Oxebridge Quality Resources - ISO 9001 and AS9100 Implementation



Archive for the 'Opinion' Category

Why CMMI Will Overtake ISO 9001 - and How to Prevent It

By Christopher Paris, VP Operations

In the software world, under a contract from the Department of Defense, Carnegie Mellon University launched a quality management system for software developers called the Capability Maturity Model (CMM), and then gave administration rights to the CMM to the Software Engineering Institute (SEI). Years later, this model was improved and renamed the CMMI (Capability Maturity Model Integration).

Not accidentally, the CMMI looks a lot like ISO 9001, but on steroids. The requirements for attaining CMMI are much more complex and rigorous than ISO 9001, and based on a tiered model which assesses a company’s capability maturity level. Most companies start at CMMI Level 2, indicating they are just a tad above being totally chaotic and ad hoc. Companies then strive to increase their CMMI level to prove higher levels of quality maturity.

Yes, this is a grossly understated explanation of the CMMI, but suits the point of this article.

There are a few problems with CMMI. First, it is run solely by SEI and therefore has all the problems of a monopoly - it’s massively expensive, with implementation services starting in the six-figure range easily, and with only one approved auditing body and auditor training provider - SEI. Yes, they perform both services and no one has called foul on the obvious conflict of interest, as they have in the ISO 9001 world, where auditor trainers and auditing bodies must be separate entities.

In short, nothing goes through CMMI without SEI. And there are no allowable competitors.

Secondly, it is very, very complex. Organizations without serious resources and the willingness to study - hard - will find implementing CMMI nearly impossible. A demand for CMMI to a small, underfunded company could well put them out of business.

But it may be inevitable. CMMI does not only apply to software developers and related areas of the software industry. With its popularity increasing, CMMI Level 2 requirements are popping up in more and more government contracts, even if the subcontractor may not really be a provider of software.

SEI has grown into three “constellations”: the original CMMI for Development, CMMI for Acquisition (CMMI-ACQ), released in late 2007, and now CMMI for Services (CMMI-SVC) released in February of 2009.

Even the original CMMI for Development may apply to any type of design and manufacturing organization, and likewise now the Services and Acquisitions adaptations. This means CMMI has already expanded outside of just software development.

Expect ISO 9001 to face stiff competition from this new “Cadillac” on the lot, even given the cost and difficulty of CMMI. In the software world, it is already true that ISO 9001 is seen as “quaint” in comparison with CMMI. How long will it take for that thinking to seep into the automotive or aerospace industries?

(Answer: it already has. More and more NASA contracts are beginning to “suggest” CMMI.)

As far back as 2003, I saw this writing on the wall and gave a series of free lectures to ASQ chapters and anyone else who would listen, called “Ten Steps to Save ISO 9001.” You can download the original presentation as a PDF file here (675 kb).

This talk presented my statistical analysis of the official ISO Survey data, and proved that the adoption rate of ISO 9001 was declining (something ISO still refuses to acknowledge or report, even though we are now in negative territory, meaning more companies are dropping ISO 9001 than picking it up). Along with that data, I presented a solution: take the best of the CMM / CMMI and create a new framework for ISO 9001 based on it.

In short, this meant making ISO 9001 a Management Maturity Model. I then proposed “The M3 Initiative” - breaking ISO 9001 into two or three maturity levels, so that small machine shops with little oversight by their customers could put into place only key elements of ISO 9001 (say, inspection, testing, manufacturing controls, calibration), while more “mature” companies would implement additional requirements (internal auditing, management reviews), and fully mature companies would adopt the entire standard (including preventive action and continual improvement). A possible ISO 9001 “Level 4” would adopt Baldrige criteria. The market would drive what level would be best for each organization. This would have the twofold effect of making ISO 9001 more palatable to smaller companies who wanted less documentation and rigor in their QMS, thus increasing the adoption rate of ISO 9001 worldwide. Large contractors would then mandate certain levels of ISO 9001 to their suppliers, driving them towards the highest level they felt they needed of their supplier, thus doing away with the binary “certified or not-certified” nature of ISO 9001 which leads to a lot of very bad companies brandishing an ISO 9001 logo with aplomb.

As an aside, I even proposed a model of core ISO requirements, which could then be augmented with sector-specific requirements, thus doing away with the proliferation of sector standards we now see (AS9100, TS 16949, ISO 13485, etc.). Even environmental or safety modules could be attached easily, making ISO 9001 truly universal, yet infinitely flexible.

