|
ISO IEC 90003 2014
is based on the ISO 9001 2008 quality
management standard.
The following formula summarizes how these two QMS
standards are related:
ISO IEC 90003 =
ISO 9001 + advice on how to apply ISO 9001 to software
ISO 9001 has changed, but the “advice on
how to apply ISO 9001 to software”
hasn't. It's still the same. Accordingly, the following material
will discuss the
changes that were made to the underlying ISO 9001 standard.
ISO 9001 2000 and ISO 9001 2008 use the
same numerical system to organize
the standard. As a result, the new ISO IEC 90003 standard looks
much like the old.
However, some (ISO 9001) changes were made. When you compare ISO
9001 2000
and ISO 9001 2008 you’ll notice that the changes that have been
made tend to be
minor clarifications and modifications. These changes are
summarized below.
|
Outsourced
processes
The process
approach continues to be of central importance to ISO
9001.
And since outsourcing
has become increasingly common during the last few
years, the new ISO 9001 standard has expanded its discussion
of outsourced
processes (see ISO 9001 section 4.1).
The new standard makes it clear that
an outsourced process is still part of your
QMS
even though it is performed by a party that is external to
your organization.
The new standard emphasizes the need to ensure that outsourced
processes
comply with all customer, statutory, and regulatory
requirements. While the
responsibility for a process may have been outsourced, your
organization
is, nevertheless, still responsible for ensuring that it meets
all customer,
regulatory, and statutory requirements.
While the old standard said that
outsourced processes must be controlled, the new
standard goes further by expecting you also to specify the
type, nature, and extent
of control. ISO 9001 2008 also wants you to think
carefully about how you’re going
to control outsourced processes. How you choose to control an
outsourced process
should be influenced by the potential impact it could have on
your products, whether
or not process control will be shared with the process
supplier, and whether or not
adequate controls can be contractually created using your
purchasing process.
|
Documentation
ISO 9001 2008, section 4.2.1, makes
it clear that QMS documentation
includes
not only the records
required by the standard but also the records that your
organization needs in order to be able to plan, operate, and
control its QMS
processes. So the new standard has expanded the definition of
documentation to include all QMS process records.
Section 4.2.1 makes it clear that a
single document may contain several procedures
or several documents may be used to describe a single
procedure. While this has
always been an option, the new standard makes this possibility
explicit.
ISO 9001 2000 section 4.2.3 gave the
impression that all external documents needed
to be identified and controlled. This has now been clarified.
The new standard now
says that you need to identify and control the distribution of
only those external
documents that you need in order to be able to plan and
operate your QMS. In
other words, only relevant external QMS documents need to be
controlled,
not all of them.
|
Management
representative
ISO 9001 2000, clause 5.5.2, allowed
you to appoint any member of management
to oversee the organization’s QMS. Since the old
standard did not explicitly say
that the management representative must be a member of the
organization’s
own management, outsiders were sometimes appointed, instead.
This loophole has now been closed.
ISO 9001 2008 now makes it very clear
that the management representative must be a member of the
organization’s
own management.
|
Competence
While both old and new standards
stress the importance of competence,
the old
standard wasn’t very clear about who they were talking about.
Now it’s clear that all
QMS personnel must be competent. ISO 9001 2008, section 6.2.1,
makes it clear that
any task within the QMS may directly or indirectly affect the
organization’s ability or
willingness to meet product requirements. Since any QMS task
could directly or
indirectly influence product quality, the competence of anyone
and everyone
who carries out any QMS task must be assured.
|
Infrastructure
For ISO 9001 2000 (section 6.3) the
term infrastructure includes buildings,
workspaces, equipment, software, utilities, and services like
transportation
and communications. ISO 9001 2008 has now added information
systems to
the previous list of support services. Both old and new
standards expect you
to provide the infrastructure that your organization needs in
order to ensure
that product requirements are being met.
|
Work
environment
According to ISO 9001 2000, section
6.4, you are expected to manage the work environment that your
organization needs in order to be able to ensure that all
product requirements are being met. However, it failed to
indicate exactly what
they were talking about. This problem has now been solved. ISO
9001 2008
now says that the term work environment refers to
working conditions.
These working conditions
include physical and environmental factors,
as well as things like noise, temperature, humidity, lighting,
and weather.
According to the new ISO 9001 standard, all of these
conditions need to be
managed in order to help ensure that product requirements are
being met.
|
Customer
requirements
According to ISO 9001 2000, section
7.2.1, you are expected to identify your
customers’ specific delivery and post-delivery requirements.
Since some people
weren’t sure about what post-delivery meant, the new standard
has tried to clarify
this. According to ISO 9001 2008, post-delivery requirements
include things like
warranty provisions, contractual obligations (such as
maintenance), and
supplementary services (such as recycling and final disposal).
|
Design
and development planning
Both old and new standards expect
organizations to plan and perform product
design and development review,
verification,
and validation
activities (section 7.3.1).
While each of these three activities serves a different
purpose, ISO 9001 2008 makes
it clear that these three activities can be carried out and
recorded separately or in
any combination as long as it makes sense for the product and
the organization.
|
Design
and development outputs
Section 7.3.3 of ISO 9001 2000 wants
you to make sure that the design and development process
generates information (outputs) that your purchasing,
production, and service provision processes need to have. ISO
9001 2008
now also says that outputs could include information that
explains how
products can be preserved during production and service
provision.
|
Monitoring
and measuring equipment
While ISO 9001 2008, section 7.6,
refers to the need to control monitoring
and measuring equipment, the old standard talked about
controlling devices.
Since the term device can refer to almost anything
from a literary contrivance
to a machine, its meaning wasn’t exactly clear. The new
standard has removed
this ambiguity by using the term equipment.
Both the old and the new ISO 9001
standard want you to confirm that monitoring
and measuring software is capable of doing the job you want it
to do. In addition
to this requirement, the new standard suggests that
configuration management
and well established verification methods can be used to
ensure the ongoing
suitability of monitoring and measuring software. However,
this is not a
formal requirement, just a statement that explains how the
ongoing
suitability of software can be maintained.
|
Customer
satisfaction
Both old and new ISO 9001 standards
want you to monitor and measure customer satisfaction
(perceptions). A new note to ISO 9001 2008, section 8.2.1,
explains that there are many ways to monitor and measure
customer satisfaction. You could use customer satisfaction and
opinion surveys and you could collect product quality
data, track warranty claims, examine dealer reports, study
compliments and
criticisms, and analyze lost business opportunities.
|
Internal
audit records
Both old and new standards refer to
the need to establish a procedure to define how
internal
audits should be planned, performed, reported, and
recorded (section 8.2.2).
However, the old standard did not explicitly state that audit
records must actually be
maintained. This oversight has now been corrected. ISO 9001
2008 now explicitly
says that you must maintain a record of internal audit
activities and results.
|
Process
monitoring and measurement
Both old and new standards expect
you to monitor and measure QMS
processes.
A new note to ISO 9001 2008, section 8.2.3, wants you to
consider the impact each
process has on the overall effectiveness
of your QMS (and the impact it has on your
ability to meet product requirements) when you’re making
decisions about what
kinds of process monitoring and measurement methods should be
used.
|
Release
of product
According to ISO 9001 2000, section
8.2.4, you must make sure that product
monitoring and measuring records indicate who was responsible
for authorizing
the release of products. However, the old standard did not
specify who must be
on the receiving end. This has now been clarified. ISO 9001
2008 now makes it
clear that products are released for delivery to customers.
Records must
now indicate who releases products for delivery to customers.
|
