What is SMEA and FMEA?

Success Modes and Effects Analysis

An organization is likely to succeed if it understands the system that runs its business. It can then identify where it needs to make improvements and use its system to succeed. QMII help clients to develop their process-based management systems by using success modes and effects analysis (SMEA). SMEA conversely to FMEA focuses on the success areas (opportunities) the organization is trying to achieve and determining what are the potential risks to achieving them. They then taken action to address these risks. While all risks cannot be eliminated based on resource constraints, SMEA provides an opportunity for organization to prioritize the risks and take appropriate action.

To implement SMEA, top management need to analyze and document what their organization does to convert customer needs into cash (success modes). This enables them to see where waste can be eliminated by applying lean principles to achieve lean design, lean manufacturing, lean administration and lean service.This determines the key processes in the system that runs the business. The next step involves working with the process owners to analyze each of the key processes for the fulfillment of process objectives (effects analysis). This results in a flowcharted procedure for each key process.  If you’re not fond of flowcharts then any other method of documentation will do. These procedures refer to the interacting processes and supporting documents.

Competent employees, from the recruiting and training processes, are coached by their leaders to use their system to eliminate causes of waste and succeed. These systems include procedures for creating new products and new processes with inputs from successful designs (see FMEA below).

Organizations can use SMEA to build and grow the success of their organizations.

Failure Modes and Effects Analysis

FMEAs during product and process design prevent failures of products and processes. A team, representing customers, designers, manufacturers, installers, users and suppliers agrees upon the rules for evaluating risk. The team works through each of the ways in which the process or product could fail (potential failure modes) and assign a score per the rules to signify the frequency and impact of each type of failure (effects analysis).

Failure modes that potentially are the most frequent or could have the biggest impact (or both!) are the highest priority. Teams remove the root causes of such failure modes to prevent their occurrence. These preventive actions make processes and products much more reliable from the beginning.

As you might expect the entire automotive industry now uses FMEA to improve reliability. Yes, not one car maker considered the sudden loss of global financing; a rare failure mode with dire consequences! Organizations that fail to use FMEA have to suffer the many losses due to incapable processes and poor products. Repeated failure may enable them to learn the hard way if they remain in business.

FMEA works best as a preventive action tool within a process-based management system (see above).

QMII facilitates failure modes and effects analysis (FMEA) and success modes and effects analysis (SMEA) for our clients.

Management review: A Necessity or Improvement driver

The management review is a critical step to ensure sustained success of the management system, yet this is often left to the relevant manager to document to meet the system standard requirements. A myriad of reasons is given for a management review not being done within the timeframe as defined by the organization. These include unavailability of senior management due calendar conflicts, waiting on inputs from department heads and sometimes just a lack of commitment by leadership.

Even when conducted ‘timely’ the review is often done purely out of necessity of meeting the requirements of the standard. The review, however, is a critical step for the success of the system and enables the continual improvement of the system. Leadership may, at times question, why money invested in a Quality Management System; that certification to ISO is not delivering the intended ROI. The answer often lies in their lack of commitment to the system as perceived by the users of the system.

Why are my reviews not driving improvement?

Management reviews when done out of necessity become a documentation exercise. The responsible manager collects all the data and analyzes/evaluates it for presentation to management. They proudly share these presentations with whomsoever asks about the management review. The ISO standards (e.g. ISO 9001, ISO 14001 and others) in clause 9.3 give the requirements for what shall be included in a management review. However, the review need not be limited to just these topics.

In consulting, QMII has often heard, “But we do daily reviews with our team and weekly updates with the managers”. Why not record these as a part of your management review? Do keep in mind that ISO standards ask organizations to conduct management reviews at planned intervals. It does not say it has to be a meeting or be held in a boardroom or the planned intervals need to be equally spaced. When the system is incorrectly implemented, or the standard incorrectly interpreted it often leads to a weak foundation of the system. Soon users of the system are complying and doing what has been documented rather than asking “is this really correct for us?”

