#51 – ISO 9001:2015 DIS CONCERNS – UMBERTO TUNESI

Umberto Tunesi pixIn my previous piece titled “Beethoven’s Fifth and ISO 9001:2015” of August 2013, I commented ISO 9001:2015’s Committee Draft (CD).  And – as typical of me – I was not soft.

Now that its interim Draft International Standard (DIS) is available for voting by ISO Members before the Final Draft and the International Standard will be published, I also feel the need to comment the DIS, hoping that my comments will be beneficial to the “actors” who will use it.

There are a few paths that I could follow to comment the DIS:

One, I could go back to my previous comments and review them against the changes between the CD and the DIS.

Two, forget about my previous comments to the CD and start anew.  I prefer this second path because first, I’m a lazy man so I don’t want to read again what I wrote some ten months ago and second, I guess that you readers would prefer a fresh look rather than being fed with “leftovers” from a previous piece.

Of course, those of you who’re so active to compare my previous piece with this will find some similarities and contradictions, too.  B ut, as an italian saying goes, in the meantime much water has flown under the bridges, meaning that things may have changed.

Three, due to the differences between the DIS and the CD, further differences can be expected in the Final Draft and in the Standard itself.  Therefore it seems to me quite uneventful to spend much time on the DIS, if it were not for the sake to dig into the ISO’s Committee’s thinking.

Nonetheless, this process seems also to be a significant change as compared to the previous ISO 9001’s, where there were scant differences in the process of development from drafts to the final standard.  Maybe that ISO is now more focused on the ever changing Market and on its own market, too.

Due to the changes in worldwide economy, we might as well expect Chinese or other standards to take over ISO, ASTM and other western standards.

ISO 9001 5th (2015) is expected to represent a major change in ISO 9001 philosophy, making therefore its understanding – more than its knowledge – a major impact on audit, and auditors’, culture.  And therefore profoundly affecting consultants’ and trainers’ job.

There’s one more point: I intend to move throughout the DIS’s text by not following it page by page, but rather summarizing its contents in some basic categories, that I try to classify in order of riskiness for the ISO 9001 5th’s Users, such as:

  • Interesting points.
  • Information worth considering;
  • Apparent contradictions;
  • Areas of concern.

What follows is based on the interim DIS at my disposal.  What you have in your hands might differ from it, yet I expect any DIS’s basic structure to be substantially the same.

One more warning: as any standard, it has not to be read parceling it by but in a holistic way: the whole is much larger than the sum of its parts.

INTERESTING POINTS

Foreword:

Trade constraints are mentioned, such as patent rights, use of trade names, and WTO’s and TBT’s (Technical Barriers to Trade) rules.

Further on, the DIS’s clauses’ structure is compared to ISO 9001 (2008)’s and the approach to simultaneously meeting two or more standards’ requirements is briefly mentioned.

It’s therefore a Section worth knowing and understanding, because we all too often bypass the introductory sections of standards and go straight to requirements.  We tend to neglect the basics but dig instead into details.  “They will teach you the Hows instead of the Why’s” seems to be the bell that tolls in our minds.

This is a general bad habit, that we should all start trying to avoid when working at management systems.

Introduction:

0.1 General:

Design, implementation and maintenance of a quality management system is strategic decision that has to be be taken by the organization’s top management.

All too often, in my auditor career I met with organizations where the top management assigned the quality management system to young non empowered fellows, saying to  them “you do quality and I do business”.  Still, ISO 9001 5th is a blunt knife, since it doesn’t empower auditors to hit the heart of the matter.  How can any registrar’s auditor raise a major non conformity against a top manager that only shows its involvement by words, but not by facts?  This doesn’t allow any registrar’s auditor any truly effective corrective action.

Context

Let’s call it organization’s environment or habitat, it doesn’t matter.  ISO 9001 started using this term since its latest edition and I find it a great step forward.  Pity that most auditors still stick to the wording of ISO 9001 and don’t interpret it in the light of the context in which the organization operates and intends to operate.  ISO 9001 is such a broad-range standard that requires much attention when verified for implementation and maintenance  We should stop, once for all, to read it as it is, but read it instead “between the lines”.  Understanding requires knowledge and effective implementation of rules requires understanding further to knowledge.

0.2 The ISO Standards for Quality Management – ISO 10000 number range

The ISO 10000 series includes a number of interesting and useful guidelines that are typically neglected, examples of which follow.  We keep sticking first to requirements rather than digging further into what requirements mean and how they can be constructively approached.  Let’s see now some of the ISO 10000 Standards series:

  • Customer satisfaction.
  • Quality plans.
  • Quality management in projects.
  • Configuration management.
  • Measurement processes and equipment.
  • Documentation
  • Quality management system financials and economics.
  • Statistics.
  • Personnel.
  • Quality management system consultants.
  • Quality management system audits.

