The other day I released a draft copy of the new Oxebridge Q001 (“Q Thousand and One”) standard, intended to provide an alternate-reality, open source version of ISO 9001. Already the things has gotten tremendous feedback on LinkedIn and through the O-Fan ether, I’m happy to say.

Frustrated with years of cynical sniping and indignant sniffing the ISO TC 176’ers who insisted that ISO 9001 was great because they wrote it, and suggested I didn’t know what the hell I was talking about because I wasn’t on TC 176 (even though I was), I figured I would put my money where my mouth was.

With Oxebridge Q001, I wanted to prove a few key points:

ISO 9001:2015 never needed to be complicated.

While everyone can say that, it remains nothing more than a rough opinion in the absence of any proof. So how do you prove that a thing is complicated? With Q001, I’ve released a standard that remains compliant to ISO 9001, but is much easier to understand. While “complicated” is still a subjective thing, my version shows that ISO could have made ISO 9001 simpler, but just chose not to.

You CAN invoke “risk management” in ISO 9001 without breaking the world.

TC 176 was terrified to use the term “risk management” for fear it would hurt ISO 9001’s sales. They also claimed that invoking risk management would somehow confuse users. Oxebridge Q001 disproves this; the “risk-based thinking” clause 6.1 includes less words than the RBT content ISO 9001, but does a superior job in setting up scalable risk management within a quality management system. It doesn’t shy away from that “management” word.

Not only that, Oxebridge Q001 addresses opportunity management, which ISO 9001 nearly entirely ignores.

The Oxebridge Q001 callout for risk and opportunity management shows it can be done in a way that lets the user decide how easy or complicated to make it, and that it never needed to be anything scary in the first place.

Preventive action and risk management CAN co-exist.

TC 176 dropped the clause on preventive action essentially because they ran out of time pursuing their¬† September 2015 deadline. Then, they made up a bullshit argument that “risk-based thinking” obviated the need to have a clause on preventive action at all, as if this was a binary decision: one or the other.

Oxebridge Q001 shows that you can pursue COTO-based risk and opportunity management while still having a robust preventive action reporting system, with the two feeding back and forth between each other.  Risks or opportunities identified may lead to the filing of formal preventive action requests; formal PARs may then feed back into identifying new risks and opportunities.

The two don’t hinder each other, they enhance each other.

I’ve always argued that ISO’s decision to drop preventive action will result in real people getting killed, since there is no formal requirement for a company to go out and find potential nonconformities now; this fixes that. Maybe less people will get killed by Oxebridge Q001 (assuming ISO doesn’t have me killed for publishing it — LOL.)

Procedures ARE NOT evil.

ISO has reacted to criticism from a minority of lazy companies who claimed they wouldn’t implement ISO 9001 because “it requires too many procedures!” In 2000 they stripped the procedure count from twenty down to six, and those lazy trolls still complained. So in 2015, they took out nearly all the procedure requirements, and people are still complaining. The fact is, ISO was never going to be adopted by those trolls in the first place, so dumbing down their standard to appeal to them was a fool’s errand.

And, anyway, companies still implement procedures because:

  1. they realize they need them to ensure consistency in work,
  2. they help in training new employees,
  3. customers demand they have them, and
  4. auditors expect to see them during audits, no matter what ISO 9001 says.

So Oxebridge Q001 puts back in the requirements for documented procedures. A lot of folks will complain, but if they look twice, they will see that they probably already have these procedures anyway. The metric I used when invoking a required procedure was to ask, “if they don’t document this, will the variation in employee execution of the work result in a quality defect?

In the end, Oxebridge Q001’s latest draft (0.4 as I write this) calls out about 20 required procedures, and then a handful more that are “as applicable” or otherwise optional. We’re just slightly over what was required by the 1987 version of ISO 9001.

Oh, and there’s no Quality Manual required under Oxebridge Q001, even if I still personally like them.

You CAN make “management commitment” tangible.

Ever since it’s first iteration, ISO 9001 has struggled with how to invoke “management commitment” meaningful, as well as something you prove during an audit. The Oxebridge Q001 standard achieves this by requiring management to “provide evidence” of various tasks, such as participation and meetings and analysis of cost of quality data. Now, all auditors need to do is ask to see that evidence, rather than having long-winded theoretical conversations with top management that mean nothing in the real world.

It then requires management to not only develop a “quality culture” for the company — which sounds pretty ethereal — but they must then document what that culture is. This way, the ethereal nature of a “culture” becomes a tangible, verifiable reality.

Quality objectives ARE the process metrics.

ISO has always confused the old-style quality objectives with process measurements and metrics. I’ve argued they are the same thing, in a true process-based management system. It’s pointless to have some overall quality objective like “99% pass rate!” if that doesn’t mean anything to half of your actual processes. You have to measure your processes anyway (KPIs, etc.), so just make those your quality objectives and be done with it!

Oxebridge Q001 does this, by scrapping the old-style quality objectives and emphasizing process metrics. I re-branded these as, simply, “process quality objectives.

Notes DON’T have to be stupid.

In Oxebridge Q001, the notes are not statements of opinion injected by TC 176’ers with an agenda (“emotionally protective workplace!“), but actual hints on what an acceptable means of complying with a given requirement might be. I’ve tried to keep these to a minimum, under the idea that the language of the requirements should be written clearly so that explanation isn’t necessary, but still added some anyway.

For instance, the term “outsourced processes” is finally defined! That has been something ISO was not able to do for, literally, decades.

Requirements should only appear ONCE.

The ISO 9001:2015 standard never underwent any formal editing, so in some cases requirements appear in two or three places. For example, if you don’t publicize your Quality Policy, you could be found in violation of three clauses: 5.1.1, 5.2.2, and 7.3. This causes no end of problems, especially when auditing.

Oxebridge Q001 removes these. Now, if you fail to do something, you only sit in violation of one clause, and know exactly where you need to focus.

You CAN use colors in your standards.

ISO is stuck on a printing model presumably based in the 1800s, before mass color printing was invented. The Oxebridge Q001 standard uses color coding to highlight where documents are required (in green) and where records are required (in purple), making it easier for the reader to spot these. You can still print a copy in black and white if your printer is out of color ink, and you don’t lose anything, but the color copy helps.

Standards CAN be free.

Okay, I don’t expect ISO to suddenly get philanthropic and hand out its standards, but I will. Ironically, TC 176’ers are already sniffing at this, suggesting either (a) Oxebridge is doing this for money through self-promotion, or (b) ISO’s model is what is truly “for the public good.” They don’t seem to notice that ISO charges money for their standards while slathering their logos all over the thing, and then just outright up-sells by embedding references to various ISO standards inside other ISO standards.

I’m pretty sure my work is a bit better for the public and industry — because it’s free — than ISO’s. But whatever. They’re rich and I’m not, so maybe they’re onto something.

So, if you want to play around in the Oxebridge Q001 sandbox, grab your copy here. Let me know what you think.




ISO 45001 Implementation