There’s a grossly disingenuous marketing campaign by the likes of ASQ, AQI, and nearly every ISO 9001 and AS9100 registrar and consultant on the planet, who are telling you that you still have time to update your QMS to the latest versions of these standards. The truth is, it’s now officially too late.
Yes, the deadline for final transition to ISO 9001:2015 or AS9100 Rev. D is September 15, 2018, but there’s an unofficial deadline that they don’t tell you about until after you signed the registrar contract. Per a totally made-up IAF mandate (here), all audits conducted as of right now — OK, technically March 15th, which as I write this is only a few days away — have to be done to the new version no matter what. This means you need to be conforming to the new version now, and can’t wait anymore.
And remember, if you don’t update by September 15th, they cancel your certificate. Isn’t that nice?
Companies face a number of different scenarios, depending on their current certification timeline. Let’s look at each one, but keep in mind none of these apply if you’ve already updated your system and are certified to the new version. This is only for the stragglers, which is… well, basically everyone.
First, understand that ISO 17021 accreditation rules mandate that surveillance audits of already-certified companies must be done at least annually. Some companies opt to have them done every six months, because they also enjoy being whipped by a dominatrix and having cigarettes put out on their arms, I guess. But the minimum is annual surveillance.
If your due date for your next surveillance audit hits prior to September 15th, your next audit will be against ISO 9001:2015 or AS9100D even if you’re not ready yet. You will get hammered with nonconformities for the new standards, as a result, and then you’ll have about 30 days to fix those (registrars are sketchy on that point). Naturally, your registrar may then demand an additional “nonconformity verification” audit of the “majors”; there’s no standard to dictate when an additional audit is required, so auditors love to pad their pockets by invoking this without real justification, and there’s nothing you can do about it. This means you may get hit with an extra audit fee, plus all those additional audit expenses (hotel, airfare, etc.) If you don’t fix the nonconformities by the Sept 15th deadline, you’ll lose your cert by default.
If your surveillance due date is after the September 15th deadline, then the 9/15 deadline trumps the surveillance date. That means you still have to undergo an audit before September 15th, or your cert will automatically cancel on the 16th. If it cancels, you have to undergo a new “initial registration audit” with your registrar, as if you are a new client, and the audit days automatically go up, since initial audits are always the longest. In addition, registrars want to schedule such audits 30-60 days before the 9/15 deadline, so if they hose up the paperwork and drag their feet, your cert doesn’t lapse because of their ineptitude. That means your actual transition audit window is March to the middle of June, not September. A tiny window.
Now let’s say you are up to date on your surveillance audits, but are coming up on the 3-year “recertification audit.” Basically, the same rules apply as surveillance audits, but your audit days will be longer, since recertification audits are longer than simply surveillance audits. Fun.
But what if your 3-year end-of-contract deadline is after the September 15th deadline? Well, that’s impossible since your registrar hard-dated your ISO 9001:2008 or AS9100 Rev. C certificate to “drop dead” on September 15th, 2015 no matter what. Go look.
So the entire thing is a tangle, and — as I wrote — it’s entirely an unforced error created by ISO and IAF merely to sell standards and audits. Making matters worse, the registrars lost a huge portion of their auditor pools (due to retirement, death, low pay and plain old auditor frustration), and they can’t schedule your audits in time to meet these deadlines. We now see SAI Global losing their entire accreditation because of this, and they are likely just the first. Meanwhile, ISO/IAF have refused a call to extend the deadline for ISO 9001, as has the IAQG for AS9100. It’s baffling.
So What to Do, Then?
The point is that as of right now, there’s likely no way you can upgrade in time. Yes, Oxebridge does some pretty fast work, and can update most systems in only weeks, but there’s already a line of clients filling up the calendar, making our availability limited. And, yes, you can tackle things with the free Oxebridge template kits (ISO 9001 kit here, AS9100 kit here), but that takes time. Time is not something most quality folks have an abundance of, especially with that deadline breathing down your neck.
