Can Boeing Ship a Lengthy-Time Period Approach to their 737 MAX Issues?

Dr. IJ Arora

Boeing is within the highlight once more with its 737 MAX planes, that have already had a deeply bothered historical past. Buyer center of attention (which is clause 5.1.2 of ISO 9001 and AS9100) turns out to were misplaced someplace.

I’ve learn a number of contemporary articles on those incidents in addition to Peter Robison’s ebook Flying Blind: The 737 MAX Tragedy and the Fall of Boeing, all of which level to a worsening scenario for Boeing. The general public belief of this nice American corporate, which has all the time been dedicated to top-class engineering and depended on merchandise, is converting from one among admire to one among warning. Vacationers are questioning, “Must I fly in a 737 MAX?”

Boeing and the aerospace {industry} normally have excessive requirements for high quality and product protection. On this article, I postulate whether or not an organization’s high quality control machine can ensure that not anything is going fallacious for patrons. Can it make certain perfection? If no longer, what are the choices—and why have one in any respect?

What took place and who’s accountable?

For the ones no longer acquainted with the 737 MAX incident in January, in a while after an Alaska Airways flight departed from Portland, Oregon, a cabin door panel blew off. As investigations are nonetheless ongoing the reasons have no longer but been totally decided. Boeing additionally had a tool factor at the 737 MAX, ensuing within the crash of a Lion Air flight in 2018 and an Ethiopian Airlines flight in 2019.

Right here in the US, the Federal Aviation Management (FAA) performs a vital function in offering laws to make sure flight protection, and likewise supplies oversight of plane producers, airports, and upkeep suppliers. On the subject of the Alaska Airways flight, it kind of feels that the FAA didn’t uphold its depended on function. The FAA’s a large number of assessments and balances, maximum of that are meant to concentrate on buyer protection, had been like aligning holes in slices of Swiss cheese. It’ll be fascinating to peer what adjustments this incident brings about on the FAA. On the other hand, can regulatory oversight ensure protection of flight?

The AS9100 same old, which is restricted to the aerospace {industry}, isn’t the brainchild of a unmarried entity, however fairly a collaborative effort pushed by means of two key gamers:

  1. The World Aerospace High quality Staff (IAQG). This global group brings in combination representatives from aviation, house, and protection firms around the Americas, Asia/Pacific, and Europe. They actively take part in growing, keeping up, and updating the AS9100 same old.
  2. Standardization organizations. Those our bodies, such because the Society of Automobile Engineers (SAE) within the Americas and the Ecu Affiliation of Aerospace Industries (now the AeroSpace and Defence Industries Affiliation of Europe), formally submit and distribute the usual.

You will need to word that AS9100 builds upon the root of the extra normal ISO 9001 high quality control machine same old. Whilst ISO 9001 lays the fundamental framework, the IAQG provides industry-specific necessities a very powerful for making sure protection and high quality within the aerospace area.

Along with the producer and the FAA, the landlord/lessor of the plane additionally performs a task in making sure the aircraft is correctly maintained. This comprises settling on a reliable upkeep supplier, hiring competent engineers, and having powerful processes in position. With such a lot of other stakeholders, can blame be attributed to only one when injuries occur? Moreover, must blame be the secret? Possibly no longer! You will need to word that the machine is applied to toughen every consumer and that each one stakeholders within the worth chain play their phase as effectively.

Audits, inspections, and control methods: Are those the answer?

In the back of each tragedy, casualty, and mishap is a series of comparable occasions. The instant suspect when these kind of vital screw ups happen are deficient inspection protocols, possibly even the feared “human error.” On the other hand, this can be the low-hanging fruit and a deeper dive would possibly establish different causal elements, akin to asking if the standard audit failed.

What’s the distinction between an audit and an inspection? Can they change every different or are inspections by myself sufficient? The straightforward resolution is not any! Each are wanted because of elementary variations in method. Audits take a look at the processes to make sure the control machine produces conforming services and products. An effective control machine should come with the next, to call a couple of:

  • It should be well-defined, beginning with the “as-is” state of the machine.
  • Dangers should be known (clause 6.1) according to the context of the group (clauses 4.1 and four.2).
  • A transparent definition of the product should be known.
  • Efficient audits and periodic evaluation should be undertaken by means of control.
  • Outsourced processes should be managed.

Inspections play the most important function by means of figuring out defects previous to unlock, thus protective no longer most effective the buyer/buyer/consumer/warfighter, and so forth., but in addition the recognition of the group itself. With that stated, inspections don’t give a contribution to power development as a result of they center of attention on fixes versus long-term answers. In impact, they don’t in reality upload worth for the reason that group has already incurred the price of generating the faulty phase or product. The creators of the Toyota Manufacturing Machine (i.e., lean) got here up with the Andon procedure to catch a defect as early within the procedure as imaginable as a way to repair it sooner than the issue went too a ways down the road.

