The Hidden Requirements of ISO9001:2015 – An Introduction

The origins of this series were long in the making – An in-depth report on what it is and how to deal with it. It started back in 2010 while researching trends in Standard development. I noticed a correlation between updates in ISO 9004 which later found their way into ISO 9001. Granted the current revision of ISO 9004 was released in 2009 so I was a little slow on the uptake. But in my defense, I was managing a consulting business at the time, traveling and serving many clients along the way.

What I noticed was the progression of topics of current interest in the UK, finding their way into BS (British Standards) documents and migrating into ISO Standards or vice versa. Sometimes with the same identifier (number), sometimes different. But sometimes with only a ‘hat tip’ to the original, inserted into ISO 9004 only to be incorporated into the next revision of ISO 9001.

The tracking of these Hidden Requirements, as I like to call them, has become a game for me and identifying and implementing the ‘next best thing’ is what has kept me ahead of the competition for quite a while. When I say ‘competition’ I’m really referring to CB auditors. I know something today that they don’t and I’ve ‘beaten them to the punch.’

Take Risk, for instance, and call it what you like – I began implementing Enterprise Risk Management Frameworks (ERM) for clients back in 2011. For some, a four-year history of both formal and informal risk assessments is more than enough ‘objective evidence’ to convince any CB auditor that the requirements of ‘Risk Based Thinking’ are being met.

The relationship between BSI and ISO is common knowledge (as bed-fellows usually are) and so it makes sense that ISO would want to ‘cash in’ on the spoils, making the ideas contained therein an International Standard instead of just a National Standard. ISO 45001 is a good example – replacing the National Standard BS / OHSAS 18001: 2007 with an International version and of course usurping the copyrights.

But I digress… So, here’s the hype

Annex SL: Origins

Annex SL grew out of what was previously known as ISO Guide 83. ISO claimed that most organizations have more than one management system, and many expressed frustrations at the extra time and resources that it took to implement and certify their various management systems with differing structures, definitions, and requirements. ISO Guide 83, which was adopted in 2011, was the first formal effort to create consistency in structure and terminology across ISO management systems standards.

Annex SL: A common structure

Annex SL was created by ISO to provide a universal high-level structure, identical core text, and common terms and definitions for all management system standards. It was designed to make it easier for organizations that have to comply with more than one management system standard.

What I’m seeing today in ISO 9004 pertains to implementation of multiple management systems, specifically ISO 14001, ISO 45001 and ISO 27001. I suspect at least some aspects may become mandatory requirements in some later revision of ISO 9001, made possible by this new HLS. In 2027 I don’t want to hear any whining that I didn’t tell you so!

So on to Hidden Requirements. One thing you will note is by the time these make it into ISO 9001, a Technical Committee (TC) is, or soon will be, formed along with sub-committees whose responsibilities it is (will be) to develop standards which in turn will generate revenue.

First on the list is Human Factors (TC-159). If you read my last post, “What a Good Question,” you may have noticed I mentioned that, “It begins with environment: ergonomics, light, temperature, noise level (safety guy stuff) as conducive to productivity (things like the ‘Hawthorne Effect’) and moves to stressors and eventually the cause for nonconformance (and its opposite: Poka-Yoke.) ISO 9001 is presently only interested in the former, AS 9100 the latter. As I see it, eventually, both AS & ISO will be interested in both and you’ll need to be ready for it!”

ISO/TC 159 Ergonomics
Creation date: 1974

ISO/TC 159/SC 1 General ergonomics principles
ISO/TC 159/SC 3 Anthropometry and biomechanics
ISO/TC 159/SC 4 Ergonomics of human-system interaction
ISO/TC 159/SC 5 Ergonomics of the physical environment

Standardization in the field of ergonomics, in particular, general ergonomics principles, anthropometry and biomechanics, ergonomics of human system interaction and ergonomics of the physical environment, addressing human characteristics and performance, and methods for specifying, designing and evaluating products, systems, services, environments and facilities


Total number of published ISO standards related to the TC and its SCs (number includes updates): 128

Really! 128 Standards already? Yep – Get ready to open the pocketbook! Now on to what it is and what we need to do about it.

What’s New and Why Is It in MY Standard? Part 3

Is your HF Program effective?

In our last post we learned a little something about Human Factors. Now we’ll learn how to tell the auditor, “Go to ‘H’ ‘E’ double hockey sticks!” and have them look forward to the journey.

Originally conceived as an Occupational Health and Safety practice, focusing on controls to minimize safety hazards and conditions leading to personal injury, Human Factors was later adapted by the US military for people working with “complex systems” and adopted by organizations within suitably complex industries such as FAA aircraft repair stations, space vehicle design and nuclear power. It’s a complicated group of disciplines, comprising multiple components such as ergonomics, psychology, safety, environmental management, training, human resources and corrective action.

