With the Committee Draft of ISO 9001:2015, it’s evident that ISO has entered into a full blown existential crisis. I’d say mid-life crisis, but that would assume we are only halfway through the life of ISO 9001, and ISO seems dead-set preventing 9001 from shambling along for another 25 years.
Very few users of today’s ISO 9001 remember how the standard started. Those that do only go back to BS5750, and seem to think it originated from there. They forget that the whole thing started in 1959 under the US Department of Defense’s quality standard MIL-Q-9858.
ISO 9001’s Origins: Kill the Europeans
It’s important to remember this history to understand what the purpose of a quality system standard was: to ensure the quality of products by formalizing and harmonizing the methods of production and inspection. Back then it was important for the DoD to know that its weapons manufacturers were making loud, firey things that would get loud and firey in the faces of our enemies, and not in the faces of the soldiers shooting them. A gun isn’t very helpful if it shoots backwards.
Before ISO had any international street cred, BSI was the world’s standards gangsta, yo. The US had pushed MIL-Q-9858 onto its allies through NATO, publishing it as AQAP-1. BSI snatched it up and published a few variants (BS9000 and BS5179) before settling on BS5750. The Brits added in some intangible management system concepts, like auditing and corrective action, but the text of MIL-Q-9858 was still very much present.
At that point in history, the only thing ISO was famous for was photographic film speeds. It took another decade or so before the world had enough of the BS standards (pun intended) and ISO managed to wrest international legitimacy away from BSI. In 1987 it published ISO 9001’s first edition, basically a reprint of BS5750 translated into more languages with weird glottal stops. Screw the little yellow Kodak boxes, ISO had a new flagship product.
But through it all, the intent remained the same as when MIL-Q-9858 had been released: standardize the methods of production (I won’t say “means of production” lest we sound too Marxist) in order to ensure a quality product. Certification followed, and the intent there was to reduce the number of customer audits which companies were plagued with by having a single, accredited, trusted audit take the place of all 2nd party audits.
Then a lawyer spoke up. We don’t know his name, but we’ll call him Fester Bestertester, because I am pretty sure he looked like a Don Martin character. He told ISO that if they attempted to attest to the quality of any company certified under ISO 9001, it would likely face liability lawsuits in the event that a certified company released a defective product on the public. And so ISO immediately began distancing itself from its newborn baby, like a neglectant mother that likes to brag about her beautiful child, but who refuses to feed it.
Fleeing from any responsibility over certification, ISO left the development of assessment rules largely to the certification bodies themselves, policed by a group of accreditation bodies who answered only to some nebulous IAF memoranda of understanding, and
buddy peer reviews. That resulted (albeit indirectly) in the astoundingly weak “36-hour Lead Assessor course” which has since pumped out thousands of “industry expert auditors” who, only 36 hours prior, hadn’t been experts at anything. More than two decades of crap auditing later, and ISO is watching its flagship sink.
Fester Bestertester went on to a career in knife-throwing, but ISO held fast to his advice: avoid liability at all costs. And so ISO 9001 was completely rewritten in 2000, with requirements gutted and a new focus put on enabling the end user to interpret vague clauses intended for “generic” usage by any industry. With the compliant quality press in tow, ISO retconned its history and convinced the world that it was never about ensuring a quality product at all, but rather “continually improving” quality systems. A decade of users grew to believe this new fiction, and will still argue to the death that this was the truth back in 1987, even though anyone with a slightly longer attention span will know it’s not the case.
Nevertheless, ISO 9001:2000 wasn’t a terrible standard. The process approach brought more good than harm, and gave users some tools to really drive product improvement. (A process isn’t worth much if it doesn’t result in a product.) It was enough to take us into the next century, if not much beyond that.
And so we have ISO 9001:2015, the draft that’s been met with near-universal derision. Entire industries are calling on ISO to fix it before release, along with certification body reps, auditors, consultants and current ISO 9001 certificate holders. Everyone can see disaster in the making, and the list of problems grows as more and more people read the thing. It’s more vague than ever; it brings nothing from the ever-advancing quality profession; it’s language for risk defies not only the established understanding of risk management, but even contradicts other ISO standards on the subject; it is absolutely un-auditable.
Paton Them on the Back
There are those praising it, of course. Folks like Lorri Hunt, Denise Robitaille, Gary Cort, Jack West and Nigel Croft. The fact that they all have one thing in common — they wrote the damn thing — should just be ignored. The (again) compliant quality press will remain as free of critical thinking as always, and publish their mindless, self-indulgent pablum, attempting to convince their readers that all is well.
But looking at the text of 9001:2015 we can see the existential crisis in full effect. Rewriting history once again, ISO is attempting to convince us that 9001 has always been concerned with risk — not continual improvement or harmonized production and inspection — and that it has never been prescriptive. This conflict over “prescription” vs “requirements” has tortured the TC 176 committee members during this revision more than ever. The debate has been so strong that the participants can no longer distinguish the two concepts, like someone who repeats a word over and over until the sound of it turns to gibberish.
Take Two Requirements and Call Me in the Morning
The truth is that ISO 9001 was always prescriptive. It was only in order to sell ISO 9001 to the WTO, and avoid being shut down as a violation of the Barriers to Free Trade agreements, that it claimed to include only “generic requirements.” But as soon as it demanded a company perform internal audits, it was prescribing a method of self assessment. By demanding inspection, it prescribed a method of quality control. By demanding procedures, it prescribed a method of communicating information.
Under 9001:2015, that struggle has resulted in the Bestertester Doctrine supplanting not only good content, but logic entire. With the latest version, what were already pretty vague requirements are now diluted beyond recognition, under the defense that the standard should not prescribe. The problem? 9001:2015 still prescribes; it just uses really, really lousy wording to do it.
The result is an un-auditable standard. End users will have to interpret that standard and implement according to their interpretation. That sounds fine, but inevitably those 36-hour-trained “expert” auditors are going to have their own interpretations, and clashes will occur. Auditing — an already unpleasant experience — will get worse. Since audits are already expensive and of dubious value, adding more irritation to the mix is the exact opposite that needs to happen. Competitors like NADCAP, CMMI and who-knows-how-many-2nd-party audit schemes are already warming their engines to fly past ISO 9001.
The path forward is simple. ISO needs to take a pause and regroup. It needs to come to terms with the fact that it is prescribing, and embrace that role. It must then include clear language of such prescriptions … er, “requirements”… for its intended audience: users and auditors. And it needs to stop pretending that the purpose of ISO 9001 isn’t for improving actual, physical products. The chief criticism of ISO 9001 is that after all those costs and certification audits, there’s no guarantee of an improvement in actual product. And that’s what people want. Only the floppy-footed lawyers are arguing against that.
The next version of ISO 9001 should take us deep into the 21st century, not back to pre-industrial era where Greeks stood around in robes and discussed rhetoric and chewed hemlock.
About Christopher Paris
Christopher Paris is the founder and VP Operations of Oxebridge. He has over 30 years' experience implementing ISO 9001 and AS9100 systems, and is a vocal advocate for the development and use of standards from the point of view of actual users. He is the author of Surviving ISO 9001:2015. He reviews wines for the irreverent wine blog, Winepisser.