ISO 9001 Drastically Revised

Are you wondering what’s new in the latest version of ISO 9001?

The simple answer is, “Just about everything.” The rumor is that the technical committee added a clause about risk-based quality management systems. The truth is that the revised standard has 11 major clauses instead of 9, and clauses 4-10 have been retitled, reorganized and rewritten. The technical committee essentially blew up the standard, and they had a little trouble putting it back together. Anyone that has an existing ISO 9001 quality system certificate will have a major task in front of them to revise and update their quality system documentation to address these changes. This article summarizes the major changes and provides some tools and suggestions for strategy to help you make the transition.

Exhibit 1 provides a comparison of the titles for the major clauses in the current and revised versions of ISO 9001. The clauses of the revised standard highlighted in green have been revised, but the organization and titles have been maintained. Clauses highlighted in yellow have not only been retitled, but the content from the current version of ISO 9001 was reorganized and rewritten.

Exhibit 1: Comparison Table of Major Clauses

Packard Chart_1

Examples of Changes Made
I had some trouble finding the clause for internal auditing. In the current version, management review is clause 8.2.2, while in the revised standard internal auditing was shifted to clause 9.2. You might expect control of conforming product to be shifted from clause 8.3 to 9.3, but control of nonconforming product is not even in clause 9. Clause 8.3 was combined with clause 8.5.2, corrective action, and the resulting clause is “Nonconformity and corrective action” found in the revised standard under clause 10.2. These changes might seem strange, but preventive action (the current Clause 8.5.3) was completely eliminated. There’s a note in clause 0.5 explaining the elimination of the preventive action clause and the introduction of risk-based thinking instead. Even the clause for management review was reorganized. Instead of placing management review under the clauses for “Leadership” (Clause 5), management review is found in clause 9.3 of the revised standard.

After being totally confused by the revisions made to ISO 9001, I struggled for a while to identify a logical strategy for updating an existing quality system to comply with these changes. One approach is to focus on the procedural requirements instead of the organization of the revised standard. Exhibit 2 compares the requirements for documented information of ISO 9001:2008 with the revised draft. In ISO 9001:2008, Note 1 in subclause 4.2.1 states, “Where the term ‘documented procedure’ appears within this International Standard, this means that the procedure is established, documented, implemented and maintained.” This statement was revised in ISO 9001:2015 and now is referred to as “documented information” in Annex A.6. Unfortunately, there are 53 references to “documented information” throughout ISO 9001:2015, but Exhibit 2 attempts to reconcile these differences. The six requirements for a “documented procedure” in ISO 9001:2008 are highlighted in blue.

Exhibit 2: Comparison of Documented Information Requirements

Packard Chart_2

Should You Keep Your Quality Manual?
The ISO 9001:2015 standard eliminates the requirement for a quality manual, but there is still a requirement to define how you meet the requirements of the standard. Therefore, I recommend maintaining a quality manual. A quality manual will also be required as part of the revised ISO 13485 standard (i.e., ISO 13485:2015).

If you have only an ISO 9001 certification, you might consider reorganizing and rewriting your manual to match the revised standard. However, if you have both ISO 13485 and ISO 9001, then you should probably maintain your existing organization of the quality manual because ISO 13485 has not changed in structure of the clauses. If you have both quality certifications, then you should probably add a cross-reference table at the end of your manual to indicate how you meet all the documentation requirements of ISO 13485 and 9001. Some of the 53 requirements for documented information will be procedures, and there are many more procedural requirements in ISO 13485, 21 CFR 820 and the European Medical Device Directive. The requirements for documented information that you meet by maintaining records can be addressed in a separate document for control of records or records retention.

Conclusions / Recommendations
The ISO 9001:2015 standard is a major revision that will require significant time and resources to determine the best way to implement the revised quality system. Most companies will need all three years of the transition period for compliance, and each medical device company is likely to develop their own solutions due to changes in ISO 13485.

Overall I do not see ISO 9001:2015 as an improvement. I believe that a risk-based approach is needed, but the way that it is being introduced in this Standard appears to be too radical of a departure from the current structure of the Standard.

If your company is a medical device contract manufacturer that does not have ISO 13485, you might consider updating your quality system to comply with ISO 13485 and drop your ISO 9001 certification. If you choose this approach, the revisions to your quality system will be much easier for employees to understand and implement in one year. You may even want to inquire with each of your customers in the next 6 months to see what their strategy will be. I already know of two clients that have dropped ISO 9001 and a third that is planning to drop ISO 9001 certification.

Rob Packard is a regulatory consultant with 20 years of experience in the medical device, pharmaceutical and biotechnology industries. Mr. Packard served in senior management at several medical device companies, including President and CEO of a laparoscopic imaging company. His Quality Management System expertise covers all aspects of developing, training, implementing and maintaining ISO 13485 and ISO 14971 certification. From 2009 to 2012, he was a lead auditor and instructor for one of the largest Notified Bodies. His specialty is regulatory submissions for high-risk medical devices for CE Marking applications, Canadian medical device applications and 510(k) submissions. The most favorite part of his job is training others. He can be reached at This email address is being protected from spambots. You need JavaScript enabled to view it..

Medical Device Academy