Welcome to the Whittington & Associates e-Newsletter!
Visit and bookmark our web site.
Our newsletters provide guidance on ISO 9001,
AS9100, ISO 13485, ISO/TS 16949, TL 9000, ISO 14001,
ISO 27001, ISO 20000, and related ISO
standards, as well as Six Sigma.
If you have any questions about the articles
appearing in this issue, or you want to suggest
topics for future issues, please let us
know.
AS91xx Transition
Supplemental rules for the transition to
AS9100, AS9110, and AS9120, including the
implementation of AS9104/1 and use of the
updated AS9101, were published by the
IAQG-OPMT last month. These rules support the
transition timeline described in our December
2009 newsletter.
The rules apply to the following:
1. Sector Management Structure (SMS)
2. Accreditation Bodies (ABs)
3. Auditor Authentication Bodies (AABs)
4. Authenticated Aerospace Auditors (AAs and AEAs)
5. Training Provider Authentication Bodies (TPABs)
6. Training Providers (TPs)
7. Certification Bodies (CBs)
8. Organizations seeking certification to the AS91xx:2009 standards
The rules for groups 4 and 8 are described
below. You can read the full document at the Rules
for AS91xx Transition web site.
4. Authenticated Aerospace Auditor (AA & AEA)
All currently authenticated auditors are
required to take the AS9100:2009 sanctioned
training by a TPAB-approved TP. All currently
authenticated auditors are required to take
the sanctioned training for all other
standards the auditor is authenticated to,
i.e., AS9110:2009 and/or AS9120:2009.
Auditors must provide evidence of successful
completion of the sanctioned training to the
AAB that has their existing authentication.
Auditors must successfully complete the
AS91XX:2009 sanctioned training prior to
conducting any AS91XX:2009 audits. Auditors
not authenticated for the AS91XX:2009
standards as described above will no longer
be able to do Aerospace QMS audits as of 1
July 2011.
8. Organizations seeking certification to the 91xx:2009 AQMS standards
Organizations must formally declare to their
CB conformance to 91XX:2009 prior to the CB
conducting 91XX:2009 audits. Organizations
that have not been certified to the 91XX:2009
AQMS standard by 1 July 2012 will have their
certificate withdrawn from OASIS.
Risk Management
Last month, the newsletter included an
article on ISO 31000:2009, Risk Management -
Principles and Guidelines. The article also
referenced a supporting standard, ISO
31010:2009, Risk Management - Risk Assessment
Techniques. These two risk management
standards provide organizations of all types
with a well-stocked toolbox for tackling
situations that could affect the achievement
of their objectives.
Risks affecting organizations may have
consequences in terms of:
- societal, environmental, technological, safety, and security outcomes
- commercial, financial, and economic disciplines
- social, cultural, and political reputation impacts
When risks occur, organizations always have
to ask the question: "Is the level of risk
tolerable or acceptable, and does it require
further treatment?"
Risk assessment is an integral part of risk
management which provides a structured
process for organizations to identify how
objectives may be affected. It is used to
analyze the risk in terms of consequences and
their probabilities, before the organization
decides on further treatment, if required.
Risk assessment provides decision-makers and
responsible parties with an improved
understanding of risks that could affect
achievement of objectives, as well as of the
adequacy and effectiveness of controls
already in place. The ISO 31010 standard
provides a basis for decisions about the most
appropriate approach to be used to treat
particular risks and to select between
options.
ISO 31010 will assist organizations in
implementing the risk management principles
and guidelines provided by ISO 31000, itself
complemented by ISO Guide 73:2009 on risk
management vocabulary. ISO 31010 deals with:
- Risk assessment concepts
- Risk assessment process
- Selection of risk assessment techniques
The standard reflects current good practice
and answers the following questions:
- What can happen and why?
- What are the consequences?
- What is the probability of their future occurrence?
- Are there any factors that mitigate the consequences of the risk or that reduce the probability of the risk?
The application of a range of techniques is
introduced, with specific references to other
International Standards where the concept and
application of techniques are described in
greater detail. Risk assessment is not a
stand-alone activity and should be fully
integrated into the other components in the
risk management process.
