A long time ago, one of TC 176’s official key performance indicators was to reduce the proliferation of sector-specific quality management system standards. That did not work out so well once ISO threw its lot in with private consultants. Soon, the very same consultants who were working on ISO 9001 began outsourcing themselves to competing standards developers. Sheronda Jeffries, a TC 176 darling, went on to help develop the (failed) telecommunications standard TL9000. Joe Bransky made a name for himself developing the automotive variant that later became IATF 16949. The aerospace industry launched (pardon the pun) AS9001 and later rebranded it as AS9100. ANAB cooked up a cockeyed scheme to partner with CB Smithers and a private consultant to unleash the (also failed) SN9001 scheme for snow management companies, ignoring any pretense of caring about conflicts of interest.

Behind the scenes, TC 176 quietly dropped its KPI and surrendered. The age of sector-specific ISO 9001 variants was upon us. The idea that ISO 9001 should serve every possible industry is seen as a mistake, despite TC 176 continuing to update ISO 9001 to make it so anyway.

This worried both standards developers and end users. Standards developers (I call them “STDs” because that’s funny) were worried they were cannibalizing their own products, like ISO 9001. Users were worried about a flood of endless variant certifications that would bankrupt them. Their fears largely — but not entirely — ended up unrealized.

Instead, a benefit arose: the newer industry-specific standards are better.

While ISO 9001 is stuck in a hamster wheel cycle of adding more and more nonsensical requirements, the sector standards are hunkering down and adding requirements that reflect real-world best practices, which can be implemented using actual logic, and which can be audited with more ease. The only lingering problem is that each of these is often built on ISO’s bafflingly bad “Annex SL” text, but sector authors are getting around that by adding surrounding text that helps ground Annex SL and overcome its glaring flaws.

Enter ISO 7101

Now meet the latest sector standard, ISO 7101:2023 for healthcare quality management systems. The intended user base for ISO 7101 is defined as including “ministries of health, public and private health systems, hospitals, clinics, nongovernmental organizations and agencies that provide healthcare services, and more.”

So, why wasn’t ISO 9001 enough for these companies? The content of ISO 9001 provides the answer, as we will see.

First of all, yes, ISO 7101 is infected by the poor wording mandated by Annex SL. That text, which often comprises 25% or more of a given management system standard, was written by ISO TMB representatives without any particular subject matter expertise; they certainly have no credentials in healthcare. It’s imposed on standards authors and Annex SL cannot be edited (without complicated justifications) or even voted down.

But, like some of the other sector standards, the ISO 7101 committee found workarounds. I daresay that ISO 7101 appears to have cracked the case on how to present requirements in a user-focused manner despite Annex SL’s chaos.

For example, clause 4.0 on Context of the Organization is often pasted into a new standard and then never tweaked all that much. The original language is confusing and presented in the wrong order. One of my criticisms of COTO is that it tells the organization to identify its stakeholders (interested parties), leaving the end user with no clue who they might be. ISO 7101 corrects this by adding a requirement — not a note — dictating who this must include, at a minimum:

This shall include global financing partners, governmental, intergovernmental, and nongovernmental organizations with whom the organization has stated agreements.

While I’m not thrilled that clause 4.4 strips out the ISO 9001 style process approach, that clause includes this sentence, which ISO 9001 does not (emphasis added):

The organization shall have the systems, procedures and documented information as required by this document and have evidence of implementation of the same.

Why is that a good addition? Under ISO 9001, you can write procedures, but ISO 9001 never tells you that you have to actually follow them. (Auditors run to clause 8.1, but it’s not a good fit.) In ISO 7101, this is unambiguous.

That simple addition shows the thinking of ISO 7101’s authors: they wanted to add real-world requirements that could not only be understood by the reader, but also implemented and, later, audited.

Unafraid to Alienate the Lazy

ISO 7101 is also unafraid of words like “risk management.” Whereas ISO 9001 dumbed down the concept to “risk-based thinking,” ISO 7101 adds specific clauses on Risk Culture and Risk Management Processes. The authors were not hamstrung by a desire to sell more copies of ISO 7101 and thus make it accessible to lazy providers who don’t care about risk.

Whereas ISO 9001 does not require any documents or records to support “risk-based thinking,” ISO 7101 goes there. It requires specific procedures and records, and even found a way to require the user organization to “develop and maintain a register of risks and opportunities” without causing the apocalypse. ISO 9001 was afraid that if they required a “risk register,” Cthulhu would rise up and eat the human race.

Likewise, ISO 7101 requires an information management system; while that may sound daunting, the requirements here are sensible and not overly burdensome. They did not attempt to invoke all of ISO 27001 and its extensive cybersecurity controls. It’s doable, and it should be done. Patient data security is something a provider needs to worry about.

ISO 7101 really gets cooking in clause 8, which defines the ground-level controls for a healthcare QMS. Clause 8.2 defines Healthcare facilities management and maintenance, for example. Whereas ISO 9001 suggests that infrastructure “can” include equipment and facilities, ISO 7101 doesn’t even let you debate it. The standard tells you explicitly what is included and what you must do to manage your infrastructure. Yes, they invoke “preventive maintenance” by name without any fear.

Where ISO 9001 references “contingency actions” in a vague and entirely inexplicable way, ISO 7101 provides a specific list of requirements related to “contingency planning for facilities and services.” Again, there is no ambiguity about what it demands.

Instead of leaving “objectives” up to the interpretation of the reader, ISO 7101 defines mandatory performance indicators, such as “wait times,” “service user experience,” and “waste reduction efforts.”

How to Write Standards

So, how did ISO 7101 get things so right while ISO 9001 — the King of QMS Standards — has drifted off into nearly incomprehensible babble?

Apparently, they relied less on “consultants who show up” and instead used actual industry experts with verifiable credentials. The authors are not concerned with making the standard confusing so they could sell books and seminars later. The overwhelming takeaway is that ISO 7101 wants to save lives and improve healthcare. If that means adding things like risk management and actionable performance indicators, then so be it. If folks don’t like it, perhaps they should not be in an industry that directly affects human life.

If you’ve read the ISO Standards Users’ Bill of Rights, you can see that ISO 7101 meets many of the 10 requirements. (Unfortunately, ISO is still selling the document and not releasing it for free, but baby steps.)

A problem facing the standard, however, is a lack of interest by accreditation bodies in allowing CBs to issue certifications to it. I am not sure why that is, but ANAB and UKAS have both seemed uninterested in developing an ISO 17021-1 accreditation scheme for ISO 7101. This is unusual, since they usually develop certification schemes like a leaky tap, copying and pasting the required documents from one scheme to create a new one. (Did I mention ANAB’s SN9001 for snow shovelers?) It is very, very easy for an AB to create a new scheme.

I think I may know what is going on, though. There is a great deal of legal liability behind anything related to healthcare, and ISO 7101 inevitably will rope in regulatory requirements from the countries where it is used. Perhaps the ABs are pausing to assess just what their legal exposure would be. To date, they haven’t much cared if they continue to accredit testing labs and certification bodies that break the law, but they might be skittish about healthcare.

Additionally, accredited CBs are going to find it’s a heavy lift to get qualified auditors to audit ISO 7101. They won’t get away with their usual dozy buggers. I am sure a lot of cost-benefit analysis is going on.

I hope they get on the ball soon, as ISO 7101 could actually improve healthcare rather than just being another certificate that organizations can buy.

[Oxebridge won’t be offering ISO 7101 consulting at this time; I think it’s important to have this provided by an actual healthcare expert, and that’s not us. If I get someone on board who can do it, and who has the right credentials, we may offer it in the future.]