With the passage of time, the lack of commitment percolates through the system to where the person tasked with championing the system, such as a quality or environmental manager, is fighting a lone battle. This lack of commitment may be apparent from the lack of decisions by management to issues presented in the review.  At times the concerned departments are trying to drive their own agendas, and this creates conflict and disconnect. Also, in recording the outputs of the review, the decision and actions from management must be recorded. QMII, often finds these missing.

How do I improve my management reviews?

To do so the organization must first understand the intent of this clause in the ISO standards. Clause 9.3 (under the high-level structure) asks management to review their systems to ‘ensure its continuing suitability, adequacy, effectiveness and alignment with the strategic direction of the system.’ This, in essence, must be the guiding principle for the management reviews.

This is the reason why these reviews must be done holistically. It is this guiding principle that will determine the intervals for the review. Clause 5.1 of the ISO standards (those aligned per the HLS) asks leadership to take accountability for the effectiveness of their systems. The management review is the platform via which they can assess if the system is effective in meeting their policy as set. The management review is also where management reviews the system and determines the required changes in the context of the organization, the needs of the interested parties to determine new risks,  if any changes to the policy / strategic direction needs to be made and resourcing needs.

Engaging Leadership and the rest of the team

There is no mantra that will deliver sure-shot success. I wish there was one, for I know many an organization that would willingly invest in it! However, educating management on the WHY of the management review has often helped. If need be consider external consultants to deliver the message. Additionally, you can consider these three steps to get more engagement:

  1. Gather review inputs from management team: This is a good method to get everyone involved. Pass around a draft meeting agenda so all system users can prepare for the review (should you be having a meeting) and can provide their inputs /items that they need management’s decision on. It is also an opportunity for them to gather opportunities for improvement from users of the system.
  2. Use a review format that works for leadership: Document how your reviews are done exactly the way they are done within your organization. Perhaps some agenda items are discussed on a quarterly basis and others on a weekly basis. The intent is not to please an auditor but to use this tool to drive improvements through the system, as needed. Remember, the guiding principle discussed above.
  3. Communicate the outputs of the review …. including leadership’s decisions. While the standard does not require this, it is implicit in ensuring continual improvement. Communication is important but the outputs of the review need not to be communicated to the entire organization. Perhaps relevant parts to the concerned managers and their teams. It demonstrates to the users of the system that management is involved, is aware of the problems and has provided decisions on various matters presented.

Management Reviews ….  Improvement Driver

When done correctly management reviews become the springboard for improvement throughout the system. It comes at the end of the ‘Check’ stage of the PDCA cycles leading into the ‘Act’ stage for continual improvement. It enables leadership to assess how well their system is doing. It delivers, in the long run, the engagement needed from users of the system and the ROI that leadership are seeking in their quality management system.

Subchapter M: Bane or a Boon?

Request a free copy of IJ's Subchapter-M Presentation 


Integrated Management Systems AKA ‘A balanced lifestyle’

Integrated Management Systems (IMS) when well implemented enable improvement across various facets of the system. Management system implementation reminds me of the orientation that my gym instructor gave me when I first enrolled at my local health club:- “Losing weight doesn’t happen just in one day and with crash diets: you gotta workout, gotta sleep the right amount, have a little fun in life and yes, food is the most important factor, but everything is in moderation. A combination of all that will give you a satisfying result and you’ll be a happier person. No shortcuts.”

When I look at the anatomy of an organization, I remember these words and know they are applicable to those looking to implement management systems, especially Integrated Management System (IMS). With IMS, they are looking to address multiple concern areas such as quality, environmental protection, safety, security, and overall happier stakeholders.

What is an Integrated Management System?

These days search engines like Google are the go-to source for all the answers, angles, interpretations and everything else. As I thought about the IMS and its benefits, I too turned to the ‘Google’ for insights! This is what I understood: “A management system is a set of policies, processes and procedures used by an organization to ensure that it can fulfill the tasks required to achieve its objectives. These objectives cover many aspects of the organization’s operations including financial success, safe operation, product quality, client relationships, legislative and regulatory conformance, and worker management.” (Source: Wikipedia)

Another applicable example that I can give is how a country runs? There is politics, religion, economics, business all in a blender with a spoonful of “science” and “logic” to it, which is rarely used (winking). A successful balance is needed and the country well-managed for it to be successful and have happy citizens.

