Be it ISO 9001 or ISO 14001 (The Quality and or Environmental Management System) standards or for that matter any of the updated standards in the HLS (High Level Structure), there are some things which were the practice all these years perhaps 3 decades or more, which suddenly find no mention in the standard! What happened to the backbone of process-based management system approach which was based on Preventive Action? Why has the QM (quality manual) vanished? Do we as an organization have to do everything? What happened to our exclusions?
Have the technical committees for each of the standards blundered by throwing the baby with the bath water?
Reminds me of a time, I visited an organization which manufactured children’s toys and prams and the like. This was some 12 years back. In preparation for the visit I studied their web site. To summarize my visit, I was surprised that what they promised on the site was the moon! What they actually gave the customer was what was in the QM and on their invoices written in font and size so small the client could not read it! Was the organization ISO 9001? Yes, it was. Auditors audited per what was in the QM. QM was in the scope, the website where they made promises was not in the scope? The point being the QM had restricted the scope. The revised and updated standard in HLS format has done away with the restriction. The revised standard does not say do not have a QM? It is merely silent on it. As a consultant, do I recommend a QM? Yes, I do. Does not the industry specific aerospace standard AS 9110 recommend it? Yes, it does.
There are organizations, which outsource major design and development aspects. With the exclusion provision of past standards, it tended to bring in complacency, wherein a ISO 9001 certified company could use its exclusion to not even have SMEs (subject matter experts) to make correct decisions on selecting contractors. With this provision of exclusion removed, is the implication that an organization will do all its own work? Does it imply no outsourcing to experts? No, the organizations will outsource work, but without the exclusion provision of the obsolete ISO 9001, they now need to have the expertise e.g. to be able to show how they select contractors and vendors for outsourcing.
Are we not to make our management systems (MS) proactive? Are we moving to a reactive MS, with removal of PA (preventive action) clause from the standard? Certainly not. ISO 9001 has merely replaced the PA with Risk and moved it up to planning stage in the P-D-C-A (plan do check act) cycle. It is important to appreciate this major change. ISO 9001:2008 and before the PA took place at the A (act) stage of the PDCA cycle. Take the case of any industry, including e.g. aerospace, and wait for a response phase to implement CA after the inputs at the C (check) stage of the PDCA cycle. Now the revised ISO 9001, AS 9110, AS 9100, ISO 14001, ISO 45001, ISO 20000 and ISO 27001 as also the other standards expect the organization to appreciate the risk at the plan stage of the PDCA cycle. Not use at plan stage, but then throughout the operation and at each stage. Prevention as a concept is inherent in appreciating the risk, in the context of the organization based on study of internal and external issues and looking at aspects and impacts to all parties involved.
Competence of employees is important to the functioning of the MS to achieve desired results. However, the previous version of ISO 9001 and other standards did not consider the knowledge level in the organization. The organization could have hired competent in-date top of the line employees some 10 years back, but is their knowledge current today? This question was not addressed in previous version of the ISO 9001 and other standards. For example, an organization could employ ex nuclear submarine Captains to meet the objectives of the navy in designing future tactics. With time, these competent, Captain’s knowledge level would reduce or some of them may leave and the expertise go with them. Clause7.1.6 of ISO 9001 has made organizational knowledge maintenance a requirement.
The standards have strengthened the fundamentals taking into account the modern technology, availability to search engines as Google with their vast data resources to enable generic risk appreciation at the plan stage. It has also recognized the ability of organizations to where applicable, use the risk input to search for opportunities for improvement (OFI).
So yes, the updated standard, ISO 9001 and the other standards have not thrown the baby with the bath water!