Surviving ISO 9001:2015, 2nd Edition: What Went So Wrong with the World's Foremost Quality Management Standard and How to Implement It Anyway

Surviving ISO 9001:2015

What Went So Wrong with the World’s Foremost Quality Management Standard and How to Implement It Anyway

Second Edition

About the Author

Introduction: I Don’t Like This Any More Than You Do

Part One: Frankenstein Sets to Work

The Grand Promise

The Ballad of Timmy Graspbottom

SNIKT!

Bow Chicka Wow Wow – Inputs and Outputs

The Revision That Wasn’t

Meet the Frankensteins

Scheming Schemers

Rise of the Planet of the Consultants

Consensus: Doubleplusgood Bellyfeel

ISO, Unfriended

Decree from the Ivory Tower: Annex SL

The Secret Origin of Risk-Based Thinking

Octoquimps Rebooted

Part Two: The Creature Raids the Village

Introduction

Opening Clauses: The Bits Nobody Reads

Forward, Foreword!

Antici....................pation

I Reject Your Principles, On Principle

The Process Approacheth

Peedeeseeay

Risk-Based Co-opting

If You Like That, You’ll Love This!

1.0 Lasciate Ogni Speranza, Voi Ch’entrate

2.0 Abnormative References

3.0 The Part They Use for Padding

Clause 4.0 Context of the Organization, or The Only Time Self-Love Isn’t a Euphemism

4.0 Narcissus Unbound: The COTO Exercise

4.2 If This Party Gets Any More Interesting, the Neighbors Are Gonna Call the Cops

4.1 A Guy Who Dresses Up as a Bat Clearly Has Issues

4.3 Up Periscope!

4.4 Approaching the Process of Processing Approaches to the Process Approach

4.5 COTO Interruptus: The Missing Clause on Strategic Direction

Clause 5.0: Leadership, and Other Mythical Beasts

5.0 Like a Boss

5.1.1 Obey or Be Destroyed

5.1.2 The Customer is Always Blight

5.2 In Xanadu Did Kublai Khan a Stately Pleasure Dome Decree

5.3 Borg Charts

Clause 6.0: Planning, or Saying You Were Thinking When You Were Really Just Staring at That Poster of Kate Upton

6.0 Like a Dog Chasing Cars

6.1 Cake or Death

6.2 Stop Objectifying Me!

6.3 Death is the Road to Awe

Clause 7.0: Support, or 10 Signs You’re Not Getting Your Needs Met

7.0 Gentle Support in All the Right Places

7.1.1 Gimme Gimme Gimme

7.1.2 Hell is Other People

7.1.3 Sounds Like a Japanese Giant Robot

7.1.4 Scented Candles and Meditation Mats

7.1.5 What a Precise Tool You Have, James

7.1.6 Knowledge is Power, Except When Power is Power

7.2 The Opposite of Incompetence

7.3 Wake Up, Dummy

7.4 Blather, Rinse and Repeat

7.5 Control of Rockuments and Drecords

7.5.1 Document What Thou Wilt Shall Be the Whole of the Law

7.5.2 Summon the Scribes!

7.5.3 Like Herding Cats, But Cats on Crack

7.5 ¾: Configuration Management

Clause 8.0: Operation, and Not the Kid’s Board Game

8.0 The Art of Doing Stuff

8.1 Control Yourself, Lad

8.2.1 When the Divining Rod Breaks

8.2.2 Requiring Required Requirements is Required

8.2.3 C.Y.A. A.S.A.P., O.K.?

8.2.4 Make Up Your Mind, Already!

8.3 Secret Designs

8.3.1 The Dream Factory

8.3.2 Use Your Imagination, But Don’t Hurt Yourself

8.3.3 Who Asked for Your Input?

8.3.4 Color Within the Lines, Please

8.3.5 Break Out the Pointy Pencils

8.3.6 Now Grab the Correction Fluid

8.4 Blame the Vendors!

8.4.1 For External Application Only

8.4.2 When Bribery Isn’t an Option

8.4.3 The Clause About Purchase Orders

8.5 Production and Service, But Mostly Production

8.5.1 Listen carefully, Feyd, the Baron said.

8.5.2 Put Stickers On Everything

8.5.3 Like Overdue Library Books

8.5.4 If You Break It, You Bought It

8.5.4 ½ The Missing Clause on Delivery Activities

8.5.5 Cigarettes and Pillow Talk

8.5.6 Let’s Kill Hitler!

8.6 Inspection Is a Four Letter Word

8.7 You Made This Mess, So You Clean It Up

Clause 9.0: Performance Evaluation, or I Swear, This Has Never Happened to Me Before

