The story so far …ISO 9001 since the 1980s…

The story so far…ISO 9001 since the 1980s…

Also on LinkedIn

Why now?

This article tells the story of ISO 9001 since the 1980s, as I’ve observed it, anyway!

It’s about trust...

It comes from the purchaser side

ISO 9001:2000 is based on a closed loop model that fits PDCA



The scenario that…

…identified the problem

AQAPs & Defence Procurement

Prime Contractors, Subcontractors & Stockists

Links with industry -


Enter the dragon #1 - assessors

Beyond customer assessment

Third party assessment

BS 5750:1979

Enter the dragon #2 – The UK National Quality Campaign

Enter the dragon #3 – DTI & their register

Other early adopters…

Beyond the UK

BS 5750 becomes ISO 9000

Take up


Accredited independent third-party certification

1st, 2nd & 3rd parties in the supply chain

and the 4th party is…?

Accreditation vs certification!

The certification process

….so what?

For example, if Company x got it wrong…

The conflict that never goes away..

How has the standard progressed over the years?

Where are we now?

The ISO 9001 Certification Issue

Sector Schemes

The future?


Also on LinkedIn

This article is also​​ published on LinkedIn

Why now?

I first wrote this paper in 2006 for my boss and our HR Director both of whom believed "competency based training"​​ was a new concept way beyond ISO 9001. You see, I kept telling them ISO 9001 had never required anything else!

Recently, it's become clear to me from contributions to LinkedIn's ISO 9001 Group and others in the same vein, that this story is not well​​ known. For example, I asked "If ISO 9001 is a solution, what problem does it solve?" ​​ None of the 65+ excellent contributions indicated any awareness of the genesis of ISO 9001. ​​ The discussion is​​ HERE​​ 


This article tells the story of​​ ISO 9001 since the 1980s, as I’ve observed it, anyway!

Whether you love it or hate it, know it well or haven’t got a clue, trust it or think it’s irrelevant, ISO 9001 is the most successful​​ international standard the world has seen to date.

It’s been around in one form or another since the late 1960s. ​​ 

The International Organisation for Standardisation (ISO) in Geneva runs an annual survey on the worldwide take- up of ISO 9001. ​​ The 2015 survey indicated that over a million certificates of conformity were held by organisations in 194 countries. ​​ 

Over the last 40 years, ISO 9001 and its antecedents have probably influenced the way most organisations work – even those that have tried to avoid​​ it.​​ 

This article attempts to tell the story of what it’s all about, where it came from and what the claim of conformity implies.

It’s about trust...

Contrary to popular belief, ISO 9001 is not a blue-print for a complete quality management system; rather​​ it is a litany of the minimum criteria against which to assess the reliability of a contractor (a supplier in other words). ​​ 

Accordingly, a failure to meet its requirements says more about the extent to which an organisation can or cannot be trusted than​​ about the scope and efficacy of its internal quality assurance systems.

It comes from the purchaser side

Contrary to the popular understanding, ISO 9001 derives from the purchasing side of a supply contract, not from the supplier side. ​​ 

Indeed ISO 9001​​ has always been intended for use in individual purchasing contracts as an external audit tool. ​​ Validated statements of conformity provide purchasers with confidence that a supplier has what it takes to deliver in full, on time, in specification and on budget before a single order​​ is placed or a first-off is delivered. ​​ 

Ongoing compliance with ISO 9001 is a genuine leading indicator of performance that an external customer can see. ​​ 

Hence committed conformity at the heart and soul level is an internal leading indicator for a supplier’s own managers. ​​ Unfortunately, few see it that way.​​ 

ISO 9001:2000 is based on a closed loop model that fits​​ PDCA

In 2000, the format of ISO 9000 was completely revised so that it fitted better Dr W Edwards Deming’s Plan-Do Check-Act Model. ​​ 

Introduced by Dr Deming in the late 1940s, PDCA had been pivotal in the post war emergence of Japanese industry as the benchmark in quality assurance. ​​ 

None of this came to light in the West till there was public reaction to the city of Philadelphia's decision to​​ buy Kawasaki rolling stock for its mass transit system. ​​ 

