by Simon Feary
One certificate accepted by all. That was the dream in the 1980s as third-party certification to ISO 9001 popularized and industry was presented with the opportunity to reduce duplication of supplier audits. Since then, the raw numbers reflect success: There are more than a million ISO 9001 certificates in almost all corners of the world, and more than 50,000 individuals taking International Register of Certificated (IRCA) certified auditor training in some 120 countries each year. However, since those beginnings the environment has changed and some of the assumptions about management systems standards and certification have been challenged. Life is not quite as simple as we thought.
IRCA’s new auditor certification schemes for energy management systems auditors (ISO 50001) and pharmaceutical quality management systems auditors (ICH Q10), and our briefing note on ISO 17021:2011 reflects this ongoing change and increasing complexity.
The variant factor
Industry in a number of sectors, such as aerospace and automotive, have opted out of the generic ISO 9001 approach and established sector-specific variants to cater to their specific risks and issues. At the same time, a number of these sectors have also opted out of generic third-party certification and instead established governance structures to ensure that their own requirements are met. This approach is a result of these organizations’ doubt that their sector-specific risks were being adequately managed. The approach recognizes the value of accredited certification to reduce duplication of supplier audit, but it also requires beefing up the requirements and controls in areas such as auditor competence and audit program management.
It’s my view that variants of ISO 9001—within and without the accredited certification infrastructure—will present as a growth market in the future.
The auditor competence factor
Second, and perhaps related to the first factor, is the development of ISO 17021:2011 and its focus on increased requirements for the auditor competence of sector-technical auditors to be assessed and evidenced by certification bodies. Organizations that have previously relied exclusively on experience-based evidence of auditor competence will need to do more to evaluate the competence of their people. For example, where a certification body may previously have relied on a curriculum vitae or résumé review as evidence of technical auditor competence, such records alone are now likely to be insufficient. As well as technical auditor competence, ISO 17021 makes it clear that certification audits are required to evaluate the whole management system, not only for conformity with criteria but also to evaluate its ability to meet the needs of the client organization, it customers, and regulators. Although this may not be new to many, for auditors more used to determining conformance with a set of procedures, it will be a significant change.
The standards proliferation factor
Third, the management systems approach established by ISO 9001 is being applied to an increasing number of risk areas from information security to business continuity. The latest of these, ISO 50001, Energy management, was published in June 2011. The fact that this standard was fast-tracked by the International Organization for Standardization (ISO) is a reaction to the growing pressure on energy demand and the need for industrial plants, commercial facilities, and entire organizations to improve energy efficiency and drive reductions in carbon emissions. The aim is not only to reduce costs but also as a way for businesses and governments to meet and exceed existing national and international carbon emission targets. British companies that implemented the European precursor to ISO 50001, BS EN 16001:2009, experienced up to 30 percent reductions in their energy costs. What next? Well, there is talk of a management systems standard on bribery…
However, with this proliferation of standards, many users are unhappy that redundant requirements—expressed slightly differently—are included in several management system standards. This has allowed auditors to interpret the requirements differently. With this in mind, the current work on ISO Guide 83 to harmonize the generic management systems elements of standards is a welcome move. It also highlights the importance for organizations and auditors to understand the business management system in terms of policy deployment, measurement, review, and improvement as well as allied quality and improvement tools such as root cause analysis and the essential focus of the business management system in meeting the meet the needs of the client organization, its customers, and regulators: a clear link with elements of ISO 17021:2011. While not intended for standards users or certification, the effect that Guide 83 may have on the certification industry in terms of combined and integrated approaches will be interesting.
The global supply chain factor
The risks attached to global outsourcing have prompted a number of industries to develop their own quality management standards to support second-party supplier audits. We see this in the ethical supply area in sectors such as the information and communications technology (ICT) industry, which has developed supplier standards; audit regimes; and audit report sharing through the Electronics Industry Citizenship Coalition Inc. (EICC) and the Global e-Sustainability Initiative.
This is also happening in the pharmaceutical sector, which has seen a steady trend toward the contracting out of operations to complex supply chains that increasingly need understanding, detailing, and control to satisfy supplier, customer, and regulatory requirements. This is crucial in an industry where safety is paramount and where offshoring has occurred to parts of the world where the regulatory function has been less robust and where there is also an increased risk of counterfeiting though supply chain infiltration. The pharmaceutical industry standard—ICH Q10—provides a variant of ISO 9001 and requires a strong quality management approach. Increasingly and rightly, companies and regulators are asking for evidence of relevant training and experience for pharmaceutical auditors and confirmation of credibility and qualification to perform the audits required. The new IRCA pharmaceutical quality management system (PQMS) scheme provides this confirmation of training and experience.
What this means for IRCA
IRCA, like all global certification bodies, operates in this increasingly complex world. This means operating auditor certification schemes under contract to the likes of the aerospace industry and the ICT industry. It means providing auditor certification services to support the emerging challenges of the external environment, such as the supply chain initiatives in the pharmaceutical sector and field of ethical sourcing. And with the issue of ISO 17021:2011, it also means talking to employers of auditors, especially certification bodies at the moment, to align our services to the needs of a rapidly evolving industry.
About the author
Simon Feary started his career as a biologist involved in the genetics of cancer and leukemia, followed by performing drug safety testing for the pharmaceutical industry. The latter involved a move away from the laboratory bench into management, and, through exposure to Good Laboratory Practice and other regulatory requirements, he gained a practical appreciation of the value to organizations of effective quality management.
In 2008, he moved to his current position as Chartered Quality Institute’s (CQI) chief executive with a mission to promote the role and contributions of the quality professional within business and industry and to champion the CQI’s role as the leading professional body for quality and a positive contributor business worldwide.
His background and interests are both business and quality, two attributes very relevant to managing the CQI. He is also active within standards making, and, through the International Register of Certificated Auditors (IRCA), retains an involvement in the International Accreditation Forum and other groups charged with developing standards, guidance, and best practices.