It doesn’t stop there. The application of HF is equally complicated, affecting multiple aspects of an organization, including:

  • Work planning
  • Facility and equipment design and planning
  • Maintenance, repair and inspection of product
  • Product design
  • General management
  • Training
  • Work rules

When planning work, for example, factors such as the physical and mental fatigue of workers must be considered, while product design must consider the ergonomics aimed at the end-user of the product. The inclusion of HF in ISO 9001 could potentially force companies to consider alternate methods of information transfer in order to reduce mental fatigue; this usually pushes companies to move to methods other than documentation, towards signs, illustrations, verbal instruction. How do you control verbal instruction?

Full implementation of HF under ISO 9001 would be extremely difficult. HF professionals are one third OH&S expert, one third psychology major, one third EMS guru and one third professional trainer. Yes, that’s four thirds; it’s that complex!

Next we have the fact that auditors, who will receive no training whatsoever on Human Factors, won’t know how to audit it. Like the process approach from ISO 9001:2000, the first year or two they will just ignore it. Then, as confidence grows (or ANAB writes CBs up) they’ll come into their own. Bogus nonconformities will be written, costing end user organizations more money as they scramble to fix nebulous, amorphous findings not really grounded in any firm requirement.

So, now what?

Hey look folks, it ain’t rocket science – Illegitimi non carborundum! (Don’t let the bastards grind you down.)

The first thing you do is to adopt the World Health Organization’s definition. The Standard says you must consider (implying this is a requirement) with no documented information needed and it doesn’t mandate “Who’s” definition you must adopt. So (with tongue in cheek) you adopt WHO’s definition. And, it’s perfectly legal.

“Human factors refer to environmental, organizational and job factors, and human and individual characteristics which influence behavior at work in a way which can affect health and safety. A simple way to view human factors is to think about three aspects: the job, the individual and the organization and how they impact people’s health and safety-related behavior.”

Nowhere in the above is there any inference to human error and should there be any question as to how you have considered your human factors, you can smile and remind them that, “It’s the law!” (29CFR 1910 – Table of Contents)

And, there are record requirements required by OSHA – But you don’t have to show them because the information contained therein is of a personal nature.

And… If mention of 10.1(b) comes up, you tell them that you are continually looking for opportunities: correcting, preventing and reducing, all day, every day… no documented information required.

Are you still holding that thought (from Parts 1 & 2)?

ISO 9001:2015 element 10.1 does contain a scary note.

NOTE: Examples of improvement can include correction, corrective action, continual improvement, breakthrough change, innovation and re-organization.

The references to breakthrough change and innovation may someday become the fodder for another post. And, re-organization (Organizational Development) is a discipline unto itself – Let’s see the auditors assess that one!

So, although we have zoomed in on how to deal with one complex topic like Human Factors, I hope you see it’s a simple fix. The requirements might be very involved; the fix doesn’t have to be. The Standard tells us we have to consider all the new requirements but leaves the details up to us. Make sure you consider them before your auditor tries to impose his or her belief system on you.

I hope this helps. Thanks for visiting…

Now for those of you who happen to be Aerospace inclined (or Masochists) the next post will detail everything you need to know about Human Factors in a marathon of useless trivia. Eventually, we’ll discuss all the new additions in detail… Lots of luck!

Note: Once again, The Kilpatrick Group would like to express thanks to Oxebridge Quality Resources International and their Senior V.P. Christopher Paris for his contribution to this series.

What’s New and Why Is It in MY Standard? Part 2

Last time we talked about the problem. Now, we’ll put it together…

Inclusion of each “requirement” brings with it its own unique set of challenges and therefore its own unique ways of dispensing with it, but, however unique, we can identify some universal truths and in doing so, glean understanding into risk treatment – these are:

  • Etymology – the origin of the word and the historical development of its meaning.
  • Implication – auditor’s interpretation, perception of etymology.
  • Mitigation – What the hell are we going to do about it?

Let’s take Human Factors, for example… The elephant in the room.

Clause 7.1.4 says:

“Environment for the Operation of Processes

The organization shall determine, provide, and maintain the environment necessary for the operation of its processes and to achieve conformity of products and services.”

Then adds:

“NOTE: A suitable environment can be a combination of human and physical factors, such as:

  1.  social (e.g., non-discriminatory, calm, non-confrontational);
  2.  psychological (e.g., stress-reducing, burnout prevention, emotionally protective);
  3.  physical (e.g., temperature, heat, humidity, light, airflow, hygiene, noise).

These factors can differ substantially depending on the products and services provided.”

Without the Note, this clause is very much the same as the old clause 6.4, but with the Note, suddenly all the bells and whistles go off.

How is an auditor going to reasonably assess if a company has provided a proper “social and psychological environment” – non-discriminatory, calm, non-confrontational, stress-reducing, burnout prevention and emotionally protective? A ‘touchy-feely’ world?

Clause 10.1 goes on to say…

“The organization shall determine and select opportunities for improvement and implement any necessary actions to meet customer requirements and enhance customer satisfaction.

These shall include:

b) correcting, preventing, or reducing undesired effects”

This might be construed as requiring us to recognize that humans are prone to errors. But, if so, must we design the process and environment to prevent and reduce human errors? Could be, except to me, it sounds more like Poka Yoke – Mistake Proofing. Hey, what do I know?



