Over 25 years of Client Success

Showing posts with label PDCA cycle. Show all posts

Friday, November 1, 2013

Preparing to Implement a QMS

I was recently asked if there are preparations necessary before taking on the implementation of a Quality Management System (QMS) in an organization.

My take is to involve the TM (Top Management) from the word go and collect their clear objectives. If they are not committed or clear about their policy and objectives, implementing a QMS will be an uphill task for the organization. Sure, TM have asked the QM to do it, perhaps not because they believe in the system approach, but because business pressures have made the certificate a prerequisite for gaining the business. Therefore, having clear objectives from the TM is essential.

Once you have this TM buy-in, please capture the "as-is" of the system. That will start you at the correct stage of the P-D-C-A cycle, which is P! This should then be followed by a gap analysis (please do not start with a gap analysis; that would be starting at the C stage of the cycle!). The gap analysis will give you the additional (missing) processes required to meet the requirements of the standard ISO 9001:2008 (or for that matter any other standard). You will now have a system ready for use by your organization.

Then consider "what is in it for me", the employees' question. The employees, particularly in a service industry, will only buy in if they know what is in it for them. Refer to clause 5.5.3 of ISO 9001, internal communications. Simultaneously, plan some orientation to bring the employees on board so they see the advantages of a system. A bad system will let down a good man (woman) every time (Dr. Deming).

Monday, May 20, 2013

Comments on CEO Transocean admitting to mistakes related to the tragedy of Deepwater Horizon


In a recent article in the Maritime Explorer, "Transocean Ltd. CEO Steven Newman said the company’s crew on the Deepwater Horizon “should have done more” to prevent the rig’s 2010 explosion in the Gulf of Mexico". http://www.maritime-executive.com/article/Transocean-Should-Have-Done-More-Before-Blowout-CEO-Testifies-2013-03-20/

This is indeed a pleasant change and in a way a pioneering effort for which Transocean's CEO needs to be congratulated. The maritime industry, in general, avoids taking blame. There are reasons for that; for example, P&I clubs do not really pay unless someone is blamed. “A bad system will defeat a good person every time” – W. Edwards Deming.  This reminds me of a quote from the Caine Mutiny, which in essence says, “Navy is a master plan devised by the genius for execution by idiots”.  This master plan is the system, which should be so created that there is no need to blame the individual.  Every time the system fails, the management reviews and acts to work on the procedures that comprise the system.  Improve the system enabling better protection of the individual. It is ironic that individuals who are assigned the designing and then implementing of the system often consider it a burden – little realizing that the system approach takes management away from asking, “Who” to asking, “How and Why”.  This results in further development of the system rather than blaming the individual who was simply working within the system.

In this article, however, the CEO talks of both good people and a good system. I agree with the good people bit. In any case, if analysis reveals that the employees lacked competence or were negligent, it would again point to the system, meaning the weak HR (Human Resources) procedures which hired incompetent personnel. So it is always the system which lets down the organization. So my objection and suggestion to Transocean (for that matter any maritime organization) is not to say that their system too was “wonderful” but to re-look at the system and analyze how the system let down the personnel they selected. I have a quote which I use when I work with organizations as I develop their systems as a consultant, and that is “the only bad NC (Non Conformity) is the one you do not know about”. The system therefore should be created with the environment matched to encourage NCs to be reported. After all, corrective action and correction are NC driven. And as the collected NCs build up the database, they will provide the information which can be analyzed and trends obtained to predict potential NCs. The company becomes a mature organization when it can predict potential NCs before they occur. Potential NCs are data driven. Therefore Transocean needs to work towards that end. So, yes, the CEO has indeed taken a very positive step by accepting the deficiencies and will no doubt now look ahead to going back to the Plan stage of the P-D-C-A cycle (Plan, Do, Check and Act) and review the system.

Thursday, April 18, 2013

Security and Training – Intrinsically connected


A Process-Based approach to security based on training

One could conclude that the process-based approach, where implemented correctly, should ensure efficiency and lead to ‘cash in the bank’*. The ‘people>processes>system approach’* based on the international standard ISO 9001 has been well tried, as the global economy has come closer, necessitating standardization of procedures to ensure systems don’t conflict and adversely affect efficiency. The economy today is globally dependent and the process approach brings a system approach to it. Using the approach, one would think organizations would ensure continual improvement, innovate and grow the organization. The process approach as envisaged in ISO 9001, however, leaves out the risk aspects, pollution and the by-products of a process! To stay in business, therefore, organizations implement the global standard ISO 14001 encompassing the Environmental Management System (EMS) requirements in addition to the Quality Management System (QMS) requirements.

