The Troubled History of ISO 9001’s Clause on Preventive Action

[Originally published in May 2022, but worth revisiting.]

The ISO 9001 standard purports to provide a skeletal framework for continual improvement. For decades, both the authors and users of the standard understood this meant, in part, seeking to stop problems from happening before they occur. Decades prior to ISO’s publication of 9001, the quality assurance profession had already understood this, as well. We can track preventive measures as far back as the 1920s, when formal industrial process controls were first being developed. If you want to get really crazy, you can see preventive measures within the ancient engineering practices of the Egyptians, Sumerians, and Incas.

But TC 176, the committee that authors the ISO 9001 standard, has struggled to explain the concept, finally leading to its removal in 2015. So what, exactly, happened?

ISO 9001’s Ancestor

ISO 9001 was built upon another standard, the US Dept. of Defense’s MIL-Q-9858, published in the 1950s. That standard included a clause on “corrective action” which required, “the quality program shall detect promptly and correct assignable conditions adverse to quality.” While not name-dropping preventive action, per se, the clause moved in that direction:

Corrective action shall include as a minimum:… analysis of trends in processes or performance of work to prevent nonconforming product.

Elsewhere in that standard, the authors went further, in the clause on Cost of Quality (something ISO 9001 never got around to adopting at all):

The contractor shall maintain and use quality cost data as a management element of the quality program. These data shall serve the purpose of identifying the cost of both the prevention and correctionof nonconforming supplies (e.g., labor and material involved in material spoilage caused by defective work, correction of defective work and for quality control exercised by the contractor at the subcontractor’s or vendors facilities).

Even in its introductory clauses, MIL-Q-9858 emphasized proactive, preventive action:

The program shall provide for the prevention and ready detection of discrepancies and for timely and positive corrective action.

In all, MIL-Q-9858 defined eight separate areas where specific preventive actions were required to manage quality, even though the concept hadn’t earned its own standalone clause.

ISO Takes a Turn At Bat

ISO 9001 only came on the scene after MIL-Q-9858 morphed into NATO’s AQAP-1 standard, and then mutated further via the BSI standards of BS 9000, BS5719, and BS5750. But much of the original MIL-Q-9858 text was still there, with only minor edits. The ISO 9001:1987 standard took the same approach as the MIL-spec, not calling out “preventive action” as a standalone clause, but placing it within the clause of corrective action, and sprinkling it throughout the standard itself.

From clause 4.1.2.1 on responsibility and authority:

The responsibility, authority and the interrelation of all personnel who manage, perform and verify work affecting quality shall be defined; particularly for personnel who need the organizational freedom and authority to … initiate action to prevent the occurrence of product nonconformity.

… and clause 4.14 on corrective action:

The supplier shall establish, document and maintain procedures for … investigating the cause of nonconforming product and the corrective action needed to prevent recurrence.

But “prevent recurrence” isn’t quite the same as full-on, standalone preventive action, which is performed to ensure a problem doesn’t occur in the first place. So by 1994, TC 176 added preventive action as its own clause:

4.14.3 Preventive Action

The procedures for preventive action shall include:

a) the use of appropriate sources of information such as processes and work operations which affect product quality, concessions, audit results, quality records, service reports, and customer complaints to detect, analyze, and eliminate potential causes of nonconformities;
b) determination of the steps needed to deal with any problems requiring preventive action;
c) initiation of preventive action and application of controls to ensure that it is effective;
d) confirmation that relevant information on actions taken is submitted for management review.

And so things remained throughout the next few editions. “Preventive action” held a spot as a separate clause in both the 2000 and 2008 versions of the standard.

Throughout that time, however, ISO struggled to explain what they meant by it. Articles were written nearly monthly by consultants and ASQ gadflies on the difference between corrective and preventive action. ANAB’s ancestor, RAB, pushed down on accredited certification bodies because they found that certified companies routinely “didn’t get” the concept of preventive action; many audit nonconformities were written. Greedy TC 176’ers started selling books on preventive action, just to exploit the confusion.

The answer was always simple: ISO needed to explain the concept in easy-to-understand terms. “Corrective action” is taken to address existing problems, and “preventive action” is taken to find potential problems. There may be a preventive aspect to corrective actions — you don’t want the problem to recur — but preventive action can be a standalone activity, stopping problems before they occur.

But ISO’s arcane and needlessly bureaucratic standards development processes don’t lend themselves to simple texts. By the time a standard is written, it’s been mutilated to such an extent to often becomes unintelligible.