Control methods aren’t only a choice of paperwork. To serve as correctly, they require dedication in any respect ranges of the group, together with height control offering the wanted assets. It takes time to construct a tradition of high quality wherein shortcuts are have shyed away from and there’s no worry of talking up. Buyer center of attention should no longer be compromised. As an example, unlock of conforming product must cross throughout the procedure particularly referred to as out by means of clause 8.6; any interference by means of height control to truncate this procedure would suggest the lack of buyer center of attention. Is that this an opportunity? Possibly, however the investigation should expose the reality. On this case of the Alaska Air incident each the Boeing consumers and Boeing as an organization have suffered. It’s my hope that investigators will establish all failed portions of the machine from every accountable birthday celebration. Those would possibly come with no longer most effective failed inspections, but in addition suboptimal processes. This may finally end up taking us again to an insufficient high quality control machine.

High quality control methods: Can they ship?

Given the above, can a correctly designed and well-audited control machine (supported by means of excellent inspection tactics to assist make certain conforming product) ensure that not anything is going fallacious with a company’s output? My opinion is that no person can ensure this utterly. On the other hand, possibility can indisputably be very much decreased when the entirety is applied effectively. This comprises the educational of team of workers, which correlates strongly to competence; sadly, that is ceaselessly the primary price range to get minimize when assets are scarce.

When high-visibility incidents like those happen, it can be forgotten that airplanes stay the statistically most secure mode of go back and forth on earth. That is essentially because of powerful high quality control methods, well-adopted regulatory frameworks, and common oversight. People play the most important function within the good fortune of the control machine, from the dedication on the height to the buy-in by means of the body of workers (clause 5 to clauses 7.1.3, 7.1.4, and 10.3). Taken in combination, this is helping create an atmosphere the place high quality can flourish inside the group.

Boeing could also be doing so much accurately, and but the consequences may well be unacceptable relying at the efficiency of outsourced processes (clauses 8.41/8.4.2/8.4.3). In spite of everything, the fuselages for the 737 MAX are made by means of Spirit AeroSystems Holdings Inc. Spirit AeroSystems is positioned in Wichita, Kansas; as soon as those fuselages are manufactured, they’re shipped by means of rail to Boeing’s facility in Renton, Washington. Due to this fact, no longer most effective is a significant part of the 737 MAX outsourced, however the delivery and preservation of product (clause 8.5.4) additionally may just give a contribution to the product’s nonconformity. General, Boeing stays chargeable for all the provide chain (clause 4.3), with their legal responsibility to “make certain conformity of its services and products and the enhancement of shopper delight.”

Even with a cast high quality control machine in position, this or identical screw ups can happen. There’s no technique to guarantee the general public of 100-percent acting (i.e., highest) output. The worry within the minds of air vacationers is legitimate and can stay so till an exhaustive root motive research of this factor is carried out and the ones root reasons are resolved. The present occasions beg the query: Did Boeing make stronger their control machine after the Ethiopian Airways 737 MAX crash? If that they had bent to the oars and long gone deep into their evaluation to discover and completely repair the holes of their control machine, this tournament would possibly by no means have happened. Floor corrections, or what some organizations name “repair -it” answers, most effective take away the indications. The foundation reasons should be addressed and resolved (clause 10.2.1). There aren’t any shortcuts to high quality.

In conclusion

It has taken years for air vacationers to really feel protected and unconcerned about air protection. I go back and forth so much the world over, and ceaselessly select an airline according to their carrier and luxury, however now I (in addition to the wider public, I might consider) want to imagine which plane will delivery us. This can be a new worry about product protection that has its genesis in Boeing no longer working its control machine successfully and shedding buyer center of attention. The worst is the erosion of public self assurance in federal oversight and its intent to stay the client protected.

I’ve spent my lifestyles learning identical complicated issues and main groups in serving to organizations in finding long-term sustainable answers. This calls for daring and dynamic management (clauses 5.3 and 5.1) for leaders to plot and enforce alternate. Appreciating and accepting dangers (i.e., protecting the client in center of attention) and transferring ahead is integral to true management. Ethics continues to be no longer a clause of ISO 9001 and AS9100, however moral management is ready doing the proper factor for all stakeholders.

In seminars at which I provide, I ceaselessly ask senior managers: “When you have a decision between following the process and/or doing the proper factor, what would you do as a pace-setter?” The solution—I’m hoping—is to do the proper factor always. However then, hope isn’t a plan. Air protection can’t be according to hope and religion. Boeing wishes the management to revamp their machine if they’re to carry the general public consider again for this nice American corporate.