Anyway – This is especially important in aerospace, where it is estimated that 80 percent of accidents and maintenance errors can be attributed to human factors.

Fortunately, the aerospace industry has long been cognizant of the need to address human factors, and there are several good resources available to the public on the internet:
• The Federal Aviation Administration’s Aviation Maintenance Technician Handbook, which added an addendum on human factors
• The SAE’s Supply Chain Management Handbook, which added an update on human factors in 2014

Human Factors is defined as:

“Human Factors: The study of human behavior (physically and psychologically) in relation to particular environments, products, or services and the potential effect on safety. Recognition that personnel performing tasks are affected by physical fitness, physiological characteristics, personality, stress, fatigue, distraction, communication, and attitude in order to ensure a safe interface between the personnel and all other environmental elements such as other personnel, equipment, facilities, organizations, procedures, and data.”

Note: Keep in mind that what began as a Health and Safety practice (hence the ergonomics part) and also more popular on the ‘other side of the pond’ has morphed into a completely different discipline.

Enter ISO 9001:2015 and for all the evidence that TC 176 ignores the rest of the world, this odd requirement seems to have crept in. You can’t tell because the requirement isn’t named as such, but it appears to be the same “Human Factors” requirement from AS 9110, the aircraft repair station standard.

In AS 9110, the requirements for “Human Factors” (HF) are:

“The organization shall determine and manage the work environment needed to achieve conformity to product requirements. The work environment shall give consideration to human factors and human performance, and ensure that the effectiveness of personnel is not unduly impaired.”

So, how did an Aerospace requirement, “Human Factors,” end up in ISO 9001:2015?

OMG – It’s ISO 9000!

The answer is that it wasn’t an aerospace requirement after all. If you go back to ISO 9000:2000 we find that HF has slept unnoticed and dormant for the past 16 years.

Here’s the definition of “work environment” provided by ISO 9000:

“3.3.4 work environment: set of conditions under which work is performed

NOTE Conditions include physical, social, psychological and environmental factors (such as temperature, recognition schemes, ergonomics and atmospheric composition).”

Then, we need to look at ISO 9004 for more of the same:

“6.6 Work environment:

The organization should provide and manage a suitable work environment to achieve and maintain the sustained success of the organization and the competitiveness of its products. A suitable work environment, as a combination of human and physical factors, should include consideration of

  • creative work methods and opportunities for greater involvement to realize the potential of people in the organization,
  • safety rules and guidance and the use of protective equipment,
  • ergonomics,
  • psychological factors, including workload and stress,
  • workplace location,
  • facilities for people in the organization,
  • maximization of efficiency and minimization of waste,
  • heat, humidity, light, airflow, and
  • hygiene, cleanliness, noise, vibration and pollution.

The work environment should encourage productivity, creativity and well-being for the people who are working in or visiting the organization’s premises (e.g. customers, suppliers, and partners).

At the same time, the environment complies with applicable statutory and regulatory requirements and addresses applicable standards (such as those for environmental and occupational health and safety management).”

Remember, neither 9000 nor 9004 contain auditable requirements but this is where the insidiousness creeps in. If you remember Part 1, I said to “Hold that Thought.” Here it is! ISO 9001 gives us the news today… ISO 9000 and 9004 show us tomorrow’s news. And, it’s been this way almost from the beginning…

So the bottom line is, someone took what had previously been an optional, advanced best practice of ISO 9004, defined in a non-binding ISO 9000 definition, and made it an auditable, mandatory requirement in 9001.

(Yes, it’s a “note” — but that doesn’t stop auditors from trying to enforce it!)

In this part, we have discussed Etymology and Implication, next time we’ll look at Mitigation. See you next time…

Note: The Kilpatrick Group would like to express thanks to Oxebridge Quality Resources International and their Senior V.P. Christopher Paris for his contribution to this series.

What’s New and Why Is It in MY Standard? Part 1

The 2015 revision of ISO 9001 is thrust upon us (for over a year now) and it is Greek – gifts anyone?

  • Changes in structure, expanding the number of sections to ten from the previous eight with additions in performance management and evaluation, to help with future alignments among different standards through the new High Level Structure (HLS) which provides a framework for drafting standards which can be applied concurrently (integrated management systems or multiple management systems) such as ISO 9001, ISO 14001 and ISO 27001. Hold This Thought!
  • Movement away from the classical corrective/preventative action approach to more of a general risk management model based upon ISO 31000:2009, Risk Management-Principles and Guidelines, (but sugar-coating it by calling it Risk-Based Thinking.)
  • Requiring systems which take into account the “context of the organization,” “identification of Interested Parties” and consideration of “Scope and Boundaries” which implies broader measurement, planning and implementation, perhaps taking into account areas such as “sustainability” (energy use, materials procurement, environmental impact, etc.), “corporate social responsibility” (social accountability) and “organizational resilience and health.” The latter seems to incorporate areas relating to business continuity and disaster recovery.
  • Movement of “documents” (ISO 9001:2008 Clause 4.2.3) and “records” (Clause 4.2.4) to “documented information,” (ISO 9001:2015 Clauses of 7.5) seems to be more accepting of electronic documents and document control approaches. However, the new clause language, which more generally requires organizations to retain documented information as evidence of implementation, has opened up debate as to whether the Standard is mandating procedures as it did in the past. Don’t go there.