Rise of the Consultants

Post-2000, TC 176 had two main problems. During the 2000 revision, the TC 176 committee was largely led by consultants, but wasn’t exclusively populated by them. This is why the 2000 version remains, arguable, the most popular version of all time. By 2010, when work had begun on the next edition, TC 176 had become nearly exclusively populated by consultants. End users were nowhere to be found, and TC 176 found it had to falsify attendance records to make it seem like users were involved. Consultants were falsely categorized as “corporate” users or “government representatives.” But in the end, nearly 90% of TC 176’s membership were private consultants, although official figures put the number less than 50%. When I challenged the US committee to fix this, they assigned someone to the project… a private consultant. To no one’s surprise, he found nothing wrong, and the incorrect figures remained in place.

Those consultants have a profit motive, and thus a conflict of interest. By making ISO 9001 as confusing as possible, they can sell more books and seminars and services afterward. If you make ISO 9001 easy to understand, you put the consultants out of business!

So ISO 9001:2015 became the confusing monstrosity we see now. Paragraphs make no sense, clauses lead nowhere, entire sections offload the responsibility of defining requirements on the reader, requirements appear in two or three locations at once, and terms change meanings mid-stream. New concepts are introduced without any definitions, and some of the definitions included are merely restatements of the words themselves (“organizational knowledge is knowledge specific to the organization.”) Worse, ISO utilized no editors in its production, so all the errors landed in the final, published document.

Annex SL Infects Everything

The second problem was Annex SL, Geneva’s attempt to standardize standards. Originally called a “High-Level Structure” (HLS), this was intended to be a document template, designed to define what standards should look like (formatting, clause numbering schemes, etc.). But the ISO Technical Management Board (TMB) working group responsible for the HLS quickly got drunk on power, and demanded the right to craft actual requirements that would be imposed on all ISO management system standards, no matter what the subject matter. For a decade or more, Geneva was growing frustrated by the slow pace of TC standards development, as delays were costing it money. So while Geneva had little control over the various TCs, it had complete control over the TMB and its HLS team. By taking away standards writing authority from the TCs, and giving it to the TMB, ISO could control the development process, and bypass all that messy debate and international consensus. It could finally ensure standards got published on its timeline, not that of the subject matter experts.

So HLS became “Annex SL”, inserted into an annex of a mandatory ISO working procedure, and subject to no voting. It now included not only formatting instructions, but two key elements: clause titles and actual clause text. It would then be imposed on management system standards for quality assurance, environmental management, occupational safety, medical device manufacturing, aerospace, and even cybersecurity. Even though it was written by no subject matter experts in any of those fields.

As a result, TC 176 was faced with a conundrum: adopt Annex SL in whole, or do the unthinkable and revolt against Geneva. There was precedent for the latter, too. TC 210, the authors of the medical device standard ISO 13485, had rejected Annex SL outright and refused to adopt it. Craftily, they said their drafts were already “too far along” to change direction to suit Annex SL, so they’d take a look at it next time. Geneva bought that story, even though TC 210 had lied; they never had any intention of adopting Annex SL at all.

But TC 176, led by greedy consultants, was never going to mount an insurrection against their landowners. Instead, they saw dual benefits from Annex SL. First, it meant that the TMB had done their work for them, so TC 176’ers could take credit for writing ISO 9001 without having to actually do it. And second, Annex SL was so confusing it would demand users buy consulting services afterward. Win-win.

The problem? Because the Annex SL text was not written by quality management professionals, it made no mention of “preventive action.” In fact, the ISO TMB authors never heard of the concept. Instead, they mangled two separate concepts — nonconforming product and corrective action — into a single clause, called “nonconformity and corrective action.” Quality professionals know the two sit at different levels of a hierarchy, but the ISO bureaucrats at TMB had no clue, because they weren’t subject matter experts on quality assurance.

Now TC 176 was stuck. How could they fix Annex SL without touching it?

Do Nothing, Except Copy and Paste

Predictably, TC 176 took the easy way out, and did nothing.

The first Working Draft (WD) of ISO 9001:2015, written in 2012, was just a copy-and-paste of the Annex SL text, with no QMS-specific language added:

The WD wasn’t circulated for comments, however. Worse, ISO tried to sue Oxebridge for publishing it, and exposing the fact that TC 176 wasn’t actually doing any work. (ISO dropped the case when I threatened to countersue.)

A year later, the 2013 “Committee Draft” (CD) was produced and was circulated for informal comments, and still made no changes to the Annex SL section on corrective action:

Yet again, it showed that TC 176 was having endless meetings, traveling all around the world, and selling endless seminars and speaking tours, even as they were literally doing nothing.

