NEED HELP? TALK TO AN EXPERT
Select your ISO Interest
“How Auditing Helps Prevent Tragedy,” presented by Dr. IJ Arora with Wendy Edwards (Project Director of Exemplar Global) at the Exemplar Global’s Excellence in Auditing Expo!
Click the link here to understand the critical role auditing plays in averting potential disasters. Whether you’re in risk management, quality assurance, or simply interested in safety and security, this discussion offers valuable perspectives and actionable takeaways.
Dr. IJ Arora
Boeing is within the highlight once more with its 737 MAX planes, that have already had a deeply bothered historical past. Buyer center of attention (which is clause 5.1.2 of ISO 9001 and AS9100) turns out to were misplaced someplace.
I’ve learn a number of contemporary articles on those incidents in addition to Peter Robison’s ebook Flying Blind: The 737 MAX Tragedy and the Fall of Boeing, all of which level to a worsening scenario for Boeing. The general public belief of this nice American corporate, which has all the time been dedicated to top-class engineering and depended on merchandise, is converting from one among admire to one among warning. Vacationers are questioning, “Must I fly in a 737 MAX?”
Boeing and the aerospace {industry} normally have excessive requirements for high quality and product protection. On this article, I postulate whether or not an organization’s high quality control machine can ensure that not anything is going fallacious for patrons. Can it make certain perfection? If no longer, what are the choices—and why have one in any respect?
What took place and who’s accountable?
For the ones no longer acquainted with the 737 MAX incident in January, in a while after an Alaska Airways flight departed from Portland, Oregon, a cabin door panel blew off. As investigations are nonetheless ongoing the reasons have no longer but been totally decided. Boeing additionally had a tool factor at the 737 MAX, ensuing within the crash of a Lion Air flight in 2018 and an Ethiopian Airlines flight in 2019.
Right here in the US, the Federal Aviation Management (FAA) performs a vital function in offering laws to make sure flight protection, and likewise supplies oversight of plane producers, airports, and upkeep suppliers. On the subject of the Alaska Airways flight, it kind of feels that the FAA didn’t uphold its depended on function. The FAA’s a large number of assessments and balances, maximum of that are meant to concentrate on buyer protection, had been like aligning holes in slices of Swiss cheese. It’ll be fascinating to peer what adjustments this incident brings about on the FAA. On the other hand, can regulatory oversight ensure protection of flight?
The AS9100 same old, which is restricted to the aerospace {industry}, isn’t the brainchild of a unmarried entity, however fairly a collaborative effort pushed by means of two key gamers:
You will need to word that AS9100 builds upon the root of the extra normal ISO 9001 high quality control machine same old. Whilst ISO 9001 lays the fundamental framework, the IAQG provides industry-specific necessities a very powerful for making sure protection and high quality within the aerospace area.
Along with the producer and the FAA, the landlord/lessor of the plane additionally performs a task in making sure the aircraft is correctly maintained. This comprises settling on a reliable upkeep supplier, hiring competent engineers, and having powerful processes in position. With such a lot of other stakeholders, can blame be attributed to only one when injuries occur? Moreover, must blame be the secret? Possibly no longer! You will need to word that the machine is applied to toughen every consumer and that each one stakeholders within the worth chain play their phase as effectively.
Audits, inspections, and control methods: Are those the answer?
In the back of each tragedy, casualty, and mishap is a series of comparable occasions. The instant suspect when these kind of vital screw ups happen are deficient inspection protocols, possibly even the feared “human error.” On the other hand, this can be the low-hanging fruit and a deeper dive would possibly establish different causal elements, akin to asking if the standard audit failed.
What’s the distinction between an audit and an inspection? Can they change every different or are inspections by myself sufficient? The straightforward resolution is not any! Each are wanted because of elementary variations in method. Audits take a look at the processes to make sure the control machine produces conforming services and products. An effective control machine should come with the next, to call a couple of:
Inspections play the most important function by means of figuring out defects previous to unlock, thus protective no longer most effective the buyer/buyer/consumer/warfighter, and so forth., but in addition the recognition of the group itself. With that stated, inspections don’t give a contribution to power development as a result of they center of attention on fixes versus long-term answers. In impact, they don’t in reality upload worth for the reason that group has already incurred the price of generating the faulty phase or product. The creators of the Toyota Manufacturing Machine (i.e., lean) got here up with the Andon procedure to catch a defect as early within the procedure as imaginable as a way to repair it sooner than the issue went too a ways down the road.
