The Q001 standard has only been published for a few days, and already we have volunteers translating it into Spanish, Croatian, French, Norwegian, and a host of other languages. Better yet, we have possible CBs lining up to offer Q001 certification in Europe, Asia and South America.
As I mentioned earlier, Oxebridge will not provide certification. We don’t want to become a certificate mill, after all. At the same time, handing the standard over to the IAF players to manage isn’t something anyone would want.
I’ve decided instead to follow the CMMI model, and that of the CMMI Institute. Oxebridge will become the sole accreditation body for Q001 certifications, authorizing and managing the various CBs, and doing so outside of the IAF structure. We will be following the core principles of ISO 17011, and may even develop our own international standard that improves on it. Oxebridge will also manage a directory of Q001 certified companies.
Some of you may know my previous attempts at devising an improved certification scheme model, borrowing the best from CMMI. Those efforts included my non-profit organisation The M3 Development Council, which aimed to develop a Management Maturity Model (“M3”) standard. That effort was eventually abandoned, since the CMMI Institute is doing a far better job than M3 ever could have.
But the M3 research and ideas have now allowed us to build a better QMS certification scheme for Q001. We are developing a series of supporting accreditation documents and procedures — again, based on many of the requirements of ISO 17011 — which will define the Q001 scheme.
Scoring – Not Pass/Fail
First of all, Q001 certification won’t be issued on a pass/fail basis like ISO 9001, but on a three-tiered scoring system closer to the CMMI “maturity model” level system.
Audits will be scored on the basis of the results of the various audit aspects, with two optional aspects that a client can choose to participate in to potentially increase their score. The M3 Dev Council developed this model based on studies of companies that provided Independent Verification & Validation (IV&V) services, often for projects or software development activities. Under this model, Q001 certification levels will be:
Companies can enter into the Q001 certification family at the initial level and then receive additional recognition as they mature their systems over time. Better still, companies who require their customers to have a certified QMS can require a specific level of certification based on the risks presented by the supplier; for example, low-risk suppliers could be told to achieve Level 1, while more critical suppliers could be pressed to achieve Level 2 or 3.
This leaves the model open for an “Excellence Model” rating in the future as well, if the scheme takes off. I can imagine a “Level 4” being roughly akin to the Baldrige criteria.
Minimum Audit Scoring Aspects
Q001 certification audits will look somewhat familiar when the auditors are on-site, but off-site things are very different. The Final Certification Score will be calculated as the total of three separate scores, derived from three audit activities:
Under the current scoring model — the math of which is still being developed — the highest achievable rating for a company audited under these three criteria would be Certified Level 2.
Optional Scoring Aspects
The Q001 model then adds two optional aspects which organizations can choose to invoke or not.
Each of these provides additional “bonus” points which can help increase the Final Certification Score to either offset a lower score during the three mandatory aspects, or to help achieve the highest Certified Level 3 with Honors certification.
The organization has to decide if opting into these two aspects presents more or less risk for their score. Companies with high levels of customer satisfaction and willing to undergo longer, “Deep Dive” audits are thus more likely to achieve the Level 3 with Honors designation. But it wouldn’t be easy.
FYI, the math shows it’s possible to get the Certified Level 3 with Honors score without opting for the Deep Dive, but it requires getting zero nonconformities, which is not likely under this scheme.
Semi-Annual Audits, No Surveillance
The IAF model of surveillance audits and 3-year recert audits doesn’t work. It’s cumbersome, expensive, confusing and isn’t really providing any benefit.
The Q001 model takes a more CMMI-minded approach, and revisits the company at a fixed schedule — every two years — treating the subsequent recertification audits identical to the initial certification audit.
If that sounds more expensive, it isn’t. First, over a four-year period — that’s two 2-year Q001 audit cycles — you only undergo two audits. Under the IAF model, you undergo four audits. As you’ll see, the fact that those are abbreviated “surveillance” audits doesn’t matter when you total the numbers.
Despite the additional steps and scoring method, the final cost of Q001 audits is lower. We are reducing the required man-days for on-site audits almost across the board, but trying to balance this with ensuring the audits are actually meaningful and trustworthy. I think the Deep Dive option helps offset this risk.
The audit model also tosses out the ridiculous on-site “Stage 1” audit scam conducted by CBs now, and returns to an off-site QMS Document Review, at a much reduced cost since there are no travel expenses for these activities.
