SECURING THE MARITIME IoT FRAMEWORK

As technology advances, there are a growing number of providers that are developing products and services based on the IoT (Internet of Things) framework. In the maritime industry, it is increasingly common for vessel containers to be tracked from ashore and even machinery performance metrics, providing remotely automated readouts, to those ashore. With the increased use of technology, the risk of these networks being compromised also increases. There are a growing number of incidents in the maritime industry where systems were compromised leading to losses in millions of dollars.

On an average when these breaches occur it may take over 100 days before they are even detected! Various maritime organizations and associations have published guidelines on measures to be taken to prevent/deter such a compromise, but history has shown that the maritime industry tends to be more reactive than proactive. Even the ISM code now includes as an appendix a circular on guidelines for maritime security. As part of the implementation of the ISM Code measures for cybersecurity should be included in the system. From the security of networks to machinery to contingency plans in case of breaches occur.

The implementation of cyber-security measures includes the need for protection of three aspects of the system; the IT aspect, the human aspect, and the physical aspect. Organizations need to consider the cyber-security risks at the planning stage of the system and determine where vulnerabilities lie and how to address them. Instead of reinventing the wheel organizations may consider the implementation of an information security management system based on ISO 27001. ISO 27001 lays the framework for the IT security of the system. Once implemented and used, based on industry feedback the standard includes an annex of controls for implementation to secure the system. ISO 27001 has a total of 114 controls split across 35 control categories.

If an organization already has an ISO management system framework in place, for example, an ISO 9001 based system, integration of ISO 27001 into the existing management system would be a simple exercise. This integration has been made easier by ISO through the use of the High-Level Structure across standards. QMII has over 30 plus years encouraged its clients to “appreciate your management system”. As such we build upon your existing measures and documentation to fill the gaps for requirements set by the standard. This ensures continuity in system acceptance by the users, the changes to the system are minimal and easier to implement. For successful implementation of your system beware of templates that promise conformance to the requirements. They may enable you to gain certification but will not ensure any long-term success least of all cybersecurity.

Learn more about how you can improve your management system and integrate the requirements of ISO 27001 into your existing management system.

Monitoring Outsourced Processes is a Primary Responsibility of Every Organization

The international standards provide a world of wisdom enabling robust planning to achieve results by the organizations. In this global economy, often doing all the work in-house is not a cost-effective solution. Moreover, with super-specialized industry requirements, perhaps a lot of quality products and services can be procured at reasonable prices. Yet it seems organizations fail to act in the spirit of the standard when putting in place requirements for monitoring outsourced processes. Clause 8.1 of ISO 9001:2015 in operational planning and control has a sting in the tail with a clear whip requiring that “the organization shall ensure that outsourced processes are controlled.”

Statutory requirements are created to provide the required oversight, maintain customer focus and protect the interests of the customer when products and services are cleared for use. The caveat is that the statutory body should be well resourced, have the infrastructure, maintain organizational knowledge levels (Clauses 7.1.5.1, 7.1.3 & 77.1.6 of ISO 9001) with competent manpower (Clause 7.2). This often is not possible or with time not sustainable due to budgetary constraints, knowledge level dropping with time, Leadership forgetting their primary role (Clause 5.1.1) of taking accountability for the effectiveness of the QMS (Quality Management System). As such, the resources (5.1.1 e) needed for the QMS are not provided or budgets not available. The statutory bodies rationalize it by their helplessness since the government does not provide the funding and budgetary support for this.

Whatever the reasons, the question is who suffers? A ship is sunk, and aircraft with all on board has crashed, dangerous drugs are in use. It is the customer who suffers. In helplessness on their ability to do their duties, the statutory bodies outsource the work to contracted parties or worst to the manufacturer itself! The whole logic of creating a statutory body is lost with this.

What then is the remedy? The essential rulemaking that implements compliance requires competence, resources, and infrastructure with a committed Leadership ensuring continuing suitability, adequacy and effectiveness of the system. When budgetary constraints do not allow this role to be fulfilled, the risk to the system along with the products and services it provides must be assessed and mitigated or the opportunity for improvement taken (Clause 6.1 of the ISO 9001).  This would require the authority to appreciate the FMEA (Failure Mode Effect and Analysis) and take measures to remedy this. If this risk is not appreciated as NC (Non-conformity) the CA (Corrective Action) will not take place nor will the government know of the consequences of underfunding or of recognizing the failure and finding alternatives/ considering options. If the manufacturer has the resources, the government may consider this an asset and avoid duplication of resources, thinking in national terms. Outsourcing to the manufacturer as has been seen can mean losing customer focus and is strict counter to the very philosophy of statutory work. It would call for aggressive, proactive and strict monitoring of the outsourced processes.