Control methods aren’t only a choice of paperwork. To serve as correctly, they require dedication in any respect ranges of the group, together with height control offering the wanted assets. It takes time to construct a tradition of high quality wherein shortcuts are have shyed away from and there’s no worry of talking up. Buyer center of attention should no longer be compromised. As an example, unlock of conforming product must cross throughout the procedure particularly referred to as out by means of clause 8.6; any interference by means of height control to truncate this procedure would suggest the lack of buyer center of attention. Is that this an opportunity? Possibly, however the investigation should expose the reality. On this case of the Alaska Air incident each the Boeing consumers and Boeing as an organization have suffered. It’s my hope that investigators will establish all failed portions of the machine from every accountable birthday celebration. Those would possibly come with no longer most effective failed inspections, but in addition suboptimal processes. This may finally end up taking us again to an insufficient high quality control machine.
High quality control methods: Can they ship?
Given the above, can a correctly designed and well-audited control machine (supported by means of excellent inspection tactics to assist make certain conforming product) ensure that not anything is going fallacious with a company’s output? My opinion is that no person can ensure this utterly. On the other hand, possibility can indisputably be very much decreased when the entirety is applied effectively. This comprises the educational of team of workers, which correlates strongly to competence; sadly, that is ceaselessly the primary price range to get minimize when assets are scarce.
When high-visibility incidents like those happen, it can be forgotten that airplanes stay the statistically most secure mode of go back and forth on earth. That is essentially because of powerful high quality control methods, well-adopted regulatory frameworks, and common oversight. People play the most important function within the good fortune of the control machine, from the dedication on the height to the buy-in by means of the body of workers (clause 5 to clauses 7.1.3, 7.1.4, and 10.3). Taken in combination, this is helping create an atmosphere the place high quality can flourish inside the group.
Boeing could also be doing so much accurately, and but the consequences may well be unacceptable relying at the efficiency of outsourced processes (clauses 8.41/8.4.2/8.4.3). In spite of everything, the fuselages for the 737 MAX are made by means of Spirit AeroSystems Holdings Inc. Spirit AeroSystems is positioned in Wichita, Kansas; as soon as those fuselages are manufactured, they’re shipped by means of rail to Boeing’s facility in Renton, Washington. Due to this fact, no longer most effective is a significant part of the 737 MAX outsourced, however the delivery and preservation of product (clause 8.5.4) additionally may just give a contribution to the product’s nonconformity. General, Boeing stays chargeable for all the provide chain (clause 4.3), with their legal responsibility to “make certain conformity of its services and products and the enhancement of shopper delight.”
Even with a cast high quality control machine in position, this or identical screw ups can happen. There’s no technique to guarantee the general public of 100-percent acting (i.e., highest) output. The worry within the minds of air vacationers is legitimate and can stay so till an exhaustive root motive research of this factor is carried out and the ones root reasons are resolved. The present occasions beg the query: Did Boeing make stronger their control machine after the Ethiopian Airways 737 MAX crash? If that they had bent to the oars and long gone deep into their evaluation to discover and completely repair the holes of their control machine, this tournament would possibly by no means have happened. Floor corrections, or what some organizations name “repair -it” answers, most effective take away the indications. The foundation reasons should be addressed and resolved (clause 10.2.1). There aren’t any shortcuts to high quality.
In conclusion
It has taken years for air vacationers to really feel protected and unconcerned about air protection. I go back and forth so much the world over, and ceaselessly select an airline according to their carrier and luxury, however now I (in addition to the wider public, I might consider) want to imagine which plane will delivery us. This can be a new worry about product protection that has its genesis in Boeing no longer working its control machine successfully and shedding buyer center of attention. The worst is the erosion of public self assurance in federal oversight and its intent to stay the client protected.
I’ve spent my lifestyles learning identical complicated issues and main groups in serving to organizations in finding long-term sustainable answers. This calls for daring and dynamic management (clauses 5.3 and 5.1) for leaders to plot and enforce alternate. Appreciating and accepting dangers (i.e., protecting the client in center of attention) and transferring ahead is integral to true management. Ethics continues to be no longer a clause of ISO 9001 and AS9100, however moral management is ready doing the proper factor for all stakeholders.
