ISO 9001:2015 Frequently Asked Questions
Does ISO 9001:2015 now have 10 chapters instead of 8?
Yes, the ISO 9001:2015 standard has been restructured to align with ISO Directives, Part 1, Annex SL. This change is being applied to all ISO management system standards (such as Environmental, Occupational Health and Safety, IT security, etc.).
This new structure of 10 chapters, common titles and the order of the controls in each chapter will align consistently with the other management system standards mentioned above. There is also a common vocabulary for these standards, which will also allow for an effective integration.
What is “context of the organization”?
That’s a great question. In the 2008 version of ISO, it wasn’t there so there will be some thinking and some activity to define your hospital’s context. Basically, context of the organization is the role your hospital plays in its current environment, internally and externally. In other words, what factors in your environment (internal and external issues) can affect your ability to meet your objectives. Determining your hospital’s context will set the stage for the balance of your QMS.
Who are my stakeholders and interested parties?
These are terms that come to ISO 9001 from the environmental standard, ISO 14001. Stakeholders and interested parties could be your patient’s family, physicians, regulators, owners, contractors, payers, your community, etc. Take care to define these correctly because there are new controls later in the standard that build around those that we define as "relevant". We will create many processes around the needs and expectations of the relevant interested parties.
Did the process approach go away in this revision?
The process approach actually became much more robust. Now that risk and opportunity have been included in almost every chapter, processes will be managed based on risk. The requirement for knowing your processes' sequence and interaction will be enhanced when risk is integrated. The result should be more reliable processes.
Can you explain the new leadership requirements?
Yes, there are several. First, accountability for the effectiveness of the QMS is explicit. Second, the policy and objectives must be aligned with the context and strategic direction of the hospital, and the QMS integrated with your hospital’s business processes. Another new control is the explicit support of other leadership in their roles. Risk and opportunity also appear in customer focus. The intent of these new controls is to bring quality to all areas of your hospital and ensure that quality doesn’t fall on one person or department.
Why did the role of Management Representative go away?
The title/position of “management representative” is removed. The controls remain, however. Again, the intent is to take “quality” out of one person’s responsibility and to make it everyone’s responsibility. This is supported in other controls for leadership and in the newly enhanced "competence" and "awareness" controls.
What are risks and opportunities?
Let’s begin with some basic definitions. Risk is the degree of uncertainty on achieving objectives. Opportunities are positive or upside risks. The phrase used to discuss risks and opportunities is risk-based thinking. This phrase is not defined anywhere in ISO 9001. Its definition is really self-evident. We define it as the consideration of risk when planning, implementing and maintaining your quality system. A mature risk-based thinking process will identify upside risk AND downside risk and manage them both appropriately.
Do I need another Risk Management program?
ISO 9001 only calls for risk-based thinking; there is no requirement for a risk management program, yet risk is foundational in this new revision. Most likely, you currently have risk management in place in your hospital. Risk-based thinking is proactive risk and it’s integrated into your process approach. Do it correctly and you’ll create a safer patient environment. Editor’s note: Once the concept of risk-based thinking fully sinks in from the accreditation perspective, hospitals will see benefit in integration of current risk practices (mostly financial and legal) with the risk controls from ISO 9001. Again, 9001:2015 now requires integration of your quality management system into your business processes and strategic direction.
If Preventive action is no longer an explicit requirement, how do we identify potential issues to prevent?
The control named "Preventive Action" has left the building... but the requirement has not. It is now bigger and better than ever and goes under the new name of "risks and opportunities"! The ISO experts say that risk was always implied in the 2008 standard, but we now know that it is explicit in 2015. When addressing risks and opportunities, you are preventing potential issues. This includes good risk (opportunities) and bad risk. By integrating risk into our processes, we bring forward the opportunity to readily identify opportunities, thereby meeting the intent of the former control of "preventive action"... we also create a safer patient environment. When you place these new controls for risk and opportunities (aka risk-based thinking) with the new controls for leadership commitment and the integration of quality with hospital business and strategies, you can see a much broader benefit. Preventive action was mostly at the transactional level and, truthfully, never fully realized as intended. Risk and opportunities is broader and now explicitly encompasses all levels of the hospital, from transactional all the way to strategic.
