Thursday, February 5, 2026

The risk is always there

Last Wednesday—a week ago yesterday—I read two stories that had nothing to do with each other, except they somehow breathed the same air. In a funny but uncanny way they echoed each other.

Amazon lays off 16,000 employees

One story was widely reported. On that day, Amazon laid off 16,000 workers ... and notified them by accident. You can find the basic story in multiple places around the Internet—for example, here. Discussion on LinkedIn (for example here and here) fleshed out some of the details. In principle it is no surprise these days when a tech giant announces layoffs. What was surprising in this case was precisely that Amazon failed to announce them! The layoffs just kind of happened all by themselves, or so it seemed, and then were referenced off-handedly in other, subsequent emails. Finally there was an official announcement (you can read it here), but only after the damage had been done. Amazon employees shared their experience on Reddit. [Quotes are mostly as-is, and not edited for grammar or spelling.]

I work in SLU. I went to check on my baby at 2am and got and email at 230 that I've been let go. What a great day.... 

i got a txt saying check your personal email before coming to work; work email was disabled. so yeah, break up over txt. 

I didn't know until I got to Blackfoot at 0530 this morning, and my badge didn't work. Tried to slack my boss, and no slack access. Went to email, no email access. After being escorted out of the lobby, got the email in my personal account that my position was eliminated.

Dam I’m at Blackfoot and had to pack up my coworkers stuff.

Again, what's remarkable about this story is not that thousands of people were laid off, but that the communications were handled so ineptly.

Dorx Communications shuts off one account

The second story was a lot smaller. A blogger I follow was moving from Rhode Island to Maryland, and tried to cancel the Internet service at his old lodgings. John Michael Greer tells the story as follows:

In the process of getting all my Rhode Island utilities shut down and all my Maryland ones switched on, I contacted my former [Internet] provider―to keep the lawyers at bay, let’s call the firm Dorx Communications, shall we? You can get almost any other imaginable service from the Dorx website with a few clicks, but shutting off service is a different matter entirely. You have to go to chat, put up with the maunderings of their clueless robot, and get transferred to a supposedly live agent, who then does everything possible to keep you from doing what you’ve come there to do. I slogged patiently through the process, and finally got the allegedly live person to agree that my service would be shut off on January 30.

The moment the chat ended, my phone and internet access shut down. When I walked three blocks to the local public library to get online and contacted Dorx to inform them politely that they’d made a mistake, I found that my shutoff order had been redated to that day, January 18. What’s more, once I was in my account, I was unable to access the chat function at all. It was a pretty obvious middle finger from the dorks at Dorx.

What do these stories have in common?

Both stories involve companies doing something unpleasant. In each case, the company behaves in ways that look to be at best careless and callous; and in each case it is easy to slide from that (admittedly generous) perspective towards one that evaluates the company's actions as "a pretty obvious middle finger." But I have to disagree with Greer. When he reads Dorx's behavior as hostile, he is forgetting an important principle that the Internet calls Hanlon's Razor.

"Never attribute to malice that which is adequately explained by stupidity."

Stupidity is always a risk. It is especially a risk in the actions of corporations, and even more especially in the actions of large corporations. 

But why?

At the most basic level, stupidity is always a risk because we are all human beings, and human beings make mistakes. That's why there is such a discipline as Quality in the first place—to protect against the inevitability of human failure.

Stupidity is a risk in the actions of corporations because many of the "actions" that corporations take aren't based on the decision of any single individual. Multiple people have to work together, often through business processes, and nobody sees the whole picture. Outcomes are the result of the processes themselves rather than of a concrete decision. And if a process is not very well-designed, it can misfire. This is why John Seddon says that his first step working with a new client is to send top management to the front office to watch a single order come in, and then to track that order through its life-cycle. Invariably they learn that the company's systems actually work very differently from how they are supposed to work! (I discuss the point at greater length in this post here.)

And stupidity is especially a risk in the actions of large corporations because those organizations have disproportionately many employees on the inside, where their only contact is with other employees and they are insulated from customers. This means that they are (overall) more likely to trust their business processes than the employees of small companies, because they have fewer opportunities for disconfirmation or falsification.* If unhappy customers can walk into your store and disrupt your day, you are more likely** to take care to keep them happy regardless of what the process tells you to do.

