ISO 9001:2015 is being received as the worst revision of the famous QMS standard ever, mostly because of the horrible word salad that the authors ended up publishing. They took previously well-understood concepts and turned them into vague, confusing messes.

The new version suffers from two serious problems, both of which were absent from prior revisions. First, there are entire clauses that don’t actually contain requirements — I call these “blank clauses” — where they essentially leave you to fill in the blanks yourself. The other is what I call the “nonrequirements,” which are things that used to be dead-simple nonconformities under previous editions, but which now can’t be written up under ISO 9001:2015 because the language was mangled so badly, the old rules no longer apply; I’ll have a separate article on the “nonrequirements” shortly.

Because many ISO 9001 fans suffer from “Emperor’s New Clothes Syndrome” whereby they trust ISO so implicitly they don’t actually see that the clauses are blank (making me wonder if we should change the victim disorder “Stockholm Syndrome” to “Geneva Syndrome”.) They think there are requirements there because ISO told them there are, but a simple reading of the literal text proves otherwise. Other readers are simply so confused by the language, they aren’t sure what to make of it, and just rely on their registrar auditor to tell them what it means; that’s never a good idea. So let’s unpack this.

Understanding ISO 9001’s Primary Function

First, understand that ISO 9001 is primarily intended for third-party certification, and not for the “organizational improvement” that ISO has tried to spin it as. If ISO 9001 was only for “improvement,” then ISO would not have colluded with the IAF to set an arbitrary certification transition deadline, would they? ISO and IAF are partners in the certification scheme, no matter how many times ISO insists it has no role in certification; ISO’s sales drop when they don’t have auditors threatening de-certification if companies don’t buy updated standards.

Next, remember that any standard intended for use in third-party certification schemes must include requirements that can be verified during independent assessments. Vague platitudes and charming marketing spin can’t be assessed objectively; “hard” requirements can. While ISO was already pushing its luck by trying to take a nebulous thing like “quality management” and convert it into a set of hard requirements that could be audited, with ISO 9001:2015 it went into a whole new direction of crazy. No longer are the problems merely limited to ISO struggling to define requirements in an auditable way, now the standard doesn’t bother to define any requirements at all, leaving the development of the requirements up to the reader, which makes the entire point of ISO 9001 moot.

Finally, you have to understand that standards like ISO 9001 are designed to tell you what you must to in order to comply with them, but are prohibited from telling you how you will meet that requirement. For example, ISO 9001 tells you that you must control your documents, but they cannot tell you how to control the documents; that’s called “being prescriptive,” and ISO management system standards cannot be prescriptive.

The Blank Clauses

There are three “blank clauses” in ISO 9001; the first is within clause 6.2 “Quality Objectives and Planning to Achieve Them”:

6.2.2 When planning how to achieve its quality objectives, the organization shall determine:

  • what will be done;
  • what resources will be required;
  • who will be responsible;
  • when it will be completed;
  • how the results will be evaluated.

If you don’t see the missing requirements, it’s okay, there’s an optical illusion in play here that tricks many readers. Because there are a lot of words there — a total of 83 words in all — your brain convinces you that ISO actually said something. Look at the following illustration:The image at left is the ISO 9001 clause blurred, so you can’t read it; nevertheless, your brain is tricked into believing that the image on the left contains more information than the blank image on the right, simply because it sees content (shapes, letters, etc.). To recognize that both are actually “blank” requires you to exercise your intellect and overcome your basic, lizard-brain optical assumption. If you read the clause again, and go slow and interpret the words literally, you find it’s actually blank. There’s no “there” there.

Why is this? Let’s read it together. The clause opens by saying “the organization shall determine“; this literally means you (the “organization”) will have responsibility for everything that follows. That makes sense, easily enough. But what follows is a bullet item that only demands you to determine “what will be done.” They literally used the word “what,” offloading the making of the requirement onto the reader. Now you not only have to figure out how to meet the requirement, but what the actual requirement is!

This is the equivalent of saying, “the organization shall determine what to do.” When you read it this way, you realize there’s no point in having ISO 9001 at all, if they are just going to have you fill in the requirements. They may as well sell a $180 document that is comprised of a single page that says, “you fill in the blanks, we can’t be bothered.”

Let’s look at a different clause, where ISO 9001:2015 gets it right: clause 9.1.3 “Analysis and Evaluation.” Here the clause begins with a statement telling you that you will have to do something, and then provides a bulleted list of what, exactly, you’ll have to do:

The organization shall analyze and evaluate appropriate data and information arising from monitoring and measurement.The results of analysis shall be used to evaluate:

a) conformity of products and services;
b) the degree of customer satisfaction;

…etc…

In that case, the opening sentence tells you to evaluate something, and the subsequent bulleted list defines that “something.” For example, you are either measuring customer satisfaction or not; an auditor can verify this. The methods (“how”) are still left up to you, in accordance with the normal approach to writing standards.  But the Blank Clauses don’t bother with this. Take a look at the Blank Clause 7.4 on “Communication”:

The organization shall determine the internal and external communications relevant to the quality management system, including:

  • on what it will communicate;
  • when to communicate;
  • with whom to communicate;
  • how to communicate;
  • who communicates.