9.0 Awkward Pauses

9.1.1 The Thousand Eyes of Dr. Mabuse

9.1.2 Leave $20 on the Dresser Before You Leave

9.1.3 Freud’s Couch

9.2 Infernal Auditing

9.3 Donuts in the Conference Room

Clause 10.0: Improvement, the Undiscovered Country

10.0 The Myth of Continual Improvement

10.1 A Ten-Step Program in Only Three Steps

10.2 A Bull in the China Shop

10.2 ⅞ Preventive Action

10.3 Ad Infinitum Ad Nauseam Ad Absurdum

Part Three: Bride of the Monster

Building the Perfect Beastess

Task 1: Skip the Gap Analysis

Task 2: Implement the Process Approach

Task 3: The COTO Exercise – First Pass

Task 4: Scope the QMS

Task 5: Develop the Quality Policy

Task 6: Determine Your Approach to Documentation

Task 7: Define Roles and Responsibilities

Task 8: The COTO Exercise – Second Pass

Task 9: Risk and Opportunity

Task 10: Corrective and Preventive Action

Task 11: Address Leadership and Commitment

Task 12: Change Management

Task 13: Organizational Knowledge

Task 14: Communication

Task 15: Human Resources and Training

Task 16: Facilities and Equipment

Task 17: Third-Party Property

Task 18: Operational Planning

Task 19: Calibration

Task 20: Contract Review

Task 21: Design and Development

Task 22: Outsourced Processes

Task 23: Purchasing

Task 24: Production / Service Control

Task 25: Identification and Traceability

Task 26: Preservation

Task 27: Inspection and Testing

Task 28: Delivery and Post-Delivery Activities

Task 29: Nonconforming Product and Service

Task 30: Customer Satisfaction

Task 31: Analysis and Evaluation

Task 32: Conduct QMS Training

Task 33: Control Your Records

Task 34: Conduct Internal Audits

Task 35: Write Up CPARs

Task 36: Continual Improvement

Task 37: Develop Quality Manual

Task 38: Close CPARs

Task 39: Management Review

Task 40: ISO 9001 Certification Audit

Part Four: Rise of the Wolf Man

Appendix A: Abbreviations Used

Appendix B: Important Standards

Appendix C: Oxebridge Templates

Appendix D: Feedback Methods

For Alec.

ISO 9001 is comprised of really simple things written by really stupid people in really confusing ways.

Special thanks to some people smarter than me, rare and endangered creatures such as they are.

David Hoyle

Julius Hein

and

Haruo Nakajima

Sweden’s Stefan Tangen

SECOND EDITION

Edited by Amy Frushour Kelly and Paige Wheeler

Cover photo and design by Arturo Valdezate Álvarez

ISBN: 978-0-692-96267-1

© 2017 Oxebridge Quality Resources International LLC. All rights reserved. This publication may not be copied in whole or part without permission; unlawful distribution of this document will be prosecuted.

Oxebridge Quality Resources International is a registered trademark of Oxebridge Quality Resources International LLC.

About the Author

Christopher Paris is the founder of Oxebridge Quality Resources International LLC, an international provider of ISO 9001, AS9100 and related consulting, training and implementation services. His former clients include Northrup Grumman, NASA, L3 Communications, Lufthansa, the US Marine Corps, and hundreds of small to medium sized suppliers to various industries.

A former political satirist, Paris wrote the world’s only satire standard, Eyesore 9000: A Smartass’ Guide to ISO 9001:2000 in 2004, and published a second edition in 2010. He followed that up in 2012 with DumbAS9100: A Smartass’ Guide to AS9100 C.

An outspoken defender of the rights of ISO 9001 users, Paris became the accidental industry watchdog and whistleblower after spending ten years attempting to get the industry to improve from the inside. Not seeing sufficient results, in 2010 Paris switched gears and began pressing for outside investigations into conflicts of interest and corruption within the ISO certification scheme. His reporting has uncovered an unprecedented amount of scandal, cronyism and even lawbreaking.

In 2012, Oxebridge opened an office in Lima Peru.

Paris calls himself bicontinental, and lives in both Florida and Lima, but not at the same time. He’s not quantum.

Paris is seeking to testify before the US House Committee on Science, Space and Technology in order to raise Congressional awareness of some of the problems defined herein. If you have influence with your local US Representatives, contact Oxebridge at OQR@oxebridge.com to see how you can help.

Introduction: I Don’t Like This Any More Than You Do

Let’s start off by making something completely clear: I want ISO 9001 to work. I love the concept of a quality management standard which provides a common language for tackling issues of quality. I want third-party certification to be trusted and worthwhile. I am, in my heart, an ISO 9001 fan. I chose to build a career in ISO 9001 because I believe in it. I truly think it can ease trade, ensure quality, and drive up profits for those who adopted it.

So believe me, it’s frustrating to write this book. Now, however, I am faced with the reality that the ISO 9001 certification scheme is conflicted and corrupt and that the standard itself is a product of those illnesses since eventually any corruption in the certification scheme backgasses into the standard. But we can never fix the problem if we refuse to acknowledge it, and this book hopes – in some small, if noisy, way – to raise awareness of the issues affecting ISO 9001 so that maybe we can start down the path of fixing it.

Whether you agree or not, the reality as a user of ISO 9001 is that you may not have a choice but to implement it. It is likely you are being forced to do so by some large government agency, a huge private corporate customer, or some other external driver. If you don’t implement ISO 9001 then you won’t have access to customers and their contracts. My company estimates that between the years 2010 through 2014, nearly 80% of all ISO 9001 certificates in the US were the product of external mandates, not because companies were adopting ISO 9001 voluntarily as a means of improving their quality systems.

Hold on! you say, slamming your cup of Fair Trade coffee from Costa Rica or Puerto Rico or someplace otherwise rico. We aren’t one of those companies. We want ISO 9001 because it will drive improvements!

Fair enough, and thank our overseers in Asgard that you still exist, you rare flower. The implementation techniques and approaches put forth herein are utterly agnostic as to your motives, but at the same time they keep a careful eye on satisfying the often contradictory and whimsical expectations of both customers and third-party auditors. If you want improvements, you’ll get them here, too. You just may have to slog through some eyerolls, clenched teeth, and facepalms along the way. Pretend it’s a yoga class for your face.

A few caveats: despite living partly in South America now, I’m originally from the US, and my experience comes from that heady land of pioneers, provocateurs, and porn stars. As a result, this book provides a good deal of insight and perspective from the US point of view, with a smattering from Europe. Other nations should not feel neglected by their lack of coverage herein; in fact, you might be relieved once you’ve finished the book, and realize I haven’t trashed your country.