Constant vigilance

Of course, at some level everyone knows all this. As noted, the only reason we have a Quality discipline in the first place is that everyone knows people are fallible. But it is important to understand that the most any Quality system can ever do is to help. No system can ever eliminate the risk of human stupidity.

And even the best system can grow flabby and ineffective over time. In earlier posts, I have cited Amazon as a company that strove to avoid bureaucratization. Back in November 2019, Franklin Foer wrote in The Atlantic that "In contrast to the dysfunction and cynicism that define the times, Amazon is the embodiment of competence, the rare institution that routinely works."*** And yet here was Amazon, just one week ago, laying off 16,000 employees without remembering to let them know! 

"The embodiment of competence"? Well, times change. (For other examples, search this blog site for "Boeing.")

Ultimately the only way to avoid stupid mistakes is through constant vigilance. Quality systems can help. Caring about your work makes a huge difference. Paying attention, following through ... all these things are pretty basic. But they are also frighteningly easy to lose track of.

Constant vigilance.   

_____

* In the sense made famous by Sir Karl Popper. See also, for example, this discussion of bureaucracy, which highlights the connection to size.  

** Of course this is no guarantee. Small companies fail too. 

*** Franklin Foer, "Jeff Bezos's Master Plan," The Atlantic, November 2019, p. 58.      

      

Thursday, January 29, 2026

Getting regulatory standards for free

How do you get a copy of a standard?

Let's say you need one for work. You want to check what ISO 14001 says about management review, to make sure you are doing it right. Or you want to know what the American Welding Society says in Z49.1 about "Safety in Welding and Cutting." Where do you find the document?

You could try the organization's website. Some standards (such as Z49.1, in fact) are available for free. But many of them are for sale. So someone—you, or the organization you work for—has to pony up cash to get a copy. 

That's the normal expectation. And the assumption has always been that if you don't want to pay for the standard, no one is forcing you. There's no law that you have to hold management review, after all. If your customers expect it from you—because your customers expect ISO 14001 certification—that's a cost of doing business. And you are free to choose whether it is better to pay for the certification (which includes paying for the standard) or to forego the chance to hang that diploma in your lobby.

But there's a catch. Sometimes there is a legal requirement to comply with one of these standards. And that complicates the calculation.

In what follows, I explain how this came about, and then I tell you how to get the documents you need for FREE. 

How can you be required to follow a "voluntary" standard?

Let's back up a minute. In the United States, many industries operate within guidelines defined by federal regulations. In some industries—the design and manufacture of medical devices is a prime example—those regulations became so numerous that they ended up covering the same scope as the relevant "voluntary" quality standards (in this case, ISO 13485, "Medical devices — Quality management systems — Requirements for regulatory purposes"). 

For a while, medical device companies had to comply with two complete sets of rules, those from the Food and Drug Administration (FDA) and those from ISO. This mandate was awkward, because there is no way that two different sets of rules can ever completely coincide. Finally, the FDA repealed those detailed individual regulations which duplicated the terms of the ISO standard, and replaced them all with a general regulation that medical device companies must comply with ISO 13485. Technically this means that Title 21 of the Code of Federal Regulations now "incorporates ISO 13485 by reference." (The same thing happens in other industries.)

Did that solve the problem?

Yes and no. It clarified the rules for medical device manufacturers. But ISO 13485 is a document sold by the International Organization for Standardization (ISO) for CHF196. On the other hand, it's a basic principle of American law that Federal regulations are made available for free. The idea is that it's not fair to hold someone accountable to a law and then charge him a fee to find out what the law says!

But if 21 CFR Part 820 now incorporates ISO 13485 by reference, doesn't that mean that medical device companies should have access to the standard for free? And likewise for other industries whose regulations incorporate standards by reference?

What's the answer?       

In the end, the regulatory agency has to come to some kind of agreement with the standards-developing organization to make the standard "reasonably available" to persons who are affected by the law. For standards written by a dozen major organizations—including ISO and IEC (International Electrotechnical Commission)—there is a one-stop shop hosted online by the American National Standards Institute (ANSI) where you can download for free read-only copies of those standards which have been incorporated by reference into legislation or regulation.