Now, it is my belief, although I have no proof, that all the inclusions are of greater interest to our brothers and sisters on the ‘other side of the pond’ and as such, makes me question their relevance to organizations here in the US – certainly inclusion of what we’ll refer to as ‘Fringe Topics,’ i.e. those related to business but not within the scope of ISO 9001, such as, Information Security and Energy Management, fall under scrutiny.

And are these bad things? In and of themselves, I have to say no… but yes.

The re-structuring to 10 clauses and reduction of foundational principles is neither a plus (in most cases – still holding that thought?) nor a minus – It’s just different. The reduction of prescriptive requirements (i.e. documentation) on the other hand is a real plus but that’s where I have to draw the line.

Image courtesy of Dr. Seuss Enterprises, L.P.


Inclusion of ‘Fringe Topics,’ for Big Business, is good for the rest of us, in a way; it will nudge them down a more socially responsible path, but we’ll pay for it through increases in goods and services due to the rising ‘cost of doing business.’ The same is not true for the small businessman. Amidst the continual heaping of additional requirements on an already straining annual budget we’ll hear the cries for mercy – it’s a horny dilemma – “Should we continue to play or should we take our toys and go home?”

I see the 2015 revision as the beginning of the end for many of us, not able or willing to justify the additional expenses of this escalating pay to play ‘merry–go–round’ and growing reluctance to continue to fight the good fight only to risk confrontation with our customers.

For 2015, TC-176 introduces greater emphasis on: Leadership and Process Approach, then tosses in Risk, Knowledge and Supply Chain Management, all of which are not necessarily bad things but they foreshadow shapes of things to come – referencing standards like Environmental Management & (soon to be released) Occupational Health & Safety. These may be of great interest in countries with weaker or no legislative oversight but here in the US we have the EPA and OSHA both of which have the power to levy financial pain (fines) or even file criminal charges (prison time) for violation. And, with veiled threats, as seen in above references to Information Security, Energy Management, Business Continuity and Corporate Social Responsibility, one begins to suspect, if included – even as notes in ISO 9001 (the way Human Factors has been included), a plethora of obscure nonconformities looming ominously above our heads.

It would appear on the surface, that introduction of seemingly innocent concepts, like risk-based thinking, something I would expect most business people are not just familiar with but actively engaging in, are more so a recognition of existing practice rather than actual requirements. But I may be in the minority interpreting these as such and therefore worry that others’ interpretations may open us up to serious threat from assessors whose competence in such disciplines would or should at least be challenged.

But wait, there’s more – Even as these Standards proliferate, the insidiousness of ISO remains hidden from all except those who know where to look!

The most innocent of references, like Organizational Knowledge (7.1.6) have an associated Standard (in draft – Reference SI 25006, AS 5037 & BS 2001 as guidance documents) or Lean (ISO 13053.) And, you start to get the picture.

So, what does this all mean? Still holding that thought? It means, if you want to play the game, you have to buy the Standards! Which Standards? Well… all of them! After all, ISO is nothing more than a book (Standards) publishing house and yes, each of the subjects listed above also has an associated Standard.

  • ISO 14001 – Environmental Management,
  • ISO 45001 – Occupational Health & Safety,
  • ISO 27001 & 2 – Information Security,
  • ISO 50001 – Energy Management,
  • ISO 22301 – Business Continuity,
  • ISO 26000 – Corporate Social Responsibility

Now consider this… you have just spent thousands of dollars for a library of standards ($500 alone for Information Security.) What do you think it will cost you to implement and maintain the program? Not an expert in all the above? Add the cost of a consultant!

So, now what?

We’ll take a closer look in part 2.

Interested Party Analysis

The question was recently posted… “What’s the best way to determine my Interested Parties?”

There are many ways of accomplishing this but one tried and true method is an Interested Party Analysis.


Identification of an Interested Party’s expectations is an essential part of developing a compliant QMS. A common method of determining this is with an Interested Party Matrix – where the Interested Party is plotted against two variables. These variables might be plotting the level of ‘stake’ in the outcomes of the organization against ‘resources’ of the Interested Party. Another is the ‘importance’ of the Interested Party against the ‘influence’ of the Interested Party.

The concept is the same, though the emphasis is slightly different.


Boxes A, B and C identify the key Interested Parties. The implications of each box are summarized below:

Box A
These are Interested Parties appearing to have a high degree of influence on the organization, who are also of high importance for its success. This implies that in the implementing of the QMS the organization will need to construct good working relationships with these Interested Parties, to ensure an effective coalition of support for the company. Examples might be the senior local officials and politicians or trade unions.

Box B
These are Interested Parties of high importance to the success of the organization, but with low influence. This implies that they will require special initiatives if their interests are to be protected. An example may be traditionally marginalized groups (e.g. Indigenous people, youths, seniors), who might be beneficiaries of a new service, but who have little ‘voice’ in its development.