In my opinion, monitoring the outsourced processes diligently, as clearly prescribed in the standard is the answer. New options may not be necessary, if the existing clauses of ISO 9001 and related industry-specific standards, where applicable, are understood in the spirit of the standard and vigorously implemented.

  • Dr. IJ Arora

AUDITING RISK-BASED THINKING

 

As we work with clients, we find increasing examples of certification bodies requiring risk to be documented within an organization. This despite ISO 9001 specifically not requiring so!

This then brings up the question, “How should we audit the requirements of risk-based thinking within an organization when the same has not been documented using a formal risks management system or methodologies such as FMEA?”.

Let us start with the intent of including ‘risk-based thinking’ in the standard, replacing the previous requirement for ‘preventive action’. Risk-based thinking has been included as a preventive measure with the intent of making an organization more proactive to identifying and addressing potential non-conformities (NCs) than to be reactive to NCs. Additionally, rather than limit preventive action to the end of the PDCA cycle it is now addressed throughout the standard with the concept of risk-based thinking. To therefore answer the question posed above auditors need to evidence risk-based thinking throughout the system starting with the management down through the operator/service provider.

Before we begin to discuss the process for doing this let us for recall how many times a preventive action has been raised within our organization when the requirement did exist under ISO 9001:2008. In my auditing experience the answer is rarely! This in essence defeats the purpose of what the standard was trying to achieve.

Before we begin to audit risk based thinking the auditor should get an understanding from management of the context of the organization and the needs of the interested parties relevant to the organization as identified by them. Keep in mind the requirement of Clause 4.1 and 4.2 also need not be documented. Further what are the risks that management has associated with the organization achieving its strategic direction. We can also evidence the records of the management review to assess the inputs provided to management per Clause 9.3.2 e.

Once we have the above understanding from leadership, we then look for evidence on how the organization has addressed the risks as identified by leadership. These may include as an example risks to meeting business/process objectives, risks from loss of personnel, risks from new legislation that may impact the organization etc. As we audit the organization, we are looking to assess how the processes have been resourced and controlled in order to manage the risk of not meeting the process objective or customer/regulatory requirements. Risk based thinking is inherent in the clauses for design where organizations are asked to consider the potential causes of failure, in the purchasing process where the organization is asked to select external providers based on their ability to provide products/services meeting requirements, in the planning of audits, in the determination of customer requirements (intended use & unstated requirements), in the resourcing of the system, in the fitness for purpose of monitoring and measuring equipment and in the determination of potential similar non-conformities when taking corrective action.

The above is but a sample of where the application of risk-based thinking can be evidenced. Further information from analysis of data per clause 9.1.3 is further sued as a source for improvement as per clause 10.1 and all of this can be evidenced in the system.

So then why are certification body auditors seeking a documented risk-management system? Auditees too often do not push back when such a “requirement” is brought up. It does make the audit easier if everything is documented including risk but then are, we really ensuring the effective application of the standard. The organization could meet this “requirement” for documentation of risk by just documenting two or three risks and monitoring the effectiveness of actions taken to address them. This would meet the auditors requirement but then what about other applicable risks? These would then do unaddressed as the organization will tend to focus on the documented ones, killing the system!

Let us determine the need to document the risks within our system or NOT and not be pressured into documenting our system to meet the needs of auditors.

Avoid These 3 Common TSMS Implementation Pitfalls3

Do you face any of these symptoms with your TSMS:

  1. It does not add any benefit to the work you do
  2. You spend more time filling out paperwork than doing the actual work
  3. It does not reflect your work – the way you do it

If you answered YES to any of the above, then read ahead to see how QMII can assist you in simplifying your system to one that works for the inspector …. and YOU! 

Historically, 99% of towing vessels were never required to have a Certificate of Inspection (COI) commensurate with that of cargo ships, tankers and passenger vessels (including small passenger vessels).  All towing vessels are now required to be “in compliance with” the new inspection requirements when Sub Chapter M became effective July 20, 2018 (46 CFR 136.172).   Despite the new requirement, there are towing vessels that are not fully in compliance. 