Concerning the writer

Dr. IJ Arora, Ph.D., is the President and CEO of QMII. He serves as a workforce chief for consulting, advising, auditing, and coaching relating to control methods. He has carried out many lessons for the US Coast Guard and is a well-liked speaker at a number of universities and boards on control methods. Arora is a Grasp Mariner who holds a Ph.D., a grasp’s level, an MBA, and has a 34-year file of accomplishment within the army, mercantile marine, and civilian {industry}.

Hyperlink to the thing characteristic in Exemplar International e-newsletter – “The Auditor”

10 Steps to Safeguard Maritime Property from Cybersecurity Threats

IJ Arora, Ph.D

Cybersecurity threats have become a pressing concern in the modern era due to our lives becoming increasingly dependent on computerization. However, with the convenience of technology comes vulnerability to malicious attacks. The maritime industry, with a growing reliance on technology, faces significant cybersecurity threats. Dr. Jekyll and Mr. Hyde (i.e., good and bad) exist and have always existed. Protecting against cyberattacks is crucial to ensuring the industry’s stability and security.

Understanding cybersecurity in the maritime industry

Cybersecurity in the maritime sector involves safeguarding systems, information, and assets from unauthorized access, disruptions, or manipulations. The industry’s growing reliance on technology, including networks controlling essential functions like navigation and communication, makes it an attractive target for cybercriminals. To maintain business continuity, it is crucial that companies assess their current cybersecurity posture and act to proactively improve it. The maritime industry supports trade and the economy at large, so a cyberattack can have broader consequences beyond just affecting a single vessel or company. For this reason, the intent of the attackers might be broader than simply affecting a specific entity for ransom.

Current challenges in maritime cybersecurity

Before delving into the 10 essential steps to fortify against cyberthreats, it’s crucial to acknowledge the prevalent challenges faced by the maritime industry, which include:

  • Business continuity disruption due to breaches
  • Lack of comprehensive response plans
  • Growing reliance on automation
  • Insufficient awareness
  • Vulnerabilities in cloud computing
  • Rise in phishing and social engineering attacks
  • Internal threats and attacks

Controlling both information technology and operational technology systems is critical to fortifying cybersecurity. Various systems within the small passenger-vessel sector are susceptible to cyberthreats, including bridge systems, access control systems, passenger servicing and management systems, and communication systems.

The 10 steps

When addressing cybersecurity, organizations must consider protecting information itself as well as the asset on which that information is stored. Control of both information technology (IT) and operational technology (OT) systems is critical to fortifying cybersecurity. Additionally, management must consider the confidentiality, integrity, and availability of information and how these three aspects may potentially be compromised.

Step 1: Leadership commitment

Leaders must drive the need for cybersecurity and ensure that it is baked in (not buttoned on) to processes. They need to engage the workforce to contribute to the system. To do this, they can:

  • Appoint a cybersecurity manager to ensure accountability and garner buy-in.
  • Make cybersecurity integral to business processes and consider risks vs. rewards.

Step 2: Use a system framework

Employ the plan, do, check, act (PDCA) cycle as the foundation for a robust cybersecurity approach. This is also the approach prescribed by the Passenger Vessel Association (PVA) safety management system (SMS) framework.

  • Develop and regularly update cybersecurity policies aligning with organizational needs and threat landscape changes.
  • Identify clear roles and responsibilities for all concerned with cybersecurity aspects of the SMS.

Step 3: Contextualize risk

  • Consider the broader context of operations, trade patterns, technology, and legislative factors.
  • Identify stakeholders, online networks, assets, critical components, and business-sensitive information.

Step 4: Risk assessment (3D framework)

Leaving hazards in uncertain states is a drawback for proper risk assessment. It is the responsibility of leadership to convert uncertainty into clearly defined risks within the context of the organization and then prioritize those risks.

  • Organizations must assess hazards in terms of probability, severity, and the likelihood of detection.
  • Risks should be prioritized with consideration given toward confidentiality, integrity, and the availability of information.

Step 5: Build controls into processes

Controls can be split into various categories, including administrative, physical, human, and technological. In some cases one control may suffice, but for the most part a combination of controls must be applied. Identified controls should be implemented based on the feasibility rule, meaning that although they may look good in a vacuum, ease of implementation must be considered. Information security should be a part of everything the organization does—not an add-on. This includes:

  • Implementing technical security controls like firewalls and intrusion-detection systems.
  • Adopting a layered security approach (i.e., “defense in depth”) to effectively mitigate against various threats. This entails creating multiple barriers to prevent access to information—physical, passwords, firewalls, VPNs etc.

Step 6: Maintain basic measures

Basic safety measures are easy to implement and, for the most part, they are cost-effective. This can include cybersecurity awareness training for personnel, physical security, and password security. Below are a few more, although this is not an exhaustive list:

  • Keep hardware and software updated.
  • Enable automated antivirus and anti-malware updates.
  • Limit administrator privileges and control removable media.
  • Avoid public network connections without a VPN.
  • Regularly backup and test information-restoration capabilities.

