Featured Product
This Week in Quality Digest Live
Standards Features
ISO
MSMEs are encouraged to uphold the highest standards
Steven Brown
21st-century standard candles at NIST
Kath Lockett
ISO standard for the cleaning, inspection, repair of firefighter PPE
Ann Brady
From farm to fork, how safe is your food?

More Features

Standards News
Run compliance checks against products in seconds
Aug. 25, 2022, at 3:00 p.m. Eastern
Could be used for basic performance information on raw materials used in the most common 3D printers
Now is not the time to skip critical factory audits and supply chain assessments
Google Docs collaboration, more efficient management of quality deviations
Program inspires leaders to consider systems perspective for continuous improvement and innovation
Collaboration produces online software for collecting quality inspection data
First responders may benefit from NIST contest to reward high-quality incident command dashboards

More News

Bud Weightman

Standards

Potential Risks of ISO/DIS 9001:2015 to the Oil and Gas Industry

Imagine a trust-based system for operation and safety procedures where oil and gas are produced

Published: Wednesday, May 6, 2015 - 10:49

The fifth edition of ISO 9001, which is slated for publication in late 2015, has some good ideas regarding improvement and harmonization with other management system standards such as ISO 14001. However, ISO/Draft International Standard (DIS) 9001:2015 has taken away prescriptive language for a documented quality manual and documented procedures, and has minimized several important requirements that were in ISO 9001:2008.

This lessening of requirements will put additional pressure on service companies, manufacturers, and supply chain and quality organizations in the oil and gas industry. For example, if determining an organization’s level of conformance to a standard is placed into the hands of certification auditors, there will be inconsistencies. The variance between auditors and certification companies is not standardized.

Purchasers will be motivated to institute additional controls such as:
• Reviews of the supplier’s quality manual and procedures
• On-site audits of quality management systems (QMS)
• On-site surveillance and final inspections
• Formalized quality plans and inspection as well as test plans will be required
• More contractual audits will be scheduled, particularly for oil and gas projects, to verify a supplier’s technical conformity abilities

Suppliers to the oil and gas industry should consider implementing the American Petroleum Institute (API) Specification Q1 because it has prescriptive language for an organization to document and implement a quality manual and a minimum amount of QMS procedures. Once implemented, the documented QMS will correlate to API product specifications when there is a requirement for a documented procedure, and for purchasers’ technical contractual requirements.

ISO/DIS 9001:2015 proposes to eliminate the need for a quality manual. The loss of a “required” quality manual may seem irrelevant, but this affects how customers place a supplier on their approved suppliers list, and it increases the due diligence necessary to ensure a robust QMS is in place and being used. The quality manual is essential for:
• Gaining a high-level understanding of a supplier’s degree of QMS competence and understanding
• Providing a customer a level of assurance that a supplier understands basic QMS requirements
• Allowing the QMS requirements to flow cross-functionally throughout a supplier’s organization

I am curious as to why ISO/DIS 9001:2015 proposes to eliminate the need for the management representative’s position. Most oil and gas industry suppliers tend to have a quality assurance department. The management representative position ensures that a supplier has delegated one of its own managers with the responsibility and accountability for quality.

For the oil and gas industry, it’s astounding to think that ISO 9001 has been moving from a conformity model to a trust-based model and has been shedding requirements for documented procedures since the ISO 9001:1994 edition, which had approximately 21 requirements for documented procedures. In contrast, the ISO 9001:2008 edition has six requirements for documented procedures, and now, ISO/DIS 9001:2015 has removed any need for documented procedures.

Figure 1 provides an overview of the requirements in API Specification Q1 9th edition compared to the 1994, 2000, and 2008 editions of ISO 9001.



Figure 1: API Specification Q1 9th edition requirements compared to the 1994, 2000, and 2008 editions of ISO 9001. Click here for larger image.

A trust-based system will better facilitate many different business types serving a wide variety of industries; however, it’s contrary to the direction of the oil and gas industry. Imagine a trust-based system for operation and safety procedures where oil and gas are produced with:
• Extreme high and low processing temperatures
• Extreme geographical temperatures, from deserts to locations near the north and south poles
• Internal system pressures up to 30,000 psi
• Subsea pressures operating at 10,000 feet or more
• Environments containing hydrogen sulfide gas

Although some may feel the inclusion of risk to ISO/DIS 9001:2015 is a positive indication, it is more of an expansion of the preventive action clause in ISO 9001:2008 (which is no longer available). ISO/DIS 9001:2015 does not focus specifically on risk associated with quality and delivery of product. It’s left up to the organization to determine the degree of formality and applicability that risk has to the QMS and its processes and activities.