In this age of Safety Management Systems, the working definition of “being in compliance” might best be thought of as having “documented evidence” of the requirements being in place (physically on the vessel) and being done hands-on (routine and emergency drills). Non-conformities must be documented.  Audits and other quality checks must have evidence.  Think of a cop show on TV where the detective says to the suspect, “I’ll believe the evidence.”

It stands to reason that the “evidence” has to be “Ready for Inspection” at the request of the Coast Guard.  The records and other documents that vessels need to have readily available are the heart of the matter in any Safety Management Program.  This has been the case with vessels that have been required to have a Document of Compliance issued by a classification society in accordance with International Safety Management.  The idea of an SMS is nothing new.  QMII experts have over 50 years of combined experience in helping regulated industries (afloat and ashore) pass their inspections. 

More importantly, QMII has experience in implementing management systems that work for the organization. Why spend money implementing a system for the inspector/auditor and get no benefit out of it? Sure, it is easy to take a template (easily available on the internet) and fill in the blanks to have a ‘compliant’ system. However, the common pitfalls with this are the same as those faced during the early years of ISM Code implementation:

  1. Overly documented management systems – Perhaps you do not need some of the procedures in the template given the nature of your work. Perhaps you already have existing documentation that meets the requirement.
  2. Lack of buy-in of personnel – This is because personnel has not been explained the benefits of having a TSMS in place. The question “What’s in it for me?’ must be answered.
  3. Template system – These are systems built of a template that do not meet the requirements of the organization or reflect the “as-is” of what they do.

At the end of the day, the shortcomings always fall on the shoulders of the “Industry Afloat.”  Take, for instance, the lack-of-communications syndrome.  We cannot overemphasize the idea of clear communication between these three stakeholders, the CG OCMI, the vessel owner (or managing operator) and the TPO.   

Based on our experience, QMII is committed to working with the maritime industry, so that we can help the industry segment that is regulated by the sub-chapter.   

What Makes A System Work?

What Makes A System Work And Successfully Meet Objectives, Expectations And Requirements?

Successful companies have visionary leadership, are able to understand the changing context of their businesses, look ahead and adapt. The 20th and 21st century has been fertile with innovation. Many history-defining breakthrough inventions have been developed. Innovation is growing at a pace never known before.  The inventors and innovators are naturally accepted as leaders for their ability to clearly define their vision. These leaders can at times be harsh taskmasters; nearly dictatorial in pursuit of their passion (invention/vision). However, where the innovators are part of the team as a group and the leaders of the organization separate the leadership challenges are different. A professionally lead organization without a system cannot be only driven by the passion of its leader and this is certainly not a recipe for prolonged success.  

The need to put a system in place is but, of course, the result of a decision made by the leadership/ top management (TM). TM must have the desire to operate in a systematic manner to achieve desired results and outputs. That desire is indeed key to the motivation of the rest of the organization and crucial to gaining their involvement.  The PDCA (Plan-Do-Check-Act) cycle has to be understood and correctly aligned to the desired standard. There is also a need for commitment from the leadership to the unrelenting pursuit of their policy being systematically converted into measurable objectives and implemented throughout the organization, the implementation monitored and reviewed to ensure continual improvement. 

As experienced consultants, QMII has over 32 plus years, been implementing management systems to achieve results. Consultants never hold the recipe for success but can facilitate and guide the leadership and the organization in the right direction. The key to success is a motivated leadership. Trusting consultants to perform miracles using the perfect templates is a medicine for disaster in the making. A commitment to excellence starts with the leadership and needs the organization’s team to build a system ensuring consistency in meeting the requirements of the customer, stated or unstated. Then alone can an organization attain the success it seeks.  

As the year ends and reminiscing on my experience, education and learning from association with numerous varied organizations, my conclusion in differentiating between successful and not so successful organizations take me to the intent and determination of the TM to be committed to the system approach.  

Environmental Best Practices in Vineyards

The number of vineyards in the United States, and abroad, have grown substantially over the last 20 years.  New technology and controlled stainless steel fermentation processes have improved the product of even relatively small vineyards.  Many of the best vineyards are also focusing on their environmental impacts to ensure sustainability.  They are finding that taking a hard look at some of their processes can reduce negative environmental impacts, and in fact, reduce operating costs. 

Implementing an ISO 14001:2015 based Environmental Management Systems can help a vineyard archive sustainability and reduce operating costs.  It can also get the organization recognized as a responsible business neighbor in the community with happy and proud employees.  It starts with the owner’s decision to implement an environmental management system, then getting all employees aware, and on onboard to help improve operational processes.  

