What are your expectations of ISO 9001 now that it is 2018?

[Marc]

I'm going to start out with this quote from the "Snake Oil" discussion:

Sidney,

I was stating the future position more in hope than fact.

For B2B the way forward is probably the industry-specific versions of the standard (ISO 9001) with the active engagement of the industry’s top tier customers.

The riskier industries are the first to welcome regulation but even with medical devices we may generally assure quality but we still have a long way to go to prevent major failings.

Aerospace seems to enjoy a virtually defect-free certification regimen largely, perhaps, due the industry versions of ISO 9001 being used in a well-regulated industry. Counterfeit products may be an ongoing threat. Automotive shares this benefit and risk but seems to struggling with the design and development of autonomous vehicles.

Right now the construction industry continues to have many problems virtually untouched by ISO 9001 and certification. A recent bridge collapse in Florida and a tower in London with its blazing cladding spring to mind. The designers, constructors and manufacturers claimed to have used certified products within their certified management systems.

For regulation to work well the demand has to come from the public/industry. As concerned quality professionals I doubt we would be successful in lobbying our government for laws, a regulator, regulations and enforcement until more people die.

Wanting to change a defective service continues to drive us and I guess that is why we are both on the Cove.

John

What are your expectations of ISO 9001 now that it is 2018? And - Do your believe your expectations are realistic?

For example, I have seen the bridge collapse example cited in a few places - I do not see the role of ISO 9001 in that failure. I see the role of, and compliance with, local, state, and federal regulations for designing and building structures as being factors.

 

[Sidney Vianna]

What are your expectations of ISO 9001 now that it is 2018? And - Do your believe your expectations are realistic?

I think the latest document that encapsulates the expected outcomes of accredited certification is pretty much on target.

I see the role of, and compliance with, local, state, and federal regulations for designing and building structures as being factors.

When it comes to product regulatory compliance as in the case of a bridge for an engineering/construction firm, certainly the quality system is expected to achieve and deliver that.

From the document I linked:

analyses and understands customer needs and expectations, as well as the relevant statutory and regulatory requirements related to its products, processes and services ;

 

[Marc]

Yup - I know what they say. I am asking this from a personal level. I already know what the ISO folks say.

Just like the bridge collapse example - Assuming compliance with local, state, and federal regulations for designing and building such structures, how would such a general "standard" as ISO 9001, which is essentially just good business practices, make a difference? Companies have to be doing these things anyway, even if they're not registered to ISO 9001.

Some thoughts:

• How many of the companies listed in stock exchanges around the world are registered to ISO 9001? There are 47 major stock exchanges in the world: Seven are in the Americas, 14 are in Asia Pacific, 26 are in Europe, Middle East, & Africa, 23 stock exchanges are in developed countries and 24 are in emerging countries. It is estimated that there are about 47,383 companies listed in those various stock markets.
• The Family Firm Institute (ffi.org) estimates there are about 24 million private and closely held businesses in the US; Forbes estimates there are about 27 million. How many of these are registered to ISO 9001?
• According to a report by China’s Administration for Industry and Commerce (AIC) released on 14 January 2016, the number of companies in China is 77,469,000. I wonder how many of these are registered to ISO 9001.
• The entire number of companies listed in the United Kingdom: ~3.6 million.

And from about 17 years ago: How Many Companies Are Really Registered to ISO 9001? - How many in 2017?

Part of this is my watching as the Elsmar forum was originally rather focused on ISO 9001 and automotive's QS-9000 and then TS 16949. These days the forum is weighted towards medical devices. In all I've read, medical device safety is mostly due to national and international regulations, with a few ISO sector specific standards which these days are supposed to incorporate ISO 9001, yet add additional requirements or have other typically sector specific requirements. What is the value of such a general standard as ISO 9001 these days?

And when I read some things people write, such as:

In the event of a lawsuit, if a company has a registered ISO 9001-based QMS, the documentation can be obtained through discovery to determine whether the requirements under Clause 4.4, Design Control, have been satisfactorily addressed and audited. The key for any company's defense will be adequate and effective documentation.

I come back to what use is the FDA's GMP and the various FDA regulations? Can ISO 9001 really replace FDA requirements (not to mention Europe's MDD's)? And in the quote above - If it's a lawsuit, a company's design and development records can be gotten through discovery whether the company is registered to ISO 9001 or not.

Coming back to ISO 9001 - I'm wondering why these days so many people are saying things like this: ISO certification schemes are flawed causing risks to public safety - E.g.: the Takata airbag scandal, Deepwater Horizon oil spill disaster, and VW emissions scandal.

So, for example - Is ISO 9001 now supposed to be some sort of guarantor of product or service safety?

I read this recently: "...While mapping out the processes and workflow for ISO 9001 implementation, many moldmakers have discovered wasted steps that have lead to streamlined processes...." I thought to myself: I have always called my services "Business Systems and Standards" consulting. While I did a lot of implementations over the years, I always made it clear to the companies that they should expect the "implementation process" to be the most important part, and that if they wanted me involved it would go far beyond simply compliance to ISO9001. It is there that the value lies. It is there that various problems and things like "wasted steps" are typically identified. If a company is really forward looking they would have identified these before. I have always said that I see value in the implementation process, and I believe it. Actual registration is a different issue.