This is, of course, exactly what CMMI is proving can be done, and they are successful with it, while ISO 9001 withers on the vine. But a true Management Maturity Model could be less difficult than CMMI, which is stuck under the monopolistic thumb of SEI, and their engineers. They have no reason to make CMMI easy, since they are the sole provider of training and certification courses. (Even “independent” CMMI consultants must be blessed by CMMI, or they risk trademark infringement and a lack of proper credentials. For auditors, an annual fee — in the thousands — is now being discussed as a requirement.)

The audiences of my presentations — comprised mostly of quality managers in ISO 9001 user companies — were always interested, even if registrars sniffed their noses at the idea, citing it all as too much work. (Never underestimate the laziness of certification bodies.) I decided to bring the discussion to two venues: the International Association of Accredited Registrars (IAAR) and the US TAG to ISO TC 176.

The IAAR is the professional industry group whose membership is comprised of many of the world’s accredited registrars, along with a representative of ANAB and its Canadian counterpart, SCC. My discussion was met with one large “feh”. It was abundantly clear that despite statistical evidence that ISO 9001 was declining, and a prediction of registrar door-closing — something that came true just a few years later — no one in the room much cared to save their own jobs. So strange and paranoid was their response, the IAAR actually put me under a verbal embargo, indicating I could not tell or write any articles about my presentation to them. (I am pretty sure that after six years, that embargo no longer holds.)

When I joined the US TAG to ISO TC 176 - the group responsible for developing ISO 9001 itself - I gave a similar presentation. But it was put on the schedule as an off-agenda item, and was not attended by anyone in any power of the TAG — Jack West, Lori Hunt, etc. were all off doing their own things. So naturally, as shocked as my little audience was to hear that ISO 9001 was dying, and CMMI presented the way to fix it, my proposal never got put on the table as anything to take seriously.

An interesting aside, though: my proposal was the initial driver which formed the sub-committee to create a crosswalk between ISO 9001 and the CMMI. I attended the first meeting, but not being an IT professional, I did not take a leadership role and as a result my name appears nowhere on the final document eventually released by SEI. I mention this only as evidence that my little discussion on the impending growth of CMMI and the things we can learn from it, had some impact in the ISO and CMMI worlds.

My appearance at the US TAG was too late to affect the upcoming revised standard which would later be released as ISO 9001:2008. It had already been decided that every other standard would be a major revision, and nothing should be done to tinker with the ISO 9001:2000 too much at that time. I then proposed that we adopt the maturity model concept for whatever would follow ISO 9001:2008 (presumably ISO 9001:2012). I received no support from the leadership, and I suspect that much of this was due to (a) an uncomfortable lack of familiarity with CMMI by the leadership, and (b) the natural tendency of the US TAG to move glacially slow and respond only to the direction given to it by 2 or 3 key members, all of whom have their own motivations.

In the long term, however, failing to adopt a maturity model to ISO 9001 will ultimately lead to the CMMI eclipsing it entirely. ISO may lose power as well, as there will be no reason whatsoever for SEI to let loose the reins of its monopoly and let ISO start making money selling CMMI standards. The entire US TAG — and the entire TC 176 — will be left out of the development of the next generation of quality management system standards. And what of ASQ? It will be spelled S - E - I.

As it did in 2004, my solution remains the same. TC 176 needs to stop work right now on whatever it is planning for 2012 (which, face it, won’t be released until 2014 at best anyway) — and start talking to smart folks about adopting a maturity model for ISO 9001 that not only re-popularizes the standard, but makes it easier and more accessible to organizations who so desperately need it. If any quality professionals or TAG members want to be purely selfish, they can view it as a way to save their lofty positions and lucrative book contracts.

Take the best of CMMI and apply it to ISO 9001, or CMMI will just take over ISO 9001.

Is anyone listening?

We will find out. A copy of this article is being sent to the International Accreditation Forum (IAF), ISO TC 176 leadership and Alka Jarvis, current Chair of the US TAG.

Anyone interested in a more detailed (albeit boring) model of what ISO 9001 would look like as a Management Maturity Model can download the original “10 Steps to Save ISO 9001” presentation and jump to page 51.

(Christopher Paris is VP Operations and founder of Oxebridge, having worked with ISO 9001 since its inception in 1988. To date he has personally implemented over 150 ISO 9001, AS9100 and related quality management systems.)