Once again, ISO 9001 abdicates its only responsibility: it just told you to fill in the requirement by definining “what” you are going to communicate. As a result, clause 7.4 is actually blank — there’s no actual requirement!

Finally, the last Blank Clause appears in 9.1 “Monitoring, Measurement, Analysis and Evaluation”:

9.1.1 General

The organization shall determine:

a) what needs to be monitored and measured

Here again the standard does not define what must be monitored and measured, but offloads that responsibility onto the reader. This violates the sole purpose of having a standard in the first place. What do we need ISO for if they are just going to push their responsibilities on the reader? By this measure, ISO should be paying each of its readers $180, and not the other way around. ISO 9001:2015 is like buying a coloring book for your kid, but which requires them to draw the black-and-white illustrations themselves, before they even color them; essentially, a book filled with blank sheets of paper.

Just Say No

There’s an even more problematic aspect to this. Most companies will simply dismiss this argument as semantics, and ignore the fact that it’s literally true and violates the entire reason for having a standard. Most companies will simply push ahead and define the requirements, and then describe how they meet those requirements they just made up themselves. Some may even say this is desirable. Most of the time, these companies will do this within the “spirit” of ISO 9001, and define robust methods for determining quality objectives, internal communication and monitoring & measurement.

But here’s the thing: when something is optional, it means there are other people who won’t follow the spirit of the standard, and do something entirely contrary. In this case, it means some may answer the Blank Clauses by simply saying, “No.” For example, when clause 6.2.2 says ,”When planning how to achieve its quality objectives, the organization shall determine what will be done,” a company could quite literally — and legally — respond by saying “we’ve determined nothing will be done.” That’s an entirely valid response to what is, essentially, a question being asked by ISO, rather than a statement. It would actually hold up in court.

Pause on that thought, because you’re probably thinking it’s crazy. But a literal reading of the standard — which is how standards are intended to be read — shows that ISO 9001 is only telling you to come up with something, but not to actually do something. If you elect to do nothing, and then actually do nothing, you’d have satisfied the clause entirely.

Likewise, the next sentence in 6.2.2 asks you to determine the “what resources will be required,” to this you can also answer, “none.” And it’s entirely acceptable under ISO 9001. No auditor could ever write you up for this.

When clause 9.1 says, “The organization shall determine what needs to be monitored and measured,” you can say “nothing.” It’s a valid answer when the question is viewed literally, which is the way standards are to be viewed.

How to Fix This

Never one to simply complain, I like to offer solutions. If we lived in a world where ISO wasn’t more obsessed with its image and marketing, it would recall ISO 9001 as a defective product, and release an early “corrected” update to fix these problems. For the Blank Clause issue, ISO would rewrite the clauses to form actual requirements, while leaving the user the freedom to determine how to implement them.

Let’s go back to 6.2.2 on quality objectives again, as an example. What ISO 9001 should have done, of course, is have an opening sentence that reads something like this: “The organization shall plan the quality objectives by determining…” and then defined its bulleted list. That would have made the list an auditable set of requirements, rather a a set of un-auditable suggestions. The list would need tweaking too, so the entire clause would have to look something like this:

6.2.2 The organization shall plan the quality objectives by determining:

  • how objectives planning will be done;
  • the appropriate resources for objectives planning;
  • responsibilities and authorities for objectives planning;
  • time frames for achieving the objectives;
  • how the results will be evaluated.

That provides a set of hard requirements which can’t be dodged merely by answering “none.” Furthermore, it’s entirely auditable by a third party.

Remember that ISO 9001 was written by conflicted consultants who sought to make ISO 9001 as confusing as possible so you’d have to hire them later to decode the mess. ISO just wanted to get the thing in print, so never bothered to hire an editor. Not a single TC 176 member had professional writing skills (that I can see, anyway), and the leadership wasn’t about to let any minor player who might have suggested such changes have any input anyway. The result is a highly defective work product that fails in doing the only thing it’s tasked with doing: defining requirements.

For the user, the only way to proceed in implementing ISO 9001:2015 is to pretend that ISO isn’t a bunch of idiots, and pretend they didn’t just leave you with a blank sheet of paper. this means ignoring what’s written on the pages of ISO 9001 and, instead, clearly define what you are going to communicate, what you are going to monitor and measure and what your quality objectives are.

It’s stunning that it’s come to this, but ISO is now more interested in its inane Twitter feed than doing the one job it gave itself. No wonder their grip on international standards is imploding.

 

    About Christopher Paris

    Christopher Paris is the founder and VP Operations of Oxebridge. He has over 25 years' experience implementing ISO 9001 and AS9100 systems, and is a vocal advocate for the development and use of standards from the point of view of actual users. He is the author of Surviving ISO 9001:2015, which can be purchased here.