New Ideas and Expanded Use
by John E. “Jack” West
With more than a half million organizations certified or registered to ISO 9001 and 14001, many say the development of management system standards (MSSs) has ended. But wait; is this really where things end? I would say the answer is no.
The truth is the application of ISO 9001 has continued to increase, and much of that is now related to the international sector documents built around it. The use of Technical Specification (TS) 16949 in the automotive industry, AS9100 for aerospace and the other sector specific documents continues to grow. (See sidebar “A Brief History of QMS Standards.”)
More importantly, new MSSs and sector specific documents related to the use of ISO 9001 continue to be developed in various industries. The development of standards in two sensitive sectors—food and IT—is particularly significant in these times of great concern about national security.
In the food sector, concepts such as hazard analysis and critical control point (HACCP) for food safety are being recast as management systems. New documents are emerging related to the application of ISO 9001 to food and agriculture, and in IT, two recently developed documents set requirements and a code of practice for IT security.
HACCP and ISO 9001
The HACCP approach to food safety has been used for several years by food processors and is endorsed by regulators such as the U.S. Food and Drug Administration¹ and the Codex Alimentarius Commission (an international food standard setting organization that produces standards that can be used in national laws and regulations).²
HACCP has seven principles that appear in ISO 22000:2005, the food safety MSS:
- Conduct a hazard analysis. Application requires listing all potential hazards, hazard analysis and consideration of control measures.
- Determine critical control points (CCPs).
- Establish critical limits for each CCP.
- Establish a monitoring system for each CCP.
- Establish corrective actions. Application requires determining actions to be taken when monitored results exceed critical limits.
- Establish verification procedures. Application requires verification planning and establishing procedures to confirm the HACCP system is working effectively.
- Establish documentation and record keeping.
The food MSSs maintain the HACCP principles while providing implementation requirements and guidance in a convenient management system format.
ISO 15161 was developed to apply ISO 9001 to the food and drink industry. Its principles seem like a good fit with the quality management system (QMS) requirements of ISO 9001.
In the late 1990s, the International Organization for Standardization (ISO) technical committee (TC) 34 on food products started to develop a guideline on application of ISO 9001 incorporating the HACCP concepts to the food and drink industry.
This notion seemed reasonable to some, but others saw it as a difficult mix of food safety with other considerations for food quality such as taste and appearance. In any event, the first edition of ISO 15161 was issued in 2001.³
The introduction of ISO 15161 states in part, “The internationally recognized principles and steps of HACCP are defined by the Codex Alimentarius Commission in its recommended international code of practice on general principles of food hygiene. Any other accepted food safety system can, of course, also be integrated into the QMS. However, considering the fact that HACCP is widely used comprehensively, this system was chosen to demonstrate how integration may be achieved.”
The standard follows the format of ISO 9001:2000 with the ISO 9001 clauses in boxes followed by unboxed implementation guidance.
ISO 22000:2005⁴ was published in 2005 and, unlike ISO 15161, is not a guide. Rather, it specifies requirements for a food safety management system. It is intended for application by organizations in the food chain that need to demonstrate the ability to control food safety hazards.
The purpose of ISO 22000 is to ensure food is safe at the time of human consumption. ISO says ISO 22000 specifies requirements to enable an organization:
- To plan, implement, operate, maintain and update a food safety management system aimed at providing products that, according to their intended use, are safe for the consumer.
- To demonstrate compliance with applicable statutory and regulatory food safety requirements.
- To evaluate and assess customer requirements and demonstrate conformity with those mutually agreed customer requirements related to food safety to enhance customer satisfaction.
- To effectively communicate food safety issues to the organization’s suppliers, customers and relevant interested parties in the food chain.
- To ensure the organization conforms to its stated food safety policy.
- To demonstrate such conformity to relevant interested parties.
- To seek certification or registration of its food safety management system by an external organization or make a self-assessment or self-declaration of conformity to ISO 22000.⁵
Although concepts from ISO 9001:2000 can be found in ISO 22000, it does not contain the full text, and the format and clause numbering are similar but not identical.
ISO 22000 also includes some concepts such as emergency preparedness and response that are not included in ISO 9001. Some people have described ISO 22000 as HACCP in a QMS format. While it can be implemented as a standalone program, it is designed to be compatible with ISO 9001.
