Whittington & Associates Newsletter

Sign up for our monthly email newsletter to get the latest guidance on ISO 9001, AS9100, AS9110, AS9120, ISO 13485, IATF 16949, ISO 14001, ISO 27001, ISO 45001, ISO 20000, and related ISO standards, as well as Six Sigma.

If you have any questions about the articles appearing in this issue, or you want to suggest topics for future issues, please let us know.

ISO 45001:2018

Apr 4, 2018 in Newsletter

ISO 45001:2018, “Occupational health and safety management systems — Requirements with guidance for use”, is now available. ISO 45001 is a replacement for OHSAS 18001:2007.

ISO 45001 adopts Annex SL, thus sharing the same clause structure, core text, and terms and definitions as ISO 9001:2015 (quality management) and ISO 14001:2015 (environmental management).

ISO 45001 specifies requirements for an occupational health and safety (OH&S) management system and gives guidance for its use. It enables organizations to provide safe and healthy workplaces by preventing work-related injury and ill health, as well as by proactively improving OH&S performance.

The new standard is applicable to any organization that wants to establish, implement, and maintain an OH&S management system to improve occupational health and safety, eliminate hazards and minimize OH&S risks (including system deficiencies), take advantage of OH&S opportunities, and address OH&S management system nonconformities associated with its activities.

ISO 45001 helps an organization to achieve the intended outcomes of its OH&S management system. Consistent with an organization’s OH&S policy, the intended outcomes of an OH&S management system include:

a) continual improvement of OH&S performance;
b) fulfilment of legal requirements and other requirements;
c) achievement of OH&S objectives.

ISO 45001 applies to any organization regardless of its size, type, and activities. It is applicable to the OH&S risks under the organization’s control and considers factors such as the context in which the organization operates and the needs and expectations of its workers and other interested parties.

ISO 45001 doesn’t state specific criteria for OH&S performance, nor is it prescriptive about the design of an OH&S management system. It doesn’t address issues such as product safety, property damage, or environmental impacts, beyond the risks to workers and other relevant interested parties.

ISO 45001 can be used in whole or in part to systematically improve occupational health and safety management. However, claims of conformity to ISO 45001 are not acceptable unless all its requirements are incorporated into an organization’s OH&S management system and fulfilled without exclusion.

According to an ISOFocus article, the main change is that ISO 45001 concentrates on the interaction between an organization and its business environment, while OHSAS 18001 was focused on managing OH&S hazards and other internal issues.

The standards also diverge in other ways, for example:

  • ISO 45001 is process-based – OHSAS 18001 is procedure-based
  • ISO 45001 considers both risk and opportunities – OHSAS 18001 deals exclusively with risk
  • ISO 45001 includes the views of interested parties – OHSAS 18001 does not

You can order ISO 45001:2018 at this ISO webpage for about $168.

IATF 16949 Nonconformities

Apr 4, 2018 in Newsletter

A recent article in the OMNEX Navigator provided an analysis of 181 transition audits to the IATF 16949:2016 automotive standard.

Top 5 Nonconformities

The top five IATF 16949 clauses with nonconformities are listed below by percentage of total nonconformities:

1. Total Productive Maintenance = 4.9%
2. Control Plan = 3.9%
3. Contingency Plans = 3.8%
4. Control of Production and Service Provision (8.5.1) = 2.7%
5. Internal Auditor Competency (7.2.3) = 2.4%

Top 5 Majors

The top five IATF 16949 clauses with majors are listed below by percentage of total major nonconformities:

1. Customer-Specific Requirements (4.3.2) = 5.3%
2. Internal Auditor Competency (7.2.3) = 5.3%
3. QMS Audit = 5.3%
4. Total Productive Maintenance = 4.5%
5. Management Review Inputs (9.3.2) = 4.5%

To read the OMNEX Navigator, go to this web page.

Safety Report

Apr 4, 2018 in Newsletter

The 2018 Annual Safety Progress Report from SafeStart and EHS Daily Advisor was developed based on the survey responses from 531 environmental, health, and safety professionals.


