Changes to ISO 9001

At Acorn Regulatory we are committed to ensuring quality in all aspects of what we do so it’s vital to us to stay informed of updates in legislation, requirements or standards in our field of expertise – quality and regulatory. This week we are looking at the September 2015 update of ISO 9001.

In September 2015, ISO 9001:2008 was updated to ISO 9001:2015. This update was required in order to respond to the latest trends and ensure the standard stays relevant in the business world. Organisations have been granted a three-year transition period after the revision has been published to migrate their quality management system to the new edition of the standard. This means that by September 2018 a certificate to ISO 9001:2008 will no longer be valid.

The new version, ISO 9001:2015 is based on three basic core concepts:
– that process approach
– the plan-do-check act methodology
– risk based thinking

Risk Based Thinking – what is it and what it means for organizations certified and/or using ISO 9001:2008

Risk is defined as “the effect of uncertainty on an expected result”. It is the decision of the organisation as to how extensively the risk-based approach is applied.

However consider this, the new requirement to have a risk based approach should be seen as a positive part of the QMS and not as a thorn in your side. It makes the QMS more meaningful and effective and supports the fundamental objective every organisation has to be more successful.

So now, in order to be compliant to ISO 9001:2015, each organisation must determine the risk and opportunities within the core of your organisation. This is where alignment with business strategy comes into play. With the new clause – understanding the organisation and its context “the organisation shall determine the external and internal issues that are relevant to its purpose and its strategic direction and that affect its ability to achieve intended results of its quality management system”

The QMS and business processes are to be aligned “ensuring the integration of the QMS requirements into the organisations business processes”. This could be done through consolidating the quality and business objectives. The ultimate goal of any organisation is 100% customer satisfaction. The purpose of a QMS fundamentally is to achieve 100% customer satisfaction. From a business perspective increased customer satisfaction is correlated with an increased profitability (there are many studies providing evidence to support this). It can only be a good thing when the world of business and quality collide. ISO9001:2015 seems to agree and that’s what makes it more relevant in today’s world.
Every business has objectives whether they are documented or not and by consolidating the business and quality objectives the organisation must actively work to ensure that objectives are achieved and in turn provide evidence that the objectives are being met. ISO 9001:2015 gives the tools and the structure to do just that. The new standard requires the organisation to ‘give assurance’ that it can ‘achieve its intended results’, i.e. objectives. By aligning the quality and business objectives, assurance that intended results are achieved can be supported by showing “what will be done, what resources are required, who is responsible, when it will be completed and how the results will be evaluated’, all these steps are in fact a plan or more specifically a business plan.
The risks of not achieving the objectives for the year in question need to be considered along with the opportunities. There may be several opportunities to meet an objective but the level of risk associated to each opportunity can vary.

The example below demonstrates some of the opportunities associated with the objective. Each opportunity has a different level of risk. A risk matrix can be used to categorise and quantify the level of risk to remove the element of subjectivity. In addition an ‘FMEA style’ approach can be used to identify the most suitable opportunity to address the risk. Instead of using the following well known approach of Failure = Severity x Occurrence x Detection this approach could be modified as follows:

Objective = Risk x Ease of Implementation of Opportunity x Likely Effectivity

The above quantitative scoring system allows the organisation to identify and quantify risk and opportunity for each objective.

The risks and opportunities associated with the operation of the organisation need to be considered and the organisation needs to plan how to address these risks and opportunities.

The organisation may decide based on the risks identified to implement all opportunities to mitigate the risk. A plan will be needed to address all opportunities where action has been agreed.

Reference to risk in ISO 9001:2015

The following list details the areas in ISO 9001:2015 where risk is referenced:
 Introduction to the concept of risk-based thinking
 Clause 4: The organization is required to determine the risks which can affect its ability to meet objectives. The organisation needs to plan and implement the appropriate action to address the risks.
 Clause 5: Top management are required to commit to ensuring Clause 4 is followed
 Clause 6: The organization is required to take action to identify risks and opportunities
 Clause 8: The organization is required to implement processes to address risk
 Clause 9: The organization is required to monitor, measure, analyse and evaluate the risks and opportunities
 In Clause 10:The organization is required to improve by responding to changes in risk

Preventive Action Revised for improved applicability

In most organisations keeping up to date with non-conformances and associated CAPA’s is enough work so the requirement in ISO9001:2008 to “eliminate the cause of potential nonconformities” is not always acted upon when opportunity arises. The new standard has removed the requirement for preventative action and now requires actions to address risks and opportunities. This is a much improved approach with a real feeling of relevancy and usefulness. As the risk based approach is a core concept in the new standard the requirement to address risks and opportunities is throughout the standard as discussed above.