Qualitatively, all these topics are crucial to an effective functioning of a quality management system, therefore their risk level is very, very high.

Exception made for customer satisfaction requirements, on which I’m very cold because I don’t trust its usual methods of investigation and analysis of results, and measurement processes and equipment, that I often consider like one more organization owner’s Ferrari, all remainders are basics and should be treated as such.  Therefore, knowledge and understanding of the related ISO series standards cannot be but beneficial.

INFORMATION WORTH CONSIDERING

Introduction:

0.1 General:

Risks associated with organization’s context and objectives.

Since context and objectives determine the organization’s processes – although DIS’s Section 3 Terms and Definitions defines the term determination quite vaguely (ref. 3.67) and often registrars’ auditors ask for documented evidence of determinations, thus making life difficult to small to medium sized organizations, mainly but not only – the association concept means that risk is a process, too, and that it has to be approached as such.

I’ve written some pieces dealing with this view of mine, emphasizing that isk is far from being a cause or an effect but being a process in itself h to be managed as such.

No structure and documentation uniformity needed.

We’re back to the roots, once more.  Though the approach “copy and paste” may be very convenient to consultants, trainers and to registrars’ auditors too.  As a twenty years career auditor I must blame the organizations that accept this approach.  t doesn’t reflect who they are, what they do and how they do it.  It doesn’t honor either the consultants, the trainers and the organizations themselves.

Once, I found myself studying a quality management system manual of an organization in Sicily, producing diagnosis reagents.  In the section addressing personnel, I read that its personnel was specifically trained and qualified to maintain motorbikes …

0.2 The ISO Standards for Quality Management: organizational benefits

Here again the DIS seems to stumble upon a cobblestone.  On one side it says it has to be beneficial to organization’s customers and on the other it says it can be beneficial to the organization itself.

Maybe this is a further apparent contradiction (see below) but in this piratical business world of ours it’s very, very difficult to imagine any reasonable organization sacrificing itself for its customers’ life.

See also Introduction,  Section 0.3 Process Approach, Section 0.5 “Risk-based thinking” and Section 1 Scope

Section 3 Terms and Definitions:

It has evidently been improved against the previous CD’s Section, though it’s now a quite long read and study.

There’re many clones as compared to previous ISO 9001’s one would have expected.   They’d be put in the background or clarified or expanded: as it is now.  This Section risks to be overlooked, due to its redundancy.

Apparent Contradictions:

Section 6.1.2 refers planning and monitoring actions to address the determined risks.  We’re back to the roots because ISO 9001 5th DIS pushes us to focus on the risks for product or service conformity and the only help it gives us is ISO 31000.  Fair enough, but when ISO 9001 5th DIS tells us that it can improve our quality management system to our company’s or organization’s benefit, it sounds contradictory in today’s quite piratical business world.

Angels don’t walk on Earth.

Areas of Concern:

Section 0.3 Process Approach and Section 0.4 Plan-Do-Check-Act Cycle: much has been said and written – may be too much – on both topics.  But looking for touchable outcomes, it doesn’t seem that most organizations or companies, especially the smaller ones, have come out smartly since these principles were first included in ISO 9001 and related Standards.  We’ve therefore to be very careful when implementing both principles and when we do it, we’ve to be very well aware of the context (see above) in which we operate.

In spite of the many documents that ISO has issued to interpret ISO 9001’s requirements, I seldom met registrars’ auditors who know them.  Besides, auditors’ exams are only based on testing their knowledge of the Standard only, ignoring all the deciphering related documentation.

Section 0.5 “Risk-based thinking”: that risk-based thinking was always implicit in ISO 9001 is quite doubtful.  ISO 9001 has always pushed hard on conformity to specifications, instead.  And leaving to the ISO 31000 guideline, the establishment of a formal risk management system sounds like Pilate’s hand-washing.

Section 0.6 Compatibility with other management systems:

Leadership, policy and responsibilities (clause 5):  This has always been an, if not “the”, Achille’s heel of ISO 9001 implementation, therefore affecting quality management systems’ effectiveness and improvement, if and as applicable.

Until registered organizations or companies will be Registrars’ or Certification Bodies’ customers, and pay for their fees, there’ll be no true independence, hence registrars’ auditors will never be allowed to point their index finger where the real failure lies.