The real risk associated with the ISO/DIS 9001:2015 is the systematic elimination of the requirements discussed in this article. Oil and gas companies should evaluate how these changes will affect their current contracts, suppliers, subcontractors, and contractors alike.

The oil and gas industry changes have increased risk, liabilities, and regulatory requirements; now is not the time for a trust-based system. In fact, the opposite is more appropriate. A “risk-based” quality management system is needed to prepare the oil and gas industry for its future and the mitigation of systemic risk.

As mentioned by one of the pioneers of quality, W. Edwards Deming: “In God we trust; all others bring data.” This appears to best counter the ISO/DIS 9001:2015 changes for critical materials, parts, components, equipment, and equipment packages for the oil and gas industry.

Discuss

About The Author

Bud Weightman’s picture

Bud Weightman

Bud Weightman is president of Qualified Specialists International, a consulting, training, and management systems technology company that specializes in The American Petroleum Institute (API) Spec. Q1 and Q2 conformity, API product specifications, and industry nonproductive time. Weightman has been active in regulatory compliance and management systems for more than 35 years. He is an RABQSI Skill examiner, a Center for Offshore Safety lead auditor, a trainer and lecturer, and holds numerous other certifications. Weightman is also the chairman of API SC 18 Task Group 6, Welding Requirements, and has worked on numerous other API task groups and work groups.

Comments

Oil and Gas & API

In the oil and gas industry, a conversation about which standard is "better" or has more merit isn't really applicable.

One thing API has done well, is convince the large companies (Shell, Exxon, BP, etc.) that their API Q1/Q2 are valuable.  These companies then pass the requirement down to their suppliers who pass them down to their suppliers, etc.

Regardless of which specification has more merit, if you are in the oil and gas industry and your company's QMS is not at least API Q1 or Q2 compliant then you will be in for some audit findings from your customers.  My specific experience is in the US, so international experience may vary.

ISO Changes

The author is full of gas on this one. He must be connected to API somehow to have this kind of slanted "journalism". Not truthful and not objective at all.

Rebuttal to a few points

I think we need to bring out some actual facts here regarding the 9001:2015 DIS and correct some issues that have appeared to been spun a bit or maybe just inaccurate.

First, "taken away prescriptive language for a documented quality manual and documented procedures".

Fact: There are at least 34 areas within the DIS that have "prescriptive language" regarding required documented information which include very key areas such as measurements and metrics, scope training and competence, documented information of external origin... and it goes on.

The standard specifically states:”

"The organization shall maintain documented information to the extent necessary to support the operation of processes and retain documented information to the extent necessary to have confidence that the processes are being carried out as planned".

Section 7.5 is dedicated to Documented Information. It also notes (realizing there is no "one size fits all" QMS) that:

The organization’s quality management system shall include

a) documented information required by this International Standard (those 34 areas I mentioned)

b) documented information determined by the organization as being necessary for the effectiveness of the quality management system.

NOTE The extent of documented information for a quality management system can differ from one organization to another due to:

a) the size of organization and its type of activities, processes, products and services;

b) the complexity of processes and their interactions;

c) the competence of persons.

The new standard supports organizations reviewing their QMS and eliminating redundant useless documentation, forms, procedures and the like that the thousands of audits have shown to have just served as dust collectors.

As far as the quality manual is concerned, again, there is no "requirement" but organizations can keep it if they feel it serves a purpose or may be required by a customer or regulatory requirement. Reality is most organizations QM is a re-write of the standard with additional language stating that they do these things and serve as a cross-walk to the policies and procedures that cover the specific section of the standard. That can be accomplished in many ways other than a formal QM.