Indeed the clause layout is very similar to ISO 9001, and a table shows correspondence between ISO 22000 and ISO 9001 clauses.
ISO TC 34 has also provided implementation guidance for ISO 22000 in the form of a technical specification, ISO/TS 22004:2005.⁶
New QMS Project For Crop Production
Farming operations in the United States have QMSs registered to ISO 9001, and there has been an effort to standardize guidance on use of ISO 9001 for farms.
The project started with a focus on grain production and is still called the “AG 9000” project by some participants.
The effort has developed into ISO TC 34’s working group 12 assignment to create a new guidance standard on applying ISO 9001 to the somewhat broader topic of crop production. It now appears the number of the document will be 22006.
The work of the AG 9000 group (along with input from other countries) likely will be key to the international effort. The most recent version of the AG 9000 drafts uses a format similar to the one described earlier for ISO 15161.
In addition, AG 9000 has 11 process tables that are very specific to real life crop production processes and provide guidance for product realization planning required by ISO 9001, clause 7.1. Since U.S. farms tend to be much larger than those in many parts of the world, work is ongoing to make certain the planning guidance will be useful for small farms. ISO’s publication target date is mid-2009.
New IT Security Standards
In addition to new sector specific QMS standards, new areas are being covered by MSSs. IT security is a recent example.
Two key international standards in this area—ISO/IEC 27001⁷ and its companion ISO/IEC 17799⁸—were issued during 2005.
These two documents were developed by joint TC 1 of ISO and the International Electrotechnical Commission (IEC). The latter deals with international standardization in areas related to electronics.
ISO/IEC 27001 uses the process based approach of ISO’s MSSs—ISO 9001 and ISO 140014—and includes the plan-do-check-act cycle required for continual improvement. ISO/IEC 27001 is intended to be suitable for several different types of use. For example, it can be used by organizations:
- To formulate security requirements and objectives.
- To ensure security risks are managed cost effectively.
- To ensure compliance with laws and regulations.
- As a process framework for implementing and managing controls to ensure the specific security objectives of an organization are met.
- As an aid in defining new information security management processes.
- As an aid in identifying and clarifying existing information security management processes.
- To provide relevant facts about information security policies, directives to trading partners and other organizations with which they interact for operational or commercial reasons.
- To implement business enabling information security.
- To provide relevant facts about information security to customers.
ISO/IEC 27001 also can be used:
- By the management of organizations to determine the status of information security management activities.
- By the internal and external auditors of organizations to determine the degree of compliance with the organizations’ policies, directives and standards.
As with many other international standards, ISO/IEC 27001 was preceded by national standards. In this case, British Standard BS 7799 Part 2 is the most noteworthy predecessor.
ISO/IEC 17799 is a companion to ISO/IEC 27001. It establishes general principles and guidelines for best practices for controls and associated control objectives in information security. It covers such areas as:
- Security policy.
- Organization of information security.
- Asset management.
- HR security.
- Physical and environmental security.
- Communications and operations management.
- Access control.
- Information systems acquisition, development and maintenance.
- Information security incident management.
- Business continuity management.
ISO/IEC 17799 can be used alone or as a guide along with ISO/IEC 27001. In any event, the document is intended to meet requirements that result from a risk assessment.
Onward and Upward
While it is not raining new MSSs, their numbers are increasing every year. There are two somewhat different developments:
- More disciplines are being added.
- There are more sector specific QMS standards.
The new disciplines tend to be situations such as security management with an apparent need to standardize ways to manage various types of risks. These new MSSs tend to use a model and format similar to ISO 14001.
This is quite different from the increasing development of sector specific QMS standards. In this case, the perceived need is for a sector to add more specific detail—either in the form of more detailed requirements or implementation guidance—to the requirements of ISO 9001.
There have been calls to create a single integrated MSS to cover the various disciplines. In some countries work is already being done on such documents, but it is likely to be several years before we know if this can be successful.
What is generally forgotten in these efforts is that the expanding number of sector specific QMS standards is a different issue, and the need for greater specificity by a sector is not going to be eliminated by an integrated standard.
A Brief History of QMS Standards
Sector specific quality management system (QMS) standards have been around in various forms for a long time.
By the late 1960s, large companies developed quality systems documents to help manage their supply bases. As these organizations talked to one another, agreements were often reached to develop national consensus standards for quality systems in their sector or industry.