But because the CD had been circulated for comments, they received them. Some 3,000 comments were received, and grumbling was everywhere, including over Annex SL and the removal of preventive action. So TC 176 knew it would have to do something to shut down dissent against Annex SL.

BSI to the Rescue

Behind the scenes, TC 176 was being led by Cary Cort, who struggled to have any influence at all. The real dealmaker was Nigel Croft, who headed up the influential “Subcommittee 2” (SC2), which works on the text of ISO 9001 itself. Croft, a Brit, had married a Portuguese heiress, and had moved to that country. While claiming to represent Portugal, Croft was still taking his instructions from BSI and the UK. It was Croft who coined the term “risk-based thinking” to brand Annex SL’s clause on risk.

(Cort would later quit TC 176 entirely, in frustration over “politics,” leaving Croft with even more power.)

In October of 2013, Croft began gaslighting the world, creating a false narrative that, no, ISO 9001 was always about risk management, and that preventive action hadn’t been removed at all. During a public training presentation given by his consulting company, Croft claimed that preventive action had been “reinforced throughout the standard” by the addition of risk-based thinking:

In that same presentation, Croft began laying the groundwork for the battle against the growing number of critics who opposed the elimination of the preventive action clause:

The reality is the opposite: ISO 9001 never embraced risk, and in fact full-on rejected it. Prior editions of ISO 9001 included language that specifically said the standard did not address risk management. From the ISO 9001:2008 version:

But Croft’s presentation to a tiny group was hardly enough to sway the planet. So in November of 2013, TC 176 held a meeting in Porto Portugal, led by Croft. Five participants formed a breakout session led by BSI. The output of that group was a BSI white paper that claimed, falsely, that Annex SL’s “risk-based thinking” absorbed the concept of preventive action, and that “risk has always been implicit in ISO 9001.”

TC 176 and BSI were all betting on the fact that no one remembered the language from prior versions of ISO 9001, and eventually, that proved to be true.

BSI then provided this paper to ISO, which republished it as an official ISO document, and then repeated it in numerous press releases. The meme was set. Immediately, groups like ASQ and CQI led the charge, parroting the false talking points, which led to the meme being picked up by consultants around the world. To this day, you still hear people insisting that “risk was always implicit in ISO 9001.”

No, it wasn’t. It really wasn’t.

Comments Explode

A few months later, in 2014, TC 176 began circulating the Draft International Standard (DIS) version. The only change made to the clause on corrective action was the addition of the phrase “including those arising from complaints“:

So it took TC 176 literally two whole years to add five words.

But while the WD and CD versions are rough drafts, and only subject to informal commenting, ISO procedures require formal commenting on the DIS. This is when things ground to a halt, because the comments on the DIS were not kind. Because TC 176 had wasted two years (2012 through 2014) without having meaningful discussions, this meant they had nearly no time left to address the huge number of gripes and comments coming from ISO member nations about the DIS.

Nearly sixty comments were specifically directed at the problems of the missing preventive action clause.

The US committee, dominated by Hunt, however, began aping the Porto talking points, saying “recognizing that preventive action is actually a part of risk management, Annex SL rightfully removed references to preventive action.” From the official database of comments:

(An aside: I’m told the US Chair, Alka Jarvis, opposed Hunt’s view, but was so conflict-averse, Hunt rolled over her. Jarvis was never able to effectively manage the US committee to overcome the influence of the consultant class, led by Hunt and Jack West.)

Deadline Looming

But those opposed to Annex SL weren’t going down quietly. Voices grew louder, and demanded clarifications of the clause on risk-based thinking (again, copied and pasted from Annex SL without edits) and the clause on preventive action. The flood of DIS comments was causing further delays. Under ISO rules, the comments had to be formally processed and dispositioned, one-by-one. The processing of comments was taking more time than the actual drafting of the standard, which (again) was largely written by less than a half-dozen individuals.

With Cort gone, Croft, Hunt, and a handful of other leaders were not going to be told what to do, and no one was around to rein them in. So the TC 176 leadership simply pointed to rules flowed down by ISO HQ in Geneva. While the text of ISO 9001 would, technically, be subject to review and voting (in order to comply with procedures), the specific text of Annex SL could not be edited without prior permission by the ISO TMB or Executive. Furthermore, any review comments received about the Annex SL text would be recorded, but not acted upon: meaning, essentially, thrown out.