Step 7: Employee awareness

It is important to make employees aware of the need for good cybersecurity protocols. Employees are often the weakest link in the security chain. Statistics show that almost 36 percent of data breaches are caused by employee negligence. Immediate actions organization can take include:

  • Educate employees on cybersecurity best practices to minimize human error.
  • Train personnel to identify phishing attacks and report incidents promptly.

Step 8: Emergency preparedness

No organization is immune to cyberattacks. It is important to have a plan in place for responding to attacks quickly and effectively. The plan should include steps for mitigating the damage, containing the attack, and investigating the incident. You can use ISO 22301: 2019, “Business continuity,” to develop this plan.

  • Your plan should include comprehensive processes for responding to cyberattacks swiftly and efficiently, including reporting mechanisms.
  • Test and improve your business continuity plan regularly.

Step 9: Assess effectiveness

The check stage of the PDCA cycle is vital to instill confidence in the effectiveness of the organization’s cybersecurity measures.

  • Conduct regular cybersecurity assessments, including third-party evaluations for objectivity.
  • Evaluate assets, vulnerabilities, IT/OT risks, physical access, and breach potentials.

Step 10: Continual improvement

  • Embrace continual improvement through the PDCA cycle to maintain vigilance.
  • Invest in training personnel on cybersecurity standards like ISO 27001.

Conclusion

Taking cybersecurity seriously and implementing these 10 steps can significantly mitigate the risk of cyberattacks. Begin the process by conducting a gap assessment using a qualified person to assess where your system currently stands and what actions need to be taken.

Your action plan should identify risks, gaps, and the controls needed. These controls can easily be integrated into the existing safety management system. Investing in cybersecurity today will better prepare your organization to manage future risks. Leadership involvement is crucial, and these steps serve as a solid foundation to effectively fortify cybersecurity measures.

About the author

Inderjit (IJ) Arora, Ph.D., is the President and CEO of QMII. He serves as a team leader for consulting, advising, auditing, and training regarding management systems. He has conducted many courses for the United States Coast Guard and is a popular speaker at several universities and forums on management systems. Arora is a Master Mariner who holds a Ph.D., a master’s degree, an MBA, and has a 33-year record of achievement in the military, mercantile marine, and civilian industry.

Above article is featured in the following:-

Foghorn Magazine

Exemplar Global Publication “The Auditor”

Controlling Sub-Sea Infrastructure


The recent implosion of the 
Titan, a sub-sea submersible used for taking elite, high-paying tourists to see the wreck of the Titanic, brought the safety protocols of both vessels into focus. There were no statutory requirements for regulating the Titan and neither were there any when the Titanic sank in 1912! As a reactive measure, the maritime community came up with the Safety of Life at Sea (SOLAS) Convention soon after the sinking of the Titanic. Ironically, after the Titan submersible imploded, we have come to realize there are no requirements covering this vessel. Perhaps with time, the involved counties will react.

The question is, why was nothing done proactively? Tourists go up in hot air balloons all the time. Is there any statutory requirement that these tourist companies must meet? Is there even a requirement to have a management system in place so that these companies work systematically, appreciate the risks in the context of the organization, and plan their operations keeping risks in mind? It is true that entrepreneurs do not like regulations and consider requirements a hindrance in a free business environment. And yet the Titanic, which was declared to be “unsinkable,” did, in fact, sink! In the United States, the domestic towing vessel industry functioned without statutory requirements until recently. The industry avoided regulation, but tragedies occurred, and now the industry is regulated under the U.S. regulatory framework. A process-based management system is the best systematic structure to produce conforming products and services, ensure continual improvement, and implement the statutory requirements if available.

The intent of this article is to proactively start a discussion on the need for regulating sub-sea infrastructure to reduce its affect on the marine transportation system. The phrase “sub-sea infrastructure” refers to equipment and technology placed on or anchored to the ocean floor. This infrastructure may include, but is not limited to, cables for telecommunication, cables for power transmission, pipelines for transmission of fluids, and other stationary equipment for scientific research.

The growth of sub-sea infrastructure is a global phenomenon. As an example, is in the interest of all nations, and particularly here in United States, to promote wind farms, which are a source of renewable energy. When these wind farms are placed in selected geographical locations along the continental shelf, they need sub-sea cables. But are there any laws controlling the systematic development of the industry to enable an effective marine transportation system and its protection of maritime community interests and environmental interests? Is there a central agency responsible for this coordination to allow for a balanced approach to risks? The amount of cabling piling up needs management and oversight.

