What’s New and Why Is It in MY Standard? Part 2

Last time we talked about the problem. Now, we’ll put it together…

Inclusion of each “requirement” brings with it its own unique set of challenges and therefore its own unique ways of dispensing with it. However unique, though, we can identify some universal truths and, in doing so, gain insight into risk treatment. These are:

  • Etymology – the origin of the word and the historical development of its meaning.
  • Implication – auditor’s interpretation, perception of etymology.
  • Mitigation – What the hell are we going to do about it?

Let’s take Human Factors, for example… The elephant in the room.

Clause 7.1.4 says:

“Environment for the Operation of Processes

The organization shall determine, provide, and maintain the environment necessary for the operation of its processes and to achieve conformity of products and services.”

Then adds:

“NOTE: A suitable environment can be a combination of human and physical factors, such as:

  1.  social (e.g., non-discriminatory, calm, non-confrontational);
  2.  psychological (e.g., stress-reducing, burnout prevention, emotionally protective);
  3.  physical (e.g., temperature, heat, humidity, light, airflow, hygiene, noise).

These factors can differ substantially depending on the products and services provided.”

Without the Note, this clause is very much the same as the old clause 6.4, but with the Note, suddenly all the bells and whistles go off.

How is an auditor going to reasonably assess if a company has provided a proper “social and psychological environment” – non-discriminatory, calm, non-confrontational, stress-reducing, burnout prevention and emotionally protective? A ‘touchy-feely’ world?

Clause 10.1 goes on to say…

“The organization shall determine and select opportunities for improvement and implement any necessary actions to meet customer requirements and enhance customer satisfaction.

These shall include:

b) correcting, preventing, or reducing undesired effects”

This might be construed as requiring us to recognize that humans are prone to errors. But, if so, must we design the process and environment to prevent and reduce human errors? Could be, except to me, it sounds more like Poka Yoke – Mistake Proofing. Hey, what do I know?



Anyway – This is especially important in aerospace, where it is estimated that 80 percent of accidents and maintenance errors can be attributed to human factors.

Fortunately, the aerospace industry has long been cognizant of the need to address human factors, and there are several good resources available to the public on the internet:
• The Federal Aviation Administration’s Aviation Maintenance Technician Handbook, which added an addendum on human factors
• The SAE’s Supply Chain Management Handbook, which added an update on human factors in 2014

Human Factors is defined as:

“Human Factors: The study of human behavior (physically and psychologically) in relation to particular environments, products, or services and the potential effect on safety. Recognition that personnel performing tasks are affected by physical fitness, physiological characteristics, personality, stress, fatigue, distraction, communication, and attitude in order to ensure a safe interface between the personnel and all other environmental elements such as other personnel, equipment, facilities, organizations, procedures, and data.”

Note: Keep in mind that what began as a Health and Safety practice (hence the ergonomics part), and was more popular on the ‘other side of the pond,’ has morphed into a completely different discipline.

Enter ISO 9001:2015 and for all the evidence that TC 176 ignores the rest of the world, this odd requirement seems to have crept in. You can’t tell because the requirement isn’t named as such, but it appears to be the same “Human Factors” requirement from AS 9110, the aircraft repair station standard.

In AS 9110, the requirements for “Human Factors” (HF) are:

“The organization shall determine and manage the work environment needed to achieve conformity to product requirements. The work environment shall give consideration to human factors and human performance, and ensure that the effectiveness of personnel is not unduly impaired.”

So, how did an Aerospace requirement, “Human Factors,” end up in ISO 9001:2015?

OMG – It’s ISO 9000!

The answer is that it wasn’t an aerospace requirement after all. If you go back to ISO 9000:2000 we find that HF has slept unnoticed and dormant for the past 16 years.

Here’s the definition of “work environment” provided by ISO 9000:

“3.3.4 work environment: set of conditions under which work is performed

NOTE Conditions include physical, social, psychological and environmental factors (such as temperature, recognition schemes, ergonomics and atmospheric composition).”

Then, we need to look at ISO 9004 for more of the same:

“6.6 Work environment:

The organization should provide and manage a suitable work environment to achieve and maintain the sustained success of the organization and the competitiveness of its products. A suitable work environment, as a combination of human and physical factors, should include consideration of

  • creative work methods and opportunities for greater involvement to realize the potential of people in the organization,
  • safety rules and guidance and the use of protective equipment,
  • ergonomics,
  • psychological factors, including workload and stress,
  • workplace location,
  • facilities for people in the organization,
  • maximization of efficiency and minimization of waste,
  • heat, humidity, light, airflow, and
  • hygiene, cleanliness, noise, vibration and pollution.