Do we actually need regulations to ensure that ISO 9001 registered companies are actually in compliance with ISO 9001? And what to make of statements such as "...the industry is dominated by Certification Body registrars (CBs) who violate the rules, and sometimes the law, in order to issue certificates to any company that asks..."? Is the ISO 9001 registration system really that corrupt?

So to come full circle, as a person - What are YOUR realistic expectations of ISO 9001?

 

[Marc]

<snip> When it comes to product regulatory compliance as in the case of a bridge for an engineering/construction firm, certainly the quality system is expected to achieve and deliver that.

as well as the relevant statutory and regulatory requirements related to its products, processes and services ;

So - You're saying we need ISO 9001 to make sure a company complies with relevant statutory and regulatory requirements related to its products, processes and services? What does the FDA do? The US as well as most countries have regulatory agencies which are supposed to be the enforcers. I think I hear you saying that ISO 9001 auditors are to be "cops" to make sure these regulatory agencies are doing what they are doing (ensuring companies have identified and follow their rules and regulations)?

 

[yodon]

It (the original question) is an interesting one.

There's no reason a medical device company would pursue ISO 9001. FDA would not accept the audit results as sufficient (and similarly the EU would not accept compliance to 9001 as a presumption of conformity to the MDD or the MDR). ISO auditors are not qualified to audit to the QSR (or the MDD/MDR). (FDA can accept MDSAP audits but they can still choose to come inspect you even if you have an MDSAP audit - and you'd only have one of those if you were selling in Canada [required] or a group of the participating countries.)

Possibly a more interesting scenario might be some IoT gadget sold commercially. If it has a radio it's supposed to comply with FCC. A 9001 auditor might catch that and press to see evidence.

I think it's quite unrealistic to expect ISO auditors to be regulatory cops. They likely don't know ALL the regulatory requirements in a given locality. The bridge collapse example is quite perfect.

Speaking of expectations, I saw some post somewhere that alleged companies are seeing a 40% reduction in cost after converting to ISO 9001:2015. Uh huh, right.

I don't think my personal expectations have changed regarding a company's compliance to 9001. I would not choose a company solely on them having a certificate. I've seen way too many audits that are rubber stamps with a smattering of findings for show. I think it does provide a good foundation for companies to build on. The basic concept of risk-based thinking would be good for any organization. The downfall comes when companies start trying to do things to pass audits and auditors try to impose their wills on companies rather than looking at results / effectiveness.

 

[outdoorsNW]

On a more positive note for ISO9001, I think ISO9001 makes a difference, at least sometimes.
I started a new job about a year ago. In my first few weeks I looked at the previous year’s supplier nonconformances for suppliers of custom metal products. I had no know prior knowledge of any of the suppliers in this group. I looked at the nonconformance rate by total parts, dollars, and POs.
After I was done, I looked up if the supplier was ISO90001, AS9100 or none. I found the worst 2 (by a good margin) out of 10 suppliers were the only two not ISO9001 or AS9100. I did not see a correlation that suppliers with AS9100 were any better than suppliers with only 9001.

 

[jack770214]

My expectations are that the standard evolves into something that becomes an effective quality standard used for a baseline business operating system framework. With each new standard "the why" that supports "the what" of the standard should be in alignment to modern business models. For instance businesses are moving toward automation and software...the term Operator is almost archaic.

Sent from my LGMP260 using Tapatalk

 

[Tagin]

My perspective is that ISO 9001 is first and foremost a product being marketed and sold. Like most products, the aim is to increase revenue, by 1) reaching into new markets, 2) expanding adoption in existing markets, and 3) selling more add-on products and services.

My expectation is that in the efforts to achieve #1 and #2 ISO 9001 will continue down the path toward vagueness, thought-crime clauses, etc. in the name of 'broadening' its applicability and markets. As this direction garners more and more confusion, criticism and backlash, there may be some attempts to mitigate that negativity to avoid loss of sales.

One direction that mitigation could take would be to rewrite the standard with greater clarity of style, auditability, and meaning:

1. Currently, it is a confused mix of prose and bullet items. E.g., 9001:2015 7.1.5.2 has requirements a,b,c but then has a statement "The organization shall determine if the validity of previous measurement results..." which should be another bullet labeled 'd' but that wouldn't fit in the way they have it structured linguistically, so it hangs off the end of the section like an "oh yea, by the way, do this too!". "One bullet / one requirement!" should be the meme.
2. Thought-crime requirements, like RBT, should be removed/elevated to a status of 'guiding principles' behind (above?) the standard, but not be part of the requirements per se.
3. The inclusion of an authoritative (i.e., not a "guidance" doc which includes a disclaimer that they don't stand by it) companion document which answers "Why this requirement X is in the standard" for every X in the standard. If the requirements have a justification and intent for their inclusion, then let there be light and the justifications and intents be shone upon! As it currently stands, an alien visitor to Earth reading the internet quality discussions might think that ISO 9001 harkens from some mystical ancient civilization whose true intent and meaning were lost in the mists of time, and we discuss and ponder over the "intent" as if these were cryptic aphorisms found on stone tablets. (This companion doc would go a long way toward disambiguating the confusion over the "intent" of each requirement, which in my view constitutes 87.654321% of all internet and auditor discussions about a requirement.)