Mary Walton's excellent book "The Deming Management Method" is essential reading for anyone claiming to understand modern quality systems (Dodd Mead & Co, ISBN 0-396-08895-3)

ISO 9001:2000 starts by requiring management to understand customer expectations, then to apply resources to meeting them. ​​ 

It goes on to require control on how products and services are delivered accordingly, and what monitoring, analysis and improvement is required to ensure​​ customer satisfaction.​​ 

Even at this level it’s obvious that the assured availability of resources in advance of committing to supply is a pivotal requirement. ​​ 

No retailer or wholesaler in their right mind would advertise their wares with no access to stock or no validated reliable source of supply. ​​ 

Likewise no rational professional services firm would contract to do work in the absence of a quantified and reliable resource of suitably qualified people. ​​ 

Whilst common sense dictates that this is the case, ISO 9001 makes it contractually enforceable. ​​ 


Let me start with the history, and then I’ll cover what accredited third party certification means.​​ 


International standard ISO 9001 derives from national standards that in their turn derive​​ from the work of a North Atlantic Treaty Organisation (NATO) committee founded in 1955 and called AC 250. ​​ It still seems to exist; here’s a link to the NATO website -​​ ​​ 

The scenario that…

This committee, now called the “Group of National Directors for Quality Assurance”, was charged with dealing with​​ the scenario where the next major military confrontation was​​ being fought along the border with Eastern Europe using predominantly American equipment, but the Atlantic was closed to shipping. ​​ Don’t forget that in 1955 WW2 was still a recent event and that the Battle of the Atlantic had consumed huge defensive resources in convoy protection. ​​ Also, the Atlantic was only cleared for good when Germany’s offensive capability in France had been destroyed so that the Allied invasion of Europe could proceed on D-Day (6 June 1944). ​​ 

…identified the problem​​ 

Since they realised that long range Soviet naval forces were indeed able to blockade the Atlantic, the supply of all the consumables and replacements necessary to support a war effort would have to come from suppliers in Western Europe. ​​ 

The problem was the reliability​​ of the supply chain bearing in mind the multitude of suppliers that would be needed and the multiplicity of NATO member​​ states (now 19, I think). ​​ For example, how could they be sure that a bullet made in Belgium would work in a rifle made originally in the US but fitted with a replacement barrel made in the UK? ​​ Or that a flak jacket made in Scotland would fit battledress made in the Netherlands? ​​ 

Initially convinced that it was possible to get what they wanted by employing inspectors on the ends of production lines in factories, it took them 14 years to come up with something that gave them the leading assurances they sought. ​​ It came down in the end to quality management system standards and a process for the assessment of contractors. ​​ It was NATO’s AC​​ 250 that came to the realisation that quality could not be inspected into a product or service it had to be inherent in the design of the processes involved and the management systems of the contractors they selected. ​​ Dr W Edwards Deming had told the Japanese the same thing in 1949 but Deming remained unknown in the west until 1984.

AQAPs & Defence Procurement

In 1969 under NATO standardisation agreement STANAG 4107, AC 250 published the Allied Quality Assurance Procedures (AQAPs). ​​ 

AQAP-1 was the most complete set of requirements. ​​ It listed a set of 20 criteria for a quality management system (QMS) that started first with the need for top management to set and promulgate a quality policy stating the need to meet customer expectations. ​​ The second criterion demanded the provision of sufficient competent resources to operate the QMS with clear delegations and channels of communication. ​​ The third concerned the review of contracts to ensure there was “capability to meet contract or order requirements” – which applied to people, supplies, equipment and information.  ​​​​ The remaining 17 requirements covered elements concerned with design, production and delivery. ​​ 

NATO commissioned the Defence ministries in each member state to enshrine the AQAP requirements in​​ supply contracts and to set up assessment processes both to ensure that defence contractors were not only committed to comply with the AQAPs, but also were assessed (audited) and registered as competent by the defence procurement agency in each country. ​​ 

This is how and why defence industry procurement agencies went through the metamorphosis from inspecting products to assessing the competency of managers and their systems. ​​ The former failed to supply reliable deliverables, the latter provided leading assurances. ​​ 


By the way, the latest version of the quality system AQAPs is AQAP 2110 that calls up ISO 9001:2008.