Environmental Management Systems (EMS) address recycling, and water conservation. These are important elements that are common to all vineyards.  One company that was spending over $50,000 a year on recycling, not only reduced their recycling cost, they actually saved over $7,000 a year after introducing a new recycling program as a part of their EMS. The program included 95% of its solid waste, packaging, and recycling.  New approaches to water use and heat exchange were able to reduce water use by over 35%.  Water used in the winemaking process is now processed on site and used in the vineyards, instead of being flushed down the drain. 

An EMS gets organizations to address the environmental aspects of their business and the impact they have taken into consideration the business environment they operate in, the needs of the stakeholders and risks associated with their business. Let us consider the aspect of energy use and the impact it has on the business including the organization’s carbon footprint. Taking the example further installing solar panels on buildings reduces energy operating costs and produces no carbon emissions.   One company was able to use solar for 75% of its energy use. 

QMII, with its 32 plus years of experience, can help a vineyard educate its employees so they are aware of the requirements of the internationally recognized and accepted standard for Environmental Management Systems – ISO 14001. Our course will outline the next steps the vineyard can take to begin implementing an EMS within their business.  We offer introductory environmental management system courses that will help a vineyard conform and/or become certified to the Standard.

Eight Steps for a Successful Audit

ISO standards such as ISO 9001, ISO 14001 and ISO 45001 provide the framework for management systems to function using a process-based approach, to achieve customer and other stakeholder’s requirements. Organizations, certified to ISO standards, strive to be compliant, efficient and remain certified. Successful systems have Top Management (TM) / Leadership that are committed to and engaged with the system. They ensure regular audits and conduct management reviews (MR) to assess the continuing suitability, adequacy and effectiveness of the system. They further ensure that their decision-making process uses the inputs from the MR to ensure objective resourcing and support for efficiency.

External third-party audits too add value to this system provided the auditors remain objective throughout the audit. Over the years QMII has come across instances where Non-Conformities (NC) were issued without the requirement being clearly stated or yet the evidence may not substantiate the requirement not met. However, these NCs are rarely challenged by organizations for “fear” of upsetting the auditors. Changes are further implemented to the system as a part of corrective action based on these findings. At times when the management is disconnected from the working system they often are surprised by the NCs presented at the jng the organization in the art of getting audited? In well-functioning systems the organization should never have to prepare for an audit. The systems are designed to drive success and not for auditors or to get through audits without any NCs. NCs are, after all, an opportunity for continual improvement of the system and should be embraced, provided they are objective and not subjective to an auditor’s experience or opinion. An organization can and must respect a good NC and use it to drive correction and corrective action (CA). After all CA is NC driven . The organization/ auditee should be happy to receive a NC for risk(s) not appreciated.

I do however think that there are steps an organization can take to build employee confidence in the system, including the confidence to challenge the auditor when a NC is not clear or incorrectly given.

 

Here are eight steps an organization can do to have its employees get that confidence:

  1. Conduct orientation on the process-based management system (PBMS) approach in general, and introduction to the highlights of the specific standard (e.g. ISO 9001:2015). This ensures that the basics of system approach and the internal management system are clear to all personnel.
  2. All TM must do a short training to be aware of the standard, the main clauses and the benefits of the management system. This awareness leaders workshop (ALW) brings the confidence in the system, its implementation and continual improvement. This leadership awareness further encourages engagement of all personnel to use the system and increases buy-in.
  3. On regular basis, in day to day work and meetings refer to the management system. Ensure Quality, environment, safety, security, social responsibility and compliance are topics of discussion at periodic intervals. Even the middle and lower management e.g. supervisors should be encouraged to use the system and engage others to do so. Management may have to support others in their roles of leadership at relevant levels.
  4. More than just following processes, all personnel must feel free and confident to challenge the process, make suggestions, raise NCs and submit innovative ideas. A participatory approach to system implementation is very cost effective. Let employees voice their concerns. Once they confident of their process and their system (with the fundamentals of the ISO Standard/other requirements built-in) the fear of audits will reduce.
  5. Put in place an aggressive internal audit program. When an outside (third party) auditor raises a NC, the organization does RCA (Root Cause Analysis) of the NC, but rarely does it challenge its Internal system and ask how the internal audit program missed the NC raised by the third party? Internal audits must be objective and strict and must raise all NCs.
  6. NCs must be tracked diligently and addressed within the time frame the organization has set for itself. TMs must stay involved by asking on the progress to the CA process. Overdue NCs must be investigated and TM must ask during the MR why the concerned department did not address it in time. Encourage PSW (Problem Solving Workshops) so teams can look at complex, inter-departmental NCs. Encourage use of tools as Causal Analysis and FMEA (Failure Mode Effect and Analysis).
  7. Creating a lesson learned data base has many advantages. It acts as a historic record for new joiners to learn of past occurrences. Additionally, it has great participatory value connecting each future task as a driver of improvement based on the past. The collective intelligence of the organization is available to the organization and does not vanish when individuals leave the organization.
  8. Some additional points for audit preparation:
  • Answer audit questions to the point. Do not volunteer information not sought.
  • Do not be reluctant to ask for your manager/ supervisor to support you if you are not clear on the question.
  • Have the confidence in your professionalism to ask the auditor for the requirement based on which the auditor is planning to raise a NC.
  • Be aware of risks associated with their process and actions taken to address them.
  • Explain the risks in the context of the organization and the context of what the employee does to them.