Additional changes to ISO 9001

Fewer prescribed requirements

A Quality Manual is no longer required. This aligns with a change of approach in general with regard to documentation. ‘Documented requirements’ has been replaced with ‘Documented Information’. Documented information is defined as “information required to be controlled and maintained by an organisation and the medium on which it is contained”. It “can be in any format and media and from any source”
With a continued emphasis on a process based approach there is no requirement for the uniformity of structure to align with the clause structure of the standard. The majority of organisations implemented the standard in a uniform way, clause by clause where compliance to each clause was documented in the quality manual. Now compliance to the standard can be demonstrated using a different approach with reference to “internal and external issues that are relevant to its purpose and its strategic direction and that affect its ability to achieve the intended result(s) of its quality management system”

Less emphasis on documents.

Requirements to have a documented quality manual, documented procedures (control of documents, control of records, internal audit, control of non-conforming product, corrective action, preventive action) and quality records have been removed so there mandatory procedures will be no longer be required in order to gain certification. While ISO 9001:2008 specified a number of mandatory documents, ISO 9001:2015 does not. However that does not mean that organisations have to throw away their quality manuals and documented procedures. If this documentation is in place and working well, there is no need to withdraw it. However these documents will need to be reviewed to ensure they reflect the updated requirements of ISO 9001:2015.

Improved applicability for services

For all of us out there who are applying the standard to a service and not a product this update is a great improvement in terms of applicability and implementation.
ISO9001:2015 references services much more in comparison to ISO 9001:2008 which mostly refers to products in the clauses. This results in improvement in applicability of the standard to service providers.
The table below identifies clauses where reference to services is included.
ISO9001:2008 ISO 9001:2015
7.2 Customer-related processes 8.2 Determination of requirements for products and services
7.2.1 Determination of requirements related to the product 8.2.2 Determination of requirements related to the products and services
7.2.2 Review of requirements related to the product 8.2.3 Review of requirements related to the products and services
7.3.1 Design and development planning 8.3 Design and development of product and services
7.4 Purchasing 8.4 Control of externally provided products and services
7.4.3 Verification of purchased product 8.6 Release of products and services
7.5.5 Preservation of Product 8.5.4 Preservation
8.2.4 Monitoring and Measurement of Product 8.6 Release of products and services
8.3 Control of Non-conforming Product 8.7 Control of non-conforming process outputs, products and services

Management Responsibility to Leadership

‘Management Responsibility’ has been replaced by ‘Leadership’.

There is no longer a requirement for a management representative instead roles, responsibilities and authorities are to be assigned, communicated and understood.
Additional improvement in leadership:
 A requirement to define the boundaries of the QMS.
 Increased emphasis on organizational context.
 Increased leadership requirements.
 Greater emphasis on achieving desired outcomes to improve customer satisfaction.

Internal Communication to Communication

Internal communication for the effectiveness of the quality management system has been replaced by communication with more general requirements on what, when, with whom and how to communicate.


The biggest change – Risk based approach
The biggest improvement – Identify risks and opportunities
Smaller improvements:
– Reduced documentation requirements (Quality manual, defined SOP not mandatory)
– Increased focus on the process approach
– Increased focus on business, determining internal and external issues relevant to strategic direction
– Greater applicability to services
– Greater focus on communication

We are happy to advise on ISO 9001 or any other aspect of your quality system.  Contact us today on 00353 52 61 76706 or complete your details below and we will get straight back to you.

About the Author
Gemma Robinson, PhD
Managing Director
As Managing Director of Acorn Regulatory, Gemma Robinson is actively involved on client projects on a day to day basis and she leads a team of respected pharmaceutical, medical device, pharmacovigilance and clinical trial experts.  Gemma is also an active contributor to developing and promoting standards in the regulatory affairs profession and she has worked with a number of academic and not for profit organisations to encourage individuals to pursue a career in regulatory affairs and the broader STEM subjects. You can read more articles by Gemma by clicking the link below.
Other articles by Gemma Robinson PhD