Start here: https://ibr.ansi.org/Default.aspx 

Now to be clear, none of these organizations have relinquished their copyrights on the documents in question. And in order to respect those copyrights, ANSI's access is not exactly convenient:

  • You cannot print the documents you download from this site. 
  • You cannot select text and copy it. 
  • You cannot highlight it or add notes. 
  • Before you can open any of these documents, you have to download a special plug-in for the Acrobat Reader, and then you have to open them in Acrobat (not in your browser). 
  • You have to register with your name and address for each document you download, each time you download it. 
  • There is a Frequently Asked Questions page with more information at https://ibr.ansi.org/Faq/Default.aspx. 

If you want access that doesn't suffer from all these limitations, you have to pay for the document like a regular customer.

But strictly speaking, you can get access to these standards for free—just like any other federal regulation.



      

Thursday, January 22, 2026

How do the bad units know where to go?

When your customer returns a failed product, there are things you regularly do to understand the problem. Depending on the product, you might check its serial number against your production logs, to see when it was manufactured. Was it part of a batch that you already know had problems? Maybe you check its composition. Does it include components that have given you trouble before? There are multiple avenues you can explore, as part of your root-cause analysis investigation. But do you remember to ask your customer, What exactly were you doing when the product stopped working?

This is not who the story is about! But I found the illustration on the Internet and couldn't resist.

Last week I heard the craziest story. Some customer had an accident that left him unable to walk. But his job required him to move around a lot, so he got a motorized wheelchair. After a month, the engine burned out, and he had it replaced. A month later, the new engine burned out, so he had that one replaced too. And the month after that ... well, you get the idea.

It seems that the wheelchair manufacturer and the customer's insurance company let this cycle go on for some time before they finally began to investigate. What exactly was this guy's job, anyway? It turns out he was a high school football coach. And his idea of how to do the job involved racing back and forth on the sidelines during games, so he could get a close look at what was going on. On the grass. In the mud. All through football season. If he got stuck in a mud patch or a gopher hole, he just jammed the wheelchair into overdrive until he got free. And somehow the engines in his wheelchair kept burning out.

Gosh, who would have guessed?

It reminded me of a story I heard years before, in a problem-solving class. A large manufacturer of high-end cookware kept getting pans returned where the ceramic finish had melted in a way that made the pans unusable.* They studied their manufacturing process, spent a lot of time and money on improvements, and it made no difference to the return rate for this particular failure.

Finally, after a lot of frustration, they hired a problem-solving expert who looked at the overall return data. This company shipped product throughout North America, but all the returns with this problem came from Toronto. Right away he told the company to stop wasting time and money reengineering their manufacturing process.

"Why?" they asked. "How can you be sure that's not the problem?"

"If the problem was caused by manufacturing, it would be evenly distributed across all your customers. But look at this map. How do all the bad pans know to go to Toronto?"

"Then what's the cause?"

"Put me on the next flight to Toronto, and I'll tell you."

In the end, he discovered there was a popular cooking program on a local TV station which recommended that viewers clean their pans in a certain way. That cleaning method just so happened to destroy the ceramic finish on this company's pans. I don't remember how they finally solved the problem. But until they asked how their customers were using the products, their investigations were fruitless.

So remember to ask. If you see failure data that doesn't fit the patterns you expect, what other pattern does it fit instead? There has to be one. And when you have all the facts, the picture is going to make sense. As long as the failures make no sense, you don't have all the facts.

Just remember: How do all the bad pans know to go to Toronto?

It's a powerful question.

__________

* I heard this story years ago, so I may have some parts of the story slightly garbled. But the point should be clear.      

Thursday, January 15, 2026

Upcoming Changes in ISO 9001

Late last week, Quality Magazine published my article, "Upcoming Changes in ISO 9001." In it, I review the recent DIS9001 and explain the changes that it introduced:

  • Quality culture and ethical behavior
  • Opportunity-based thinking
  • Changes to the terms and definitions
  • Other changes

I also explain my conclusion (which I have already stated in other venues) that any company which is securely certified to ISO 9001:2015 should have no trouble upgrading to the new version ... unless some new, massive, unforeseen change is snuck in at the last minute. 