What’s the big deal with awareness and communication?
Both of these controls, communication and awareness, are more significant in 2015. Awareness is more explicit. Employees and contractors must be aware of the effects (good and bad) of their work on hospital objectives. Communication is key for effective process and risk control. Also, hospitals are now required to have communication processes with external interested parties and stakeholders. PS: did you know that enhancing internal communication (with patients and employees) is one of the top 3 ways to increase hospital profitability in 2016 (according to Becker’s Hospital CFO)?
Did the quality manual and required procedures really go away?
One significant change from 2008 to 2015 is the less prescriptive documentation controls. No more controls for documenting the quality manual and the six procedures. Before you get too excited, many parts of the 2008 controls for the quality manual still have to be documented, just not in a document named quality manual. The processes in the six procedures actually have some new controls; they just don’t have to be documented in a procedure.
What is organizational knowledge?
It’s the knowledge needed to ensure that your hospital delivers consistent processes. In short, it’s knowledge management (KM). So this control includes how this knowledge will be maintained with retirements, etc.; in essence, succession planning. FYI, this is the only completely new control in ISO 9001:2008.
What is the difference between competence and organizational knowledge?
Let's use our references, specifically, ISO 9000:2015. Competence is defined as "ability to apply knowledge and skills to achieve intended results". Translated to plain English, it's knowing what to do. Competence is typically used in reference to a person. Organizational knowledge is used as a collective term for the entire organization, which is a sum of competent persons. This organizational knowledge is from experience, education, etc. and is, in effect, succession planning. The intent of organizational knowledge is to ensure that the people stay competent in the future, so that you can meet future needs and expectations of your patients.
Can I still exclude Design and Development?
The new controls now require design and development of processes. So, if you design processes, which we all do, you can no longer exclude this control. DNV GL states that they will initially survey this control against your project management (i.e., construction, adding new services, etc.). Eventually, DNV GL will begin to survey process improvements, such as process redesign, Lean, Six Sigma, etc.
Who are my external providers?
These are your contractors, suppliers, etc. This list includes your outsourced services and service providers, such as dietary, biomed, physicians, etc. The controls are more explicit regarding external provider performance.
What does ISO mean by "change control"?
This control requires the hospital to review and control changes of your processes to ensure consistency. The standard does not specify which processes need to be included in this change control process, therefore this control integrates many other controls, such as context of the organization, communication, risk-based thinking, and process design, among others.
Does nonconforming products now include services or processes?
Actually, this control is now entitled, “Control of nonconforming outputs”, so yes, this control does include services. This newly titled control brings in aspects of the old “nonconforming product” and the old “corrective action”. It’s not really a new control, simply an improvement in the alignment of how hospitals should manage their processes.
How significant are the changes to internal audit?
The most explicit change is the new control that auditors must be objective and impartial of the audit process, replacing the old control of not auditing their own work. There is some implicit language that gives a nod to planning audits based on organizational changes, but some might argue that control was also implied in the 2008 revision. With the new controls for integrating the QMS with the strategic and business processes, there will be higher expectations of the auditors’ competencies. Internal auditors should now show real quantifiable value in their audit findings.
How are these changes applicable for hospitals?
Here is a short list of the “big deals” in ISO 9001:2015 for hospitals.
- Context of the organization and inclusion of interested parties and stakeholders in your QMS
- Integrating your QMS with strategic and business process (this is likely the most significant to success of your QMS). Accreditation can begin the migration from a financial liability to an asset.
- Implicit requirements for risk-based thinking and its integration with process management. This will be foundational for success and can begin the pathway to a sustainable patient safety environment. Done correctly, you won’t have to conjure up “preventive actions” for the surveyor. This will be hardwired into how you operate daily.
- Managing organizational knowledge
- Process design is huge. Once we integrate risk and processes, we better understand our real position in process outputs. Designing and revising processes will yield better results for our patients. Managing process changes is now required.
- Finally, with these enhancements, the value that a well-trained internal auditor can bring to the hospital is exciting. Conducting value-added audits will provide objective data for continual improvements (financial and operational)! PS: your CFO will appreciate this too!