There has been an increased demand for integrated management systems in recent years. Organizations are beginning to recognize how these systems enable improvement across various facets of the business. For organizations looking for continual improvement and efficiency as also ensuring the security of information, the question is: why to implement two different systems when one can meet both requirements. Think of a cocktail – If you want Vodka and Tequila together, why not order a Long Island Iced Tea instead of two separate drinks.

The International Organization for Standardization (ISO) has, since 2013, been aligning its standards to the new High-Level Structure in which all ISO requirement standards are published with 10 clauses and identical sub-clauses. The High- Level Structure allows for easier integration of management systems into our existing system and ensures that the policies and objectives for each standard do not conflict with those of another. ISO standards use the basic Plan-do-check-act cycle to achieve continual improvement through vigorous use of the system.

Benefits of Integrated Management System

Integrated management systems allow organizations to identify and address various and different kinds of risks to their system: financial, strategic, competitor, security, safety environmental and others. All this while ensuring continual improvement of the organization. This approach enables organizations to meet the needs of its stakeholders and to adjust to the changing needs through systematic and planned changes.

Back in the good ol’ days, we did not have to worry about computer hackers, though there were other means by which our security was threatened. An information security breach can be a large liability for many organizations these days. How do we ensure that our organization is prepared for such potential breaches? We do not want a cyber-security system operating outside of our business system. We want it integrated into it.

Integrated management systems also are more cost-effective in the long run. There are cost savings in implementation, training, and auditing. Why spend on two/three different system audits in order to meet with the requirements of each Standard, when an integrated audit can assess the common requirements of each standard at the same time. These include competence, control of documented information, system measurement and analysis, etc. For the users of the system, benefits include objectives that align with the integrated policy, reduced duplication of effort and no conflict in the expectations of the management with respect to each policy. This makes the system more efficient, effective and very progressive. It also makes the system more flexible and adaptive in nature to the changing context of the organizations and needs of the relevant interested parties.

Conclusion

Integrated Management Systems can help the organization align its existing system to the requirements of multiple international standards using a single common factor in lieu of discrete systems. Hence, reducing duplication or redundancies. This includes its scope, policies, objectives, programs, processes, protocols and many more. In the maritime field ISO 9001:2015 can easily be merged with ISM Code or in the aviation industry, aerospace requirements along with requirements for occupational health and safety. To meet the growing demand of stakeholders for environmental sustainability, you can also add on the requirements of ISO 14001. Add Security to it, and you got your self a perfect Long Island Iced Tea, I mean your perfectly integrated system.

A lot of time and money is saved in implementing integrated management systems. It also helps in maintaining accountability and consistency for one perfect integrated system. Once your management system is integrated, you will notice reduced bureaucracy along with a reduction in duplication of efforts, redundancy, and expense. It will optimize resources and streamline the process. Integrated management systems will also help with the following: –

  • Curbing conflicting objectives
  • Eliminates conflicting responsibilities and relationships
  • Improves Internal and External communication
  • Harmonizes practice for each Standard in one
  • Business focus is unified to maintain its objective/goal
  • Customer focus is one and not for various tasks

Oh and continuing my health analogy, a well-integrated management system will give you the desired outputs and satisfaction as does those number reducing on the weighing scale! Lastly, remember that there are no shortcuts. Templates come with many promises but do not enable the long-term gains that a well-implemented system will afford. Refer QMII’s time tested approach here.

Stop the Firefighting: Use Effective Root Cause Analysis

Root Cause Analysis (RCA) or Causal Analysis when applied correctly should help to prevent the recurrence and occurrence of similar issues within the organization. Why then is such little time, money and or effort afforded to it?

Heroes save the day! Yet again! How often have we come across news articles that laud those who manage the crisis, stop the plane from crashing or save the patient. The reality in any casualty is that, a system failure has resulted in a non-conforming product/service, including failed inspection. Organizations should laud and appreciate those who prevent incidents/ accidents/non-conformities and those who perform effective root cause analysis. Those who recognize near misses and perform CA  should receive equivalent if not more praise.