It's their article now so I won't post the text of it here, but you can find it by following the link. I hope you find it useful!



Thursday, January 8, 2026

Write documentation you can use

People often associate Quality with documentation. To some extent, this is unavoidable: you need a written record of inputs and outputs to make sure they both match the requirements, for example. But it's also partly because of the enormous influence of ISO 9001, which—especially in its earlier editions—stated a number of specific documentation requirements.

In principle the association isn't a bad thing. Documentation is incredibly useful. The problem comes when companies start documenting things without regard to whether someone is going to use the documentation later. Pro tip: If nobody is ever going to read it, then writing it down might have been a waste of time.* By the same token, if you write something down it is only considerate to think about who is going to read it, and what it will take for your writing to be useful.

One of the best examples I ever saw for the latter point was implemented by a contract-manufacturing company my firm used to do business with. They were a small company, but they had carved out a specialty niche in the larger ecosystem of manufacturing for the high-tech market. Because they were a small company, they had only a few large machines and the rest of their product assembly was done by hand. This meant that each workstation along their assembly line needed work instructions, to tell the people there what to do.

Manufacturing work instructions can be handled in a lot of different ways. This company started with the drawings we gave them, along with all of our assembly notes, but then wrote their own instructions based on them. 

  • Their manufacturing engineer wrote one document per workstation, so the people at Workstation 2 wouldn't get distracted by instructions for Workstation 3.
  • Since most employees had a native language other than English, each document was bilingual in English and the other language.
  • Each document included a photograph showing what the product was supposed to look like when it came into that workstation, and then when it left.
  • After their manufacturing engineer generated this series of documents (based on our drawing), he sat down with his contact on our side to review the whole stack of them, to clarify any confusing points, and to get our approval.
  • And of course these documents were kept under strict version control.  

Ironically, this company was not certified to ISO 9001. They had investigated what certification would require, and concluded that they already had plenty of business and didn't need it. They were also the only supplier of ours that never once caused us a serious problem! (I allude to them briefly in this post here.)

But they understood what they needed in order to do excellent manufacturing in their specific industry niche. So they focused on that, ignored distractions that didn't matter to them or weren't useful, and turned out flawless work. Every time. 



_____

* Of course there are exceptions. If I write something down, the very act of writing also helps me remember it. That's why I said "might have been."     

      

Thursday, January 1, 2026

Feedback on Santa's audit!

Wow! I got a lot of comments on last week's post about how far Santa Claus complies with ISO 9001. Thanks especially to Pia Hamrin, Dawn Ringrose, Petro Shoturma, and Jeremy Panitz for their detailed feedback!

What interested me was the remarkable level of unanimity among the responses. Of course each commenter had a unique perspective. But since Santa Claus is fictional,* any commonality among the responses must be traceable to the second half of the discussion—namely, to the expectations that grow naturally out of working with ISO 9001. Those of us who work with the standard regularly have come to know that some clauses need a lot more attention than others, because the impact they have on organizations is so consequential.

Even if you aren't worried about Santa Claus, ask yourself whether these same clauses aren't important topics in your organization.

Common concerns

It was no surprise to me that the two topics which attracted the most attention were Internal controls and Complaint handling. Businesses differ a lot: organizational contexts can be very different, as can the quality of customer requirements. For some companies those topics might require a lot of attention, while for others the same topics might manage themselves. But internal controls always matter—to everyone. And without complaint handling, you have no feedback on your operations to make sure your customers are satisfied. So nearly everyone agreed to focus on those areas.

Naughty or nice?

Everyone knows that Santa Claus checks whether each child is "naughty or nice," but how does this happen? Dawn's reply assured me that Santa uses a proprietary algorithm. But Pia asked how that algorithm is validated, and whether the sources are documented? Jeremy suggested that Santa consults with children's deities around the world to make his determinations.

Complaint handling

Petro and Pia both raised the issue that there is no publicized mechanism for complaint handling. Jeremy suggested a resolution to this topic, though, by arguing that "If the customer isn't satisfied with the gift they got from Santa Claus, the gift did not come from Santa Claus."**

Less worried

By contrast, nobody was very worried about document retention. Dawn suggested that the children's letters must be fully digitized, and nobody else took up the subject. I think this lack of concern reflects our common experience that yes, of course document retention is important; but on the other hand documentation findings are generally the weakest kind of finding in any audit.