Prime Contractors, Subcontractors & Stockists

The AQAPs dealt with three categories of supplier in three different contractual arrangements. ​​ 

Put simply, prime contractors worked directly for the Defence procurement agencies and had responsibility for the design/development of the deliverable such as an aircraft, a flak jacket or even a TACAN system. ​​ . ​​ 

Next, subcontractors supplied the primes​​ with the components the primes designed – often, of course, against black-box specs for reasons of national security. ​​ 

In their turn, the stockists supplied subcontractors with materials, proprietary items and consumables. ​​ 

Obviously, the scope of the quality management system requirements in the AQAP standards for each type of supplier ranged from complex for the primes to simple for the stockists. ​​ If you were a prime contractor you needed to meet all the requirements in AQAP-1 for design/development,​​ production, inspection and testing. ​​ A subcontractor needed to meet only the production, inspection & testing requirements, and a stockist only the inspection & testing. ​​ Despite the three levels of certification, prime contractors were always held responsible for the quality of the supplies they procured. ​​ 

Links with industry -​​ 

As it went about meeting its brief and refining the AQAPs, NATO’s AC-250 committee worked with defence contractors from its member nations; after all, it needed them on-side if the whole shooting match was going to work. ​​ 

This was the 60s, so the industry organisations involved were those who built the QE2, Concorde, and the European Nuclear Energy programme. In the States there was NASA and all the major American defence contractors all seeking to be approved to meet NATO’s requirement and thereby have direct access to NATO’s enormous buying power. ​​ 

Not only that, but NASA’s procurement system emulated the AQAP system and still does so far as I know.


In the UK, the Procurement Directorate of the Ministry of Defence (MoDPE) adopted the AQAPs as the Defence Standards (DEF STAN) 05-21/24 series. ​​ 

By 1972 they had run a comprehensive road show that introduced “The New Approach to Defence Procurement” as it was​​ called under its advertising campaign, and they’d introduced the standards as mandatory conditions of contract for all suppliers. ​​ 

By the end of the decade not only had all the rime contractors and thousands of their subcontractors and stockists been​​ assessed and registered by MoDPE, but Rear Admiral Derek Spickernell had become Director General of Defence Quality Assurance (DGDQA). ​​ 

Not only that, but his retirement from the senior service became imminent and he found a job as the new Director General of the British Standards Institution (BSI).

Enter the dragon #1 - assessors

The MoDPE approach was simple – satisfy the assessor who comes to check out your quality management system against the standard or we won’t award you a contract. ​​ And if you’re a​​ subbie or a stockist, you’ll have to be registered too – but if you lose your registration the prime contractor is still responsible. ​​ 

Thus the need came about for professional quality management system assessors (as we used to be called – we’re auditors​​ now!). ​​ 

A formal training programme was set up as a five day 60 hour course (and darn hard yakka it was too!) as an element in a qualification programme that required, for the fire breathing rank of “Lead Assessor”, 5 years relevant QA related experience​​ and a relevant qualification pertinent to the technical area in which you expected to work (and it's "lead" as in head-honcho, not "lead" as in ballast!).

Beyond customer assessment

The idea of the assessment of quality assurance management systems spread​​ beyond the concept of assessments done solely by customers. ​​ In 1966, the United Kingdom Government led the first national campaign for quality and reliability with the slogan "Quality is everybody's business."

In 1969, the UK and Canada developed quality​​ assurance standards for suppliers. ​​ By this time, though, suppliers were being assessed by any number of their customers. ​​ Accordingly, a UK committee report on the subject recommended that suppliers' methods should be assessed against a generic standard​​ for quality assurance systems, to avoid duplication of effort. ​​ 

In 1971, the British Standards Institution published the first UK standard for quality assurance, BS 9000, which was developed for the electronics industry.  ​​​​ In 1974, BSI published BS 5179,​​ Guidelines for Quality Assurance. ​​ 

Third party assessment

In order to shift the burden of inspection from the customer, quality assurance was guaranteed by the supplier through third-party assessment, though none of the assessing bodies at that time accepted any legal liability for the quality of their decisions. ​​ 

