Annex A

Posted by Integrated Safety Inspection System on 9:08 PM with No comments


A.1 Structure and terminology

The clause structure (i.e. clause sequence) and some of the terminology of this edition of this International Standard, in comparison with the previous edition (ISO 9001:2008), have been changed to improve alignment with other management systems standards.

There is no requirement in this International Standard for its structure and terminology to be applied to the documented information of an organization’s quality management system.

The structure of clauses is intended to provide a coherent presentation of requirements, rather than a model for documenting an organization’s policies, objectives and processes. The structure and content of documented information related to a quality management system can often be more relevant to its users if it relates to both the processes operated by the organization and information maintained for other purposes.

There is no requirement for the terms used by an organization to be replaced by the terms used in this International Standard to specify quality management system requirements. Organizations can choose to use terms which suit their operations (e.g. using “records”, “documentation” or “protocols” rather than “documented information”; or “supplier”, “partner” or “vendor” rather than “external provider”).

Table A.1 shows the major differences in terminology between this edition of this International Standard and the previous edition.


ISO 9001:2008 ISO 9001:2015
Products products and services
Exclusions Not used (See Clause A.5 for clarification of applicability)
Management Representative Not used (Similar responsibilities and authorities are assigned but no requirement for a single management representative)
Documentation, quality manual, documented procedures, records Documented information
Work environment Environment for the operation of processes
Monitoring and measuring equipment Monitoring and measuring resources
Purchased product Externally provided products and services
Supplier External provider

A.2 Products and services

ISO 9001:2008 used the term “product” to include all output categories. This edition of this International Standard uses “products and services”. The term “products and services” includes all output categories (hardware, services, software and processed materials).

The specific inclusion of “services” is intended to highlight the differences between products and services in the application of some requirements. The characteristic of services is that at least part of the output is realized at the interface with the customer. This means, for example, that conformity to requirements cannot necessarily be confirmed before service delivery.

In most cases, products and services are used together. Most outputs that organizations provide to customers, or are supplied to them by external providers, include both products and services. For example, a tangible or intangible products can have some associated service or a service can have some associated tangible or intangible product.

A.3 Understanding the needs and expectations of interested parties

Subclause 4.2 specifies requirements for the organization to determine the interested parties that are relevant to the quality management system and the requirements of those interested parties.

However, 4.2 does not imply extension of quality management system requirements beyond the scope of this International Standard. As stated in the scope, this International Standard is applicable where an organization needs to demonstrate its ability to consistently provide products and services that meet customer and applicable statutory and regulatory requirements, and aims to enhance customer satisfaction.

There is no requirement in this International Standard for the organization to consider interested parties where it has decided that those parties are not relevant to its quality management system. It is for the organization to decide if a particular requirement of a relevant interested party is relevant to its quality management system.

A.4 Risk Based Thinking

The concept of risk-based thinking has been implicit in previous editions of this International Standard, e.g. through requirements for planning, review and improvement. This International Standard specifies requirements for the organization to understand its context (see 4.1) and determine risks as a basis for planning (see 6.1). This represents the application of risk-based thinking to planning and implementing quality management system processes (see 4.4) and will assist in determining the extent of documented information.

One of the key purposes of a quality management system is to act as a preventive tool. Consequently, this International Standard does not have a separate clause or subclause on preventive action. The concept of preventive action is expressed through the use of risk-based thinking in formulating quality management system requirements.

The risk-based thinking applied in this International Standard has enabled some reduction in prescriptive requirements and their replacement by performance-based requirements. There is greater flexibility than in ISO 9001:2008 in the requirements for processes, documented information and organizational responsibilities.

Although 6.1 specifies that the organization shall plan actions to address risks, there is no requirement for formal methods for risk management or a documented risk management processes. Organizations can decide whether or not to develop a more extensive risk management methodology than is required by this International Standard, e.g. through the application of other guidance or standards.

Not all the processes of a quality management system represent the same level of risk in terms of the organization’s ability to meet its objectives, and the effects of uncertainty are not the same for all organizations. Under the requirements of 6.1, the organization is responsible for its application of risk based thinking and the actions it takes to address risk, including whether or not to retain documented information as evidence of its determination of risks.

A.5 Applicability

This International Standard does not refer to “exclusions” in relation to the applicability of its requirements to the organization’s quality management system. However, an organization can review the applicability of requirements due to the size or complexity of the organization, the management model it adopts, the range of the organization’s activities and the nature of the risks and opportunities it encounters.

The requirements for applicability are addressed in 4.3, which defines conditions under which an organization can decide that a requirement cannot be applied to any of the processes within the scope of its quality management system. The organization can only decide that a requirement is not applicable if its decision will not result in failure to achieve conformity of products and services.

A.6 Documented information

As part of the alignment with other management system standards, a common clause on “documented information” has been adopted without significant change or addition (see 7.5). Where appropriate, text elsewhere in this International Standard has been aligned with its requirements. Consequently, “documented information” is used for all document requirements.

Where ISO 9001:2008 used specific terminology such as “document” or “documented procedures”, “quality manual” or “quality plan”, this edition of this International Standard defines requirements to “maintain documented information”.

Where ISO 9001:2008 used the term “records” to denote documents needed to provide evidence of conformity with requirements, this is now expressed as a requirement to “retain documented information”. The organization is responsible for determining what documented information needs to be retained, the period of time for which it is to be retained and the media to be used for its retention.

A requirement to “maintain” documented information does not exclude the possibility that the organization might also need to “retain” that same documented information for a particular purpose, e.g. to retain previous versions of it.

Where this International Standard refers to “information” rather than “documented information” (e.g. in 4.1: “The organization shall monitor and review the information about these external and internal issues”), there is no requirement that this information is to be documented. In such situations, the organization can decide whether or not it is necessary or appropriate to maintain documented information.

A.7 Organizational knowledge

In 7.1.6, this International Standard addresses the need to determine and manage the knowledge maintained by the organization, to ensure that it can achieve conformity of products and services.

requirements regarding organizational knowledge were introduced for the purpose of:
a) safeguarding the organization from loss of knowledge, e.g.
— through staff turnover;
— failure to capture and share information;
b) encouraging the organizationto acquire knowledge, e.g.
— learning from experience;
— mentoring;
— benchmarking.

A.8 Control of externally provided processes, products and services

Explanatory requirement for clause 8.4.1, 8.4.2 & 8.4.3

All forms of externally provided processes, products and services are addressed in 8.4, e.g. whether through:
a) purchasing from a supplier;
b) an arrangement with an associate company;
c) outsourcing processes to an external provider.

Outsourcing always has the essential characteristic of a service, since it will have at least one activity necessarily performed at the interface between the provider and the organization. The controls required for external provision can vary widely depending on the nature of the processes, products and services.

The organization can apply risk-based thinking to determine the type and extent of controls appropriate to particular external providers and externally provided processes, products and services.