Sub-sea infrastructure, the definition of the problem

Numerous industries have a stake in sub-sea infrastructure. Examples include oil and gas, telecommunications, fishing, scientific research, and perhaps military/defense applications such as sonar and other arrays and obstacles. This infrastructure is a requirement, but it also faces various challenges including those that can lead to accidents, environmental damage, and possible breaches in national security. All these bring out very significant concerns related to sub-sea infrastructure and the lack of comprehensive and globally accepted standards, requirements, obligations, and assurance mechanisms. It is not that organizations such as the United States Coast Guard, the National Oceanic and Atmospheric Administration, the Bureau of Safety and Environmental Enforcement, the U.S. Army Corps of Engineers, the Environmental Protection Agency, and other federal and state agencies do not look at these issues.

Nevertheless, it remains a concern that there is no single agency or overarching requirement to provide a framework to the industry on harmonized implementation of requirements. This lack of harmonization can mean inconsistencies in design, installation, and maintenance practices which may not address risks uniformly. This can generate consequential risks, leading to increased accidents, mechanical failures, and costs to the industry and the nation.

Recent tragedies and accidents

Recent tragedies and accidents involving sub-sea infrastructure have been limited, and yet must not lead to complacency by the agencies involved. The few that have occurred indicate the challenges and trends pointing to the need for proactive requirements. The recent tragedies include:

  • Deepwater Horizon. The potential consequences and challenges inherent in deep-water oil drilling were brought out by the Deepwater Horizon tragedy in 2010. The oil rig explosion in the Gulf of Mexico caused a massive oil spill and resulted in the loss of 11 lives. Although not technically a sub-sea incident, it highlighted a series of failures in design, maintenance, and company oversight—all factors pointing to the importance of robust safety standards and requirements, and the implementation thereof. The Deepwater Horizon incident was not directly related to sub-sea infrastructure; however, it heightened the risks associated with offshore oil and gas production and the potential for catastrophic environmental damage.
  • Nord Stream 1 and Nord Stream 2. Occurring in September 2022, the damage to these gas pipelines in the Baltic Sea highlighted concerns around sub-sea infrastructure. These pipelines transport natural gas from Russia to Europe; in this incident, they sustained multiple leaks. The exact cause of the damage is unclear, though deliberate sabotage was suspected and is still under investigation. Regardless of the ultimate findings, this incident exposed the vulnerabilities of sub-sea infrastructure to sabotage, and the potential for significant environmental and economic consequences are real. Intentional attacks to the sub-sea infrastructure have the potential for widespread disruption of energy supplies. Apart from the Nord Stream, there have been other sub-sea incidents affecting the gas and oil industry. In 2021 a fire broke out on a sub-sea production control umbilical off the coast of Brazil, causing significant damage to the underwater equipment and resulting in a major oil spill.
  • English Channel Internet Disruption. In 2021, a ship dragging its anchor on the seabed in the English Channel cut the three main internet cables to the Channel Islands. Although this only resulted in slower broadband speeds in this instance, there remains the possibility that it could have resulted in a complete outage.

Looking ahead

These incidents represent leading indicators of a tragedy in the making should proactive action not be taken. The critical importance of safety for sub-sea infrastructure underscores the need for a more comprehensive and rigorous approach to standards and assurance. Industry stakeholders together with regulatory bodies within the United States and global organizations such as the International Maritime Organization must work together to establish a harmonized set of safety standards, implement robust assurance mechanisms, and foster a culture of safety throughout the sub-sea industry.

The increasing reliance on sub-sea infrastructure for various industries (including wind farms) necessitates a proactive approach to safety and risk management. There is definitely a need to invest in research and development to enhance the resilience and monitoring capability of sub-sea infrastructure. The various companies in the sub-sea industry are holding their proprietary information close to the vest. This is understandable. However, these organizations are in competition with totalitarian governments, in which control of business practices is the exclusive dominion of the state. It is necessary to enhance transparency and information-sharing among industry stakeholders to facilitate better risk assessment and incident prevention.

Conclusion

Promoting a culture of safety that prioritizes risk identification, risk mitigation, and continual improvement is essential. There is no common ISO standard for sub-sea management systems. Of course, ISO 9001 is interpretable and can be used as the basis for now. Environmental protection is a challenge for a developing industry, and as such, even greater urgency is needed for statutory requirements encompassing all aspects of stakeholder interests, the marine industry in general, and the protection of the environment for generations to come.

Marine transportation remains the most important way for goods to be shipped across the world, as approximately 80 percent of the world’s goods are transported by ships. Vessels need a place to anchor in normal operating conditions as also in emergencies. A crowded seabed in harbors makes this a challenge for the entire maritime industry.