ISO 31010 has been developed for application
by both the risk management novice and the
seasoned risk professional. It forms part of
an integrated risk management structure of
standards, developed with a view to providing
a 'best practice' approach.
ISO 31000:2009 and ISO 31010:2009 can be
ordered at the ANSI Web Store.
Integrated Systems
This article on integrated management
systems was written by Rich Barish.
Globalization, advancement of technologies,
and heightened concerns for controlling
environmental risks have motivated many
organizations to implement quality,
environmental, and occupational health and
safety management systems. A significant
number of U.S. industries are driving these
implementation efforts along the supply
chains, prompting customers to require
management system certifications of their
suppliers.
Integrating quality, environmental, and
occupational health and safety management
systems increases an organization's ability
to strategically manage its mission, vision,
and objectives through policy development,
system design and implementation, adherence
to protocol, increased control of risks, and
improvement of processes.
Quality, environmental, and health and safety
management systems are based on a number of
similar, if not identical, requirements such
as policy, roles and responsibilities,
objectives, processes, procedures,
operational control, monitoring and checking,
audits and reviews, improvement, competence
and training, and statutory and regulatory
requirements. Organizations have found
that integrating these systems together makes
fundamentally good business sense.
The organizations which stand to gain the
most benefits from system integration are
those that have more than one management
system standard and wish to achieve maximum
value from the combined systems. Other
organizations which would benefit from system
integration include those that wish to have
one holistic system to manage their
organization, those that wish to introduce
several management systems at the same time,
and those that have one management system
standard already and wish to introduce
another one.
Many organizations choose to implement one
management system standard at a time,
building off of the structure of the previous
system implementation and lessons learned.
This approach is sound, but the key to the
success is to implement the management
systems standard with the most rigorous and
extensive requirements first. If this is
done, all additional management systems can
utilize the pre-existing systems in place,
e.g., document control, record control,
management review, corrective/preventive
action, and internal audits, then add only
the specific requirements of that management
system, e.g., aspects, impacts, and external
communication. This technique reduces
redundancy and inefficiency, saving time and
resources, which usually equates to saving
money.
For those organizations with existing,
separate management systems, the Process
Approach is key to the success of system
integration. A process is any set of
interrelated or interacting activities that
uses resources to transform inputs into
outputs. The process approach systematically
identifies and manages the linkage,
combination, and interaction of a system of
processes within an organization. These
processes could be operational,
service-related, or production-related, but
they also include support processes like training,
maintenance, engineering, purchasing, and
internal audits. Organizations that have been
successful integrating their current
management systems have benefited from
understanding their management system process
flows, both operational and support, then
integrating the common processes together.
Flow charting can be quite advantageous for
those organizations wishing to integrate
their systems. However, for those
organizations who just do not know where to
start integrating, corrective action,
preventive action, and internal audits are
always good starting points.
ISO 9001, ISO 14001, and OHSAS 18001 are
based on a process approach to management.
The process approach emphasizes the
importance of understanding and meeting
requirements and objectives, obtaining
results of process performance and
effectiveness, and continual improvement. The
understanding of process flow and sequencing
is vital to the success of system
integration. Many organizations have stumbled
upon non-value added processes when
implementing systems together and were able
to reduce costs by eliminating these
unnecessary activities.
The integration of management systems
provides benefits at all levels. Top
management will realize strategic benefits
since all systems will be seen as part of an
overall business management system,
contributing to the continual improvement of
the results of the organization. Integration
also increases an organization's ability to
strategically manage its mission, vision, and
objectives through policy development, system
design and implementation, adherence to
protocol, increased control of risks, and
improvement of processes.
Integrated management systems are especially
important for organizations where a design
change may introduce downstream environmental
or safety and health risks. Personnel in
operations and support can benefit from a
streamlined, consistent approach to doing
business and an improvement in communications
between processes. The overall organization
will realize financial benefits achieved
through the reduction of resources and the
avoidance of duplication in systems. With all
things considered, integrating management
systems simply makes good business sense.
Rich Barish has integrated multiple
management systems and can help you achieve
the same benefits. Call me if you are
interested in integrating your management
systems and improving your business results.