Similarly, Dawn and Jeremy both assured me that internal audits were done by impartial elves, where "no one audits their own toy line." And I think we have all experienced that even in organizations where the Quality Management System is informal or not very mature, it is generally possible to find people who can treat the process objectively, and who can therefore do reliable audits.

Unique observations

Then there were the unique observations that pushed the discussion in an unexpected direction.

Jeremy argued that Santa Claus is thought of as a toymaker, but that the real focus of his design expertise is in logistics. In commenting on clause 8.3.2 (Design and development planning), he explains, "Santa has only 24 hours to deliver toys and other gifts all across the world. That means he's got to know the weather patterns. So his design and planning is less on toys and gifts and more on safety and delivery of the goods." Jeremy doesn't use this example, but I assume he would compare Santa (in this respect) to McDonald's, who didn't redesign the hamburger but revolutionized how it was delivered to the customer.

For her part, Dawn answered the question about children changing their minds by enunciating the rule, "Last Wish Wins." But that rule means that the audit plan has to spend a lot more time checking scrap and rework under clause 8.7 (Control of nonconforming outputs). As long as the only topic was the elves' workmanship, we could assume that the elves are magical and don't make mistakes; so overall scrap should be minimal. But if children can change their minds late in the game, there is sure to be scrap as earlier gifts are replaced with later ones. Thus does any answer in one part of the audit open up new trails in another part—and this, too, is a familiar experience to all of us.


Naturally I don't mean to suggest that any clause is unimportant. In the right (or wrong) circumstances, any clause can trip you up. But I found it interesting and reassuring that the feedback on this topic aligned so closely with my own sense about where the critical risks are in any ISO 9001 implementation. Again, even if the North Pole doesn't interest you much, your own organization does. And it is worth looking over where your own risks are.

__________

* Or at any rate I'll assume so for the purposes of this post! 

** It's an interesting idea, to which I note only that, however this principle might work for Santa, it's not available for the rest of us.     

         

Thursday, December 25, 2025

Does Santa Claus comply to ISO 9001?

Years ago, when my kids were little, they would spend an hour or so every Christmas Eve watching the NORAD Santa Tracker. You've probably heard the story behind how NORAD tracks Santa's progress through the skies every year. And indeed every year there are press releases updating the public on the current status of the Santa-tracking program.

These days I'm out of touch with the latest developments in aviation, but I'm correspondingly more interested in international standards. So today I find myself wondering, How far does Santa Claus comply with ISO 9001?


It's not an idle question. Last year an investigative reporter went to the North Pole—at least, that's what the article said—to check the operations of Claus Enterprises against OSHA's Top 10 workplace-cited standards for 2024. The results weren't pretty, though Santa himself put the best face on what he called "an unfortunate misunderstanding," and pledged a prompt corrective action plan.

But even if safety issues have been addressed, what about Quality? Millions of children rely on Santa for presents each year. Can he really be counted on to come down all the right chimneys? Does he stand behind his work, or does he just fly away "like the down on a thistle"?

Up till now I have been unable to find an ISO 9001 certificate* for any part of Santa's operations, neither his workshop nor his delivery service. Partly the problem may be geographic: I'm not aware of any formal Certifying Body with jurisdiction over the North Pole. All the same, surely it's a good idea to do an advance check—like a pre-audit—to find which clauses need the most attention. So Santa, if you are reading this, treat it as a little free consulting, to help you get positioned.**  

These, then, are some clauses of the standard where I would expect discussion in an audit:

4.1 Understanding the organization and its context

Ever since the climate change amendment last year, this clause has included the requirement, "The organization shall determine whether climate change is a relevant issue." Well if the Polar ice cap is about to melt, that sounds relevant to me! Does Santa have plans to relocate? And where?

4.2 Understanding the needs and expectations of interested parties

How often are these needs and expectations reviewed or updated? I assume that the desires of little children have been broadly similar for centuries. But what about other players in the same market? Does Santa face competition from online retailers, or has he worked out some kind of deal?

