Can we talk about ISO 9001:2015’s new design clause, 8.3? Because there’s a subtle and pernicious problem simmering below the surface, and it could affect every ISO 9001 certified company in the world.
In the old days, when men wore powdered wigs and women wore… umm … unpowdered wigs?, we had a pretty clear understanding of the design clause. In the original ISO 9001:1987 standard, design was spun out entirely, and appeared only in ISO 9001; if you didn’t design product, you opted instead for ISO 9002, which edited out the design clause entirely, so there was no confusion. This bifurcation (trifurcation, if you include ISO 9003) led to two problems. Some companies tried to game the system by opting for ISO 9002 even when the designed product, simply because they didn’t want to impose QMS rules on their engineering staff. Meanwhile, other companies sought ISO 9001 even if they didn’t do design, because either their customers mandated “9001” explicitly, or they simply thought “9001” was better than “9002” because it was more widespread, and didn’t want to be seen as having a lesser QMS.
In 2000, ISO attempted to fix this mess by putting the three standards back together, and then allowing “exclusions.” This reduced both of the problems, even if some companies still tried to game it by excluding clauses that actually applied to them; but now it was up to the registrars to address that problem, so ISO washed their hands of responsibility. But the 2000 standard was still pretty clear: the design and development requirements only applied to “product.” If you were a built-to-print shop, then it didn’t apply, and you could exclude it. Simple.
Then, of course, came the intellectual, ivory tower manglejob known as ISO 9001:2015. The standard represents the worst results of a product built by a conflicted set of bad actors all working to serve a private organization: ISO. While ISO may be a not-for-profit organization, its staff and executive officers are not volunteer workers, and they collect a lucrative salary. The revenue made by ISO goes two primary buckets: operating costs (rent, utilities, etc.) and those salaries. So the more money ISO makes, the more the executives make. Also simple.
Throughout its history, ISO has made tweaks to ISO 9001 to maximize its usage, and thus its sales. In 1994 they removed language that previously said the standard was only to be used when required by a customer contract, for example. The 2000 version took baby steps towards the service industry by claiming, “throughout the text of this International Standard, wherever the term ‘product’ occurs, it can also mean ‘service’.”
ISO 9001:2015 followed this trick, but went much further and copied and pasted the word “service” everywhere into the text. Mind you, ISO has entire standards dedicated to service quality systems, such as ISO 20000, but they aren’t the flagship, whereas ISO 9001 is. To toss in service providers into ISO 9001 would be easy, and ensure an even wider market for the flagship. So ISO literally ordered that any reference to “product” simply be swapped out for “product and service” anywhere in the standard. This ignores the fact that service providers have very different methods of contract review, execution, measurement, etc.; to TC 176, a QMS for products is the same as one for services, and you need only throw the word “service” into the text and you’re done. If you don’t believe me, here’s TC 176’s Denise Robitaille, saying exactly that:
Despite the fact that we have long said that ISO 9001 is a generic standard and we are able to massage the language to demonstrate how it has applicability for service industries, it’s been a hard sell because people have to really understand how some of this stuff applies to the service industry. The revised standard has greatly de-emphasized its focus on manufacturing, replacing terms like “products” with “products and services.”
Good lord, they’re stupid.
Anyway, for the most part, this change is innocent, if sometimes frustrating. Many service companies have SLAs (service level agreements) which become their guideposts throughout everything they do; that term makes no appearance in ISO 9001, since the authors probably never heard of an SLA. Instead, you have to interpret SLA’s as being “quality objectives” or “process measurements” somehow, and then convince an auditor about your interpretation later. But this is largely manageable.
For the new design clause — now residing clause 8.3 — the change becomes far more problematic. Here the TC 176 authors simply pasted in “… and services” everywhere the word “product” had appeared, without any understanding of the fallout that would result. Again, the intent was to sell more copies of ISO 9001 to service providers (rather than take the obvious tack, and just make a separate ISO 9001 variant for service companies.) But then, the standard adopted the same language as the previous four versions of ISO 9001, which were all product-specific.
The problem now, however, is that the registrars see dollar signs when they look at the new clause. So prevalent were the companies that “excluded design,” previous editions of IAF Mandatory Document 5 (MD5) — which defines audit day requirements — provided separate calculations of minimum audit time for those companies who included design, and then another column for those excluded it. Roughly speaking, most companies that excluded design found their audits were about a day shorter than those who included it. That’s a nice savings, typically of about $1300 plus a whole hotel night and rental car day.
The registrars want that money back, so some are now taking the position that “build to print shops” cannot exclude design anymore, since the act of building a product to someone else’s data is a service, and now clause 8.3 requires you to include the design of services. Therefore, you are expected to put 8.3 back into scope, develop quality system processes for service design, and — of course — tell your registrar to add a day or more to their annual audit.
Ka-ching!
ISO has been largely silent on this growing controversy, though. Nearly all of its endless guidance documents and supporting standards do not talk about “design of service,” since they know it’s a third rail subject for which they will definitely get burnt. Service organizations understand the design of services is a very, very different creature than the design of products, usually entailing the development of a service catalog, internal and external SLAs, configuration items and more. Sure, you can do all of this under ISO 9001:2015 — heck, you can do anything under it’s vague language now — but the average build-to-print shop would never have the expertise in this field as, say, an IT consulting firm or a professional hotel cleaning company. It’s an entirely different world.
So far, too, the IAF has been largely useless on this. They are beholden to the registrars, so are likely to side with them eventually, and publish something that says “no one can exclude 8.3, ever, because everything any company does is essentially a service.” Don’t be surprised if you see that, but for now, they haven’t pulled that trigger. For sure, there are calculations and models being run by both ISO and IAF on how much impact that would have on the sale of ISO 9001 standard and certifications, since it would result in an outright revolt. But I expect them to do it anyway.
The good news is that it may be too late. Every company that was previously certified to ISO 9001:2008 with an exclusion for design appears to be upgrading to ISO 9001:2015 with the exclusion intact, and registrars — so far — have not de-certified anyone based on this wacky new interpretation. Build-to-print shops are, so far, going on as usual. That has resulted in a flood of tens of thousands of ISO 9001:2015 certificates issued to build-to-print shops that ISO and IAF will have a very hard time revoking if they suddenly implement this crazy interpretation. They may have waited too long.
Alternatively, ISO/IAF may issue a new ruling and then mandate yet another “transition period” wherein any company that had excluded 8.3 would lose their certification in a year or two if they didn’t take steps to put it back in. I can see that happening, since ISO and IAF love making money through strongarm bullying and the invention of out-of-thin-air “deadlines.”
So, for now, proceed as usual, but proceed with caution. If you get caught with a registrar trying to milk more audit days out of you my saying you can’t exclude 8.3, find a new registrar.
Christopher Paris is the founder and VP Operations of Oxebridge. He has over 30 years’ experience implementing ISO 9001 and AS9100 systems, and helps establish certification and accreditation bodies with the ISO 17000 series. He is a vocal advocate for the development and use of standards from the point of view of actual users. He is the writer and artist of THE AUDITOR comic strip, and is currently writing the DR. CUBA pulp novel series. Visit www.drcuba.world