In some countries, this resulted in combining the company and sector standards into national generic quality system standards. In the 1970s, ASQ was involved in publishing several of the generic standards that were developed.
Of course, the United States was not the only country where this was taking place. With growing international commerce, a need to develop an international quality system standard to facilitate cross border trade was perceived. In 1980, the International Organization for Standardization technical committee (ISO TC) 176 on quality management and quality assurance started working on what became the ISO 9000 family of standards.
The family includes standards with requirements for quality systems that could be passed to suppliers in different countries. The first version of these requirements included ISO 9001:1987.¹ The need for replacement of the many national generic standards drove creation of ISO 9001, and the rest is history.
But some large global organizations, including automotive and aerospace companies, stuck to their own company management system standards (MSSs) for their suppliers. As ISO 9001 was becoming a success in the early years of its existence, these industries began to recognize the value of getting together to harmonize the MSSs used for their supply bases.
While recognizing the value of ISO 9001, these companies had more extensive requirements that were not generally applicable to all industries. So, they started creating sector specific documents based on ISO 9001. One of the most familiar of the early documents was QS-9000, which was adopted by Ford, General Motors and Chrysler as their supplier quality system standard.
Similar things happened in the automotive industry in other countries, and ultimately the automotive industry around the world got together to produce an MSS within ISO—ISO Technical Specification (TS) 16949. Other industries started creating sector specific documents, such as TL 9000 for the telecommunications industry, AS9100 for the aerospace industry and ISO 13485 for medical devices.
These changes took a long time and were painful for many suppliers, but much progress has been made to reduce the number of company specific and national standards that an individual supplier must contend with.
ISO 9001:2002 then introduced to the generic QMS specific requirements related to customer satisfaction and continual improvement.² It has also provided a greater focus on processes and process control instead of inspection as a means to ensure requirements are met. This shift has been greeted generally with great acceptance. In fact, in a recent survey conducted by ISO TC 176/subcommittee 2/working group 18, about 90% of respondents indicated they were happy with the process approach of ISO 9001:2000.
In the early 1990s the popularity of ISO 9001 and its related certification or registration processes stimulated interest to create standards related to environmental management systems. This effort evolved quite quickly into ISO 14001 in 1996.
During the development of ISO 14001 and during the revision processes for both ISO 9001 and ISO 14001, there was much effort to ensure the two standards would be compatible. Thus, organizations can implement common elements together without unnecessary duplication or conflicting requirements.
REFERENCES AND NOTES
1. Published in the United States as ANSI/ASQ Q91-1987, Quality Systems—Model for Quality Assurance in Design/Development, Production, Installation and Servicing, ASQ, 1987.
2. ANSI/ISO/ASQ Q9001-2000, Quality Management Systems—Requirements, ASQ, 2000.
REFERENCES AND NOTES
1. FDA Backgrounder, www.cfsan.fda.gov/~lrd/bghaccp.html, accessed Jan. 25, 2006.
2. Codex Alimentarius, www.codexalimentarius.net/web/index_en.jsp, accessed Jan. 25, 2006.
3. ISO 15161, Guidelines on the Application of ISO 9001:2000 for the Food and Drink Industry, ISO, 2001.
4. ISO 22000:2005, Food Safety Management Systems—Requirements for Any Organization in the Food Chain, ISO, 2005.
5. This and other information on ISO 22000 can be found on the ISO Store portion of the ISO website at www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=35466 (case sensitive), accessed Jan. 26, 2006.
6. ISO/TS 22004:2005—Food Safety Management Systems—Guidance on the Application of ISO 22000:2005, ISO, 2005.
7. ISO/IEC 27001:2005—Information Technology—Security Techniques—Information Security Management Systems—Requirements, ISO, 2005.
8. ISO/IEC 17799:2005—Information Technology—Security Techniques—Code of Practice for Information Security Management, ISO, 2005.
JOHN E. “JACK” WEST is a management consultant and business advisor. He served on the board of examiners for the Malcolm Baldrige National Quality Award from 1990 to 1993 and is past chair of the U.S. technical advisory group to International Organization for Standardization (ISO) technical committee 176 and lead delegate to the committee responsible for the ISO 9000 family of quality management standards. He is co-author of several ASQ Quality Press books.