Without adequate and effective regulatory oversight, it may be too late to take action once cables and other sub-sea equipment have already been laid. Further, multiple agencies regulating the same aspects of the industry can potentially lead to bureaucratic delays.  There is therefore an urgent need to create a single statutory body to regulate the sub-sea infrastructure industry, which will greatly benefit all parties invested in the maritime transportation system.

Exemplar Global Publication “The Auditor”

Looking Ahead at ISO 9001

ISO 9001 has proactively kept up with various industry expectations, over the years, to allow

application by a broad spectrum of industry including the defense forces. The 2015 revision was

a thoughtfully planned giant step. It defined risk (ISO 9001 Clause 6.1) in the context of the

organization (ISO 9001 Clause 4.1 & 4.2) and removed exclusions provision from certification by

redefining what an organization does not do or outsources in the scope (ISO 9001 Clause 4.3). It

also removed preventive action, a reactive concept, and introduced proactive risk appreciation

(Clause 6.1 of ISO 9001 & Clause 8.1 in industry specific standards as AS9100).

This took preventive action from the delayed “Act” stage of the PDCA (Plan-Do-Check-Act) stage

to the more logical sensible “Plan” stage. After all, “look before you leap”, as the historical

fundamental, could not be left as a preventive action decision. It had to be at the look – plan

stage! Risk also needed not just mitigation, but also acted as an input, to be used to bring in

innovation in terms of OFI (opportunity for improvement).

These were all positive steps in keeping with technical advancements and computerization and

AI (artificial intelligence) tools. The HLS (high level structure), later updated to HS (harmonized

structure), recognized the need to enable ease of implementation of integrated management

systems. This in turn leading to efficiency, ROI (return on investment) and where applicable

environmental protection, security of the global supply chain, business continuity, cyber

security and health and safety.

The differentiating of knowledge (ISO 9001 Clause 7.6) from competence (ISO 9001 Clause 7.2)

was also a clever needed change. Organizations needed to define their corporate knowledge

aspects and differentiate it from the individual knowledge of personnel. Knowledge and

competence needed merging and a healthy marriage but needed recognition that they were

different. Removal of the reference to Quality Manager (QM) and Quality Manual from the

standard, took away the narrowness of thinking in quality, and brought the clarity to leadership

to remain accountable and to differentiate authority delegation from retaining the

accountability.

I am a member of the TAG-176 group, and yet have not really contributed much to the next

expected changes to ISO 9001. I am sure the TC-176 is working on this. Nevertheless, it is time

to debate and consider updating the standard.

Since the 2015 version was a major fundamental change, I doubt there would be a significant

departure from this 2015 version in the next major update. Unlikely that the next version may

have revolutionary updates. The emphasis, I think would be to clarify and strengthen the

present thoughts in the 2015 version. I would consider the following:

1. Two Standard Concept: I have over the years thought about the two prongs:

manufacturing and service, approach. Both the service and the manufacturing industry

have been using the standard. Some may consider the need for a separate

manufacturing and a service standard as the next step. However, over the years I have

feared too much bureaucracy which the two standards approach brings. I think the two

standard approaches may actually cause more issues than to resolve them. Might I

opine that Clauses under 8.3 for D&D can, if needed, be strengthened, clarified or more

useful notes as applicable to service version incorporated to assist implementers,

consultants and auditors?

2. Risk be better defined and OFI be clarified, to avoid auditors using it as a tool to sneak in

recommendations. OFI is the outcome of considering risk as an input for innovation. It is

not a recommendation.

3. The knowledge clause needs meat to strengthen it, and to better make it inclusive to

systematizing the requirements for organizations to systematize lessons learnt.

4. An annex added to bring clarity and ease to designing and implementing a combined

management system for an organization.

5. Clause 4.3 Scope, in defining scope requires consideration of the context of the

organization, which is based on Clauses 4.1 and 4.2. However, while the scope has to be

available as documented, 4.1 and 4.2 do not require documentation. I would suggest

both clauses 4.1 & 4.2 to have context as a documented requirement.

In conclusion, I think, updating the standard ground up is not a wise idea at this stage. Perhaps

slight tweaking to include some minor changes would give stability in implementation of an

already robust standard.

How to Alleviate Common Management System Pain Points

Implementing ISO standards is not mandatory, however a management system conforming to a standard can have numerous benefits. Some benefits include increased efficiencies, proactive risk management, better interaction among departments and alignment with the needs of interested parties. However, once you are actually in the process of implementation, you may experience the following pain points: 

  1. Lack of top management commitment 
  1. Limited resources to effectively implement the program 
  1. Lack of buy-in from the workforce  
  1. Over documented systems  
  1. Lack of measurable objectives driving improvement  
  1. Teams lack adequate interaction and alignment  
  1. Company is focused on keeping certification at all costs  

Quality Management International, Inc (QMII), having over 37 years of providing sustainable solutions for our clients, recognized how these hurdles can impact an effective management system. QMII has developed and provided solutions to address and alleviate these pain points that continue to benefit our clientele. 