Seven Reasons Why “ISO 9001 Template Kits” Don’t Work

Winter Haven FL — A number of online companies offer “ISO-in-a-box” solutions to implementing ISO 9001, packaging a number of documents and forms that have been pre-written as boilerplate templates, with the thinking that if you just customize them yourself, you will have a compliant ISO 9001 system that can pass scrutiny during an accredited ISO 9001 audit. Likewise there are similar pre-packaged bundles for ISO 13485, AS9100 and even TS 16949.

Oxebridge has been opposed to this approach, not because it fears competition (as we always say, there’s enough work in ISO 9001 to go around for everyone), but because our direct experience — through that of clients who have attempted implementing ISO 9001 with such templates — tells us these packages don’t work, and result in many companies failing their first audit. That introduces new “hidden costs” such as the fee for an entire additional audit by the registrar, along with all those associated travel and incidental expenses charged by the auditors.

To date, Oxebridge has been hired to “clean up” over 15 such systems, after they failed an audit by an accredited* registrar. Oxebridge had been brought into the company with the intent of correcting the major nonconformities, and upon seeing the use of such “store-bought” template packs, Oxebridge was forced to re-write much of the documentation from scratch, because the documents did not come close to complying with ISO 9001 or AS9100. This resulted in unnecessary expenses to the client, who thought they were saving money by buying a cheap package that promised compliance, and didn’t deliver.

Here are seven reasons such pre-packaged programs do more harm than good to companies that attempt to use them:

  1. THEY DO NOT COMPLY. Despite claims to the contrary, these pre-packaged kits do not generally comply with their standards (ISO 9001, AS9100, etc.) as they pertain to the user’s company. They may address all the requirements of the applicable standard, but “addressing” and “complying” are two different things. According to accreditation rules under ISO 17021 (the rules which govern registrars), a Stage 1 audit (often called a document review or on-site readiness review) must be first performed to determine if the client company has addressed the requirements. Such kits help in this regard only. The Stage 2 audit performed by the registrar confirms compliance to the applicable standard. Having documents which only address the requirements, but which do not prove the client complies with the standard, may inevitably lead to major nonconformities issued during the Stage 2 audit. That means the client must fix the problems, and undergo a completely new Stage 2 audit (and in some cases, a Stage 1, too) effectively doubling registration costs. This is because the documents are written generically, for any organization, and therefore do not address how a specific company has interpreted and implemented each “shall clause” of the applicable standard. A clear giveaway, and typically an instant nonconformance, is how these kits handle ISO 9001 clause 4.1, which requires you to identify and then manage your processes. This is an exercise that is intimate to each company, and cannot be handled by a generic document; you must define your processes and then apply clauses 4.1 (a) through (f) to them, and a kit boilerplate cannot ever hope to achieve that. These kinds of systems pass an audit only when the auditor him/herself does not fully understand the process approach, a common problem plaguing the ISO 9001 and AS9100 world.
  2. THEY ARE TOO GENERIC. Documents that are written once, for any type of organization, cannot be specific enough to prove to an auditor how your company does business. The worst form of these are the cut-and-paste type templates, that prompt you to literally replace every instance of “YOUR COMPANY NAME HERE” with (of course) your company name. Such templates usually give themselves away immediately when the company name appears in ALL CAPS throughout the documents, alerting auditors that templates were used. (Worse offenders are those ISO-kit providers that include their logo at the top of every page!) Such generic documents make no distinction between whether their client is a manufacturing facility, a service provider, a municipal agency, a government body or any other possible user of ISO 9001. These documents tend to pass the registrar’s Stage 1 document review, but will either fail at the on-site assessment portion of Stage 1, or fail at the full Stage 2 compliance audit portion.
  3. THEY DEMAND RESOURCES IN ORDER TO COMPLY. Most of these ISO-in-a-box kits offer prompts throughout each boilerplate on what your people need to fill into the document in order to customize them properly. The problem here is that a single sentence or two of prompt cannot hope to yield the same result as someone who writes a custom document based on ISO 9001 training and experience. As a result, the prompts themselves are often misunderstood, and soon the company realizes they need to send their ISO team employees to outside, additional training on the ISO or AS standards themselves, which can run $1,500 per head. In short, in order to properly customize such templates, your employees need ISO training first. The end result otherwise is, as before, too generic and generally non-compliant with the particular standard, resulting (again) in a failed third-party audit.
  4. THEY DO NOT ACCOUNT FOR EMPLOYEE TIME AND SALARY. Companies who purchase an ISO 9001 “kit” may only spend hundreds to a few thousand dollars for such a kit, and then fail to recognize that the time and human resources it takes to customize documents properly, and to write additional documents that may be required outside of what is provided by the kit, equals costs outside of the price of the kit. This means taking people off of their daily duties and putting them on tech writing assignments, to customize the documents. Often managers forget to ask themselves how much is this extra work impacting not only the person’s daily tasks and responsibilities, but what impact is it having on that person’s wages? Lost wages, due to working on ISO projects, must be factored into the overall cost of an ISO implementation program. With ISO-in-a-box kits, nearly 100% of the work must be done in-house, meaning a large drain on daily productivity and lost wages. Compared to a consultancy that writes custom documents, from scratch, for you (as in Oxebridge’s Rapid ISO 9001 and Rapid AS9100 programs), the kit approach may actually cost the company more money in the end, while increasing the risk of failing an audit.
  5. THEY REQUIRE IN-HOUSE TECH WRITING EXPERTISE. Your employees are hired for certain tasks based on their abilities. Suddenly, when purchasing an ISO 9001 template kit, you are asking your staff members to become expert word processors and tech writers. Any manager who works with government contracts knows that developing a proposal in response to a government RFP requires tech writers of very high caliber, and that not everyone has that skillset. This is true when drafting ISO 9001 documents, as well, as it requires technical writing as it pertains to ensuring that each ISO 9001 or AS9100 “shall clause” is clearly addressed and represents the truth, in a technical manner. Managers who throw the kit at employees with poor writing skills and no tech writing background may find themselves with a compliant set of documents, but a set that cannot be understood by the auditors or employees because they are so poorly written. Having intelligent employees does not always equal out to having good writers. This means, in some cases, the company must hire additional temporary staff just to complete the boilerplate documents.
  6. THEY FORCE THEIR SYSTEM ON YOU. The ISO kit approach assumes you will use all, or at least most, of their provided forms and documents, since the documents and forms tend to cross-reference each other. This means that if your company has used a certain type of inspection report for 15 years and is happy with it, you must now switch to the inspection report included in the purchased kit, whether you like it or not. Taken to the extreme, this can mean that an anonymous writer of a generic kit has decided what is best for your company, and is forcing you to change all the things you have done for years, despite the fact that these historical activities may not only already meet ISO 9001, but exceed it. Without a human being assessing the need for documents and records, you could replace a nearly-compliant and fully customized system that you have now for one that actually steps your company backwards, away from ISO 9001 compliance, by mandating you use new forms and procedures.
  7. YOU MAY NEED A CONSULTANT ANYWAY. As mentioned before, Oxebridge has had to come in and “fix” such systems many times, after clients failed an audit using a template-based system. This is an additional cost, making the money and time spent on the work using the templates wasted entirely. Often we tell clients that their original documentation, forms or methods were fine as-is, and that the template documents drove them away from compliance, rather than towards it. In our case, Oxebridge has gained the nickname “The Fixer” - the company that is called in to fix the disasters left by other consultants or ISO-in-a-box template approaches.

If your intention is to implement a natural, organic ISO 9001 or AS9100 system that meets the full requirements of the applicable standard, and which can pass the scrutiny of an accredited third-party certification audit, the use of ISO-in-a-box, “store-bought” systems may sound appealing, but will generally result in numerous minor, if not major, nonconformities during the audit.

Your two alternatives are to either train your employees on ISO 9001 using one of the many available courses across the country, or hire an implementation firm like Oxebridge to assist in the effort. The urge to reduce spending may be strong, and the appeal of cheap ISO kits is thus evident, but between hidden costs and high risks of failure, the other options should be considered first.

(*NOTE: throughout this article we have used the term “accredited registrar”. This is because the growth of unregulated, unaccredited registrars is becoming more and more of a problem, and such registrars — who are not recognized by your customers, generally, making their certificates worthless — may well let ISO-in-a-box systems pass an audit, even if the system does not comply with ISO 9001 or whichever standard is being audited. Readers are advised to always and only use registrars accredited by ANAB, UKAS or another IAF-signatory accreditation body.)