If you can't describe what you are doing as a process, you don't know what you're doing. ~Deming~

Your statement "if determining an organization’s level of conformance to a standard is placed into the hands of certification auditors" makes no sense and has no substance. The role of Certified Bodies has always been to 1.) Provide third party verification and validation that the organization meets the requirements of the standard (including internal, regulatory and customer/industry requirements) and 2.) Validate that the QMS is working as specified and is effective. That has always been the idea behind certification so purchasers do not have to implement additional checks as you specify.

You forgot to mention that the new standard now requires organizations re-visit their scope by reviewing the "Context" of the organization to "Determine relevant external and internal issues that affect the ability to achieve the intended outcome(s)" including identifying the interested parties and addressing the needs of those interested parties.

You forgot to mention that the new standard requires extensive rigor around ensuring the Leadership of the organization is hands on involved with planning, rolling out and managing the QMS at an enterprise level not just giving lip service. They must show how they ensure the QMS is in line with the organizational objectives and "integrate the management system requirements into the organization’s business processes". How they provide proper resources and communicate the importance of effective management and of conforming to requirements? How they ensure the management system achieves its intended outcome(s)?

You say that (API) Specification Q1 has "prescriptive language for an organization to document and implement a quality manual and a minimum amount of QMS procedures. Once implemented, the documented QMS will correlate to API product specifications when there is a requirement for a documented procedure and for purchasers’ technical contractual requirements". You just said you have a problem with the reduced requirement for documentation in the new standard yet specifically point out that API Q1 requires "a minimum amount of QMS procedures".  A bit of a contradiction. Secondly, the standard covers product specifications under 8.2.2 Determination of requirements related to products and services and then under 8.2.3 Review of requirements related to products and services which is very specific and detailed around the requirements. It even states that "where the customer does not provide a documented statement of their requirements, the customer, requirements shall be confirmed by the organization before acceptance". Oh yes, let's not forget that requirement for a change management system.

Management Representative: The logic behind eliminating the formal title of Management Representative is to instil ownership of quality to everyone within the organization, not just the quality department as you state. Are you serious in suggesting that the accountability for the success or failure of a QMS should sit with one person? Reality is (if you read the standard) that management "must assign responsibility and authority for ensuring that the management system conforms to the requirements of the International Standard reporting on the performance of the management system to top management". So yes there will still be someone coordinating the efforts, but the responsibility for the success of the QMS and the organization as a whole, lies with every employee. Deming stated that "Quality is everyone’s responsibility" .

Risk: Your statement that "ISO/DIS 9001:2015 does not focus specifically on risk associated with quality and delivery of product. It’s left up to the organization to determine the degree of formality and applicability that risk has to the QMS and its processes and activities" is totally wrong. Again, read the standard. It is very specific:

Consider the issues referred to in 4.1* and the requirements referred to in 4.2** and determine the risks and opportunities that need to be addressed to:

  • give assurance that the management system can achieve its intended outcome(s);
  • prevent, or reduce, undesired effects; (mitigate)

  • achieve continual improvement

    *4.1 Understanding the organization and its context

    **4.2 Understanding the needs and expectations of interested parties

    The organization must then plan actions to address these risks and opportunities and integrate and implement the actions into its management system processes and show how they evaluate the effectiveness of these actions.

    Does the ISO 9001:2015 rely totally on trust as you say? I think my "data" has just proven that there is a level of trust is within every management system ISO or not. But trust and verify is the key. As Deming said "You don't inspect in quality, it is already there".

    The changes to the international standard are to ensure that the issue of quality is now in the board room not a bottom up process. It is there to ensure the culture of the organization is always customer focused. It is there to ensure that mitigating risks to the organization and customers are addressed up front rather than reacting to failures. There is no reason to re-create the wheel when the current standard allows and specifies organizations must address industry, customer and regulatory specific requirements as part of the overall QMS. The new changes are aimed not only at increasing quality, top management involvement and survival of the organization, but reducing costs by eliminating waste. What you are suggesting is a very prescriptive cost heavy process that has already been proven to add no value, just reduce the bottom line.

    While we are quoting Deming, how about this one: "It's not necessary to change. Survival is not mandatory".

    This is just to bring out all the facts so people can assess this issue from a more educated view point.  

NOTE: These comments and views are my own and not necessisarily those of my organization or it's mangement.

 

The organization shall maintain documented information to the extent necessary to support the

987 operation of processes and retain documented information to the extent necessary to have confidence

988 that the processes are being carried out as planned.