The work environment should encourage productivity, creativity and well-being for the people who are working in or visiting the organization’s premises (e.g. customers, suppliers, and partners).

At the same time, the environment complies with applicable statutory and regulatory requirements and addresses applicable standards (such as those for environmental and occupational health and safety management).”

Remember, neither 9000 nor 9004 contains auditable requirements, but this is where the insidiousness creeps in. If you remember part 1, I said to “Hold that Thought?” Here it is! ISO 9001 gives us the news today… ISO 9000 and 9004 show us tomorrow’s news. And, it’s been this way almost from the beginning…

So the bottom line is, someone took what had previously been an optional, advanced best practice of ISO 9004, defined in a non-binding ISO 9000 definition, and made it an auditable, mandatory requirement in 9001.

(Yes, it’s a “note” — but that doesn’t stop auditors from trying to enforce it!)

In this part, we have discussed Etymology and Implication, next time we’ll look at Mitigation. See you next time…

Note: The Kilpatrick Group would like to express thanks to Oxebridge Quality Resources International and their Senior V.P. Christopher Paris for his contribution to this series.

What’s New and Why Is It in MY Standard? Part 1

The 2015 revision of ISO 9001 is thrust upon us (for over a year now) and it is Greek – gifts anyone?

  • Changes in structure, expanding the number of sections to ten from the previous eight with additions in performance management and evaluation, to help with future alignments among different standards through the new High Level Structure (HLS) which provides a framework for drafting standards which can be applied concurrently (integrated management systems or multiple management systems) such as ISO 9001, ISO 14001 and ISO 27001. Hold This Thought!
  • Movement away from the classical corrective/preventative action approach to more of a general risk management model based upon ISO 31000:2009, Risk Management-Principles and Guidelines, (but sugar-coating it by calling it Risk-Based Thinking.)
  • Requiring systems which take into account the “context of the organization,” “identification of Interested Parties” and consideration of “Scope and Boundaries” which implies broader measurement, planning and implementation, perhaps taking into account areas such as “sustainability” (energy use, materials procurement, environmental impact, etc.), “corporate social responsibility” (social accountability) and “organizational resilience and health.” The latter seems to incorporate areas relating to business continuity and disaster recovery.
  • Movement of “documents” (ISO 9001:2008 Clause 4.2.3) and “records” (Clause 4.2.4) to “documented information,” (ISO 9001:2015 Clauses of 7.5) seems to be more accepting of electronic documents and document control approaches. However, the new clause language, which more generally requires organizations to retain documented information as evidence of implementation, has opened up debate as to whether the Standard is mandating procedures as it did in the past. Don’t go there.

Now, it is my belief, although I have no proof, that all the inclusions are of greater interest to our brothers and sisters on the ‘other side of the pond’ and as such, makes me question their relevance to organizations here in the US – certainly inclusion of what we’ll refer to as ‘Fringe Topics,’ i.e. those related to business but not within the scope of ISO 9001, such as, Information Security and Energy Management, fall under scrutiny.

And are these bad things? In and of themselves, I have to say no… but yes.

The re-structuring to 10 clauses and reduction of foundational principles is neither a plus (in most cases – still holding that thought?) nor a minus – It’s just different. The reduction of prescriptive requirements (i.e. documentation), on the other hand, is a real plus, but that’s where I have to draw the line.

Image courtesy of Dr. Seuss Enterprises, L.P.


Inclusion of ‘Fringe Topics,’ for Big Business, is good for the rest of us; in a way, it will nudge them down a more socially responsible path, but we’ll pay for it through increases in goods and services due to the rising ‘cost of doing business.’ The same is not true for the small businessman. Amidst the continual heaping of additional requirements on an already straining annual budget we’ll hear the cries for mercy – it’s a horny dilemma – “Should we continue to play or should we take our toys and go home?”

I see the 2015 revision as the beginning of the end for many of us, not able or willing to justify the additional expenses of this escalating pay to play ‘merry–go–round’ and growing reluctance to continue to fight the good fight only to risk confrontation with our customers.