In seminars at which I provide, I ceaselessly ask senior managers: “When you have a decision between following the process and/or doing the proper factor, what would you do as a pace-setter?” The solution—I’m hoping—is to do the proper factor always. However then, hope isn’t a plan. Air protection can’t be according to hope and religion. Boeing wishes the management to revamp their machine if they’re to carry the general public consider again for this nice American corporate.
Concerning the writer
Dr. IJ Arora, Ph.D., is the President and CEO of QMII. He serves as a workforce chief for consulting, advising, auditing, and coaching relating to control methods. He has carried out many lessons for the US Coast Guard and is a well-liked speaker at a number of universities and boards on control methods. Arora is a Grasp Mariner who holds a Ph.D., a grasp’s level, an MBA, and has a 34-year file of accomplishment within the army, mercantile marine, and civilian {industry}.
Hyperlink to the thing characteristic in Exemplar International e-newsletter – “The Auditor”
IJ Arora, Ph.D
Cybersecurity threats have become a pressing concern in the modern era due to our lives becoming increasingly dependent on computerization. However, with the convenience of technology comes vulnerability to malicious attacks. The maritime industry, with a growing reliance on technology, faces significant cybersecurity threats. Dr. Jekyll and Mr. Hyde (i.e., good and bad) exist and have always existed. Protecting against cyberattacks is crucial to ensuring the industry’s stability and security.
Understanding cybersecurity in the maritime industry
Cybersecurity in the maritime sector involves safeguarding systems, information, and assets from unauthorized access, disruptions, or manipulations. The industry’s growing reliance on technology, including networks controlling essential functions like navigation and communication, makes it an attractive target for cybercriminals. To maintain business continuity, it is crucial that companies assess their current cybersecurity posture and act to proactively improve it. The maritime industry supports trade and the economy at large, so a cyberattack can have broader consequences beyond just affecting a single vessel or company. For this reason, the intent of the attackers might be broader than simply affecting a specific entity for ransom.
Current challenges in maritime cybersecurity
Before delving into the 10 essential steps to fortify against cyberthreats, it’s crucial to acknowledge the prevalent challenges faced by the maritime industry, which include:
Controlling both information technology and operational technology systems is critical to fortifying cybersecurity. Various systems within the small passenger-vessel sector are susceptible to cyberthreats, including bridge systems, access control systems, passenger servicing and management systems, and communication systems.
The 10 steps
When addressing cybersecurity, organizations must consider protecting information itself as well as the asset on which that information is stored. Control of both information technology (IT) and operational technology (OT) systems is critical to fortifying cybersecurity. Additionally, management must consider the confidentiality, integrity, and availability of information and how these three aspects may potentially be compromised.
Step 1: Leadership commitment
Leaders must drive the need for cybersecurity and ensure that it is baked in (not buttoned on) to processes. They need to engage the workforce to contribute to the system. To do this, they can:
Step 2: Use a system framework
Employ the plan, do, check, act (PDCA) cycle as the foundation for a robust cybersecurity approach. This is also the approach prescribed by the Passenger Vessel Association (PVA) safety management system (SMS) framework.
Step 3: Contextualize risk
Step 4: Risk assessment (3D framework)
Leaving hazards in uncertain states is a drawback for proper risk assessment. It is the responsibility of leadership to convert uncertainty into clearly defined risks within the context of the organization and then prioritize those risks.
Step 5: Build controls into processes
Controls can be split into various categories, including administrative, physical, human, and technological. In some cases one control may suffice, but for the most part a combination of controls must be applied. Identified controls should be implemented based on the feasibility rule, meaning that although they may look good in a vacuum, ease of implementation must be considered. Information security should be a part of everything the organization does—not an add-on. This includes:
Step 6: Maintain basic measures
Basic safety measures are easy to implement and, for the most part, they are cost-effective. This can include cybersecurity awareness training for personnel, physical security, and password security. Below are a few more, although this is not an exhaustive list:
Step 7: Employee awareness
It is important to make employees aware of the need for good cybersecurity protocols. Employees are often the weakest link in the security chain. Statistics show that almost 36 percent of data breaches are caused by employee negligence. Immediate actions organization can take include:
Step 8: Emergency preparedness
No organization is immune to cyberattacks. It is important to have a plan in place for responding to attacks quickly and effectively. The plan should include steps for mitigating the damage, containing the attack, and investigating the incident. You can use ISO 22301: 2019, “Business continuity,” to develop this plan.