This book does not provide the exact, full text of ISO 9001:2015 in full, because ISO prefers to grant that option to people it’s unlikely to sue. If you’ve read the Oxebridge website, you know I don’t fall into that category. While not required, it’s highly advisable to follow along with a legally-purchased copy of ISO 9001:2015 from your local street corner standards seller; you will be able to identify them because they look like someone who is oddly comfortable standing on a street corner all day, selling stuff. I do not recommend you search Scribd.com or somewhere for a free, pirated copy. I would never recommend such a thing, nor would I suggest you use Bittorrent to find one, either. I would never suggest searching South African accreditation body websites for copies they probably uploaded and forgot to hide from the public. I certainly never, ever recommend you ask your friend to hand you their copy. You see, Switzerland’s entire economy relies on the sale of ISO standards, and if such sales drop due to illicit file sharing, the Swiss may grow beards, build boats, sharpen battleaxes, and invade Greenland. We, as civilized people, must do our part to prevent such horror.

This book is divided into three parts, albeit not quite equally. You may read them in any order you like, and can even ignore one part in favor of the other. Pretend this is a Kerouac novel, and you’re all set.

The first part (Frankenstein Sets to Work) deals with the development and release of ISO 9001:2015, the latest version of the famous international quality management system standard; I feel this is important in order to understand the context of the actual requirements, specifically as to where they came from, and why much of what ISO and the so-called experts claim is so impossibly untrue. This is not to merely to posture as a truth-giver, but because understanding that context is critical to understanding how to implement ISO 9001 in the most practical sense. Those that are exposed only to ISO’s talking points will be left to flounder when they find it contradicts the literal text of the standard, or the expectations of customers and auditors. Based on thousands of hours of interviews with nearly every major player in the ISO 9001 sphere – some against their will, strapped in a chair in my basement with screwdrivers thrust into their thigh meat – as well as unprecedented access to internal ISO records and documents, this first part will also be of interest to standards geeks and those interested in the history, melodrama, and politics that go into making an ISO standard.

The second part of the book (The Creature Raids the Village) is dedicated to understanding and implementing – in a real-world practical way – the requirements and expectations of ISO 9001:2015. Many readers may skip to this part, and that’s fine; the book is well-suited for jumping around, so feel free to do so. Caution: despite all bluster by ISO to the contrary, ISO 9001 is still manufacturing-biased, this book will largely reflect that. I’ve done my best to provide implementation tips for both manufacturing and service organizations, but the ultimate cause of this bias still must fall back on ISO itself, which has resisted common-sense calls to split ISO 9001 into two standards for its two disparate audiences.

The third part of the book (Bride of the Monster) should probably be read last, since it puts the entire mess together into a step-by-step implementation guide. But if you’re like me and have no patience for long, drawn-out crime procedurals, and just fast-forward to the reveal of the murderer, then go crazy and read Part Three first. Just don’t spoil the ending for everyone else and reveal that Snape killed Jon Snow.

It’s important to point out that this book is the result of actual work with actual clients, implementing ISO 9001:2015 in the real world, alongside real people. This is why the book was not published – nor even written – prior to the release of ISO 9001:2015, unlike nearly every other ISO 9001 book on the market today. Too many authors flooded the market with books written before the September 2015, making it a near certainty that none of them had any actual experience implementing ISO 9001:2015 and they’re just talking out the puckerpipes. This has not stopped them from claiming mastery in it, though, like a man writing a repair manual for a new automobile that hasn’t even been built yet. Instead, this book is the product of the experiences gained from doing the actual work, rather than making empty, fact-free exhortations based on no actual experience at all.

And unlike my published peers, I don’t claim that all of these solutions will work for everyone; the best any ISO 9001 author can hope for is that most of his or her suggestions will prove useful, but never all of them. The beauty of ISO 9001 is that there are a million ways to skin every cat, and this book contains just some of those ways.

I recommend hiding this book from your cat.

Part One: Frankenstein Sets to Work

The Grand Promise

ISO 9001 began with a grand promise: to provide a single, universally-accepted model for a quality management system (QMS) that could achieve reliable and consistent product or service quality, and which could be used for objective, third-party certifications to replace the seemingly unending flood of customer quality audits. Those who implemented ISO 9001 would see improvements in their quality, and those who certified to it would be fast-tracked into the vendor rosters of major customers, because the certification would be highly trustworthy.

Then, quickly, everything went to shit.

Throughout the 1950s to 1980s, companies in key industries were faced with multiple annual audits from each of their prime customers; a fortunate company with many large customers might undergo as many as ten such audits a year. While every audit was similar, none were identical, and each customer brought their own expectations and requirements to the table: different required procedures, different methods of nonconformity control, different contract review rules. It was common in the 1970s for a successful machine shop to have a huge, bloated set of documents, divided into individual chapters each dedicated to the requirements of a one customer, and which often competed with all the other chapters dedicated to all the other customers.

It was chaos for the federal government as well; the redundant audits were a drain on contractors’ resources, requiring huge auditing teams to run around the country imposing those competing and contradictory requirements. While the costs of supporting the audits were often absorbed by the auditee supplier, this wasn’t always the case, and for certain much of those costs were hidden inside the prices of products eventually sold back to the customers.