A management system consulting project cannot start without top management present to map the process of what they do (core process) and to identify the core objectives for the system. Policies, objectives, and motivation must be demonstrated from the top-down and evidenced by all the team players. To further reinforce commitment, we get top managers to develop a presentation to launch the system and that will then be used for awareness training as the system progresses. This is done using our Awareness Leaders Workshop. Without authority, responsibility, and resources, middle management and individual contributors cannot improve the business management system.  

We understand that companies have financial restrictions. With a mission to get organizations to appreciate the benefits of a process-based management system, we provide multiple options to work around this challenge. 

(1) We provide free information on our website so you can carry out ISO implementation at your organization.  

(2) Attending a lead auditor training course is a relatively minimal cost. You and your team will gain a comprehensive understanding of the desired ISO standard and gain the skills necessary to implement requirements and conduct audits to determine conformity.  

(3) If you need a little more guidance, we provide scalable consulting services. Our consultants are here to assist you with exactly what you need. You will not have to pay for the full package.  

(4) Our alumni have free email and phone support, for life, to get over average hurdles.  

As far as reluctance among employees, it’s human nature to be reluctant towards change. Keeping this in mind, QMII consultants get key process owners to evidence top management’s commitment and ensure that they are involved in QMS (Quality Management System) development. We analyze with them to capture the system AS-IS and what-should-be. It is essential to get the team buy-in during this process and get their input on the process’s actualities. Teams must also interact and be aligned. We provide team-building workshops where we align objectives to the vision and processes to meet objectives. 

ISO implementation is not an overnight process, it may even seem daunting. QMII’s Action Plan Checklist is readily available, and it focuses on the big picture to simplify the process. If you need more assistance, our consultants would be happy to work with you through the checklist. We appreciate the system you already have; we are simply helping you enhance it to meet requirements and set objectives. Documentation is a significant part of ISO implementation. To remove complexities, we incorporate existing documentation and use a format that works best for you. 

At the end of the day, ISO certification is primarily a marketing decision. QMII strives to help you develop a resilient, integrated management system so that you receive actual benefits. Once set up, your system will work independently and continue to improve while managing risk proactively.  

ISO 27001:2022 – what are the changes?

ISO 27001:2022, the international standard for information security management systems (ISMS), was updated in October of 2022 to reflect the latest developments in the field of cybersecurity. These changes are aimed at helping organizations better manage their information security risks and protect their sensitive data.

What are the key changes?

The majority of changes to the standard were in the Annex A controls which went through a re-structuring to include a change to how the controls were organized and the controls in total were reduced from 114 to 93.

Of the old 114 controls, 35 controls remained unchanged, 23 controls were renamed, 57 controls were merged to form 24 controls, and 11 new controls were added. The controls are split into the following domains: Organizational (37 controls), People (8 controls), Physical (14 controls) and Technology (34 controls).

ISO 27001:2022 introduced new requirements for managing the risks associated with emerging technologies such as cloud computing and Internet of Things (IoT). These technologies bring significant benefits to organizations but also introduce new risks that must be managed.

The updated standard also has a new control on threat intelligence that will enable organizations to remain proactive in their approach to information security as also controls to address data masking and web filtering.

The order of the main mandatory clauses remains the same with clauses from 4 through 10 and the structure aligning with the harmonized structure of other ISO management system standards. The clauses with significant changes include those to:

  • Clause 4.2 requires the ISMS to conduct an analysis of which of the interested party requirements are relevant to the system and will be addressed by it.
  • Clause 4.4 aligns with that of ISO 9001 to require the organization to identify necessary processes and their interactions within the ISMS. As such, those essential for the organization to achieve ISMS objectives.
  • Clause 6.2 provides further clarity about planning to achieve objectives and documenting them.
  • Clause 6.3 was added to reflect the need to systematically plan for system changes.
  • Clause 8.1 now requires the ISMS to establish criteria for mitigating action for risk identified in Clause 6 and to implement control in accordance with the criteria set.

There are a few more minor changes to the wording of some of the mandatory clauses

How can you upgrade your system to conform?

The first step would be to gain an understanding of the changes and the new requirements. Consider taking an updated Lead Auditor training or transition course that has been recognized by a personnel certification body. In choosing your training provider consider their reputation, the experience of the instructor, as also virtual course options.

With the new knowledge conduct a gap analysis of your existing system against the requirements of ISO 27001:2022 and draw up a list of priorities and owners for each. Assign deadlines for the items to be completed and conduct at least one internal audit and management review before approaching a certification body.

Update your existing SoA, should one exist, to reflect the new/updated controls. Train all system personnel in the changes to the system and drive awareness of information security among all personnel.