Step 9: Assess effectiveness
The check stage of the PDCA cycle is vital to instill confidence in the effectiveness of the organization’s cybersecurity measures.
Step 10: Continual improvement
Conclusion
Taking cybersecurity seriously and implementing these 10 steps can significantly mitigate the risk of cyberattacks. Begin the process by conducting a gap assessment using a qualified person to assess where your system currently stands and what actions need to be taken.
Your action plan should identify risks, gaps, and the controls needed. These controls can easily be integrated into the existing safety management system. Investing in cybersecurity today will better prepare your organization to manage future risks. Leadership involvement is crucial, and these steps serve as a solid foundation to effectively fortify cybersecurity measures.
About the author
Inderjit (IJ) Arora, Ph.D., is the President and CEO of QMII. He serves as a team leader for consulting, advising, auditing, and training regarding management systems. He has conducted many courses for the United States Coast Guard and is a popular speaker at several universities and forums on management systems. Arora is a Master Mariner who holds a Ph.D., a master’s degree, an MBA, and has a 33-year record of achievement in the military, mercantile marine, and civilian industry.
Above article is featured in the following:-
ISO 9001 has proactively kept up with various industry expectations, over the years, to allow
application by a broad spectrum of industry including the defense forces. The 2015 revision was
a thoughtfully planned giant step. It defined risk (ISO 9001 Clause 6.1) in the context of the
organization (ISO 9001 Clause 4.1 & 4.2) and removed exclusions provision from certification by
redefining what an organization does not do or outsources in the scope (ISO 9001 Clause 4.3). It
also removed preventive action, a reactive concept, and introduced proactive risk appreciation
(Clause 6.1 of ISO 9001 & Clause 8.1 in industry specific standards as AS9100).
This took preventive action from the delayed “Act” stage of the PDCA (Plan-Do-Check-Act) stage
to the more logical sensible “Plan” stage. After all, “look before you leap”, as the historical
fundamental, could not be left as a preventive action decision. It had to be at the look – plan
stage! Risk also needed not just mitigation, but also acted as an input, to be used to bring in
innovation in terms of OFI (opportunity for improvement).
These were all positive steps in keeping with technical advancements and computerization and
AI (artificial intelligence) tools. The HLS (high level structure), later updated to HS (harmonized
structure), recognized the need to enable ease of implementation of integrated management
systems. This in turn leading to efficiency, ROI (return on investment) and where applicable
environmental protection, security of the global supply chain, business continuity, cyber
security and health and safety.
The differentiating of knowledge (ISO 9001 Clause 7.6) from competence (ISO 9001 Clause 7.2)
was also a clever needed change. Organizations needed to define their corporate knowledge
aspects and differentiate it from the individual knowledge of personnel. Knowledge and
competence needed merging and a healthy marriage but needed recognition that they were
different. Removal of the reference to Quality Manager (QM) and Quality Manual from the
standard, took away the narrowness of thinking in quality, and brought the clarity to leadership
to remain accountable and to differentiate authority delegation from retaining the
accountability.
I am a member of the TAG-176 group, and yet have not really contributed much to the next
expected changes to ISO 9001. I am sure the TC-176 is working on this. Nevertheless, it is time
to debate and consider updating the standard.
Since the 2015 version was a major fundamental change, I doubt there would be a significant
departure from this 2015 version in the next major update. Unlikely that the next version may
have revolutionary updates. The emphasis, I think would be to clarify and strengthen the
present thoughts in the 2015 version. I would consider the following:
1. Two Standard Concept: I have over the years thought about the two prongs:
manufacturing and service, approach. Both the service and the manufacturing industry
have been using the standard. Some may consider the need for a separate
manufacturing and a service standard as the next step. However, over the years I have
feared too much bureaucracy which the two standards approach brings. I think the two
standard approaches may actually cause more issues than to resolve them. Might I
opine that Clauses under 8.3 for D&D can, if needed, be strengthened, clarified or more
useful notes as applicable to service version incorporated to assist implementers,
consultants and auditors?