The participants listed their top seven most pressing safety concerns as:

1. Employee engagement (48%)
2. Employees taking shortcuts or ignoring the rules (44%)
3. Supervisor participation in safety programs (38%)
4. Common recurring injuries, e.g., slips, trips, and falls (32%)
5. Lackluster safety culture (30%)
6. Organizational and/or leadership buy-in (28%)
7. Clashes between safety and production (26%)


The top three obstacles to implementing safety improvements were identified as:

1. Budget (57%)
2. Competing with other operational projects/priorities (50%)
3. Training time/logistics (43%)


When asked to choose the statement that best describes the compliance of their safety programs, they selected:

“We have an excellent safety program that goes well beyond OSHA compliance.” (15%)

“We are trying to take our safety program to the next level beyond compliance.” (40%)

“We are compliant with OSHA standards but have made no efforts to go beyond minimum compliance.” (14%)

“We are not fully compliant with OSHA standards yet, but we’re actively trying to fix gaps in our compliance.” (24%)

“We are not compliant with OSHA regulations and unable to comply due to limited resources or lack of commitment.” (6%)

To download the full 40-page report, go to this web page.

Tackling Counterfeit

Apr 4, 2018 in Newsletter

A new brochure on “Tackling Counterfeit with IEC and ISO Standards” is available for a free download from this web page.

The first page of the brochure sets the stage:

“In Roman times it was wine, in mediaeval times it was textiles and weapons, today it is everything from personal computers to potency pills. Counterfeit goods are nothing new, but with globalization, the Internet and increased movement of goods, the fakes business is booming.”

The brochure answers the questions “What exactly are counterfeit goods?” and “How does counterfeit affect you?”

The brochure provides counterfeit examples for Pharmaceuticals, Electronics, Food, and Consumer Products. For each industry, it answers the questions, “What are the risks?” and “How can I spot a fake?”, and then identifies the IEC and ISO standards that can help.

QMS and Processes

Apr 4, 2018 in Newsletter

ISO 9001:2015, clause 4, Context of the Organization, includes requirements for the organization to determine its:

  • external and internal issues (4.1)
  • relevant interested parties (4.2)
  • quality management system scope (4.3)
  • processes and their interaction (4.4)

This article is on clause 4.4 and establishing a quality management system and the interaction of its processes. See the External Issues and Internal Issues articles in our February 2018 newsletter. See the Interested Parties and Scope Statement articles in our March 2018 newsletter.

4.4 Quality management system and its processes

4.4.1 The organization must establish, implement, maintain and continually improve a quality management system (QMS), including the processes needed and their interactions, in accordance with the requirements of ISO 9001.

The organization must determine the processes needed for the quality management system and their application throughout the organization, and:

a) determine the inputs required and the outputs expected from these processes;
b) determine the sequence and interaction of these processes;
c) determine and apply the criteria and methods (including monitoring, measurements and related performance indicators) needed to ensure the effective operation and control of these processes;
d) determine the resources needed for these processes and ensure their availability;
e) assign the responsibilities and authorities for these processes;
f) address the risks and opportunities as determined in accordance with the requirements of 6.1;
g) evaluate these processes and implement any changes needed to ensure that these processes achieve their intended results;
h) improve the processes and the quality management system.

4.4.2 To the extent necessary, the organization must:

a) maintain documented information (documents) to support the operation of its processes;
b) retain documented information (records) to have confidence that the processes are being carried out as planned.


ISO 9000:2015, Fundamentals and Vocabulary, defines a “quality management system” as the part of a management system regarding quality. A “management system” is defined as a set of interrelated or interacting elements of an organization to establish policies and objectives, and processes to achieve those objectives.

The management system elements establish the organization’s structure, roles and responsibilities, planning, operation, policies, practices, rules, beliefs, objectives, and processes to achieve those objectives.

ISO 9000 defines a “process” as a set of interrelated or interacting activities that use inputs to deliver an intended result. Whether the “intended result” of a process is called output, product, or service depends on the context of the reference.

Inputs to a process are generally the outputs of other processes; outputs of a process are generally the inputs to other processes. Processes in an organization are generally planned and carried out under controlled conditions to add value.

A process where the conformity of the resulting output cannot be readily or economically validated is frequently referred to as a “special process”.


According to ISO/TS 9002:2016, the intent of clause 4.4 is to ensure that the organization determines the processes needed for its quality management system in accordance with ISO 9001. This includes not only the processes for production and service provision, but also the processes that are needed for the effective implementation of the system, such as internal audit, management review and others (including processes that are performed by external providers).

For example, if the organization determines the need for a process for monitoring and measuring resources, the process will need to meet the requirements of ISO 9001:2015, 7.1.5. The level to which processes need to be determined and detailed can vary according to the context of the organization and the application of risk-based thinking – taking into consideration the extent to which the process affects the organization’s ability to achieve its intended results, the likelihood of problems occurring with the process and the potential consequences of such problems.