Then there was the labor involved: not only did the auditing customers have to pay wages, travel, and expenses for their globetrotting audit teams, the suppliers had to support it all, by ensuring every audit was hosted by a team of guides and auditees. Nonconformities, which were often contradictory from one customer to the next, had to be resolved, with manuals, forms and procedures written to satisfy them. Stuck in the pre-PC era, these documents were then supported by physical libraries, mimeograph copies, and support staff dedicated to doing nothing but typing, typing, typing.

The US Department of Defense knew this was insane, and so pushed forward on the idea of a single standard which could be used to pare this down to a manageable size. The result was Military Specification MIL-Q-9858: Quality Program Requirements, an official US standard published in 1959 that was designed to, at least, provide a single consistent set of QMS requirements to combat the endless labyrinth of competing contractor standards. Contractors could then adopt MIL-Q-9858 as their auditing standard, as well, to ease redundancy and reduce the value-lost costs of the entire second party auditing scheme.

Nearly all of the requirements of MIL-Q-9858 will sound familiar to those already knowledgeable of ISO 9001. MIL-Q-9858 intended to present some established known good practices that could be adopted by those companies who might not have otherwise been exposed to them. For the first time, requirements related to how a QMS might operate were written down and published by a respected source. For many the ideas were old hat, but for others they were new and revolutionary. The truth is that MIL-Q-9858 just documented the obvious, wrote it all in simple terms, but still managed to surprise some people. For example, while many companies were doing some of the following activities, most were not doing all of them, and some weren’t doing any at all:

•Reviewing contracts before agreeing to sign them

•Inspecting their products before shipping them

•Fixing defects before shipping product

•Keeping records

•Designing products in a structured way

•Controlling their suppliers

•Using suitable equipment and tooling

•Calibrating inspection devices

•Utilizing formal corrective action when things go wrong

MIL-Q-9858 was a hit, despite the fact that it was, at its core, a government-imposed hurdle. So popular was MIL-Q-9858, in fact, that it was decided to make it international; NATO adopted it in 1968 and published it as AQAP-1. This was then flowed down not only to US companies serving the US government, but also to international firms providing products to the various NATO members abroad.

Remarkably, MIL-Q-9858 even included a progressive concept that ISO 9001 has never once addressed, much to the chagrin of any respectable quality expert: cost of quality. This fact is largely lost to time, since so few remember MIL-Q-9868, but it was there in black and white, albeit in a primordial form:

3.6 Costs Related to Quality. The contractor shall maintain and use quality cost data as a management element of the quality program. These data shall serve the purpose of identifying the cost of both the prevention and correction of nonconforming supplies (e.g., labor and material involved in material spoilage caused by defective work, correction of defective work and for quality control exercised by the contractor at the subcontractor’s or vendor’s facilities). The specific quality cost data to be maintained and used will be determined by the contractor.

Today, we could not even imagine such a thing being included in ISO 9001, as it’s simply too progressive, too prescriptive, and far too political to even be considered. Today, ISO 9001 is comprised of really simple things written by really stupid people in really confusing ways, the reason for which will become apparent soon enough.

A fact that is even more forgotten is that MIL-Q-9858 was, first and foremost, a supply chain contract vehicle. It was not interested in helping government contractors design and build a QMS, nor was it in any way interested in continual improvement. It was a set of minimum requirements demanded by the US Department of Defense, to be satisfied if a company intended to enter into contracts with the DoD, or anyone else who adopted the standard as a procurement tool to impose on their vendors. If by adopting MIL-Q-9858 companies did find ways to improve their quality systems, then that was a happy side effect. But the purpose was to give government procurement agencies and contracting officers a single set of guidelines to invoke when evaluating and selecting contractors and vendors. That’s it.

And more remarkable still: MIL-Q-9858 managed to do all of this in only nine pages, with fewer than 4,700 words.

So, what happened? If MIL-Q-9858 was the precursor to ISO 9001, how did it mushroom into a 40-page, 12,000-word monstrosity of charts, annexes, notes, definitions, and vague shall clauses that are devoid of actual requirements, all supported by a host of additional ISO standards, guidance documents, technical supplements, PowerPoint presentations, and a nearly endless inundation of articles, seminars, and books written by ISO functionaries?

The easy answer is, of course, commerce. In fact, there’s a single reason for this, one that is so apparent you will be shocked you never noticed. But I’ll drop that truth-bomb on you in a bit, after we have a little history lesson.

By 1970, the International Organization for Standardization (ISO) had already existed for decades, but had little actual influence. Then, in the era of bell bottoms, black light posters and shooting Vietnamese people, ISO’s Secretary General Olle Sturen of Sweden announced what he called "the end of technical nationalism, which sounded a lot like a declaration of technical socialism, except what he really imagined was a future where nations would no longer publish standards themselves, but instead just buy them from him. It was, thus, technical privatization," but that had no ring to it.

At that time, however, ISO was still taking its baby steps in this area, and the top standards body of the day was the British Standards Institution (BSI). It was a bold and craven bit of self-promotion, with Sturen essentially announcing his company as the new Emperor, and he apparently pulled it off purely on the basis that he spoke with authority, said so with great public flair, and had balls the size of watermelons.

In the 1970s, it was BSI who published a number of quality management standards, each borrowing portions of MIL-Q-9858: BS 9000 was published in 1971 and targeted at electronics manufacturers, with BS 5179 in 1974 tweaking the BS9000 standard and making it workable for the purposes of certification. Such certification would then be provided by … of course … BSI.¹ Finally, in 1979, BSI published BS 5750, which borrowed liberally from MIL-Q-9858, but added some more contemporary, intellectual approaches beyond mere inspection and testing, such as internal auditing and a more holistic management review. BS 5750 was thus the first standard to attempt to encompass the entire quality system, and not just the inspection system. Still, however, it was intended as a supply chain standard, to be used to qualify companies for possible use as vendors.