2. Risk be better defined and OFI be clarified, to avoid auditors using it as a tool to sneak in
recommendations. OFI is the outcome of considering risk as an input for innovation. It is
not a recommendation.
3. The knowledge clause needs meat to strengthen it, and to better make it inclusive to
systematizing the requirements for organizations to systematize lessons learnt.
4. An annex added to bring clarity and ease to designing and implementing a combined
management system for an organization.
5. Clause 4.3 Scope, in defining scope requires consideration of the context of the
organization, which is based on Clauses 4.1 and 4.2. However, while the scope has to be
available as documented, 4.1 and 4.2 do not require documentation. I would suggest
both clauses 4.1 & 4.2 to have context as a documented requirement.
In conclusion, I think, updating the standard ground up is not a wise idea at this stage. Perhaps
slight tweaking to include some minor changes would give stability in implementation of an
already robust standard.
Exclusions to what an organization does were integral to the ISO 9001 standard prior to the 2015 version update. After all an organization cannot do all the work. Clause 7.1.1 lays the foundation on this thought by accepting that an organization must determine and provide resources. In doing so it determines the constraints and capabilities of the existing resources and what needs to be obtained from external providers. As such in previous standards, the organization, when seeking certification, requested exclusion on those processes that it did not perform.
The drawback of this was a major flaw. Over the period of time, some of these organizations, sheltered under the exclusion provision even lost the ability to pick the correct outsourced party! For example, if the organization builds highways, but outsources bridges and tunnels, then it must have the ability to be able to pick the correct vendor/ contractor who will not let the customer down. The revised 2015 version of the standard therefore in the wisdom of TC-176, removed this exclusion provision. It does not imply now the organization cannot outsource what it does not do. All that it means that the organization can review the applicability of the requirements based on its size, complexity and decide on the activities it needs to outsource.
With the exclusion provision removed, the organization would need to do due diligence in appreciating the range of its activities and the risks and opportunities it encounters as also the effect if any of the outsourced vendors not performing to accepted requirements. The organization then remains accountable for the outcome of the outsourced processes and products and services externally obtained. To ensure their consistency and levels of acceptance, it would need to take measures as required by clauses 8.4.1, 8.4.2, and 8.4.3 of the ISO 9001 in enforcing monitoring and measuring to protect its customer and clients.
This assurance that an organization can not and will not outsource those activities which by its decision will not result in failure to achieve conformity of products and services. Clause 4.3 of ISO9001 in determining the scope of the quality management system clearly requires that conformity to the ISO 9001 can only be claimed if the requirements determined as not being applicable do not have an adverse impact on the promises made by the organization. The products it provides, based on externally obtained subproducts or services must not affect customer satisfaction.
In terms of auditing, it is incumbent upon auditors that they carefully seek conformity to this requirement when auditing. Internal audits to ISO 9001 must provide the objective inputs to top management to make better decisions and appreciate the risks of outsourcing to nonperforming and or underperforming outside organizations, remembering they remain accountable and answerable for the final product or service. Ensuring the organization’s accountability for the conforming products and services whether outsourced or not is the responsibility of the organization.
QMII’s ISO 9001 EG (Exemplar Global) certified lead auditor training designed carefully to meet the objectives as envisaged in the standard.
With the HLS (high-level structure) common to all standards ensuring the ten-clause structure an organization can ensure the best results to its management system by having an integrated management system. A divided approach to managing an organization based on several standards can often result in environmental and quality policy being in conflict. If occupational health and safety (ISO 45001) are also to be integrated, it enables the management to consider the risks in the combined context of the organization. When these are separated the combined risks can be mixed. Further, if security is to be also part of the management system (ISO 28000 – still not in the HLS format), integrating the system would ensure a functional management system.
Environmental management system based on ISO 14001, has integral it the consideration of aspects, their impacts, recognition of significant impacts, and prioritization of the same. Experience shows that implementing ISO 14001 is easier and simpler and more readily accepted by the employees when the organization already has a functioning Quality Management System (QMS) based on ISO 9001 in place.