In the end, the TC 176 leadership overwhelmingly rejected the world’s comments: 5o% of official ISO member comments on the DIS version were rejected outright, including all that tried to object to Annex SL text. This effort was led by the TC 176 Secretary, Charles Corrie, of —  wait for it — BSI.

But even with conflicts of interest trying to lubricate the process as much as possible, TC 176 had lost a lot of time. Nearly eight months in 2014 were spent on processing comments, which means nothing else was happening during that time. The official ISO project plan had told TC 176 to generate the final draft by early 2014, and the DIS was still being debated deep into that year.

Meanwhile, discussions had begun on adding a clause on preventive action, since adding text to Annex SL was not forbidden. In fact, as we see, TC 176 had added those five words to the clause on corrective action already, establishing precedent.

So pressure began to mount to issue a second DIS, one that would fix a few problems, including the missing clause on preventive action. But having wasted so much time already, TC 176 faced a final problem: there was no way any of this would get done by the September 2015 publishing deadline set by ISO HQ. So TC 176 alerted ISO that they wouldn’t hit their deadline, and requested an extension.

As I’ve written about at length in Surviving ISO 9001:2015, ISO only makes money when standards are put up for sale on its website, not when they are stuck in development committees. So Geneva said, flat-out, no.

ISO wasn’t happy. Geneva had already given TC 176 a two-month breather by intentionally violating its own long-standing procedures. Based on their prior slow progress, ISO announced that the DIS would be submitted for voting before the manuscript could be translated. This meant that non-English-speaking countries had to vote on an English DIS draft, whether they understood it or not. Geneva benefitted twice: not only did this keep the sale date of ISO 9001 on track, it limited actual review comments, which typically slowed down progress.

So ISO was not about to give TC 176 another break. It told the committee that the September 2015 deadline was fixed, and that the DIS would be published as an FDIS no matter what. No more lifelines.

As a result, any ideas for a second DIS died nearly immediately, along with last-ditch efforts to add back the missing clause on preventive action. Now, officially, ISO and TC 176 would lean into the Porto talking points meme, and falsely insist that preventive action was “in there” as part of risk-based thinking, and that RBT was “implicit” in ISO 9001 all along. ANSI, led by Hunt, would convince the Americans, while BSI and Croft did their bit to shut up the Brits.

Sure enough, TC 176 began copying-and-pasting the Porto meme into official documents and public training materials:

And so, the Final Draft International Standard (FDIS) was released, and subjected — again — to more commenting. Yet again, people objected to RBT, the removal of preventive action, and even Annex SL as a whole. Look at this damning comment from the US, which was rejected outright:

The idea of a common structure is a good and valid idea. However Annex SL was improperly implemented. Annex SL contains technical requirement content. This content was written by a small group and has not been through the consensus process for worldwide approval. Technical experts were not allowed to alter the Annex SL language. Annex SL contains the majority of the technical requirements of the ISO 9001 standard. Therefore ISO 9001 is no longer a consensus standard. It is a standard written by a small group isolated from the quality experts around the world.

But, again, the comments were rejected and the FDIS was ratified, and the consultants had won. Hunt famously declared RBT the “biggest boon to consultants, ever” in an official US TC 176 meeting. Croft went on to sell his own services, through the “Croft Global Alliance.”

Geneva was happy because the standard went on sale on the ISO website on time, as planned. ANSI had already pre-ratified ISO 9001:2015 for US adoption before the draft was even published, so everyone was happy. Money started rolling in.

You’re Gonna Kill Somebody

To be clear, the lack of a clause on preventive action not only flies in the face of the entirety of quality assurance — we should be seeking things to prevent problems before they ever occur — it increases catastrophic risks to human life. Without an aggressive, formal “PA” system in place, supported by procedures and rules and root cause analysis and recordkeeping, defective products can be released to market, risking the lives of consumers worldwide.

Under Croft’s vision of ISO, pushed by Geneva’s corporate sales goals, problems only have to be formally addressed and resolved after they happen. If you want to do preventive action, you can, and you can use the guidance provided by “RBT” to do so. But that guidance doesn’t include any actual requirements for processes, procedures, records, formal processing, cause analysis, or anything else. Go ahead: go read clause 6.1 of ISO 9001:2015 and find an actual requirement. There aren’t any, because it was guidance text written by the TMB, and not intended to be used without supporting surrounding requirements. TC 176 was just too stupid and lazy to do their part of the job.

And if you don’t want to do preventive action at all, that’s cool, too.

I say, no. That’s unacceptable.