While BSI was publishing these standards, ISO was gaining ground in the world standardization field. Ironically, BSI had helped create ISO, but after Sturen’s announcement, the relationship grew … well, weird. ISO would technically compete against BSI, while using BSI people and standards to support itself, an awkward and deeply conflicted arrangement that still exists today. At the time, however, some forces in BSI wanted the Brits to remain the world’s source of standards, and argued that ISO should not be allowed to exist at all, but ISO had gained a headwind and momentum was favoring it. Keep in mind, though, that this gentle tugging was between two private organizations, each seeking to take on the role of standards developer to suit its own financial goals, not for any altruistic international trade reasons.

Then came the 1980s, when they got an even greater push.

MIL-Q-9858 was the product of an era when standards were developed by governments, and imposed on industry. In the anti-government 1980s of Ronald Reagan, however, the mood shifted and the US began to abandon its government-developed standards entirely. The song of the day was private industry can do it better, and so the US shifted its policies to adopt third-party standards instead. This tune kept playing through the Bush and Clinton years, and by 1993 it was official: the White House Office of Management and Budget (OMB) issued Circular A-119, killing government standards and establishing "policies on Federal use and development of voluntary consensus standards and on conformity assessment activities."

The UK government followed suit, and the suddenly BSI found itself with unsteady footing to compete with its bastard nephew, ISO. Some powers in BSI welcomed the change, adopting a long view that predicted if BSI couldn’t contain ISO, it would at least run it; as we will see, that’s been largely successful for BSI, at the expense of ISO’s alleged principles.

And so in 1987, ISO appropriated BS 5750 and published it as ISO 9001, carving aside the entire 9000 series of standards as homage to the precursor BS 9000 standard. And since BS 5750 had lifted entire paragraphs from MIL-Q-9858, thus ISO 9001:1987 included much of the same text, albeit with the typical word-mangling one can expect from ISO.

ISO also borrowed an idea originally floated by BSI’s earlier attempts, and split the standard into three versions. ISO 9001 featured all the clauses, while ISO 9002 removed the design-related clauses, allowing it to be used by contract manufacturers who held no design responsibility. Finally, ISO 9003 could be used by those who only inspected products, without any design or manufacturing activities. All three, however, were manufacturing-biased, in that they were not readily suitable for use by service organizations.

This trifurcation caused no end of problems. First, some companies with design responsibility opted for ISO 9002 – which excluded design – as a means of getting certified without impacting their antisocial, nerdy, slide rule-wielding design engineers; they used this loophole to bypass certifying the entire company, and allowed the engineers to continue to operate as they liked.

At the same time, other companies took a different approach, and implemented ISO 9001 even when they didn’t do any design work. This resulted in confusion between the different standards, as buyers came to the conclusion that 9001 must be better than 9002 because it had more clauses in it. Of course, that made no sense, but ISO failed utterly in educating its user base, and soon 9002 developed a reputation as an inferior QMS standard. Meanwhile, ISO 9003 nearly died on the vine entirely, as it was seen as the redheaded stepchild one covers in ketchup and then leaves on the front porch to be eaten by dingoes.

Through aggressive marketing by both BSI and ISO, the UK came to adopt ISO 9001 at a faster rate than other nations, and by 1993, the UK held two-thirds of the world’s total certificates.² As some European companies began to require ISO 9001 as a supplier criterion, a rumor emerged that "ISO 9001 is a European thing and that you have to have it in order to do business in Europe." This fueled growth in countries like Australia and South Africa, but also led to a xenophobic backlash in nations such as the US, where companies resented the idea that a certification was being imposed on them by people who spoke with funny accents and ate cheese all day. This led to the beginning of a generally negative reputation for ISO 9001 in the US, as well as for ISO itself. Worse, this also led to conspiracy theories in the US, that ISO was an arm of the Internal Revenue Service, and it was all just a huge tax scam; remnants of these arguments still appear today in online forums, promoted by the tinfoil hat crowd.

ISO rules require that standards be reviewed every five years to see if they should be updated, to (allegedly) accommodate for advances in technology or practices that may have occurred since the last revision. At the five-year mark, the review is undertaken; it may be years later that a resulting revision is actually published, assuming the review determines a need to revise the standard at all. And so, in 1992, ISO Technical Committee 176 determined they would only make a minor revision to ISO 9001, and two years later published ISO 9001:1994. The changes were relatively insignificant, and ISO maintained the three-standard structure of ISO 9001, 9002 and 9003. The primary shift was that the 1994 version abandoned its predecessor’s Scope language, targeting ISO 9001 as a contract vehicle to be flowed down to suppliers as part of a supply chain contract. ISO recognized that those words greatly limited ISO 9001’s potential market, and so subtly shifted the scope language from being about contracts, to being about customer satisfaction.

Here’s the language from the original 1987 scope:

This International Standard specifies quality system requirements for use where a contract between two parties requires the demonstration of a supplier’s capability to design and supply product.

And here is the revised scope appearing in 1994:

This International standard specifies quality system requirements for use when a supplier’s capability to design and supply conforming product needs to be demonstrated. The requirements specified are aimed primarily at achieving customer satisfaction by preventing nonconformity at all stages from design through to servicing.

It was a clever, and devious, marketing ploy, and no one really noticed. While the requirements themselves had not changed at all, suddenly the new version claimed that it was "primarily aimed at achieving customer satisfaction all along. ISO would repeat this rewriting of history gimmick decades later, as we will see with their branding that risk has always been implicit in ISO 9001."