A well-implemented EMS, EMS ensures cost savings by recycling, reduction in consumption, and cost savings in waste. This gives tremendous advantages over competitors for projecting the organization as a responsible company but when tendering for business. Managing risks is more comprehensive, as the leadership is able to see combined risks to the organization in quality, safety, occupational health, and security. The demonstration of commitment to improving the environment in a socially responsible manner is more systematically implemented by interpreting the ISO 14001.
Auditing the integrated management system, if that be the choice (recommended), or just the EMS based on ISO 14001 requires the auditors to first interpret the standard based on company policy, the organization’s goals based on consideration including expectations of the interested parties and the external and internal issues aligned to statutory requirements. Auditors, particularly internal auditors must ensure the interpretations of ISO 14001 are aligned per guidelines for the industry. ISO 14001 certification can improve an organization’s reputation and result in improved relationships to the mutual benefit of stakeholders and the organization.
Auditors must not forget that internal auditing is not to judge the legal compliance of the processes. Legal compliance is a requirement and is best judged by compliance auditors. Internal auditors audit to see that the organization has the processes to ensure compliance. Internal auditors look at the plans of the organization to ensure processes monitor environmental aspects and mitigate as required, systematically address them.
QMII (www.qmii.com) has for 30 plus years integrated management systems and training lead auditors for various standards including ISO 14001. With our vast consulting experience in ISO 14001, we reinvest our field experience into the content development of our courses. The real-world experiences back our instructors and training material in ensuring auditors understand ISO 14001.
A good internal audit process, for any standard, particularly the ISO 14001, should start with a good plan. Good QMII training ensures, auditors prioritize audits, and allocation of time-based on risks, previous results, the importance of the process. The audit cycle is often one year (can vary), and so depending on the environmental importance of the process and past performance-critical environmental aspects can be audited.
The ISM (International Safety Management) Code, in itself, is not a magic wand, that will bring safety or prevent pollution. It depends on the organization on how it implements the Code. Safe operation of ships and the prevention of pollution should have been any organization’s objective. Yet all over the world owners to save money compromise these objectives. Did not the Titanic on April 15, 1912, sink, trying to create a record of crossing the Atlantic, by going North to cut distance, run into the iceberg?
The sinking of the Titanic, with a loss of nearly 1500 passengers and the crew was an eye-opener. It led to the SOLAS (Safety of Life at Sea) convention. Did the negligence and continued operation of ships compromising safety stop with SOLAS? Sadly not. The investigation by Justice Sheen into the sinking of the Herald of Free Enterprise, on March 6, 1987, looked at why SOLAS had not helped prevent the tragedy. It brought out the necessity for a process-based management system, and the SOLAS Chapter IX was updated to authorize the ISM Code. It provides the guidelines for the implementation of a system to ensure the safety of vessels at sea.
The Flag State Administrations whose flag the ships sail under, legitimize the use of the code making it mandatory for internationally trading vessels. If any company is bent upon not implementing it in the spirit of it, then of course the objectives of the code as also the functional requirements will not be met. Owners and Operators of the vessels often look to short term gains wherein they compromise the standards and bypass the rules. They have to understand that behind every casualty at sea are many detentions and behind them indicators like Major NCs (non-conformities) and near misses.
The Flag States who do not strictly inspect and audit vessels to the ISM Code and issue SMC (safety management certificates), are actually, to retain the business of ship owners, jeopardizing the same ships! Even some responsible Flag States, due to shortage of manpower outsource their duties to ROs (recognized organizations), often represented by class societies. This results in diluted control, as an outsourced process needs strict monitoring of the process to ensure the performance is not affected. Not managing an outsourced process is as good as not taking responsibility. Authority can be delegated, bot the responsibility.
NCs (non-conformities) drive correction and CA (corrective action), and as such should be welcome as inputs to ensure continual improvement of the system based on the ISM Code. Yet, there are every day common examples of Masters of ships negotiating to somehow get the auditors to not give NCs. This is because the management ashore is not mature to realize, that keeping the master’s pressurized and performance being judged by NCs reported is creating an environment of fear and hiding of NCs. A good SMS (safety management system) based on the ISM Code, if correctly implemented should welcome NCs. The DP (designated person) should know that the “only bad NC, is the one which the organization does not know about.”