The root cause of many diseases is lack of a healthy lifestyle. Presumably, annual medical check-ups would show the flaws and enable risk appreciation to prevent a disease or illness from manifesting itself. This data however may not be enough to provide an accurate diagnosis or prevent a serious medical condition. Perhaps some may see the regular check-ups as a waste of money and time! This may help to explain why companies are reluctant to do root cause analysis when non-conformities arise. Their instincts are to do the firefighting when something goes wrong. This basic firefighting often appears to be less expensive, quick and seemingly more convenient. However, as has been proved again and again in various fields (quality, safety, security, etc.) prevention is better and more cost effective than the cure.

Why Problems Persist?

There are many methodologies for root cause analysis (RCA). It is not the intent of this article to educate its readers on the various RCA methodologies. Before we delve into why problem persists let us considers why problems occur. Problems usually occur because of the lack of a functional well implemented management system. This includes the lack of management commitment, timely identification of risks and lack of controls/adequate resources for the processes. Despite repeated warnings from their doctor, patients choose to continue living their current lifestyle. During incident investigation interviews this comment is often heard ‘this is the way we always did it’. Humans are not always accepting of changes and ‘if it ain’t broke then why fix it?’ Management of change is never easy. The larger the organization the more difficult it is to enable the change. Often in management systems, problems are ‘fixed’. This makes the issue go away albeit temporarily. Everyone likes a good score card and ‘fixing’ the issue makes everything look good again. However, when the root cause(s) are not addressed this dragon will raise its ugly head again.

When root cause analysis points toward leadership or top management, the job security aspects may prevent the middle managers from completing the RCA process. This political limitation, to avoid exposing process issues within the ranks of leadership are counterproductive, and yet a reality. As preposterous as it may sound, in some cases leadership may opt for paying the fine when things go wrong and then proceeding as is. This is seen as the ‘less expensive’ option than resourcing actions to prevent the recurrence/occurrence of problems. Conflicts of interest in the workplace, can often be a reason for a lack of effective root cause analysis.

Stopping the Firefighting.

With all due respect to firefighters and other emergency personnel, organizations want to solve the problem, so they do not have to call them back! This means getting to the root cause(s) of the incident. Very often when identifying the root cause(s), the work group or practitioners often stop short of finding the actual “root cause.” These may be the immediate direct or indirect causes. The root case may lie in another part of the organization and often gets missed. Root Cause Analysis when done correctly drives systemic changes to prevent similar issues from cropping up again. As with everything else the RCA team needs the backing of the leadership including the needed resources to be effective.

In conducting effective root cause analysis, the inputs of customers and other stakeholders may be needed. For effective root cause analysis is of interest to all organizations that are integral to the successful implementation of a management system. The element of social responsibility in the defined duties of leadership need to be audited and have consequences when customer focus is lost. The new root cause analysis model should have an element of responsibility attributable to the top management. The intent, not to encourage a blame culture, but a responsibility culture. As a part of QMII’s management system implementation we train selected candidates as a problem-solving team to enable and empower continued success of the system. To sit in the fire house and focus on other initiatives such as innovation, social responsibility etc. an organization has to proactive rather than be responsive.

Conclusion

Leadership often questions why money spent on management systems, particularly when based on ISO Standards do not work? Why a conforming product or service is not constantly delivered by an organization? Mature organizations recognize that the only bad nonconformity (NC) is the one that they do not know about. Once the NC is identified, the system must drive Correction and CA (corrective action, based on RCA). Closed NCs added to the database, along with the proper analysis of the information, will allow system users to appreciate risks and trends to identify the opportunities for improvement (OFI). However, all this will fail if the MS (management system) users do not understand the value of RCA.

For the success of a Management System, its outputs based on inputs must deliver conforming products and services.  When the Management System does not achieve this, all stakeholders should be interested in the root cause analysis and corrective action.

Re-thinking the ISM Code

The ISM code, when implemented in 1998, was meant to encourage organizations to take ownership for the safe operations of their ship and the safety of the environment they operate within. Many years hence and the benefit of the ISM code is still being debated. Has it been a boon or a burden to the maritime industry?

