As reported here, Accurate Energetic Systems (AES) suffered a plant explosion that killed 16 people, all while holding an ISO 9001 certificate issued by NSF-ISR. ISO 9001 includes a clause on product handling, so — yes — an explosion at an explosives manufacturer is in-scope for ISO 9001.
A few hours after Oxebridge’s reporting on the matter, AES took down its entire page on quality, including the copy of the ISO 9001 certificate they had posted there. At the same time, some weirdness over at IAF CertSearch was going on. It’s not at all clear who is to blame for this. Stick with me.
First, the AES entries on CertSearch — which is supposed to be the “source of truth” for all ISO 9001 certificates, by mandate of IAF — were open and available. IAF listed two ISO 9001 certificates for the same plant, both issued by NSF-ISR, but under two different certificate numbers. It’s not clear at all why two certs were issued for the same company, the same site, the same scope, and under the same standard. If I had to guess, one of them was a mistake, and NSF-ISR never purged the mistaken cert… but I’m guessing.
After our reporting, the certs appeared to disappear from CertSearch entirely. Although it now seems this is due to how one searches within CertSearch.
Going into CertSearch without logging in and searching for “Accurate Energetic Systems” results in the certificates showing. But if you log in, and CertSearch provides a list of companies you searched for, clicking that will result in nothing. I think what’s happening is that CertSearch presents a list of certificates you asked to validate or track (which requires a paid account), and if you didn’t pay, they won’t show up. But it’s not clear, and the CertSearch interface doesn’t provide any hints as to that. I’m guessing again.
But this would explain why the AES certs showed up under one view but not the other.
Then, things got weirder. One of the ISO 9001 certificates is now reported as “WITHDRAWN” in CertSearch, immediately after Oxebridge’s reporting. Apparently, NSF-ISR got embarrassed and decided to do the right thing. I’d say they get some kudos, but CertSearch still shows the other certificate as active. At least as of right now; that may change again once NSF reads this and goes in and fixes their mess.
So far we have two problems. First, IAF CertSearch remains a buggy mess, wholly unreliable, and a thing as far from a “source of truth” for ISO certificates as one can imagine. We still find fake certs listed, withdrawn certs showing active, and a host of certificates not appearing at all. This is after years of development by Quality Trade — who borked this up bigly — and after a mandate by IAF that all accreditation bodies must force their CBs to upload certificates into the system and maintain the accuracy of the records. In exchange, IAF is selling subscriptions to access the data, so you’d think they would try to get this right if only to ensure people got what they paid for. They did not, and people are getting ripped off.
Second, though, is the NSF-ISR mess. Why are there two certs for AES? Why was only one withdrawn?
The bigger issue for NSF, though, is why did they issue the certs in the first place? AES had a prior accident which killed one person, so their record on safe handling of their product — again, covered by ISO 9001 — was already suspect to the point of becoming criminal negligence. This suggests NSF didn’t do its due diligence and issued a new cert anyway, only to find itself bookended by two deadly accidents now.
This is on brand for NSF, mind you. One of my clients was having a poor experience with NSF and anticipated a sleepy, drive-by audit. They wanted something more robust. To get this, I contacted Randy Daugherty, the then-VP of ANAB, and we requested a witness audit. In short, we wanted ANAB to be sitting next to NSF when it audited the client. ANAB, of course, refused, saying they had no “procedures” to cover such a request and that it wasn’t clear who would pay for it. Daugherty told me we’d have to file a complaint against NSF first, and then maybe ANAB would respond by doing a special witness audit… but probably not. In the end, ANAB refused to do its job and ensure the credibility of the audit.
Sure enough, the audit was a mess. It was a multi-week audit by two auditors, and they only came away with one or two minor nonconformities. We had been hoping NSF would hold our fee to the fire so we could drive real improvement. We knew major nonconformities were sitting there, right in front of the auditor’s noses, but they were busy auditing document control while one guy complained about his gastrointestinal problems. (A lot of you are going to know which auditor I am talking about immediately, since you’ve all heard his IBS stories.) This comic strip is literally based on a real thing that happened during that audit (except for the genital warts joke.)
The NSF audit was so bad that my client’s customer raised the risk rating for my client and wrote a report denouncing the NSF audit as unprofessional. A year later, the Dept of Defense Inspector General’s office came in and audited the client and found dozens of AS9100 nonconformities, including majors, nearly mirroring the results of our internal audits.
Did NSF do anything? No, they kept returning and doing sleepy, drive-by audits. It appears they never bothered to take into account the DODIG report, even though it was publicly distributed. Per ISO 17021-1, they should have arranged a “Special Audit,” but never did. Everyone at the company walked away thinking AS9100 was an annoying joke. The quality team was deflated. NSF got paid, though, as did ANAB.
This happens everywhere, so it’s not just NSF to blame. Repeatedly, CBs issue certificates to companies that are later involved in disasters, deaths, product recalls, or scandals. Each time, they argue, “but the audit is just a snapshot in time.” But then, afterward, the companies maintain their certification.
That’s the part that suggests this is all a pay-to-play scam. If a CB knows a client killed someone, they are obligated to suspend the certificate (at least) and then perform an SA (Special Audit) to see whether it should be permanently withdrawn. But routinely, that doesn’t happen.
Now, in this case, it does appear that NSF-ISR withdrew the cert, but only after the reporting. It still doesn’t explain, however, why there is still one cert showing as active in IAF CertSearch. So they only get half-kudos.
I’d file a complaint, but thanks to the IAF’s new ban on any filings coming from Oxebridge at all, NSF-ISR will be protected by the very people tasked with overseeing them.
If CBs and ABs did their job, then bad companies would not get ISO certificates. Without those, the bad companies wouldn’t get contracts, and maybe people would still be alive. If CertSearch actually worked — and access was entirely free — maybe the public could hold the bad CBs accountable, too.
Christopher Paris is the founder and VP Operations of Oxebridge. He has over 35 years’ experience implementing ISO 9001 and AS9100 systems, and helps establish certification and accreditation bodies with the ISO 17000 series. He is a vocal advocate for the development and use of standards from the point of view of actual users. He is the writer and artist of THE AUDITOR comic strip, and is currently writing the DR. CUBA pulp novel series. Visit www.drcuba.world