Box C
These are Interested Parties with high influence, who can therefore affect organizational outcomes, but whose interests are not necessarily aligned with the overall goals of the company. They might be financial administrators, who can exercise considerable discretion over funding disbursements. This conclusion implies that these Interested Parties may be a source of significant risk, and they will need careful monitoring and management.

Box D
The Interested Parties in this box, with low influence on, or importance to the organizational objectives, may require limited monitoring or evaluation, but are of low priority.


To provide a clearer understanding of Interested Parties and, as a result, provide insights as to how best to engage them.


Use for the QMS either in the early stages, or with a group developing an Interested Party plan.

Special considerations/weaknesses:

All analytical tools are only models. The tool is dependent on subjective data, and will vary according to the person and situation being used. It should probably not be a public document.


1. Make a list of all Interested Parties.
2. Write the name of each Interested Party on a post-it note or index card.
3. Rank the Interested Parties on a scale of one to five, according to one of the criteria on the matrix, such as ‘interest in the organizational objectives’ or ‘interest in the financial success’.
4. Keeping this ranking for one of the criteria, plot the Interested Parties against the other criteria of the matrix. This is where using post-it notes or removable cards is useful.
5. Ask the following questions:
  • Are there any surprises?
  • Which Interested Parties do we have the most/least contact with?
  • Which Interested Parties might we have to make special efforts to ensure engagement?

And there you have it… Hope this helps.

What is really required… Epilog?

Two weeks later… He writes back (in blue ink):

Can I ask you a question regarding documentation?  It’s in regards to that same client we discussed a couple weeks back. They have half of their forms on an ERP system, and other forms in pdf/hardcopy. They are in the middle of transitioning to the ERP, but not all of the forms are uploaded yet. I understand that the ERP controls the documents that are in it. But for the documents that aren’t, do you feel those documents should have an ID, rev. date? I always felt that if the document was printed out and completed by hand, that it should be controlled. I know the standard is flexible on how the docs are controlled, but when you have a doc system that is half ERP and half not, it’s kind of a grey area. I’m doing a gap audit and have been going back and forth.

Thank You,

My response:

First of all, what is your definition of control?  Does an identification number and revision date really constitute control?

If you are in agreement that the ERP controls documents then you can eliminate those already entered into the system.  That leaves you with pdf files and hard copies.  I would argue that pdf files are controlled by virtue of satisfying d & e below (c is a different issue.)  If they are a Word / Excel or e-file (pdf) they have to reside somewhere on the computer.  Chances are these files are the latest and greatest (old versions overwritten) and pdf cannot be revised.

So all you have to worry about is hard copies.  Now you need to read their procedure and answer a couple of questions specific to c – d.

Let’s look at AS 9101D audit standard (before they ‘mucked things up.’)  These requirements parallel the AS 9100C Standard exactly.  For relation to AS 9100 Rev. D see What is Really Required? Part 1.

If you see evidence that the requirements below are being followed, then they are compliant, if not, they aren’t.  (N/A) indicates the requirement is not relevant to the context of the question.

4.2.3 Control of documents

Documents required by the QMS must be controlled

A documented PROCEDURE must exist and include controls needed for:            

  a. approval process (N/A)
  b. review, update, and re-approval process (N/A)
  c. identification of changes and current revision status
  d. documents are available where needed
  e. documents are legible and identifiable
  f. external documents are identified and controlled (N/A)
  g. obsolete documents are identified and controlled (N/A)

You must ask yourself the following:

  1. Are the documents current?
  2. Is there a revision record? (It does not have to be on the individual document – just some way to determine you have a current copy.)
  3. Does this record somehow identify changes made?
  4. Are documents available when and where needed?
  5. Can you read them?
  6. Can you tell them apart – but more important, can they?

If you answered YES, then (at the minimum) they have met the requirements.  If you answered NO, then they have not.  If they are AS 9100 Certified look at previous audit findings that might indicate another auditor questioned their control process.  But, they sound as if they are planning on entering all documents into ERP which kind of makes the whole thing moot.

If you still don’t feel warm and fuzzy about this, you could document an OBSERVATION such that the process needs to be completed without undue delay because there is the risk of potential nonconformity.

Figure you (they) only have a year to make it happen and that depends on their surveillance cycle.  It will take you quite a while to document changes to their system – adding context, interested party needs, wants and desires, implementing the new processes (bone up on APQP) and addressing Positive Risk (opportunities,) Training, Full-system Audit (CAPAs) and Management Review.  So plan on being busy…


Certified companies will need to upgrade to AS 9100D by June 14, 2018 and this should coincide with a scheduled surveillance or re-certification audit.   Although, a special audit can also be scheduled and paid for.  If you want to earn your keep, recommend they start preparations now – it will be cheaper in the long run.

I hope this helps.

And for the rest of you… Thanks for reading.

What is really required? Part 2

And now my response.