Despite IAF and IAQG thinking updating an entire QMS is no big deal, actual employees of actual companies know it’s not something you want to rush. And at this point, even rushing won’t get it done in time. So you have to surrender. Buddha said:
If you let cloudy water settle, it will become clear.
If you let your upset mind settle, your course will also become clear.
Remember those Chinese finger traps someone gave you as a gag gift? Shove your fingers in, and no matter how hard you pull, they only tighten. The only way to get out of them is to push, which is utterly counterintuitive. If you haven’t updated to ISO or AS yet, then now is the time for counterintuition. Just yield. Let them have their deadline. Let them have their panic and frustration and mania. You don’t have to join them. Be the calm in the storm.
If you cannot meet the deadline, then let it lapse. At this point, it’s inevitable anyway, and the registrars will only hassle you with maddening audit schedules and additional audit days and endless nonconformities that are meaningless.
Once you yield to the inevitable, you can begin the work to improve your quality system at your own schedule, for your own purposes, and to better your performance for your customers. You can stop worrying about some donut-eating moron who likes to talk about himself all day and gets pissy if you don’t agree with his sports team preferences.
Losing your cert is a freeing experience. It is the perfect time to reassess your relationship with your registrar, and start shopping for a new one. It’s a great time to reach out to your customers and tell them “we’re rebooting our quality system to make it even better, and we’re bringing on a new certification body to ensure that greatness.” And, best of all, now you can take your time to update your system on your schedule, not one dreamed up by the (ex) VP of ANAB and the (ex) Secretary-General of ISO. (There’s a reason they’re both “exes.”)
What are the down sides? Not many. Yes, you will lose your certificate. But assuming you regain it again without too much delay — say 6-12 months — your customers are unlikely to notice, and no one is going to make a fuss. If you have a customer that has demanded, in their contract, that you maintain constant certification, then you have to notify them about your intent to update the system and (if applicable) that you had to change registrars. You will be surprised how many customers will either understand fully — they may be going through it themselves — or simply not even care. You are likely to lose exactly ZERO customers if you take a temporary and justified break from certification, for the purposes of improving that certification.
Next, when you “re-up,” your registrar — whether you got a new one or not — will treat you as a new client, and impose an “initial registration audit.” As I said, it’s the longest of all audits, so you will take a hit on additional audit days and related expenses. But given that the deadline scenarios I posed above have this risk embedded in them anyway, in almost all cases it’s moot.
[BTW, you can determine your initial audit days using the IAF “Mandatory Document # 5” (MD5) which you can download here. Jump to Annex A, Table I which tells you the minimum audit days required depending on your employee count. Then multiply that number by the industry average of $1300 per day, estimate the related expenses, and you’ll have an idea of what it will cost.]
If you go start to go beyond 6 months of being certified, you do run some risks. First, unless you’ve fixed all your marketing, you may be falsely claiming to be certified when you’re not; that runs afoul of deceptive advertising regulations. But honestly, if you’re simply in transition, you can’t really be held liable; companies are still marketing ISO 9002 certification, and that standard was killed 18 years ago. If you take longer than 12 months, you are asking for problems. Your customers will only have so much patience.
So clearly the only path ahead is to relax, let the waves flow over you and then stand up and grab a towel. Get to work updating your system but do it at your pace. Communicate openly with your customers. Do it for the right reasons. Make it matter.
When you’re ready, give us a shout. We’ll still be here, and so will you. The sky isn’t falling.
Christopher Paris is the founder and VP Operations of Oxebridge. He has over 30 years’ experience implementing ISO 9001 and AS9100 systems, and helps establish certification and accreditation bodies with the ISO 17000 series. He is a vocal advocate for the development and use of standards from the point of view of actual users. He is the writer and artist of THE AUDITOR comic strip, and is currently writing the DR. CUBA pulp novel series. Visit www.drcuba.world