The collapse of a jetty at Dover, which had been assessed by Lloyds Register, an assessing body, and the subsequent court case forced a rethink. ​​ 

BS 5750:1979

Through the 1970s, BSI organized meetings with industry to set a common standard.  ​​​​ The result was BS 5750 in 1979, which however much consultation there was, turned out to be an almost exact replica of the DEF-STAN 05-21/24 series of military quality assurance standards. ​​ 

No surprises there, of course, because the effort was driven the same Rear Admiral Spickernell who had implemented NATO’s AQAPs at MoDPE. ​​ Key industry bodies agreed to drop their own standards and use it instead.​​ 

The purpose of BS 5750 was to provide a common contractual document, with generic requirements covering both industrial production (manufacturing) and the supply of services. ​​​​ 

The claim that these standards are​​ only about “manufacturing” has never been valid.

Enter the dragon #2 – The UK National Quality Campaign

In 1982 the UK government under Margaret Thatcher published a White Paper, entitled 'Standards, quality and international competitiveness”. ​​ 

Produced by the Department of Trade & Industry (DTI) this paper pointed to management system deficiencies as the root of all evil in the national failure to supply decent products in international marketplaces. ​​ 

It introduced the concept of certification of a company's quality management system both as means to reduce the burden of repetitive external assessment to the same standard by different people and as a marketing tool. ​​ 

Obviously an independent third party was needed to ensure impartiality because the switch had been made from an assessment being funded by the customer to one being bought by the supplier. ​​ 

Since the supplier became the customer of the certifier, a system was necessary to assure purchaser confidence in this arrangement. ​​ 

The original idea in the White Paper was that BSI would partner with Trade Associations to produce industry sector specific variants of BS 5750, but since these variants were never allowed to exceed the basic requirements of BS 5750, and few Trade Bodies had the necessary resources, BSI became the first de facto assessors. ​​ 

What transpired in the end was the birth in 1984 of the National Accreditation Council for Certification Bodies (NACCB) now known as the UK Accreditation Service (UKAS) and the emergence of a choice of accredited independent third party certification bodies to include BSI QA, Lloyds Register QA, Bureau Veritas Quality International, Det Norske Veritas QA, SGS QA and several others.

Enter the dragon #3 – DTI & their register

But setting up the accredited certification system was only a part of the deal in what became the DTI’s UK National Quality Campaign in 1984. ​​ 

The crux of the White Paper was to improve QA systems in UK companies, so the certification scheme was at the end of the process not the beginning. ​​ 

At the sharp end, DTI set up a system of grants whereby any UK owned company employing less than 600 people could be reimbursed two-thirds the cost of up to 15 days consulting from a DTI approved consultant if it achieved NACCB accredited​​ certification to BS 5750. ​​ At that point the grant would be paid and the company’s name could be entered on the DTI Register for all its actual and prospective customers to behold as the leading indication of their capability.  ​​​​ 

Well, what you measure is​​ what you get, so instantly there was a huge demand not only for consultants but also for certification bodies. ​​ 

I joined BVQI in the middle of this in 1988 but by the time I came to NZ in 1992, there were about 18,000 companies on the DTI register.​​ 

Other​​ early adopters…

Not long after MoDPE got underway with their system of defence contractor assessment, British Telecom and the electricity supply industry followed suit. ​​ 

Following some serious problems with the supply of sterile dressings from India, the​​ UK health ministry set up its Manufacturer Registration Scheme for suppliers of all types of medical devices to the National Health Service, the biggest integrated health service in the world. ​​ This covered the supply of everything from bandages to beds,​​ and from sterile implants to multi-million dollar installations of medical imaging equipment. ​​ The DHSS Good Manufacturing Guides that consisted of a blend of BS 5750 Pt 2 and the US FDA’s 21 CFR 820 are now known as ISO 13485.