First the lesson…

You have to remember that all Management System Standards (MSS) are intended for the auditor, not the organization. They are a ‘checklist’ of requirements the organization must meet to be allowed (or stay) in the club. They were never intended as a one-of-a-kind way to achieve conformance, but that’s what we made them. There is no requirement for the organization to own a copy, although ISO isn’t complaining. It’s only a requirement for the auditor to have (and use) – and they’re often provided by the CB for the purpose of documenting findings.

The auditors and CBs turned the Standard(s) into the playbooks, best in class benchmarks, have to have, way to do things – not just for document control but for everything and if you don’t have a copy, you don’t know how to play the game. The ABs encouraged and supported this ‘standardization’ of activities – making it easier to police CB activities and ‘ding’ them if their auditors deviated from ‘the way.’ The IAF published guidance documents, ISO published (and sold) technical standards and ISO 9001 Auditing Practices Group created a whole library of guides to auditing, just to get the point across.

What we ended up with by the late 90’s (when I entered the game) was nothing more than a template – enter name here – that was generally accepted as ‘the best way to get the job done.’ My handler gave me a floppy disk (remember them?) with 20 or so individual files, each with the most basic description of the 20 (or so) elements which needed to be addressed, each with the same – insert company name here – instructions to submit to the review committee who added a watermark (to protect their copyright) and sent it off to the customer. It took us about ½ a day to generate a new system, ½ a day to implement (jam it down the customers’ throats,) another day to audit it and then some smoke and mirrors training and management review assistance; 3 – 4 days’ actual work for which they were charged 10 – 12K for the pleasure.

Clients were obviously disappointed with the lack of quality but paid up because there wasn’t any other way to play the game. All the consulting firms were the same. And, you could tell, by the template, which consulting group did the work. There were no graphics, no color, no creativity, no deviation from ‘the way it is done,’ ever! If there was any deviation, the document(s) did not make it out of review. Reject – do over (the right way.)

And this is why auditors (even to this day) expect to see things ‘as they should be.’ Now apply this to document control – enter: Title, ID Number, Revision Level, Revision Date, Dress size, First-Born’s Middle Name, throw in a page number for good measure and sign each in triplicate. Reference Technical Report – ISO/TR 10013:2001, Guidelines for quality management system documentation (cost approx. $125 US.)

And then, I broke the mold… Not only did it change the way we write documents but it upset an awful lot of auditors along the way – things didn’t look the way they expected. It challenged the old norms. It made them think. And that, my friend IS the way it should be!

Now let’s look at your question.

AS 9100C (which expires midnight 9/14/18) states:

4.2.1 General

Notes 2 and 3 remind us that we, as auditors, need to remain open minded – that what works in one situation may not in another.

Note 1 defines the term “documented procedure” as that which is established, documented, implemented and maintained. This note specifically avoids discussing content because content is at the discretion of the organization and is compliant if that content describes the controls needed and addresses 4.2.3 (a – g.)

Hope this helps…

It was very helpful, thank you.

By the way, I love your post this week. I haven’t read the whole post yet but after I read the first sentence, I was thinking I can relate with this guy. Then I quickly figured out that duh, it is me.

I’m looking forward to reading it.

I figure if you have questions, maybe others do as well.

Keep ‘em coming and wait ‘til you see the post on Control of Documents!
– – – – – – – – – – – – – – – – – – – – – – – – – – – – –
Here’s an afterthought…

Not only does Note 1 define the term “documented Procedure” but it goes on to say, A single document may address the requirements for one or more procedures. A requirement for a documented procedure may be covered by more than one document.

Let’s say your client has a quality manual (I know they do because AS 9100C requires it and there won’t be any AS 9100D registration audits until 2017) and that quality manual said that the President or some other Senior Manager is responsible for reviewing, approving (and changes to) AQMS level I and II documents; Level III & IV documents are reviewed, approved and updated by the appropriate process owner; revision level and changes are recorded on the Master Document List; all AQMS documents are available to all staff electronically as read-only and the electronic file is overwritten if updated and documents of external origin are maintained as pdf files. (Identification and legibility should not be an issue because the files are maintained electronically) – technically you have it in one sentence! Would that do it for you?

Absolutely. When you put it like that, I can totally visualize that scenario.

Many Thanks.

What is really required? Part 1

As I’m wrapping up my day, the other day, I noticed a question from a ‘brother wizard’ and as I am to discover, it continues into the following day. What a great excuse for a post.

He writes (in blue ink):

I hope you are well…

I have a new client that runs a bulk of their AS 9100 through a software called uniPOINT (EQMS) and also some through JobBOSS. What is your approach to the electronic / paperless systems? All the same rules apply documentation wise no? I show that they added some new docs but [don’t] have doc numbers or name or rev. My understanding was regardless of whether the system is electronic based or not, they still have to have doc numbers & name & controls in place. Is that your assessment as well?

My response:

Welcome to Document Control 101…

AS 9100 Rev. D states: Documented information required by the quality management system and by this International Standard shall be controlled to ensure:

  • it is available and suitable for use, where and when it is needed;
  • it is adequately protected (e.g., from loss of confidentiality, improper use, or loss of integrity).