On the other hand, what I would actually expect is a doubling-down of the current trend. I could even see the incorporation of what I would call 'defensive clauses'; e.g., furthering the encroachment of the standard into the management and philosophy of the organization as a way to tamp down the wrong-think of criticizing the standard. That is, the response to criticism and backlash would be to incorporate types-of-thinking requirements that essentially make such criticisms into nonconformances. To better serve the customer, make it a requirement that the customer become more suited to the product.

This may sound terribly pessimistic, but when viewed as a marketed product, I do not see much in the way of competition that carries the reputation (however deserved or not that reputation might be) of ISO 9001 or its sister products. There is thus little incentive to reinvent 9001 in response to some competitor products; instead, this organism called ISO 9001 will likely mutate largely unchecked so as to further exploit its current ecological niches (markets) and ooze into yet other niches, as long as it has a steady energy supply of reputation and auditing activity to feed from.

I do think 9001 has value and can improve an organization. However, it creates undue overhead and confusion due to unnecessary vagueness, style, dubious auditability, and refusal to categorically state the intent of each and every clause. Only when these characteristic flaws begin to notably impact their revenues will this trend be corrected.

 

[Golfman25]

My perspective is that ISO 9001 is first and foremost a product being marketed and sold. Like most products, the aim is to increase revenue, by 1) reaching into new markets, 2) expanding adoption in existing markets, and 3) selling more add-on products and services.

My expectation is that in the efforts to achieve #1 and #2 ISO 9001 will continue down the path toward vagueness, thought-crime clauses, etc. in the name of 'broadening' its applicability and markets. As this direction garners more and more confusion, criticism and backlash, there may be some attempts to mitigate that negativity to avoid loss of sales.

One direction that mitigation could take would be to rewrite the standard with greater clarity of style, auditability, and meaning:

1. Currently, it is a confused mix of prose and bullet items. E.g., 9001:2015 7.1.5.2 has requirements a,b,c but then has a statement "The organization shall determine if the validity of previous measurement results..." which should be another bullet labeled 'd' but that wouldn't fit in the way they have it structured linguistically, so it hangs off the end of the section like an "oh yea, by the way, do this too!". "One bullet / one requirement!" should be the meme.
2. Thought-crime requirements, like RBT, should be removed/elevated to a status of 'guiding principles' behind (above?) the standard, but not be part of the requirements per se.
3. The inclusion of an authoritative (i.e., not a "guidance" doc which includes a disclaimer that they don't stand by it) companion document which answers "Why this requirement X is in the standard" for every X in the standard. If the requirements have a justification for their inclusion, then let there be light and the justifications be shone upon! As it currently stands, an alien visitor to Earth reading the internet quality discussions might think that ISO 9001 harkens from some mystical ancient civilization whose true intent and meaning were lost in the mists of time, and we discuss and ponder over the "intent" as if these were cryptic aphorisms found on stone tablets. (This companion doc would go a long way toward disambiguating the confusion over the "intent" of each requirement, which in my view constitutes 87.654321% of all internet and auditor discussions about a requirement.)

On the other hand, what I would actually expect is a doubling-down of the current trend. I could even see the incorporation of what I would call 'defensive clauses'; e.g., furthering the encroachment of the standard into the management and philosophy of the organization as a way to tamp down the wrong-think of criticizing the standard. That is, the response to criticism and backlash would be to incorporate types-of-thinking requirements that essentially make such criticisms into nonconformances. To better serve the customer, make it a requirement that the customer become more suited to the product.

This may sound terribly pessimistic, but when viewed as a marketed product, I do not see much in the way of competition that carries the reputation (however deserved or not that reputation might be) of ISO 9001 or its sister products. There is thus little incentive to reinvent 9001 in response to some competitor products; instead, this organism called ISO 9001 will likely mutate largely unchecked so as to further exploit its current ecological niches (markets) and ooze into yet other niches, as long as it has a steady energy supply of reputation and auditing activity to feed from.

I do think 9001 has value and can improve an organization. However, it creates undue overhead and confusion due to unnecessary vagueness, style, dubious auditability, and refusal to categorically state the intent of each and every clause. Only when these characteristic flaws begin to notably impact their revenues will this trend be corrected.

Pretty spot on, imo.

One thing I think would help is if they broke the standard into 2 -- one for product manufacturing and one for service industries (banks, hospitals and such). That way they could use our manufacturing jargon so we could understand what they are thinking about. Plus, they might see service providers adopt the service version as they won't see it as a manufacturing standard.