5.2.1 Establishing the quality policy

What exactly is Santa's Quality Policy? Does he strive for 100% satisfaction? We know that every year some children are disappointed; so if the policy calls for 100%, there might be a problem. And what if a gift is defective, or has to be returned? Does Santa replace it himself, or does he require the parents to do the work? (See also clause 8.4 Control of externally provided processes, products and services.) 

7.5.3 Control of documented information

Children write letters to Santa from all over the world. Are those kept for future reference, in case there is some dispute over what a child really requested? And in what form? (For example, are the original letters kept on paper, or are they digitized?) If the letters are kept on paper, how are they preserved in the harsh Arctic climate?

A second topic is the retention policy: how many years is a letter kept? Santa is always said to be wise and to have a long memory; but the storage requirements for each new year's batch of letters must be enormous. Are they kept for a year? For a decade? For centuries? How are they indexed? How easily can they be retrieved?

8.2.3 Review of the requirements for products and services

There's another kind of control needed for the children's letters: regular review. Some children might request toys that are dangerous, or that are illegal in their place of residence. How is this review conducted, and how are conflicts resolved?

In addition to all the other reviews, subclause 8.2.3.1(c) requires a review of "requirements specified by the organization." Presumably this includes comparing all requests against the List of Who's Naughty and Nice. But how is that list managed and kept up to date? And how often is a naughty child really given a lump of coal instead of some other present? (I can think of children over the years that I thought had earned a lump of coal who never seemed to get one!) 

8.2.4 Changes to requirements for products and services

What about children who change their minds about what they want, and who send multiple letters? Is there a tracking system to allow the second letter to be filed with the first one, or to replace it completely?

8.3.2 Design and development planning

What is the ratio of customized gifts to off-the-shelf toys? The publicity photos of Santa's Workshop look like they are mass-producing toys, but there must be a lot of specialized requests as well. How is this handled? (See also clause 8.5.2 Identification and traceability.)

8.4 Control of externally provided processes, products and services

How much of Santa's work is subcontracted to local merchants, or to parents? And on what terms? Does Santa still get all the credit, in all cases?

8.5.2 Identification and traceability

How far is lot-traceability a relevant issue? (Note that if every job were custom—see also clause 8.3.2 Design and development planning—then lot-traceability would not be a requirement.)

8.5.4 Preservation

The North Pole has a cold, harsh climate. The same is true for much of the lower atmosphere. How does Santa preserve presents in good condition, and keep them from being damaged by the harsh environment?

8.6 Release of products and services

Does Santa keep records of every gift, and are those records filed with (or cross-indexed to) the corresponding request letters? This raises some of the same questions we discussed above under clause 7.5.3 Control of documented information.

9.1.2 Customer satisfaction

What is Santa's current level of customer satisfaction? Has it been trending up or down? In case of any downward trend, has Santa chosen to implement corrective actions, and what do those look like?

9.2 Internal audit

Who does internal audits for Santa's enterprises? Are the auditors selected in a way that "ensure[s] objectivity and the impartiality of the audit process"? Is the scope of the internal audits the same as the scope of the enterprises, or are there some areas that are off-limits to the auditors? Can I see the results of the latest full audit?

9.3 Management review

Can I see the records of the latest management review? Has Santa ever introduced a major change to the operations as a result of findings in management review?

  • If yes, what was it?
  • If no, then is the organization really using the management review, or is it just a dog-and-pony show?

10.3 Continual improvement

Tell me about the latest continual improvement initiatives.

Having said all this, I have to admit that it would be the chance of a lifetime to audit Santa's Workshop at the North Pole. An operation with such vast scope, that has to achieve such delicate precision in its outputs, would be amazing to review.

So Santa—again—if you are reading this and want someone to do a test-audit before you call a regular Certifying Body, leave a comment on this post with your contact information and I'm sure we can work something out.

And to everyone else, have a jolly day, a delightful holiday season, and a very happy New Year! 



__________

* I did find one article here that claims Santa Claus is certified to ISO 9001 and a host of other standards as well, but it offers no links to objective evidence.  

** And with a little luck, giving away free consulting might be enough to move me from Naughty to Nice!     

 

Five laws of administration

It's the last week of the year, so let's end on a light note. Here are five general principles that I've picked up from working ...