 

By CEO and President, Captain Inderjit Arora

UPDATE ON STANDARDS

In the past year there has been a lot of activity in the development and revision of ISO standards. Highlighted below are a few key updates:

ISO 41001 – Facility Management

This new standard applies the concept of the Plan-Do-Check-Act cycle to the discipline of Facilities Management. This standard provides the requirements for a facility management system where an organization needs to demonstrate effective and efficient delivery of services. The standard is aligned with the High Level Structure adopted by ISO thus ensuring easier integration with other standards. Benefits of implementing this standard, per ISO, include improved productivity, communications, service consistency and costs benefits.

ISO 19011 – Guidelines for Auditing

ISO 19001 has become the primary guideline for all audits conducted globally. The FDIS was recently cleared and the updated revision is due to be published in July 2018. One of the main changes lies in the new auditing principle “Risk-based approach: an audit approach that considers risks and opportunities. The risk-based approach should substantively influence the planning, conducting, and reporting of audits in order to ensure that audits are focused on matters that are significant for the auditee and for achieving the audit program objectives.” This approach is evident in all the clauses of the standard which not follows the High level Structure. We will further update our readers as the standard is published.

ISO 9004 – Guidance to achieve sustained success

The standard has been updated to reflect the guidelines to achieve sustained success of and ISO 9001:2015 QMS. Per ISO, factors affecting an organization’s success continually emerge, evolve, increase or diminish over the years, and adapting to these changes is important for sustained success. The document addresses systematic improvement of overall performance and includes a self-assessment tool for reviewing the extent of conformity by the organization.

To Err is Human- React or Correct?

The only bad nonconformity it the one we do not know about. Understanding this fact is the key for leaders and their managers being careful not to create a culture that hides nonconformity.

Even so it is common for managers to demand no mistakes and to react badly to errors.

Leading organizations provide employees with management systems that help them to understand and fulfill the requirements. And servant leaders provide a management system to help their employees to eliminate the causes of nonconformity. They do this gradually, according to the 80:20 (or 50:4) rule, so they always start with the vital few nonconformities that cost the most.

Zero Defects (zero nonconformity actually) has to come with humble managers who take responsibility for their management system causing the nonconformity. Care and respect remain to most powerful parts of such management systems. It should not require courage for employees to talk about problems in doing the right work right.

These organizations welcome nonconformity reports to show where the management system needs further improvement to prevent failures to fulfill requirements. They know the only bad nonconformity is the one that remains hidden.

Month of May is International Internal Audit Awareness Month

The International Institute of Internal Auditors (IIA) is encouraging Internal Auditors around the world to actively promote internal auditing’s value during Internal Audit Awareness Month .

IIA is recognizing Internal Auditing.

QMII has over 30 plus years propagated the importance of internal auditing and the need to have competent internal auditors. Any tragedy can be connected back to a nonconforming product, which in turn is invariably the outcome of a failed procedure. Internal Auditors play a vital role in recognizing NCs (Non Conformities), and thereby enabling Correction and CA (Corrective Action) to NCs. Managements have to maturely understand the importance of recognizing internal NCs as an integral part of improving process improvement and continual improvement of the system. Internal auditors have a vital role in providing objective inputs at the C-check stage of the P-D-C-A cycle.

Share a video on your social media accounts about Internal Audit Awareness Month!

We want to hear from you—Comment below a way you have showcased Internal Auditing this month!