In conclusion, the changes to ISO 27001:2022 reflect the changing context in the field of information security. The QMII team would like to understand your system needs and support your goals of attaining conformity to ISO 27001 and a competent workforce trained in the requirements.

10 Steps to Bolster Maritime Cyber Security

QMII President and CEO, Dr. IJ Arora presented the topic “10 Steps to Bolster Maritime Cyber Security” at the Passenger Vessel Association at MariTrends. The presentation was well received and applauded by the packed room. The PVA Annual Convention was held at the Hyatt Regency Long Beach in Long Beach, California this year. The convention featured a variety of captivating sessions with various guest speakers that are leaders in the passenger vessel industry.

Click here for the full presentation.

AS 9100 – Getting Employee Engagement in the System

AS 9100 aerospace quality management systems enable organizations a framework for using a process-based approach to meeting customer requirements. AS 9100 in clause 5.1.1h requires the leadership to show their commitment to the system by “engaging, directing, and supporting persons to contribute to the effectiveness of the quality management system.” Further clause 7.3 asks organizations to ensure that those working under their control are aware of their contributions to the effectiveness of the system, to product safety, product conformity and the need for ethical behavior. Many organizations struggle to get employee buy-in to the system. Some organizations reward best teams and performers but how do we get intrinsic involvement and buy-in from all. This article discusses some steps that companies can take to encourage intrinsic employee involvement in the system. 

Setting Challenging Objectives 

AS 9100 asks organizations to set objectives at relevant functions, levels and processes. When setting objectives, QMII encourages organizations to set objectives for each process/procedure. These can further be broken down into smaller goals for individual process team members. The objectives must flow from the policy so in doing their work to achieve the goals it is clear to the employee on how they impact the customer. The objectives when too easy do not encourage improvement or motivate the workforce. When too challenging affect morale as the goals/objectives are never reached. Review the objectives at periodic intervals to monitor progress and readjust as necessary.  

Management Involvement 

The workforce is more willing to pitch in when they see the leader pitching in. This must be something they do often rather than once in a while. The workforce must get representation at meetings on quality. This may be in the form of their suggestions for improvement being presented to the management at the management review and then receiving feedback on their suggestions rather than never knowing what happened. Management may choose to present to the workforce on a monthly or quarterly basis on the state of the system so the workforce knows where the organization stands and where it is heading. The workforce must feel like the part of a team and a valued team member. Only then will they willingly contribute. 

Customer Focus 

Often each worker may not know who the end customer is or get to see the end product in use and how the product benefits customers and their business and further end users. Organizations must make known to the users who the end customer is, share positive feedback received from customers, accolades received by the company and perhaps even arrange to see the end product in use.  

Personal Development 

Investing in personnel is a great way for an organization to show the workforce that they care. That you are willing to invest in them because they invest so much in what they do. Consider AS 9100 training for your workforce. It will also better help them understand why they do what they do. QMII offers a number of different training formats for AS 9100, including an overview, internal auditor and lead auditor format.  

 

Audits VS. Inspections

There is often confusion about the difference between audits and inspections. The purpose of each may seem the same, but they are slightly different.  Audits focus on why, while inspections focus on what. The purpose of an audit is to get the confidence that processes are working well.  An audit involves various layers to answer a “why” question. It involves exploratory reviews involving documentation, risk assessments, and nonconformities, etc.  While an audit may need more effort in finding an answer, an inspection is less complicated. The answer to an inspection question will involve a straightforward yes or no answer.

Inspections focus more on the action, while audits are about the process.  Inspections review a single point in time, but an audit follows a process from start to finish.  An inspection simply looks at the product or service. The process of an inspection is quite simple, it either clears the project if it meets the requirements specification or rejects it. If it is rejected, its loss can be reworked at an extra cost. Inspections must be conducted at every step to minimize the chances of product failure.

Why are audits and inspections important to an organization?  Inspections deal with things that cause immediate accidents or other issues. Inspections protect the customer, so the customer is not harmed by a non-conforming product yet from an organization’s point of view that they are too late.  The audit is to cover the root cause of these problems. The audits provide the input and ensure continuous improvement and it is where we take on nonconformities.

Here at QMII, we provide valuable information when it comes to our auditing services. We can give insight on where your system is working well as well as the risks and suggest opportunities for improvement. QMII’s audit services reduce the fear of an audit. Some individuals fear being blamed for non-conformities and often dread the idea of an audit. Our services are to ensure auditees are put at ease while QMII auditors look to find the effectiveness of controls in the system.

Although there is often confusion when differentiating audits and inspections, it can be easier to think of it as the Plan-Do-Check-Act cycle. Inspections are a “do” while audits are a “check.”  Inspections are required to do, and the audits are the process of checking and making sure inspections have been done.