Given the number or maritime accidents and loss of lives, most would opine that safety would be second nature to those at sea. Something like wearing a seatbelt when driving a car where the person does it for their own safety and for those travelling with them. It is not done out of fear of the enforcement authorities. So then why has the ISM code not driven a similar safety culture within the maritime industry?

Boon or Burden?

In many companies, the ISM code implementation has become a paperwork drill; where it is seen as a means of demonstrating to regulators that the requirements have been met. The reasons for this culture are many, including but not limited to:

  • Lack of effective communication between ship and shore staff (one of the key issues the ISM code aimed to address)
  • Fear of reporting of non-conformities / near misses (lack of job security)
  • Hierarchical structure of companies
  • Authoritarian leadership (my way or the highway)
  • Systems not customized to the vessel (generic to the fleet)
  • Poor system implementation

The ISM code provides a system approach to continual improvement but only when the code is implemented in the right spirit. Personnel often do not understand the ‘WHY’ for implementing an SMS and their need to do the right thing. Often conformity/compliance is stressed even when the actions may not be the right thing to do. Measures such as Bridge Resource Management are add-ons to ensure effective communication of risks and challenging of group thinking. However, often the training is not sufficient to enable challenging a senior officer unless they are encouraged to do so. Most mariners today view the SMS on board as a burden. Over-documentation is slowly killing the system and once incorporated into the system, requirements rarely get removed. SMS reviews done by the Master do not truly evaluate how the SMS is adding value to the effectiveness of the system.

The Case for Risk-Based Thinking

ISO 9001 in its revision in 2015 introduced the concept of risk-based thinking, wherein organizations shall assess the risks to their system given the changing environment they operate within and then plan to take actions to address these risks. This concept of risk-based thinking is driven down to awareness of the entire staff of the need to contribute to the effectiveness of the system. While the ISM code in its objectives requires companies to identify and safeguard against all risks this has in many cases become a paperwork exercise of completing a risk assessment form and filing it. The ISM code in essence has encouraged companies to identify potential emergencies, prepare contingency plans for them and the drill in these. Often these are limited to the same 10 or 12 scenarios such as grounding, oil spill, man overboard etc. Many maritime companies are ISO 9001 certified but often the scope of this certification only extends to the shore-based offices. While the certification scope may be limited, there is nothing stopping companies from extending the system to vessels or at the least the concept of risk-based thinking.

The safety culture must start with the commitment of the leadership and then be reinforced throughout the organization. The fear of reporting non-conformities must be eradicated. This can only be achieved when personnel are confident that there will be no repercussions. Regardless of the safety culture of organizations however, given the contractual nature of employment at sea, it is often difficult to inculcate a sense of commitment to the SMS. Mariners in general tend to work safely and watch out for safety of their shipmates. At times though, the culture of “follow the procedure” leads to actions being taken even when they may not be the best, given external influences and circumstances.

Consultation and Participation

ISO 45001, a standard for occupational health and safety management systems, introduces the need for ‘organizations to maintain a process for consultation and participation of workers at all applicable levels and functions, and, where they exist, workers’ representatives, in the development, planning, implementation, performance evaluation and actions for improvement of the OH&S management system’. Getting inputs from the entire workforce enables quicker and easier buy-in to the system. The SMS while capturing the various requirements should be designed for easy use by the users of the system. Often SMS manuals on board are bulky and rarely referenced. Personnel choose to follow the practices they have learned over the years from other ship mates and mentors rather than reference the SMS.

When asked for feedback on how to improve the system, many mariners have ideas but the system at times does not provide an avenue for this feedback to be captured and formally implemented within the SMS. Best practices often remain limited to a vessel as a result. Following the concept of risk-based thinking, organizations need to consider the risk of barriers to participation and take measures to reduce these. Many accidents/incidents and near misses could be addressed if mariners could have asserted themselves in the situation and alerted someone to the problem/potential non-conformity.

Conclusion

Some in the industry are calling for increased regulation to improve the maritime industry in ensuring ships are operated safely. However, regulators can only do spot checks. They are not on board 365 days of the year. Operational pressures play a major role in how risks are assessed. The grounding of the Torrey Canyon is a prime example of this as is perhaps the Titanic.