Beyond the UK

Beyond the UK​​ the story was similar with respect to the adoption of AQAPs and its industry equivalents but no other government resorted to massive sponsorship to get their companies to buy in to quality management system certification. ​​ 

Once again with the intention of​​ forcing leading indications of capability, but this time with product safety as the main driver, in 1980, the Food & Drug Administration in the US enshrined AQAP’s requirements in chapter 820 of the Code of Federal Regulations and made them enforceable under the law for medical device producers.

Heavily influenced by The Royal Dutch Shell Oil Company, the Dutch government had set up its national accreditation body, Raad voor Certificatie (RvC) in 1984 at about the same time as the NACCB appeared in the UK​​ but it took until the late 80s for other nations to follow suit. ​​ 

The Canadians & Swedes were next, then the Belgians, as I recall it. ​​ The French did it all quite differently, of course, and still do. ​​ The Americans got into it in 1990, and so did the Swiss. ​​ 

Here in the antipodes, the Joint Accreditation System for Australia & New Zealand (JAS-ANZ) did its first accreditation in August 1992 – and KPMG-QCI was the certification body (I was personally involved in all of this, but that’s a different story). ​​ 

Major purchasers in Australia and New Zealand had been using ISO 900x standards as a qualification for suppliers in an emulation of what had occurred in Europe a decade earlier – classic examples were the NZ Dairy Board, and the ANZAC Frigate Project.​​ ​​ 

And governments did make some grant money available, although at nothing like the levels in the UK.

BS 5750 becomes ISO 9000

BSI is a member of ISO, the International Organisation for Standardisation along with its counterparts from around the world. ​​ ISO took on BS 5750 and its supporting standards and adopted it as the ISO 9000 family in 1987. ​​ BSI ran the ISO secretariat for ISO 9000. ​​ The technical committee is still called TC 176.

QR-008 is Standards Australia’s and Standards New Zealand’s contribution to TC-176. ​​ I served on QR-008 for ten years.

Take up

According to the ISO survey of ISO 9000 & ISO 14000 certificates, by the turn of the millennium over 400 000 organisations held accredited independent third-party certification to an ISO 9000 standard in 158 countries. ​​ 

The biggest take up for the year 2000 came from China at 10 000 new certificates. ​​ Whilst the UK accounted for 64 000, there were only 35 000 in the USA. ​​ On the other hand, Australia contributed 25 000 and New Zealand 2500, which,​​ on a per capita basis placed Australia & NZ second and third only to the UK. ​​ For the record, in ​​ 2011 had China with 250,000 certificates, in 2015 nearly 293,000.


The history indicates that ISO 9000 is not a flash in the pan – a million certificates in 194 countries can’t all be wrong. ​​ So it’s obvious that “the world” knows what ISO 9001 contains and has an expectation that those claiming and demonstrating conformity have the capability and will not hoodwink their customers. ​​ 

The point is that​​ even if a supplier's managers don’t understand what ISO 9000 conveys, the chances are that wise customers do. ​​ 

Not only that, but the chances are that they understand firstly that a public declaration of conformity is contractually binding even if conformity is not specified in a contract. ​​ And secondly, they know that if an organisation is faced with having its certification withdrawn for reasons of serious non-conformity, the certification system will protect its own reputation by advertising widely the​​ indiscretions of its client. ​​ It doesn’t happen often because frankly, it doesn’t have to – a commitment to conformity is the easier option.

In order to get the point here, it’s important to understand how certification works; at least the kind a supplier​​ buys from certification bodies or registrars as they are better known in the US.

Accredited independent third-party certification

1st, 2nd & 3rd​​ parties in the supply chain

The first party in a supply contract is the customer; the second party is the supplier.

Common sense in risk management demands that the first party assesses the trustworthiness of the second party before doing business. ​​ Wise purchasers don’t believe all the lies they hear. ​​ 

So, either the first party (customer) employs someone to​​ assess the second party on their behalf, or the second party (supplier) engages a trustworthy third party (certifier) to save the first party the trouble. ​​ The issue here is the extent to which the first party (customer) will believe the third party (the second party’s certifier) - particularly if they’re being paid by the second party (supplier). ​​ 

and the 4th party is…?

Enter the fourth party, namely the agency that will declare the certifier as being free from conflicts of interest and competent.