Already, however, the standard was showing its age, and generating negative buzz. In many nations, the 80s had been an era of reawakening to W. Edwards Deming, considered the godfather of modern quality assurance, and by 1994 it was glaringly obvious that ISO 9001 was in outright contradiction to many of Deming’s most famous teachings, including his 14 Points:

1. Create constancy of purpose toward improvement of products and services.

2. Adopt the new philosophy.

3. Cease dependence on inspection.

4. End the practice of awarding business on the basis of price tag.

5. Improve constantly and forever the system of production and service, to improve quality and productivity, and thus constantly decrease costs.

6. Institute training on the job.

7. Institute leadership.

8. Drive out fear, so that everyone may work effectively.

9. Break down barriers between departments.

10. Eliminate slogans, exhortations, and targets for the work force asking for zero defects and new levels of productivity. Eliminate work quotas and management by objective.

11. Remove barriers that rob the hourly worker of his right to pride of workmanship.

12. Remove barriers that rob people in management and in engineering of their right to pride of workmanship (i.e., annual or merit ratings and management by objectives).

13. Institute a vigorous program of education and self-improvement.

14. Put everybody in the company to work to accomplish the transformation.

Nowadays, Deming is considered a demigod, and this needless hero worship obscures some truths. First, he was a shit communicator. Few in his day listened to him, and he had to famously search the world for someone to take his advice, eventually landing in Japan, where even there he received only piecemeal support.

Next, Deming’s view was naïve and tone-deaf to sociopolitical economic realities of the day. He imagined himself engineering an egalitarian society, but did so while offering solutions that sniffed indignantly at management, while snorting even more arrogantly at workers. It’s not clear if Deming aimed to create a cult of personality for himself, but he seemed to posit himself as the only solution and everyone else – from the board room to the boiler room – as idiots. This chestbeating only worsened the first point, making his communication style even shittier. You should be able to convince people of something on its merits, not by insisting you’re smarter than everyone else in the room.

This is not to say that Deming’s 14 Points were bad; they remain useful and worthwhile pursuits. But Deming himself has been raised to holiness while all around him ignore the 14 Points nearly entirely. Moses came down from Mount Sinai bearing two tablets which defined the Ten Commandments, a simple moral code that everyone immediately began ignoring for the rest of human existence. In retrospect, Moses too was a shit communicator, since we’ve since had to create entire social infrastructures to get people to stop killing and stop coveting, with poor effect. But Moses’ failings are ignored, and suggesting he had any is heresy. So, too, with Deming. In the Quality profession, I stand as much a chance of being condemned to Hell for suggesting Deming wasn’t very good at his job, as I do for suggesting Moses might have benefitted from working on his communication skills.

But the various quality professionals writing and promoting ISO 9001 ignored Deming, or worse, contradicted him outright, even while publishing endless articles in ASQ journals and Quality Digest magazine that promote Deming. No one wants to be the guy who publishes something saying, Deming was wrong, for fear of career suicide, but likewise no one in the quality profession has the stones to tell management you shitcan your objectives.

And so TC 176 went on to contradict nearly the entirety of Deming’s 14 Points, by obsessing over inspection, urging management by objectives, enforcing slogans (Quality Policy) and endorsing a top-down, command-and-control culture that ensures the workforce is ignored. As we will see, the departure from Deming only worsens in time.

That’s not to say the ISO 9001 of 1987 was terrible. It remained lean and elegant, coming in at only nine pages, the exact size (not coincidentally) of MIL-Q-9858. The requirements for a proactive preventive action system moved the ball forward, forcing companies to resolve problems before they ever occurred. At the time, this was fairly radical, only because the majority of companies simply didn’t know any better. But the standard was still manufacturing-biased, and assumed all organizations operated in the same manner. It wasn’t flexible and, like its 1987 older brother, addressed service organizations not at all. And, of course, it defied Deming and the rest of the quality gurus.

Before we continue with the history of ISO 9001’s evolution, however, it’s worth taking a brief detour to understand what, exactly, ISO is and more importantly, what it isn’t. Buckle up, because this is going to blow your mind.

The Ballad of Timmy Graspbottom

What I am about to tell you will break your worldview. It will shatter your assumptions, shake your faith, and possibly cause the lights in your house to flicker menacingly for a minute or two. It’s revelatory, it’s profane, and it happens to have the benefit of being absolutely, irrefutable true. And in a few minutes, you will never be able to look at ISO standards the same way again. Some who previously worked on TC 176 quit after reading this chapter; others swore off ever working on standards committees again. Everyone else suddenly understood why everything coming out of ISO is so impossibly bad, making the picture crystal clear.

In short, you can’t un-see what you are about to read. It begins with the following premise:

ISO is not a standards developer.

That sentence, right now, makes no sense to you. Everyone knows ISO develops standards. This is like saying the blue sky is actually red, or that tomatoes are actually socket wrenches. And yet, as we will see, it’s absolutely true.

ISO insists it develops standards, of course. On its webpage, ISO has page after page insisting that it develops standards, and then explaining a process on how it does so. The problem is that if you read those process descriptions, ISO reveals the game right there, and actually contradicts itself. The process goes something like this:

1. Someone – whether internal to ISO or external from industry – decides a standard for a thing is necessary.

2. ISO conducts a justification study to ensure it’s worthwhile to pursue.

3. An ISO technical Committee (TC) is formed to draft the standard.

4. The ISO member nations send volunteer delegates to represent their countries on the TC.

5. The volunteer delegates write the draft standard, resolving any differences between the members.

6. The draft standard undergoes various voting steps by the member nations to allow progression.

7. Upon final review and approval, the standard is published by ISO as an international standard.

While simplified, this nevertheless sums up how an ISO standard is made. This process is what the US Office of Management and Budget signed up for with Circular A-119, as did nearly every other country on the planet. So don’t worry if you still don’t see the problem, since you’re in good company.