For 2015, TC-176 introduces greater emphasis on: Leadership and Process Approach, then tosses in Risk, Knowledge and Supply Chain Management, all of which are not necessarily bad things but they foreshadow shapes of things to come – referencing standards like Environmental Management & (soon to be released) Occupational Health & Safety. These may be of great interest in countries with weaker or no legislative oversight but here in the US we have the EPA and OSHA, both of which have the power to levy financial pain (fines) or even file criminal charges (prison time) for violation. And, with veiled threats, as seen in above references to Information Security, Energy Management, Business Continuity and Corporate Social Responsibility, one begins to suspect, if included – even as notes in ISO 9001 (the way Human Factors has been included), a plethora of obscure nonconformities looming ominously above our heads.

It would appear on the surface that the introduction of seemingly innocent concepts like risk-based thinking, something I would expect most business people are not just familiar with but actively engaging in, is more a recognition of existing practice than an actual requirement. But I may be in the minority in interpreting these as such, and I therefore worry that others’ interpretations may open us up to serious threat from assessors whose competence in such disciplines would, or at least should, be challenged.

But wait, there’s more – Even as these Standards proliferate, the insidiousness of ISO remains hidden from all except those who know where to look!

The most innocent of references, like Organizational Knowledge (7.1.6) have an associated Standard (in draft – Reference SI 25006, AS 5037 & BS 2001 as guidance documents) or Lean (ISO 13053.) And, you start to get the picture.

So, what does this all mean? Still holding that thought? It means, if you want to play the game, you have to buy the Standards! Which Standards? Well… all of them! After all, ISO is nothing more than a book (Standards) publishing house and yes, each of the subjects listed above also has an associated Standard.

  • ISO 14001 – Environmental Management,
  • ISO 45001 – Occupational Health & Safety,
  • ISO 27001 & 2 – Information Security,
  • ISO 50001 – Energy Management,
  • ISO 22301 – Business Continuity,
  • ISO 26000 – Corporate Social Responsibility

Now consider this… you have just spent thousands of dollars for a library of standards ($500 alone for Information Security.) What do you think it will cost you to implement and maintain the program? Not an expert in all the above? Add the cost of a consultant!

So, now what?

We’ll take a closer look in part 2.

Interested Party Analysis

The question was recently posted… “What’s the best way to determine my Interested Parties?”

There are many ways of accomplishing this but one tried and true method is an Interested Party Analysis.


Identification of an Interested Party’s expectations is an essential part of developing a compliant QMS. A common method of determining this is with an Interested Party Matrix – where the Interested Party is plotted against two variables. These variables might be plotting the level of ‘stake’ in the outcomes of the organization against ‘resources’ of the Interested Party. Another is the ‘importance’ of the Interested Party against the ‘influence’ of the Interested Party.

The concept is the same, though the emphasis is slightly different.


Boxes A, B and C identify the key Interested Parties. The implications of each box are summarized below:

Box A
These are Interested Parties appearing to have a high degree of influence on the organization, who are also of high importance for its success. This implies that in the implementing of the QMS the organization will need to construct good working relationships with these Interested Parties, to ensure an effective coalition of support for the company. Examples might be the senior local officials and politicians or trade unions.

Box B
These are Interested Parties of high importance to the success of the organization, but with low influence. This implies that they will require special initiatives if their interests are to be protected. An example may be traditionally marginalized groups (e.g. Indigenous people, youths, seniors), who might be beneficiaries of a new service, but who have little ‘voice’ in its development.

Box C
These are Interested Parties with high influence, who can therefore affect organizational outcomes, but whose interests are not necessarily aligned with the overall goals of the company. They might be financial administrators, who can exercise considerable discretion over funding disbursements. This conclusion implies that these Interested Parties may be a source of significant risk, and they will need careful monitoring and management.

Box D
The Interested Parties in this box, with low influence on, or importance to the organizational objectives, may require limited monitoring or evaluation, but are of low priority.


To provide a clearer understanding of Interested Parties and, as a result, provide insights as to how best to engage them.


Use for the QMS either in the early stages, or with a group developing an Interested Party plan.

Special considerations/weaknesses:

All analytical tools are only models. The tool is dependent on subjective data, and will vary according to the person and situation being used. It should probably not be a public document.


1. Make a list of all Interested Parties.
2. Write the name of each Interested Party on a post-it note or index card.
3. Rank the Interested Parties on a scale of one to five, according to one of the criteria on the matrix, such as ‘interest in the organizational objectives’ or ‘interest in the financial success’.
4. Keeping this ranking for one of the criteria, plot the Interested Parties against the other criteria of the matrix. This is where using post-it notes or removable cards is useful.
5. Ask the following questions:
  • Are there any surprises?
  • Which Interested Parties do we have the most/least contact with?
  • Which Interested Parties might we have to make special efforts to ensure engagement?

And there you have it… Hope this helps.