But who​​ is to say the fourth party is trustworthy and competent, is there a fifth party? ​​ Well, yes, government is the answer to that, these fourth parties are called Accreditation Bodies and their role is to accredit certification bodies (certifiers) to provide​​ independent third party certification. ​​ 

There is only ever one fourth party per country, and they are operated as government agencies under the auspices of the Minister of Commerce, usually. ​​ 

Accreditation vs certification!

Hence accreditation is not the​​ same as certification - even if the words are used as synonyms in this part of the world. ​​ Accordingly, “accredited external third party certification” is about as transparent as it gets.

The certification process

The certification process starts (or it should do!) with an organisation assuring itself that it complies with ISO 9001 by checking that its management systems are in conformity with the requirements and stating a commitment to comply. ​​ 

Just like you would engage an accredited testing lab to assure you a measuring instrument met national or international standards of accuracy and precision, the organisation then engages an accredited certification body (CB) to come in and test its quality management system by taking samples over a short period​​ of​​ time. ​​ CBs call this auditing but it’s really an assessment because, unlike laboratory testing there are no defined criteria. ​​ Once the CB is satisfied that their audit/assessment validates the claim of conformity made by their client, a certificate is issued as a statement of agreement between the CB and their client.​​ 

There are two aspects to the CB’s certificate, which is very like a vehicle Warrant of Fitness (WoF) in NZ, or an MoT vehicle inspection report in the UK;

  • It amounts to them declaring that,​​ in the context of the scope statement on the certificate itself, they have assessed a sample of their client’s QMS against the generic requirements in ISO 9001, and;

  • The sample did not reveal any significant evidence that their client’s claim to comply with ISO 9001 was misrepresented;

However, just as the vehicle inspector isn’t given the time to dismantle your car to check it out thoroughly, neither is the CB given the time to pull their clients' systems apart extensively. ​​ Hence, if you steer them away​​ from areas where you know there's a problem, the chances are they won’t detect the duplicity - except that like experienced vehicle inspectors, they didn’t come down with the last shower of rain…mmmmm….

….so what?

The rules under which certification bodies​​ are accredited include requirements designed to protect the integrity of the accreditation system above all else. ​​ ISO 17021 is the basis. ​​ 

That means that if a certification body’s client is caught claiming compliance with ISO 9001 (say) then blatantly​​ ignoring the requirements, and the misdemeanour becomes a big issue, both the certifier and the accreditation body will protect themselves. ​​ If that means the CB denigrating its client and the accreditation body denigrating the CB then so be it. ​​ 

For example, if Company x got it wrong…

For example, if Company X took a contract under its nationally accredited certification to ISO 9001 to supply high grade steel plate for a pressure vessel, then it transpired that the vessel failed because the material wasn't up to specification, the risk is that the customer would complain not only to Company X but also to CB.

If the CB failed to take action to control its client's behaviour and/or publicly withdraw the certification, the complaint might go to the national accreditation​​ body (AB) who would take whatever action they needed to protect their accreditation. ​​ Note here that accreditation bodies audit CBs annually and their audits always look at complaints.​​ 

If they found that the CB had complied with accreditation​​ requirements (which they always do coz it’s their business), would reserve the right to make a very public declaration in support of CB, that the supplier was at fault, and couldn’t be trusted. ​​ Note that it’s the Minister responsible for the AB who carries the can for all this.

That declaration could be made via the International Accreditation Forum (IAF) whose membership consists of all the accreditation bodies from all the nations that have one. ​​ 

Accordingly, there’s a significant risk that a supplier's reputation would suffer. ​​ 

The issue is that regardless of what the certification body does or doesn’t do or say, conformity with ISO 9001 is an obligation on the organisation claiming to comply. ​​ Declaring conformity when you know you don’t is the organisation’s risk pure and simple. ​​ 

Company X would cut no ice with anyone if it tried to claim it didn’t know about ISO 9001 when it was a registered client of an accredited CB and had sent a copy of its certificate with every proposal that asked for it.

The conflict that never goes away..