Now let’s consider Timmy Graspbottom, a 16 year old US high school student who just finished his first science fiction novel, called Sand Planet of the Virgins. Yes, Sand Planet of the Virgins steals nearly the entirety of its themes and plots from Frank Herbert’s beloved Dune series of books, probably because Timmy had just read Dune the year before, and yes it includes a lot of bikini-clad virgin women digging through the sand because, let’s face it, Timmy is only 16 years old and these are the things that appear foremost in his mind. Ultimately, therefore, Sand Planet of the Virgins is a hot mess.

The publishers agree. Timmy submits his manuscript to multiple publishers and literary agents, and receives multiple rejection letters. Timmy’s parents, Lauren and Todd Graspbottom, insist their son is a prodigy, but then they would, since they are arrogant shits who never even read Timmy’s manuscript, as they are too busy with their own problems, and it’s just easier to say your kid is a genius than actually apply any effort to make him one. This leaves Timmy with a sense of entitlement: his book is great, and people should be paying him to publish it, and better yet, paying him for the sequel, Sand Planet 2: Queen of the Sand Planet of the Virgins of the Apes, which he dreamed up after seeing some movie on Netflix. Because that’s how publishing works: authors get paid to publish their books, after all.

But they don’t get paid if they get rejection letters, and Timmy was flooded with them. After nearly six months of rejections, Timmy did what any modern American does, by engaging in inward-focused, deep-dive analysis of what went wrong and how to fix it; and by this, I mean he searched Google.

There, Timmy found that there were publishers who never sent rejection letters, they would publish anything, guaranteeing with 100% assurance that a manuscript would be published. Finally, Timmy was on the path to having Sand Planet of the Virgins published, to have the printed book in his hands, and to be able to go sign copies at the local library. There was only one problem: the publishers that guaranteed publication wouldn’t pay him, the way a normal publisher would, but instead he’d have to pay them. Still, though, he’d have his book and all the bragging rights that come with being a big-shot writer. Timmy stole Lauren Graspbottom’s credit card from her knockoff Coach purse, and ordered 6,000 copies of his book. He was now a published author.

Timmy had accidentally discovered the world of vanity presses. In the publishing industry, vanity presses are considered the bottom of the barrel, and are often associated with outright scams and all sorts of nefarious behavior. Under a normal publishing agreement, a book publisher pays the author and then sells the book, keeping any money it makes; the money it receives beyond what it paid the author and the printing costs is profit. The author earns a living through this arrangement, and as they become more popular, they can negotiate better terms with the publisher, to receive more money up front (an advance) and even a percentage of sales. But in the end, no matter what, the publisher pays the author.

Under the vanity press model, this is reversed. The author pays the publisher, who then gives copies of the book to the author to do with as he likes. Therefore, a vanity press has no concern over the quality of the books, since their customer is the author, not the reader. If an idiot wants to print a book on how to use a chainsaw to change a baby’s diaper, the vanity press will be more than willing to publish it. But to be clear: under normal publishing arrangements, authors get paid; under a vanity press arrangement, authors go broke.

Now fast forward 30 years, and imagine Timmy Graspbottom had come to his senses, realizing he had failed in his attempt to write science fiction, and was still facing stern looks from his mother, Lauren, for that time he stole her credit card. Timmy works as a quality manager for Dolt’s Bolts in Felchwater Michigan, but continues to have aspirations of fame, even if it’s in his own profession. So he signs up to be a member of ISO Technical Committee 176, through its US delegate body, and starts writing the next edition of ISO 9001.

Which means Timmy Graspbottom learned exactly nothing from this experience, because he just set to work for ISO, the most sophisticated vanity press operation on the planet.

Now you’re starting to reach the point of un-un-seeable. It’s coming together, but you’re not fully there yet. Keep reading.

If you recall the ISO standards development process above, you will see that ISO itself does not actually develop the standards, they merely facilitate the development by outside volunteer delegates. In the model above, ISO is only using its limited infrastructure to organize the work of other people, but it is those other people that do the actual work; they conduct the justification study, they hold the meetings, they write the words that will eventually appear on paper. ISO sits back, managing this to ensure some reasonable level of order and decorum, but generally lets the inmates run the asylum.

In fact, actual employees of ISO are prohibited from writing anything in an ISO standard, and prohibited from influencing the writing of others, except in the (many) cases where ISO staffers have simultaneous positions in other organizations, such as BSI. Then, they can do as they like, provided they switch hats and do so while representing their other employer, and not ISO. But those few people who are 100% ISO employees cannot actually draft ISO standards, because they technically represent no one. (As we will see, they do it anyway, but bear with me for now.)

Meanwhile, the ISO home office creates reams of procedures and rules and directives designed to provide the order and decorum necessary for the development of standards by other people. The presence of these endless rulebooks is exactly because standards are developed by others, and under such an arrangement, some universal ground rules are necessary.

Is ISO only a facilitator then, helping the world’s delegates draft documents? Not quite. Not only does ISO not pay its authors, it charges them for the privilege of having their intellectual property (IP) taken from them. The primary source of revenue for ISO – over half of its annual income – is derived from membership fees it charges the nations of the world to participate in this backwards arrangement. This means that ISO literally meets the industry definition of a vanity press : it charges authors to publish their works. In 2014, ISO raked in over $21 million just in membership fees alone, or 55% of its annual revenue.³

Take a moment to digest that, because now you can’t un-see it: ISO takes the intellectual property of other people, and then keeps that intellectual property for its own use, paying the authors exactly nothing.