As the use of technology increases and reliance on electronic systems, consequently new risks will be introduced to the maritime industry. This new era will benefit from a re-think of the ISM code to encourage the inclusion of risk-based thinking (beyond just a documentation exercise) and the participation of mariners to actively improve the SMS and embrace safety. In conclusion, maritime companies (with or without a change to the ISM code), in the interest of their mariners and the maritime industry at large need to rethink their approach to implementation and maintenance of the SMS.

Myth: Management system implementation – documentation must align to the ISO standard

Companies use different management system implementation methodologies to understand the requirements / inputs of their customer and then plan to deliver outputs meeting requirements as a conforming product / service. The International Organization for Standardization (ISO) publishes standards which when correctly interpreted enables companies to systematically and consistently provide desired outputs while addressing risks. Using the framework/methodology provided by ISO, companies design systems / processes to work together to deliver desired outputs.

The endeavor of the organization should be to define the outputs (products/services) accurately, after understanding customer requirements, both stated and unstated. ISO standards allows companies of any size and industry to implement them. Hence a lot is left open to interpretation. Despite this, certification of these systems delivers confidence to potential and existing customers that the company is implementing a process with the intent of continual improvement. Across the globe, an ISO certification gives confidence of a certain basic framework being implemented and followed.

The risks are appreciated in the context of the organization. The core process of the organization has its objectives directly derived from the company policy. The Key and Support procedures ensure the objectives of the core procedure are met and deliver a confirming product and or a confirming service.

Why ‘ISO-ized’ systems fail?

This understanding of how a management system works and delivers products and services must be understood in the spirit of the ISO standard. The use of the standard is not like a magic wand which will guarantee excellence or success. The Standard needs careful interpretation to design the processes necessary to meet stakeholder requirements. Many an ‘ISO-ized’ management system implementation do not deliver sustained success because, when written around the clauses of the standard the system is not actively used and therefore does not deliver the feedback that a good system should.

The process needs to be documented around what the users do. These processes then need to be resourced, controlled, monitored, audited and reviewed for continuing suitability, adequacy and effectiveness. Organizations blunder into believing that ‘ISO-izing’ their system is the panacea to all their problems. It is not. These systems documented to the clauses only benefit the external auditors of the system. The system should be documented for easy use by the users of the system. Auditors and auditing are an integral part of the system; meant to provide objective inputs for improvements and not to dictate how the system functions.

The process approach to management system implementation

The process-based approach is the fundamental to management system implementation. The success in ISO standard implementation (be it for efficiency, managing risk, security, environment, aerospace quality or food safety etc.), lies in a good plan that accounts for system risks given the organizational business context. Management system implementations should ideally capture the “as-is” of the system, compare it to requirements and identify the gaps enabling design of new procedures and an update of existing procedures. These procedures are designed to meet measurable objectives, that are based on the policy of the leadership. Users of the system do the work to meet the objectives and the procedures must capture the ‘how’ of what they do.

The chain from understanding requirements, risks and inputs to creating the policy should be systematically considered in designing the management system prior resourcing it. The system approach as prescribed by ISO standards allows for involvement of the leadership from cradle to cradle i.e. from the planning to implementing to monitoring and reviewing of performance for improvement. This approach gets Top Management (TM) to take personal ownership of their management systems.

Conclusion

ISO standards are not prescriptive and need interpretation by the users of the system. Using the Plan-Do-Check-Act (PDCA) cycle approach leaders convey their policy to the users of the system. The system ensures adequate controls and resources, so outputs meet the inputs and the measurable objectives as set. Management system implementation, when done correctly, allows for feedback to be captured so risks and opportunities for improvement are identified and addressed in a timely manner. As for the auditors let us have them use their innovative approaches to identify how the system meets the requirements and intent of the standard. To make it easy we could provide them with a cross-reference matrix to demonstrate where the requirements of the system are met within the documented procedures. Bottom line: Embrace your system when developing it to meet requirements, including those per ISO standards, and you will see the benefits of ‘De-ISO-ized’ system.