The conflict in all this is that if the CB pulls a certification it loses the revenue that client generates.​​ 

Similarly if an accreditation body pulls a CB’s accreditation they lose the business. ​​ 

Hence, the withdrawal​​ and cancellation of certification and accreditation is a rare event but that’s not to say it never happens. ​​ 

In my 15 years or so of managing certification bodies, I can recall three instances where my CB pulled a certificate, one where another CB lost its accreditation, and two occasions where we came within the diameter of a gnat’s eyebrow of losing ours! ​​ 

The fact of the matter is that the integrity of your quality system is in your hands.


How has the standard progressed over the years?

In short:

  • NATO​​ AC250 published the AQAPs in 1969 to replace ineffective inspection systems and to provide an assurance that at least a minimal set of quality management procedures would be in place for the products and services covered by the individual contract.

  • The​​ AQAPs were to be called-up as quality management system (QMS) criteria in NATO procurement contracts and subjected to pre-award conformity assessment by the Procurement Directorates of Member State Defence Ministries. ​​ The scope of assessments was only the​​ contract for which the supplier was bidding. ​​ There were 3 levels of AQAP standards:

    • Design, development, production, inspection and supply (for the prime contractors),

    • Production, inspection & supply (for the prime’s subcontractors – because the primes did the design work),

    • Inspection & supply (for the suppliers of materials and consumables for the primes & their subbies).

  • In the UK in 1971, the AQAPs were promulgated to industry as the DEFSTAN 05-21 series, MoD’s ex-factory inspectors were re-trained as​​ assessors and contractor assessment started in earnest.  ​​​​ This was all done under the auspices of the Ministry of Defence Procurement Executive (MoDPE) under Rear Admiral Derek Spickernel.

  • Quite quickly there was a burgeoning awareness that the DEFSTANs had commercially beneficial side-effects for suppliers who previously had no quality systems procedures at all. ​​ 

  • Rear Admiral Spickernel retired from MoDPE amd joined BSI, shortly beceme Director General

  • DEFSTANS were published as BS 5750:1979 in the midst​​ of general government and public concern that Britain’s poor export performance was due to lousy product quality. ​​ There were three part in BS 5750 to emulate the 3 tiers in the DEFSTANs.

  • UK National Quality campaign injects huge funding into BS 5750 certification, 10s of thousands of companies become certified against “15 day” QMSs; a new profession is born! ​​ The assumption here was that ensuring conformity with BS 5750 after 15 days of consultancy would miraculously improve the quality of products and services in UK’s export trade.

  • BSI runs the secretariat of ISO committee TC 176 that produces the ISO 9000 family in 1987. ​​ The three levels are retained, internal auditing is added as the only really significant change. ​​ Nobody knew anything about it at the​​ time!

  • Minor revision in 1994, same three levels retained.

  • ISO 900x gets called up in private and public sector purchasing.

  • ISO 9001:2000 is a major revision, the clauses are re-ordered into a Deming PDCA cycle, the emphasis on using the standard as a business improvement model is enhanced, despite that the Scope retains the focus or delivery vs a supply agreement. ​​ It is now necessary to define processes, their sequence and interaction and measure their performance. ​​ The requirement for 20 sets of documented procedures is reduced to six. ​​ There’s only one level but it’s permitted to “exclude” clauses deemed non-applicable.

  • Minor revision in 2008, no significant changes.

  • Major revision in 2015 introduced “risk based thinking”, a series of “soft” requirements​​ and serious reduction in documentation requirements. ​​ ISO imposes Annex SL as the high-level structure for all management system standards vs no cogent rational explanation.

Where are we now?

ISO 9001 was created by purchasers as a set of criteria against​​ to select reliable suppliers; it’s an audit standard, in other words. ​​ Nothing has changed that role in my opinion. ​​ Indeed, the scope of the standard has not changed in that regard either. ​​ And it used to say it was only for external use!


Hence it has only ever made 100% sense when viewed in the shoes of a prospective customer seeking an assurance that a potential supplier will supply reliably. ​​ In other words, it makes sense only when interpreted from the buyer’s side of the supply agreement.


