intent, is practically unenforceable. My guess is that this will actually be ignored.

Let’s see how these things move on. Time to get out the popcorn and plump up a cushion …

Shaun Sayers

ISO 9001:2015 Revised Quality Management Principles

The principles of quality management can be considered “threads” of good business practice that should focus the application and intent of the ISO 9000 series. ISO 9000:2015 provides guidance on the way that these principles should be applied:

Customer focus

“The primary focus of quality management is to meet customer requirements and to strive to exceed customer expectations”

Leadership

“Leaders at all levels establish unity of purpose and direction and create conditions in which people are engaged in achieving the organization’s quality objectives”

Engagement of people

“Competent, empowered and engaged people at all levels throughout the organization are essential to enhance the organization’s capability to create and deliver value”

Process approach

“Consistent and predictable results are achieved more effectively and efficiently when activities are understood and managed as interrelated processes that function as a coherent system”

Improvement

“Successful organizations have an ongoing focus on improvement”

Evidence based decision making

“Decisions based on the analysis and evaluation of data and information are more likely to produce desired results”

Relationship management

“For sustained success, organizations manage their relationships with relevant interested parties, such as providers”

The principles underpinning ISO 9001 have therefore been reduced from 8 to 7. Customer Focus, Leadership and the Process Approach remain, Continual Improvement becomes “Improvement”, a Factual Approach to Decision Making becomes “Evidence Based Decision Making”, Involvement of People becomes “Engagement of People” and finally Mutually Beneficial Supplier Relationships becomes “Relationship Management” (taking into consideration more than just suppliers). The Systems Approach to Management is the casualty in the revision.

It is important that we appreciate that these principles themselves are inter-dependent on one another. A system, by definition, is a set of inter-related activities and processes. Nothing should be viewed in isolation, and an effective QMS depends on effectively managing both the little picture (the detail of the procedures) and the big picture (but are we still in business?).

Shaun Sayers

ISO 9001:2015: Internal and External Issues

All management systems adopting the Annex SL format are required to identify, and manage as appropriate, the management system’s internal and external issues. This will initially require an organisation to determine the scope of the management system, then to understand the processes within its scope, and then to further understand how they inter-relate both internally and externally.

Determining the Scope of the Management System

The requirement to determine the scope of the management system remains a requirement of ISO 9001:2015. It also remains a mandatory documentary requirement; however, there is no longer any requirement as to where it must be documented (in ISO 9001:2008 it was required to have been documented within the Quality Manual). The issue of applicability remains within ISO 9001:2015. This means that, in certain circumstances, some of the requirements of ISO 9001:2015 may not be applicable to some management systems. The word “exclusion” no longer features; however, clause 4.3 still states that:

“The scope shall state the types of products and services covered, and provide justification for any requirement of this International Standard that the organisation determines is not applicable to the scope of its quality management system”

Exclusions, therefore (in the ISO 9001:2008 use of the word), may still be claimed, and must still be justified, so in that sense there is no major change. In other words, and for example, if the organisation has no design and/or development function then it may state that the requirements of clause 8.3 do not apply. Clearly this claim of non-applicability must be consistent with the nature of processes that operate within the scope of the QMS in order for that claim to be justified.

ISO 9001:2015 does not put any limits on claims of non-applicability in the way that ISO 9001:2008 limits claims of exclusion to its clause 7. This places a greater emphasis on the organisation to provide detailed justification if it is to make any claim of non-applicability.

The Quality Management System and its Processes

Some processes will be purely internal, IT Support, for example, while other processes may interface with external bodies such as customers, suppliers and regulatory bodies. The Annex SL definition of a process is;

“Set of interrelated or interacting activities which transforms inputs into outputs”

 (Annex SL definition of Process)

Whilst it is important to understand how each process works, in terms of its individual inputs, outputs, objectives, the efficiency of the process flow and so on, it is also important to remember that the management system will contain several processes, and the efficiency and effectiveness of the system will depend to a large extent on how well these processes are harmonised as part of a cohesive system.

Needs and Expectations of Interested Parties

Some processes will interface with external parties, most commonly customers, regulators and suppliers. The effective operation of processes that interface with external interested parties will, as a minimum, require the organisation to understand the inputs and expected outcomes from these processes in order that the needs and expectations of the interested parties can be served.

Customers and regulatory bodies in particular are critical to the long term success of the organisation and it is important that any processes that interface with these parties are appropriately monitored and measured in order to ensure that their needs are being fulfilled. However the “external issues” can be far more numerous and complex than the external parties that the organisation interacts with. Additional issues could include currency or commodity price fluctuations, the effect of weather (for example if you sell caravans or ice cream), seasonal demand, fashion, political sanctions and so on.

So far as “internal issues” are concerned, for a simple, single site organisation, this is pretty much limited to process interfaces, communications, staff turnover and so on. It’s important not to go hunting for issues where issues don’t exist. Not every system is complex and multi-layered. At the more complex end of the scale there are multi-site organisations with diverse products and processes. Their sites may not all be in the same country or even time zone, there may be language issues, they may have a lot of home working or off-site working, they may operate a three shift system (making handover a key issue) or, by their very nature, suffer from a high staff turnover (hospitality industry, call centres etc).

A word of caution

Be careful not to get too carried away identifying every conceivable “internal and external issue” – remember the standard is only interested in those that have an effect on the QMS. The trouble with creating an exhaustive list of every internal and external issue you can think of is that it opens Pandora’s Box, because the requirement does not end with simply identifying them. Once issues have been identified, the standard requires that they are then monitored, evaluated and reviewed on an ongoing basis. Therefore, just as it is bad practice to create a “Corporate Risk Register” that contains every conceivable, barely conceivable and improbable risk, it is bad practice to over-burden your QMS processes with “internal and external issues” that are insignificant.

Shaun Sayers