Defining Measurable Objectives/ Metrics to Drive Continual Improvement

Measurable objectives are an essential input for all levels of the management and come from the top management (TM). These objectives guide personnel at the work level to help ensure the success of a management system. The need for a set of value-based metrics is met by looking carefully at the company policy (based on the strategic direction) and then drawing the measurable objectives from it.

My thought is for any organization giving more than the desired value is a challenge! Values in today’s business world are often related solely to the ROI (Return on Investment). Providing value to the customer is a goal. The question is at what cost? Due to budgetary concerns, no organization wants to do more than what is required. Availability of funds is input to the design of the final product and or service. Consequentially, the values that an organization sets for itself must be based on trying to meet the objectives and expectations of the customers, or the statutory bodies (if relevant) within the constraints of the resources. Where a statutory body is involved, it is the vital responsibility of that body to precisely define expectations and what metrics they will accept.

My opinion is that the statutory bodies such as the FAA, FDA, EPA, and USCG, would have concerns about continual improvement by the external service providers. It is therefore critical to conduct an analysis and conduct management reviews internally to achieve the intended purpose of Clause 10.3 of ISO 9001:2015. However, it all starts with defining, providing and monitoring these clear expectations. This means that the statutory body should provide guidelines for stated requirements, as the IMO does in the ISM Code, within Resolution A.1118(30) & MSC-MEPC.7/Cir8. In a similar manner, the USCG could provide clear guidelines for TPO (Third Party Organization) and for the towing companies for the Subchapter M.

Statutory bodies, understandably, may struggle with defining their policy in the initial stages and clearly converting it to a set of measurable objectives (Value based metrics) for external providers. The need for the Leadership (TM) is to spend time and resources well at the plan stage of the PDCA cycle (Plan-Do-Check-Act) by understanding the context of the organization (Clauses 4.1 and 4.2 of the ISO 9001) and appreciate the various risks (Clause 6.1 of ISO 9001) keeping the customer focus in mind. The Standard here provides useful clauses to make the decision. An objective audit of the internal procedures of the statutory body (Clause 9.2 of ISO 9001) would provide the inputs for the Management Review (Clause 9.3) and ensure a robust decision-making process. This then should be followed by regular audits of the organization to which the processes have been outsourced (meeting the requirements of Clause 8.4.1 and 8.4.2 of ISO 9001). The organization which provides the outsourced service or product needs the information in terms of clause 8.4.3 to perform to the total satisfaction of the statutory body. As such providing clear requirements is a vital role of the statutory body.

Once requirements are clear, then the organization providing a product or service will use these inputs to design their Policy (Clause 5.2 of ISO 9001) 5.2.1d. This policy would then ensure that the feedback loop will help to drive continuous improvement efforts of the QMS. This policy would then provide the framework for the “value-based metrics” which in Quality terms would be the measurable objectives in terms of clause 6.2. Both 6.2.1 and 6.2.2 would put the organization on the correct path to success. The statutory body would vigorously and regularly audit the correct implementation itself or by using an independent professional service provider.

In effect, what this means is that just being certified to e.g. ISO 9001:2015 is not enough for any organization. What is required is a functioning PBMS (process-based management system) based on the chosen standard and other criteria implemented by committed leadership and motivated manpower.

(The author Dr. IJ Arora, is the President and CEO of QMII)

SECURING THE MARITIME IoT FRAMEWORK

As technology advances, there are a growing number of providers that are developing products and services based on the IoT (Internet of Things) framework. In the maritime industry, it is increasingly common for vessel containers to be tracked from ashore and even machinery performance metrics, providing remotely automated readouts, to those ashore. With the increased use of technology, the risk of these networks being compromised also increases. There are a growing number of incidents in the maritime industry where systems were compromised leading to losses in millions of dollars.

On an average when these breaches occur it may take over 100 days before they are even detected! Various maritime organizations and associations have published guidelines on measures to be taken to prevent/deter such a compromise, but history has shown that the maritime industry tends to be more reactive than proactive. Even the ISM code now includes as an appendix a circular on guidelines for maritime security. As part of the implementation of the ISM Code measures for cybersecurity should be included in the system. From the security of networks to machinery to contingency plans in case of breaches occur.