For the control of documented information, the organization shall address the following activities, as applicable:

  • distribution, access, retrieval, and use;
  • storage and preservation, including preservation of legibility;
  • control of changes (e.g., version control);
  • retention and disposition;
  • prevention of the unintended use of obsolete documented information by removal or by application of suitable identification or controls if kept for any purpose.

When documented information is managed electronically, data protection processes shall be defined (e.g., protection from loss, unauthorized changes, unintended alteration, corruption, physical damage).

Personally I like paperless – if done well, it eliminates many headaches.

Here’s the Bad news – It’s entirely up to the organization to determine what control means to them and how they will address it. There should not be any consideration of what you prefer.

Here’s the Good news – If they stray too far, they will have a hard time convincing anyone that they have control. So, as a consultant, it would be value-added to recommend an ‘ISO Light’ approach that satisfactorily addresses the letter of the law – there’s a lot of wiggle room here. Do not issue an NCR unless there is no observable control.

And by the way, the latest revision gets dangerously close to requiring ISO 27001 & 2 Information Security…

Hope this helps,

Great answer as usual!

So the traveler (issued from JobBOSS), even though printed and initialed as it travels with the job, doesn’t have to have a doc number or rev. as long as the procedure outlines what their approach is? Is that how I’m understanding that?

That’s it!

JobBOSS is controlled by Job # (which is readily identifiable.) All process information (Sales, Purchasing, Production, etc. records) tie to that Job # with full traceability.

Read ONLY the words in the Standard. If adequately addressed, the company has defined ‘their version’ of control.

Now, here’s the kicker… I presume they have a procedure; does what they are doing match what they say they are doing? If so, you’re done. If not, you have an NCR.

Thank you. I’m glad I asked.

Because I’m used to the more traditional approach towards controlling docs, I allowed myself to adopt a very narrow interpretation of that element. Your feedback has really opened my eyes and changed the way I look at document control. With that being said, how specific does the control of docs procedure have to be? This company transitioned to this paperless system in the past year. I’m going to review their C of Doc procedure later today. I feel like I’m already over analyzing this…

My response and conclusion next time…

Customer Satisfaction?

Today I thought we’d give the serious ‘stuff’ a rest and just talk amongst ourselves – maybe with a little tongue in cheek. ‘Tis the Season and all!

Customer Satisfaction… Isn’t that why we do ISO in the first place? We want to produce a good quality product or service that will fulfill our customer’s needs and keep them coming back for more – Right?

Wrong – We’re in business to make money and don’t let anyone tell you differently – Bah Humbug! If we don’t make money, we don’t stay in business. And let’s face it we don’t really care if our customer is happy, we just want them to give us their money.

So we hook up with a Registrar (CB – Certification Body) who will get us going with ISO, so we can advertise to our customer that we really do care about them and we can ‘prove it.’ And, what does the CB do for us? They give us a piece of paper that we can dazzle our customer (or potential customer) with and say, “See – Ain’t we great?”

I’ve often said that, it doesn’t matter who you are or what you do, no matter how bad your product or service is, you too can get registered. It’s true! First of all, the Registration audit will be the easiest you’ll ever go through. The CB wants you to be registered; the auditor wants you to be registered… it’s their business – that’s what they do and you pay them for the privilege. Do they care about product quality? Nope! Do they even look? Nope! Not unless they suspect false advertising… But if you call it high-priced junk, you’re good to go for a year.

Look at it from the CB’s perspective – They want you to make money. OK, maybe they don’t care if you make money, so long as you keep paying them. Look at it from the auditor’s perspective – All s/he cares about is the free coffee and donuts you bribe them with when they get there, the Pizza and Beer at noon and whether there are records of your returns and maybe a few customer surveys you cherry-picked to show them, someone loves you.

Just think about all the mouths you are feeding: Your scheduler and their family, the auditor, their family and all the businesses they interact with; the rent-a-car company, the hotel, the restaurant, the airlines… Now don’t you feel good about yourself?

But, the bottom line is ISO doesn’t help you make a better product, nor does it help you interact with your customer. Those are things that have to come from the heart. You can’t buy it. If you don’t have it; a desire to ‘do the right thing,’ ISO doesn’t help you at all.

Which, by the way, is the reason those poor souls who bet their last ‘coppers’ on ISO certification, as a last ditch effort to save their businesses, crash and burn. Regrettably, their customers already went somewhere else and that’s why they’re in a pickle in the first place.

So let’s forget all about ISO and focus on our customer… and the business of getting them, keeping them and most of all, keeping them coming back for more.

Product quality is important but even the most demanding customer will forgive the occasional slip up as long as your Customer Service is strong, and there is a belief you will make things right.

And right means prompt replacement or credit no questions asked. The customer is always right – Right! Even when they’re wrong, they’re right!

Customers can be your best friend or your worst enemy. They might be singing your praises, writing you letters of adoration and telling all their friends and relations just how wonderful you, your staff and your products or services are or they may be silently smoldering, vowing never to ‘do that again’ and posting hate mail on social media. Keep an eye on Facebook! And remember, the angry customer is more likely to tell people about their awful experience than a happy customer singing praises.