Back in​​ 1987 its 20 clauses were laid out in a sensible workflow that the customer’s external assessor could follow through the supplier’s system. ​​ It went something like this: ​​ Management & objectives OK? ​​ Documentation present and controlled OK? ​​ Sales agreement​​ understood OK? ​​ Design & development OK as per sales agreement? ​​ Purchasing OK? ​​ Production OK? ​​ Testing OK? ​​ Calibration OK? ​​ Packaging & delivery OK? ​​ Internal audit OK? ​​ Training OK? ​​ Statistics OK? (shamefully added as an afterthought but that’s another story!).


The shuffling in 2000 destroyed the elegant logic of this simple approach in what looks like a thinly veiled attempt to make the standard look more like a business model ​​ On the other hand, it did bring out the closed loop approach that had always been there in reality if you understood what the customer was really looking for.


The tweak in 2008 added nothing of consequence but the major revision in 2015 wound back the clock on the basic tenets that come with the concept that the standard is there for the use of purchasers.


We’ll have to wait and see if it survives.


The ISO 9001 Certification Issue

The history of the ISO 9000 family is based on a series of standards was written by purchasers for their own use to select their own suppliers as​​ the 2nd​​ party in a supply agreement.


When it became used as a 3rd​​ party certification standard, not only did the auditor need to be credible in the eyes of the customers of the certification body’s client, but the CB needed to be credible in the marketplace where it offered its certification services. ​​ At the outset, NACCB (now = UKAS) and RvC (now = RvA) understood this plainly and clearly, just that the UK National Quality Campaign seemed to make NACCB more serious about it!


In 1988 when I set out in this industry, certification scope control was tightly managed regarding this kind of credibility; it’s what “cred” meant in “accreditation”! ​​ 


But it was tedious; I used to say if you had accreditation to certify manufacturers of bolts, you needed to go through the darn scope extension process to cover manufacture of the nuts that fitted them, as for the washers, don’t go there! ​​ 


For the record, this scope extension process required each CB to write supplementary guidance (Quality Standard Supplements - QSSs) for its customers and auditors alike, and the guidance was quoted on the certificate. ​​ Not only that, but the guidance had to be signed off by the CB’s technical committee of industry experts: such a TC was mandatory under accreditation rules at the time (this predates ISO 17021 by a long time….).


What followed was pressure to relax all this discipline because the UK National Quality Campaign demanded quicker certifications, the CBs demanded faster billing opportunities with less admin overhead, and there was no appetite to invest in the the meagre accreditation headcount and facilities even though the integrity of the whole shooting match was dependent on it; and still is of course. ​​ 


The accreditation system just rolled over into its current moribund form.


Sector Schemes

Slowly but surely sector schemes popped up to cover the professional gap left by avaricious certification bodies and moribund accreditors.

Industry groupings from the automobile, aviation, telecommunications and food sectors have set up their own schemes using their own editions of ISO 9001 tailored to fit their view of their own industry requirements, to include the specification for qualifying auditors and the conduct of audits. ​​ This is exactly the model that was conceived back in​​ the early 1980s to be under the auspices of CBs and ABs themselves. ​​ Now the sector schemes need to qualify the CBs and ABs.


In the regulatory sector, for medical devices, for example, ISO 13485 regurgitates ISO 9001 with a reduced scope but it adds extra clauses many of which re-instate the documentation requirements relaxed from the 2000 edition onwards. ​​ And ISO 13485 has honest application when it’s called up under regulations as per Health Canada’s Canadian Medical Device Conformity Assessment System​​ (CMDCAS) that qualifies CBs against its own criteria, again this is not left to the discretion of CBs and ABs.


The future?

The jury is out on ISO 9001:2015, we’ll just have to wait and see.


My preference would be to see it under the auspices of​​ procurement agencies once more and for it to return to its entirely logical workflow driven structure. ​​ If that means abandoning ISO then let’s get on with it.


It still works in the purchasing model, my view is that’s it’s only true application. ​​ NATO still calls up ISO 9001:2008 in AQAP 2110, and still uses the three-level classification system. ​​ Here in NZ, ISO 9001 certification is called for by food packaging purchasers and for contractors supplying defence contracts and by the New Zealand Transport Agency for the national roading programme.


I hope this helps.


Ian Hendra

Clearline Services Ltd

August 2017