The Future

The next edition of ISO 9001 is likely to get worse, not better, when it comes to preventive action. Croft handpicked Paul Simpson to replace him in the lucrative position of SC2 Chair, heading up the drafting of the next standard. Under Simpson and Croft, ISO has already violated years of precedent and procedures, and ignored multiple international votes which demanded ISO not revise the standard. In fact, they’ve already begun working on the new standard, largely in secret, and have been doing so since last year (2021). The primary motive is to continue to maintain compliance with Annex SL, which was itself recently updated. Of course, Croft and Simpson — and Hunt, who has done a tremendous amount of preliminary work on the new standard already — stand to make a lot of money for their consulting practices.

Simpson, however, brings a new level of incompetence to the scene, like never before. Whereas Hunt and Croft are at least aware of some quality management principles and the history of ISO 9001, Simpson is clueless on even the basics. Everything Simpson has learned about quality management does not come from actual experience or books, but from ISO 9001 itself… and even then, only the 2015 version. Simpson has insisted that “ISO 9001 doesn’t require inspection,” because the 2015 version swapped out the term “inspection” for “planned arrangements,” and he can’t read context.

Recently, Simpson said that any process that doesn’t meet requirements shouldn’t be called a process at all, negating the entirety of the process approach and the entire science of process design. But such bizarre logic is consistent for Simpson, who believes you should only accept incoming data that supports your view, and throw anything else out entirely.

And Simpson is entirely on the anti-preventive action train, taking his cues from Croft. Simpson doesn’t know the history of the clause, nor even the drastic need to restore it. Instead, he believes the Porto talking points are Holy Gospel. To Simpson, Annex SL is the culmination of every human endeavor, and represents the pinnacle of quality management practices, despite the fact that no quality assurance subject matter expert ever wrote the thing.

And Simpson isn’t beneath lying about it, either. He has consistently claimed that Annex SL was the product of TC participation and voting, despite all evidence — including official comments from TC 176 members — proving otherwise. It’s not clear if Simpson imagines that he voted on Annex SL, or if he is just willing to say anything to protect the hands in Geneva that feed him.

As such, Simpson is the worst possible guy to be heading up TC 176’s efforts. The standard demands that companies seek negative feedback and improve their products, while Simpson rejects all negative feedback and attacks anyone who suggests even the slightest need for improvement to ISO 9001. Simpson is a one-man, walking master class in two distinct, deeply troubling cognitive defects: confirmation bias and the false consensus effect. Nothing anyone will ever say will convince him of anything that might contradict his predetermined view. This is the wrong person in the wrong seat, and he should nowhere near any job in the quality field, period.

But Simpson is the toadiest of ISO toadies, sucking up to Croft and the ISO executive (as well as the CQI), so very likely to continue to succeed, even if he can’t hold down an actual job.

This means the world will continue to have to manually implement preventive action procedures and controls, no matter how silent the version of ISO 9001 may be on the subject.

Recommendation: just go back and read the 1994 version, and implement that. You’ll save yourself a lot of headache, and probably save lives in the process.

---

UPDATE January 2023: Paul Simpson has resigned from his role at TC 176, and Nigel Croft has turned his attention to other matters (such as UNIDO, ISO/CASCO, and bigger fish.) As a result, the US’ Lorri Hunt has largely taken over control of TC 176 internationally, alongside Jose Dominguez (a co-author on her ISO 9001 books.) Hunt is a supporter of Annex SL, and has already ensured that the next version of ISO 9001 will include the updated Annex SL text. The world voted on whether to update the standard or not, and voted no, but Hunt (alongside Simpson, prior to his resignation) maneuvered to update the standard anyway. With BSI’s help, they invented an argument to issue an “early revision” even though the world voted not to revise the standard. Hunt, Dominguez and others then went on to perform a detailed, line-by-line study of the current ISO 9001:2015 standard for possible language changes, impacts, etc. Someone at TC 176 has already drafted a “Secret Draft” of the new version, which adopts the updated Annex SL language.

Preventive action is still removed from that draft.

At the same time, Hunt is trying to burnish her credentials with the ISO HQ in Geneva by adding “climate change” and other United Nations sustainability goals to ISO 9001, even though ISO itself determined they are not appropriate for the standard. Using her position as Chair of the annual ISO 9000 conference, Hunt is promoting the idea of adding climate change to ISO 9001 at that conference, thus making seeding the idea into the mainstream.

So preventive action will still be out, but obscure, off-topic concepts like climate change (and, possibly, gender equality) will be added.

Meaning that the ISO 9001 standard will no longer really be about quality management systems, but a Chinese menu of various topics that were inserted solely to improve the careers of the consultants writing it.