The whole of ISO 9001 5th DIS is in practice a reprisal on its previous editions on leadership, policy and responsibilities and therefore doesn’t empower auditors, consultants or trainers to push the leader(s) to act as such. Once more, ISO 9001 is a blunt knife in this context: company owners or organization leaders will keep doing just what they want and the “customer focus” will continue to be an illusion to maintain or attract customers when they come in.

For QS 9000 and ISO/TS 16949 a customer is a “king” or even an “emperor”; but it’s just like when our mother or mother-in-law visits us: everything has to be absolutely in order and neat, but before or afterwards, well …

Process for improvement: it is long being debated; when organizations or companies struggle for survival in their own context, what’s more important for ISO 9001 conformity? Context or improvement?

Section 4.4 quality management system and its processes, sub-item risks and opportunities refers Section 6.1.1,   sub-item prevention, reduction of undesired effects: this brings us back to Section 0.5 “Risk-based thinking”, that  is qualitatively and quantitatively evaluated risks.

Sections 4 Context of the organization, 5 Leadership and 6 Planning for the quality management system are probably the most important Sections of this DIS. If we fail to properly evaluate and implement these requirements, we might very well end up in not making a quality management system work but only looking for product or service conformity.

Sections 7.1 Resources, 7.2 Competence, 7.3 Awareness, 7.4 Communication, 7.5 Documented information make no reference to the context in which the company or organization operates or intends to operate.

In a growingly worldwide multi-religion, multi-cultural, multi-lingual context, these aspects have to be taken into account.  I do certainly understand English language but – as an Italian – I would have London’s fish and chips if only starving for hunger.

In addition to this, Section 7.1.5 Monitoring and measuring resources deserves special attention.  Since many years, the so called industry leaders have spent huge money for devices that – yes – are only used to collect dust.

Just like the Ferrari’s, they use once a month, often much less.  And some of these devices don’t cost less than a Ferrari, too.

This means a useless company’s or organization’s bleeding; but, as we saw above, how can any auditor write a major nonconformity against such a bad leadership, to correct it?

One more point on Section 7 Resources: in today’s computer dominated world, the younger generations have all the cards to succeed while the older ones, despite how skilled they are, are doomed to retire. This means a waste of resources: the young don’t teach the older and won’t learn from them.

Section 8.3 Design and development of products and services:  ISO 9001 5th DIS seems to keep ignoring that since decades business requires “co-design” or does sub-contract design, a striking example of which is the drug Industry.  If the requirements of Section 8.3 have to fit the present business context they have to be interpreted very attentively and not only sticking to “what’s written in the Standard”.

Oddly enough, while ISO 9001 adapts itself to the ever changing manufacturing processes, it’s like a pyramid when it’s about design and development processes.

Section 8.4 Control of externally provided products and services  Here there are some golden rules.

First, when you control the received product or service it’s often too late.

Second, though boring or expensive may be, supplier’s audits are effective tools to prevent mishaps; and there are also second party auditors in far away countries.

Third, use mom’s approach.  W hen you’re cheated three times, change supplier.

All the rest is just paper to make auditors happy.

Sections 9 Performance evaluation and 10 Improvement: “épater la bourgeoisie”, would say the French, make the auditors happy, “nothing else matters”.  It’s quite depressive that out of ten – ten ! – Sections there’re just a very few that are really taken care of, and those concern product or service features.  ISO 9001 should be used as a tool to ensure the functionality of a company’s or organization’s quality management system, thus including its own quality.

The sub-section that is dedicated to internal audit, which is a basic tool to evaluate the organization’s performance and provide input to its improvement process.  This indicates  nothing new as compared to the CD, to the previous ISO 9001’s and to the ISO 19011 guideline.

Unless the top management intends to do it, internal auditors are not – not  – empowered by the DIS to enforce the corrective or preventive actions arising from internal audits’ results.

Once more, this DIS’s sub-section reminds of Leslie Nielsen’s  “The Naked Gun” films.

Conclusion:

As we see, as the “apparent contradictions” lines score low quantitatively, but they don’t do at all qualitatively.

ISO 9001 5th DIS still suffers its predecessors’ malady.  T hough it invokes its implementers’ consistency, it’s itself inconsistent.

Our expectations, as risk professionals, would be that ISO 9001 5th’s final draft and internal standard would address more thoroughly the risks of not properly addressing all of its requirements, rather than keeping listing a number of “shall’s” or “should’s”.

Organizations – as such – know what they have to do.  They now have to be aware of the risks the ISO 9001 implementation.

Leave a Reply

Your email address will not be published. Required fields are marked *