Remember that 2-year recertification cycle? That typically results in savings, too. Comparing a traditional IAF 3-year audit cycle vs. a four-year cycle under the Q001 model (two 2-year audits), and assuming a US industry rate of $1300 per audit day, a company of 75 employees would save almost $8,000. That doesn’t include the savings related to reduced auditor expenses. These numbers assume the company was not opting for the Deep Dive option, of course.
Factor in, as well, the fact that we’ve reduced expenses by conducting the initial activities off-site and the amount saved goes up.
So far, the math shows huge savings for nearly all companies. The exception is that very small companies of under 10 employees or so would actually see a slight increase in costs. The IAF’s solution for this has been to reduce audits for such companies to half-day “drive by” audits that are an industry joke. We don’t want to do that under Q001. But I’m still working the numbers.
Other Big Changes
The model will also correct a lot of the current flaws in the IAF scheme.
- No OFIs, ever: Under Q001 audits, only nonconformities can be issued. Auditors are prohibited outright from offering “opportunities for improvement” or any possible nonconformity requiring preventive action. Only actual, real and “right-now” nonconformities are written up, requiring corrective action. This removes entirely the plague of auditors engaging in consulting during audits. Q001 audits do not pretend to be able to “drive improvements” in a company, but only determine conformity with the standard; any improvements the company gains should come from its implementation of Q001 and the certification itself.
- No softgrading / hardgrading. In combination with the “No OFI” rule, the Q001 scheme eliminates the possibility of auditors softgrading nonconformities in order to retain clients, or hardgrading nonconformities in order to punish clients. This is because the definitions of “Major” vs. “Minor” nonconformities are clearly defined, and all nonconformities are reviewed by Oxebridge for compliance.
- Major Fallout Clauses: five clauses in the Q001 standard are deemed “Major Fallout Clauses” and result in lower scores if nonconformities are found in them. These are 4.3 Quality Management System Processes, 8.7 Control of Nonconforming Product or Service, 9.3 Management Review, 10.2 Corrective Action and 10.4 Incident Investigation. This simultaneously reduces the importance of lower-risk clauses like document control, which rarely result in actual defective product being shipped.
- Defined Minimum Audit Requirements: we’ve already worked up a full document on the minimum evidence required to be gathered by CB auditors. This will be published, too, so client organizations will know what they need to have ahead of Audit Day. This dramatically reduces sampling problems or lazy auditing.
- Final Decision: Oxebridge: we’re not fully decided yet, but following the CMMI model, I think the final certification decision will be left to Oxebridge, not the CB. This ensures we review every audit report and CB performance report to ensure the audit was valid before issuing a final ruling. I frankly think CBs will appreciate being relieved of this responsibility, but it will also ensure the accreditation body (us) sees every single certification audit report ever. This will reduce CB shenanigans.
No Oxebridge Consulting
In case you were worried, we won’t be providing Q001 consulting. This will remove any conflict of interest. I hope the standard doesn’t require much in the way of consulting anyway, as it’s supposed to be self-explanatory. I will probably require consultants who want to offer Q001 services to get licensed, the way CMMI consultants are. This will reduce scammers.
I will probably issue a template kit, however, making implementation even less costly. But don’t get crazy: the strict and scripted nature of the Q001 audits and evidence gathering won’t allow companies who merely cut-and-paste to pass an audit. It will only help fast-track their implementation.
What’s Not Solved
What Q001 still hasn’t solved is the problem of financial conflicts of interest. Clients will still pay their CB, the CBs will still pay their accreditation body (Oxebridge). Without a government-sponsored ombudsman body to collect the revenue and dole it out equally, there’s no way around this for now.
The hope is the strict rules of Q001 accreditation, the scripted audit process, and the general robust oversight will overcome the rampant corruption we see in the current IAF scheme. But I’m not pretending that we’ve turned water into wine, here.
Get More Info
Stay tuned for publication of the accreditation program procedures. If you’re a CB or other organization and interested in offering Q001 certification, contact me here.
If you’re a user organization and want to grab the free Q001 Standard and supporting documents, click here.
About Christopher Paris
Christopher Paris is the founder and VP Operations of Oxebridge. He has over 30 years' experience implementing ISO 9001 and AS9100 systems, and is a vocal advocate for the development and use of standards from the point of view of actual users. He is the author of Surviving ISO 9001 and Surviving AS9100. He reviews wines for the irreverent wine blog, Winepisser.