ISO/TS 9002:2016 provides guidance for ISO 9001:2015, 4.4.1, bullets a) to h):

a) Inputs and Outputs
The organization should determine the inputs required and the outputs expected from its processes. Inputs required for the processes should be considered from the viewpoint of what is required for the implementation of the processes as planned. Expected outputs should be considered from the viewpoint of what is expected either by the customers or the subsequent processes. Inputs and outputs can be tangible (e.g., materials, components or equipment) or intangible (e.g., data, information or knowledge).

b) Sequence and Interaction
When determining the sequence and interaction of these processes, the links with the inputs and outputs of the previous and subsequent processes should be considered. The methods for providing details of the sequence and interaction of the processes depend on the nature of the organization. Different methods can be used, such as retaining or maintaining documented information (e.g., process maps or flow diagrams), or a simpler approach, such as a verbal explanation of the sequence and interaction of the processes.

c) Criteria and Methods
To make sure that processes are effective (i.e., deliver the planned results), the process control criteria and methods should be determined and applied by the organization. The criteria for monitoring and measurement could be process parameters, or specifications for products and services. Performance indicators should be related to monitoring and measurement, or can be related to the organization’s quality objectives (criteria). Other methods for performance indicators include, but are not limited to, reports, charts, or the results of audits.

d) Resources
The organization should determine the resources needed for processes, such as people, infrastructure, environment for the operation of the processes, organizational knowledge, and monitoring and measuring resources. Considerations on the availability of resources should include the capabilities and constraints of existing internal resources and those that are obtainable from external providers.

e) Responsibilities and Authorities
The organization should assign the responsibilities and authorities for its processes by first determining the activities of the process and then determining the persons who will perform the activity. The responsibilities and authorities can be established in documented information, such as organization charts, documented procedures, operational policies, and job descriptions, or by using a simple approach of verbal instructions.

f) Risks and Opportunities
The organization should ensure that any actions needed to address risks and opportunities associated with the processes are implemented.

g) Evaluation and Changes
The organization should consider the performance data obtained through the review of criteria established for monitoring and measuring. Analyze and evaluate this data, and implement any changes needed to ensure that these processes consistently achieve their intended results.

h) Improvement Actions
The organization can use the results of analysis and evaluation to determine the necessary actions for improvement. Improvements can be made at the process level (e.g., by reducing variations in the way an activity is performed) or at the quality management system level (e.g., by reducing the paperwork associated with the system, allowing persons to concentrate more on managing the processes).

Documented Information
The intent of subclause 4.4.2 is to ensure that the organization determines the extent of documented information that is needed. Documented information is the information required to be controlled and maintained by an organization and the medium on which it is contained.

According to ISO/TS 9002:2016, the appropriate person (e.g., process owner, process output owner, process control person) should review what information is used for the process to perform consistently to deliver the intended output. For information (e.g., procedures, work instructions, visual aids, information and communication systems, drawings, specifications, metrics, reports, key performance indicators [KPIs], meeting minutes, representative samples, verbal conversations) that is used, an analysis of the value to support the process needs to be carried out.

The result of the analysis will be the decision as to which information will be treated as documented information. For example, when top management does strategic planning, they could consult and review relevant information on the internet, such as reports on the current and future status of the organization’s industry sector that have been developed by governmental agencies and other relevant parties. This information should not be considered as documented information, as it is available from the public domain. In contrast, a business plan that includes quality objectives, risk and opportunities, strategies, among other relevant elements (e.g., the organization’s mission, vision, values, and process map) would need to be considered as documented information.

It is up to the organization to specify the distinct types of documented information needed to support the operation of its processes and its quality management system. In determining the type and extent of documented information needed, the organization should evaluate its own needs and apply risk-based thinking. It should also consider its size, activities, types of products or services, complexity of its processes, resources, etc., as well as the potential consequences of nonconformities.

While ISO 9001 specifies the use of documented information in some of its requirements, there can be a need for the organization to have additional documented information (such as documented procedures, websites, work instructions, manuals, regulations, standards, forms, guides, computer software, telephone applications) to control the operation of its processes.

Some of the organization’s documented information will need to be reviewed periodically and be revised to be kept up to date. ISO 9001 uses the phrase “maintain” documented information to refer to these types of “documents”.

Other documented information needs to be “retained” unchanged (unless a correction is authorized) to demonstrate conformity and to have confidence that processes are being carried out as planned. This type of documented information is referred to as a “record”.