Your job then is to make sure you understand your customers and make their experience with your company more pleasant than that of your competition if you want to keep them coming back. You will want to train your staff how to do their part to help enhance that customer experience. “So how do I do that?” you ask. Click the “Smile.”

The smile is where you can obtain your free copy of “Service with a Smile,” a Kilpatrick Group e-book, our Christmas present to you with thanks for your loyalty. “Service with a Smile” is a compilation of tips and tricks for dealing with your customers.

It will tell you how to give them the best post possible buying experience and / or resolve problems should they arise.

The Kilpatrick Group would like to thank all those who contributed to this customer service manual.

Until next time friends – Happy Holidays.

Expected Outcomes for Accredited Certification

Expected outcomes for accredited certification to ISO 9001 (from the perspective of the organization’s customers)

“For the defined certification scope, an organization with a certified quality management system consistently provides products and services that meet customer and applicable statutory and regulatory requirements, and aims to enhance customer satisfaction.”

Notes: a. Customer requirements for the products and services may either be stated (for example in a contract or an agreed specification) or generally implied (for example in the organization’s promotional material, or by common practice for that economic/industry sector). b. Requirements for the products and services may include requirements for delivery and post-delivery activities.

What Accredited Certification to ISO 9001 Means

To achieve conforming products and services, the accredited certification process is expected to provide confidence that the organization has a quality management system that conforms to the applicable requirements of ISO 9001. In particular, it is to be expected that the organization:

A. has established a quality management system that is suitable for its products, services and processes, and appropriate for its certification scope,

B. analyzes and understands customer needs and expectations, as well as the relevant statutory and regulatory requirements related to its products and services,

C. ensures that product characteristics have been specified in order to meet customer and statutory/regulatory requirements,

D. has determined and is managing the processes needed to achieve the expected outcomes (conforming products and services, as well as enhanced customer satisfaction),

E. has ensured the availability of resources necessary to support the operation and monitoring of these processes,

F. monitors and controls the defined product and service characteristics,

G. aims to prevent nonconformities, and has systematic improvement processes in place to:

  1. Correct any nonconformities that do occur (including product or service nonconformities that are detected after delivery),
  2. Analyze the cause of nonconformities and take corrective action to avoid their recurrence,
  3. Address customer complaints,

H. has implemented an effective internal audit and management review process,

I. is monitoring, measuring and continually improving the effectiveness of its quality management system,

What Accredited Certification to ISO 9001 Does Not Mean

1) It is important to recognize that ISO 9001 defines the requirements for an organization’s quality management system, not for its products and services. Accredited certification to ISO 9001 should provide confidence in the organization’s ability to “consistently provide product that meets customer and applicable statutory and regulatory requirements”. It does not necessarily ensure that the organization will always achieve 100% product conformity, though this should of course be a permanent goal.

2) ISO 9001 accredited certification does not imply that the organization is providing a superior product or service, or that the product or service itself is certified as meeting the requirements of an ISO (or any other) standard or specification.

Much Ado About Nothing

The above is an ideal, a process, trusted to bring about conditions whereby, through transparency, goods and services are produced to meet customer requirements. But, in the real world, it’s not always the case.

Business is driven by economics; there are priorities, constraints and, in some cases, conditions that are prohibitive to accredited certification.

Furthermore, there are those companies, whether intentionally or not, unable to meet the necessary quality requirements, yet, through customer pressure or the belief registration will enhance their bottom line they seek certification.

Guess what? Takata and Deepwater Horizon both held accredited certification (from legitimate registration bodies) and you see what happened to them.

Enter those (who give us all a bad name) promising low-cost certification, even to Standards that don’t exist and even more ludicrous, without any verification of your quality system. Yep – You heard me correctly, NO AUDITS. Registration certificate above is an example. Sadly, a former client of mine! Talk about turning to the Dark Side. Take it one step further, the certification body, above, agreed to certify a bogus company that claimed to produce a negative-buoyancy life jacket (which is intended to sink killing its wearer!)

My former client’s ‘certification’ took place long after we parted ways and unbeknownst to me*. In their defense, there were those ‘prohibitive conditions;’ lack of cash flow and absence of qualified staff to maintain a quality system properly combined with a large customer (in a regulated industry) who mandated a certified system or they would go elsewhere – they took advantage of this low-cost registration scheme, with or without knowledge of its legitimacy.

*Note – I discovered the certificate on-line, years later, while doing unrelated research. At present, I am unaware if this company is still in operation or not and regret being unable to take them to registration with a legitimate CB but suspect this to be a choice of desperation, one which, most likely, did not end so well.

Too often, I’ve seen small companies achieve certification only to find out it was a last ditch effort for survival – without the appropriate resources, it never ends well.

In Closing…

Most certified organizations (over 1,000,000 worldwide) are honest and dedicated to product quality and customer satisfaction but there are some dishonest ones out there. So I guess the message is still ‘buyer beware.’ Do your diligence and check to verify that your prospective or customer’s registrar (CB) is accredited here:

We’ll call this post a public service announcement.

Until next time…