The implementation of cyber-security measures includes the need for protection of three aspects of the system; the IT aspect, the human aspect, and the physical aspect. Organizations need to consider the cyber-security risks at the planning stage of the system and determine where vulnerabilities lie and how to address them. Instead of reinventing the wheel organizations may consider the implementation of an information security management system based on ISO 27001. ISO 27001 lays the framework for the IT security of the system. Once implemented and used, based on industry feedback the standard includes an annex of controls for implementation to secure the system. ISO 27001 has a total of 114 controls split across 35 control categories.

If an organization already has an ISO management system framework in place, for example, an ISO 9001 based system, integration of ISO 27001 into the existing management system would be a simple exercise. This integration has been made easier by ISO through the use of the High-Level Structure across standards. QMII has over 30 plus years encouraged its clients to “appreciate your management system”. As such we build upon your existing measures and documentation to fill the gaps for requirements set by the standard. This ensures continuity in system acceptance by the users, the changes to the system are minimal and easier to implement. For successful implementation of your system beware of templates that promise conformance to the requirements. They may enable you to gain certification but will not ensure any long-term success least of all cybersecurity.

Learn more about how you can improve your management system and integrate the requirements of ISO 27001 into your existing management system.

Monitoring Outsourced Processes is a Primary Responsibility of Every Organization

The international standards provide a world of wisdom enabling robust planning to achieve results by the organizations. In this global economy, often doing all the work in-house is not a cost-effective solution. Moreover, with super-specialized industry requirements, perhaps a lot of quality products and services can be procured at reasonable prices. Yet it seems organizations fail to act in the spirit of the standard when putting in place requirements for monitoring outsourced processes. Clause 8.1 of ISO 9001:2015 in operational planning and control has a sting in the tail with a clear whip requiring that “the organization shall ensure that outsourced processes are controlled.”

Statutory requirements are created to provide the required oversight, maintain customer focus and protect the interests of the customer when products and services are cleared for use. The caveat is that the statutory body should be well resourced, have the infrastructure, maintain organizational knowledge levels (Clauses 7.1.5.1, 7.1.3 & 77.1.6 of ISO 9001) with competent manpower (Clause 7.2). This often is not possible or with time not sustainable due to budgetary constraints, knowledge level dropping with time, Leadership forgetting their primary role (Clause 5.1.1) of taking accountability for the effectiveness of the QMS (Quality Management System). As such, the resources (5.1.1 e) needed for the QMS are not provided or budgets not available. The statutory bodies rationalize it by their helplessness since the government does not provide the funding and budgetary support for this.

Whatever the reasons, the question is who suffers? A ship is sunk, and aircraft with all on board has crashed, dangerous drugs are in use. It is the customer who suffers. In helplessness on their ability to do their duties, the statutory bodies outsource the work to contracted parties or worst to the manufacturer itself! The whole logic of creating a statutory body is lost with this.

What then is the remedy? The essential rulemaking that implements compliance requires competence, resources, and infrastructure with a committed Leadership ensuring continuing suitability, adequacy and effectiveness of the system. When budgetary constraints do not allow this role to be fulfilled, the risk to the system along with the products and services it provides must be assessed and mitigated or the opportunity for improvement taken (Clause 6.1 of the ISO 9001).  This would require the authority to appreciate the FMEA (Failure Mode Effect and Analysis) and take measures to remedy this. If this risk is not appreciated as NC (Non-conformity) the CA (Corrective Action) will not take place nor will the government know of the consequences of underfunding or of recognizing the failure and finding alternatives/ considering options. If the manufacturer has the resources, the government may consider this an asset and avoid duplication of resources, thinking in national terms. Outsourcing to the manufacturer as has been seen can mean losing customer focus and is strict counter to the very philosophy of statutory work. It would call for aggressive, proactive and strict monitoring of the outsourced processes.

In my opinion, monitoring the outsourced processes diligently, as clearly prescribed in the standard is the answer. New options may not be necessary, if the existing clauses of ISO 9001 and related industry-specific standards, where applicable, are understood in the spirit of the standard and vigorously implemented.

  • Dr. IJ Arora