You’re likely stunned that the truth was sitting there all along, in broad daylight. If the lights in your house are flickering along with your faith in humanity, I apologize; sudden revelations can have long lasting effects.

But wait, it gets worse, much, much worse. ISO not only adopted the vanity press model for attracting talent, in the form of desperate idiots willing to pay ISO to take possession of their IP, it took the best of the traditional publishing model, to create a hybrid publishing scheme that – once you put it on paper – sounds nearly illegal. Whereas the vanity press may charge its authors, at the end of the day it at least the idiot authors get copies of the resulting book to sell and make some money. Not so with ISO: under its scheme, ISO not only keeps that IP for itself, it then sells the resulting books, retaining 100% of all profits. The authors get absolutely nothing, not even copies of their work, and they actually had to pay for the privilege of having their intellectual property published by someone else. In 2014, book sales represented over $6.7 million, or 17% of its annual revenue. Keep in mind, 2014 is a year of low sales, with the sales of ISO standards ready to spike with the release of multiple new editions, such as the ISO 9001:2015 standard; seeing the Annual Report published in 2017 should be interesting.

We’re still not finished. ISO ultimately has three main sources of revenue: the highest being membership fees, and the lowest being the sales of its books. A third chunk resides in the middle: licensing and copyright fees, which accounted for $8.7 million in 2014, or 22% of annual revenue. Here, ISO clearly breaches all ethical considerations whatsoever; remember, it has already charged the member nations a fee for creating content which it then sells itself for additional money. The actual authors didn’t even get copies of the book to sell, like they would under the shadiest vanity press models.

If a member nation does want to publish copies for themselves, ISO invokes final copyright, and will only allow such third-party publication if they member nation pays licensing fees back to ISO. So, not only would Timmy Graspbottom have to pay to have his book published, and then pay to buy it, if he wanted to sell the books himself, he’d have to pay ISO yet again.

But wait, there’s more. On top of that, if any reader of an ISO standard wants to use the document in another work – such as a book like this, or an article or training event – they have to pay ISO one more time, for copyright permission. This means that ISO has unburdened itself from the problems facing normal publishers, such as having to pay people, and instead receives money from all the parties in the loop, for nearly every possible circumstance.

Meanwhile, the number of dollars that ISO spends on actual standards development is, according to their own annual reports, exactly $0. Not a penny. The only major expenditures ISO has are for its building rent and, of course, the salaries of its officials. This proves, without a shadow of a doubt, that ISO does not develop standards; it takes the intellectual property of others, and publishes it, keeping the profits for itself.

This creates additional conflicts and pressures, since ISO can’t allow its authors even the limited autonomy of a duped vanity press author. Since its bottom line is based on book sales, it has to exert editorial control over the content to ensure a maximization of those sales. This shows up in odd and unexpected ways, but – again – once you see it, you can’t stop noticing.

Let’s start with page count. ISO calculates the market price for a published standard based on page count; ISO standards average about six Swiss francs per page. This creates an incentive to make some standards – especially flagship ones like ISO 9001 – as long as possible. ISO currently charges 138 CHF for ISO 9001:2015, but, had it kept the standard at its original 9-page size; it might only have commanded a price of 64 CHF. As we will see later, this explains why ISO pushed TC 176 to adopt phrases like Control of externally provided processes, products and services – eight words – to replace the single word purchasing. It explains why an ISO 9001 standard can never go back to only nine pages, and requires so many tables and annexes; it explains why if there is ever a chance to explain something poorly by using more words with less clarity, ISO will do it. The goal is to bulk up the final product so that it is physically larger – even if it’s mostly distributed as an electronic PDF file – justifying a higher cover price.

Next, consider publication deadlines. While a government standards committee can publish a standard only when it’s actually finished, ISO is obsessed with getting standards out of committee and onto its online shop shelves, because that’s where it makes money. Government standards are issued for free, and the authors – typically soldiers – were paid no matter what. ISO doesn’t get paid so long as a standard is stuck in committee, so (as we will discuss later) had to rush the standard towards a predetermined September 2015 publication date, ignoring key and required drafting steps along the way to ensure the book was published on time.

These are the kinds of problems government standards bodies don’t have to worry about, but which quickly dominate when standards are developed by private publishing houses like ISO.

ISO loves to call itself an altruistic NGO, as if it’s Médecins Sans Frontières, Whale and Dolphin Conservation, or International Rescue.⁴ But unlike an actual NGO, ISO does not tirelessly work to improve the world through ethically-motivated activities funded by donations. ISO is an organization that sells books, and then keeps the revenue for itself, while charging money for any other possible use of those books, even by the authors themselves. As a not for profit organization, the money then flows nearly singularly into the pockets of its executives, with no requirement to give anything back. ISO doesn’t even pay to host TC events or standards meetings, and instead requires the member nations to do this for them, too. The Sicilian Cosa Nostra wishes it had dreamed up a scam of this magnitude.

It is fairly stunning that anyone would sign up for this lopsided arrangement. But if you’re a national government looking to reduce taxes, offloading the responsibility on some private organization like ISO makes sense, especially if you don’t care how conflicted or corrupt the process is. If – or rather when – ISO is finally investigated for this scheme, nations like the US can simply claim they were duped; they have plausible deniability. But meanwhile,