You should also be able to reduce the time
spent on internal and external audits by
reducing the audit overlap.
Website Design
If you'd like to have a web site,
improve the look of your current one, or
increase its business results, contact Frogtown
Media. We offer web design and search
engine optimization.
Larry Whittington
678-947-6188 (work)
770-880-1301 (mobile)
678-947-4275 (fax)
ISO/TR 20000-3:2009
ISO/TR 20000-3:2009, Information
Technology - Service Management - Part 3:
Guidance on Scope Definition and
Applicability of ISO 20000-1.
The new ISO/TR 20000-3 standard provides
guidance on scope definition, applicability,
and demonstration of conformance for service
providers who are:
- aiming to meet the requirements of ISO 20000-1
- planning service improvements and using ISO 20000 as a business goal
It can also assist service providers who are
considering using ISO 20000-1 for
implementing a service management system
(SMS) and need specific advice on whether ISO
20000-1 is applicable to their circumstances
and how to define the scope of their SMS.
ISO/TR 20000-3 supplements the advice in ISO
20000-2, which provides generic guidelines
for implementing an SMS in accordance with
ISO 20000-1 requirements. ISO 20000-2
represents an industry consensus on guidance
to auditors and offers assistance to service
providers planning service improvements or to
be audited against ISO 20000-1.
Service providers who wish to implement an
SMS based on ISO 20000-1 are required to
define the scope of their SMS. Most service
providers are dependent on a complex supply
chain for the delivery of the overall
service. Most service providers provide a
range of services to several different types
of customer. This makes the definition of
service management scope, and the agreement
of the scope statement, a complex stage in
the service provider's adoption of ISO 20000.
ISO/TR 20000-3 provides guidance on the
applicability of ISO 20000-1 and scope of the
SMS based on practical examples.
ISO/TR 20000-3 takes the form of
explanations, guidance, and recommendations.
It provides practical examples of the scope
statements to service providers, irrespective
of whether they have any previous experience
with other management system standards.
ISO 20000-1 defines the requirements for a
service provider to deliver managed services.
It may be used:
- by businesses that are going to tender for their services
- to provide a consistent approach by all service providers in a supply chain
- to benchmark IT service management
- as the basis for an independent assessment
- to demonstrate the ability to meet customer requirements
- to improve services
ISO 20000-1 promotes the adoption of an
integrated process approach to effectively
deliver managed services to meet business and
customer requirements. For an organization to
function effectively, it has to identify and
manage numerous linked activities.
Coordinated integration and implementation of
the service management processes provides the
ongoing control, greater efficiency, and
opportunities for continual improvement.
Organizations require increasingly advanced
facilities (at minimum cost) to meet their
business needs. With the increasing
dependencies in support services and the
diverse range of technologies available,
service providers can struggle to maintain
high levels of customer service. Working
reactively, they spend too little time
planning, training, reviewing, investigating,
and working with customers. The result is a
failure to adopt structured, proactive
working practices. Those same service
providers are being asked for improved
quality, lower costs, greater flexibility,
and faster response to customers.
In contrast, effective service management
delivers high levels of customer service and
customer satisfaction. It also recognizes
that services and service management are
essential to helping organizations generate
revenue and be cost-effective. The ISO 20000
series enables service providers to
understand how to enhance the quality of
service delivered to their customers, both
internal and external.
The ISO 20000 series draws a distinction
between the best practices of processes,
which are independent of organizational form
or size, and organizational names and
structures. The ISO 20000 series applies to
both large and small service providers, and
the requirements for best practice service
management processes are independent of the
service provider's organizational form. These
service management processes deliver the best
possible service to meet a customer's
business needs within agreed resource levels,
i.e., service that is professional,
cost-effective, and with risks which are
understood and managed.
ISO 20000-1, Specification; ISO 20000-2, Code
of Practice; and ISO/TR 20010, Guidance, are
available from the ANSI Standards Store.
Whittington & Associates provides training, consulting and auditing services for
management systems based on
ISO 9001, ISO/TS 16949, TL 9000, AS9100, ISO 13485,
ISO 27001, ISO 20000, and ISO 14001.