For domestic vessels, and for that matter towing and small vessels, and perhaps in due course of time for domestic passenger vessels, one would think a new standard would be required? Sub Chapter M for the towing industry in the USA, is nothing else but the ISM Code domesticated. The ISM Code is a useful well thought of document which provides strong fundamentals based on hundreds of years of sea experience, loss of life, cargoes, ships, and fortunes. The process-based management system it propagates would systematize operations. However, for an effective management system, the implementers have to be motivated and committed. The Flag States have to be strict and vigilant in their issue of certificates. When they outsource the certification to Ros, they must not wash their hands of their responsibility. The strict monitoring of the ROs by ensuring good clear concise MOUs (memorandums of understanding) with clear provisions to audit the ROs must be put in place. The owners and operators through their organization should put in place a robust internal auditing program that gives the objective inputs on the implementation of the ISM Code.
– by Dr. IJ Arora
Quality Management Systems (QMS) are today extensively a part of an organization. If the TM (top management) is committed, it uses the ISO 9001 based management system to meet customer requirements, ensure customer focus and provide desired outputs. Where the TM/ leadership is immature, they often may implement a quality management system to get the ISO 9001 certification. This decision to have a QMS certification without effective implementation is a waste of money and resources. It is not worth the paper the certificate is on. Or perhaps it is, because having that ISO 9001 certificate may be the passport to win a contract or run a business.
Failed management systems (MS) invariably have a lack of management commitment or worse a leadership who do not understand the cost of not having quality. Such quality management systems are aligned to ISO 9001, but for easy auditing written to the clause structure of the standard. Such systems are written for auditors, who then audit it effortlessly as they can see the system written to the clause structure of the ISO 9001. Leaders forget that MSs should be designed for implementation by their employees.
Organizations do not work to clauses of the ISO 9001. They use the clauses to design a better MS. The organizational structure of any organization takes its direction from the policy (clause 5.2 of the ISO 9001). The policy leads the organization and its functional departments to convert the policy into measurable objectives (clause 6.2 of ISO 9001). These functional division of the organization work to achieve their objectives by functioning per their key and support processes. A quality management system based on ISO 9001 requires the system to work using a process-based management system approach. The idea is to be systematic about working so that customer requirements and expectations are analyzed before being accepted. Once accepted, the organization with the efficient interaction of its processes produces the desired outputs meeting the requirements and specifications as the case may be, and also ensures, where applicable that the statutory directions are met.
ISO 9001:2015 emphasizes customer focus not only in clause 5.1.2 but throughout the standard to ensure that the Quality Management System based on ISO 9001 appreciates the risks in the context of the organization and consistently produces confirming products and services. It is important that customer focus is maintained throughout, integrity of the quality management system always maintained and if for any reason a non-conforming product is produced then such non-conforming product or service is handled in a manner that the customer is never sent such a product.
For this reason QMSs based on ISO 9001 or for that matter any ISO standard, or an industry specific standard like AS 9100 or say a MS based on ISM Code (for maritime safety) and so on, should work using the accepted PDCA (Plan Do Check Act) cycle. Processes are designed, documented or undocumented to ensure that a good preparation is made at the Plan Stage. Any good QMS interprets the clauses of ISO 9001 for its QMS using clauses 4, 5, 6 & 7 to appreciate the risk and make a good plan before going to the do stage. The implementation of executing the inputs to convert them into desired outputs is done using ISO 9001 clauses under 8.
Any quality management system based on ISO 9001 has to sustain its processes delivering the final product or service by designing them well, resourcing them and monitoring them. Therefore, a strong objective check stage is required to conduct internal audits and to analyze data so that the information provides inputs for better resourcing. Clauses 9 and 10 of ISO 9001 address the check and act phases synonymous with monitoring and decision making by leadership before the next cycle of the PDCA cycle is implemented. The act stage is a vital stage associated with the leadership wherein a management review of the performance of the quality management system is conducted.
For the quality management system to deliver what ISO 9001 is designed around, is only possible if the leadership is genuinely committed to not just have a QMS based on ISO 9001, but uses it to make decisions. The business system and the QMS should be married in a strong unbreakable bond.