Consequent to the tragedy of 9/11, the post 2001 scenario underwent a negative sea change. Lack of security could wipe away the business totally! It is not that security was not a concern pre-2001; however, the vulnerability of the very symbols of American economic power changed the international equations, which adversely affected business continuity. If the only superpower on earth was vulnerable and unable to protect its economic center from terrorists, then it required a drastic change in the priorities of businesses if they were to remain viable. It changed the priorities of governments worldwide. For a business to remain sustainable and ensure continuity, it was not just essential to be process based, ensure pollution control and environmental protection, be risk based and cater to the by-products, but also of the utmost importance to ensure security of the business. Security became a prime concern. All investment in business can be lost in a moment if a security breach takes place.

The maritime industry is intrinsically involved with the world economy, in that more than 90% of world trade is by vessels trading the globe. The maritime world had its process approach to safety and pollution prevention covered by the SOLAS convention published and implemented as the mandatory ISM Code. Pollution aspects of vessels are specifically addressed by the MARPOL convention. The security uncertainty post 9/11 quickly led to the implementation of the mandatory ISPS Code for all internationally trading vessels and for the ports where these vessels came in. With the implementation of the ISPS Code, the maritime assets are protected.

The global supply chain is, however, not limited to the maritime assets! The concept of maritime asset protection needed to be broadened, as the assets were vulnerable to breach both ‘up-stream’ and ‘down-stream’ of the ISPS Code. Breach of security anywhere in the global supply chain could have catastrophic consequences on the global economy. The introduction of the global standard ISO 28000 filled this vacuum and provided the requirements for implementing procedures to create a system to protect the global supply chain.

Ninety percent of the US homeland imports come in by sea. Inspecting such a large quantity poses colossal challenges. Only about 3 to 5% of the containers coming in, for example, are inspected! It is a daunting task for the USCG and CBP. The CBP initiative in terms of C-TPAT relies on partnership with the industry and encourages those trading with the US to make their security systems compliant with these requirements. It is essentially a process-based approach to security aligned and based on the ISO 28000.

Just the planning and implementation of the security requirements is not sufficient. Individual responsibility is integral to security and when combined with the system approach can pay dividends. All the standards be it ISO 9001, ISO 14001 or ISO 28000 or as applicable in the maritime world: ISM Code, ISPS Code or the MARPOL convention, each requires a system approach. It is vital to the success of this approach that the top managements (TM) are conscious of their responsibilities. Other stakeholders, be they owners, operators, auditors, statutory or regulatory bodies, flag State Administrations do their bit, but TM remains totally responsible for security.

This alignment of TM responsibility being paramount has another variance in the security scenario. I think this vital difference needs recognition by all parties involved in the security of the global supply chain. The major difference is epitomized (particularly for the maritime industry) in Clause A/ 19.1.3 of the ISPS Code. The clause is often considered just advisory in the verification process. However, the sting in the clause is applicable to the entire body of security. The clause virtually requires the Flag State to 'guarantee' foolproof security following verification by the Administration! No other international or maritime standard requires this assurance from a regulator. All security related industries, not just the maritime industry (who in any case have no choice!), must take a cue from this clause as it leads to a fresh interpretation of security responsibilities for all stakeholders in the global (particularly maritime) supply chain. The auditors, inspectors, the involved organization, regulators et al. take due responsibility for the security.  To broaden the implications of the thought behind the clause, each entity looking at the security aspect must be fully satisfied and guarantee 100% security. No deficiencies/ NCs (Non-Conformities) are acceptable. Howsoever minor the NC, it must be addressed promptly. The strength of the global supply chain is defined by the weakest link in it, and as such, the deficiencies need to be completed before any verification certificate is given.

The challenge and requirements are then clear. The question is how is this to be ensured? Perhaps by getting the best available equipment? Hiring top-notch security personnel? Will just the participation of competent professional manpower and best of surveillance equipment do the magic? Alternatively, perhaps the putting in place of the correct procedures to complete the system is the guarantee of an impregnable security system.
                   
What it requires, I think, firstly is the total TM commitment to motivate their teams by care and coordination to ensure the security system works. The security policy published by the TM should be totally in keeping with the actual security requirements of the organization and based on an in-depth study of the threat perceptions. The policy, if well thought out and reflecting the organization's actual security threats, will then lead to measurable objectives and goals for the security team. The team can then have the organization and procedures aligned and resourced to meet these objectives. Once the procedures are ready and introduced, the vital phase of training, and training alone, will determine the outcome of the desired results. Both prevention in terms of preparing for a security eventuality and the response in consequence to a security tragedy will require the systematic P-D-C-A (Plan-Do-Check-Act cycle)* approach. A good security plan based on a thorough security assessment (SA), as it moves to the working phase/ Implementation stage (Do), requires aware leaders leading their team through constant training.

Drills to practice and work the security procedures and build the required confidence level will require regular, well-planned training. Drills must exercise each security element of the global supply chain. The success in drills will then need to be bridged by training to ensure each element in the global supply chain (for that matter the domestic supply chain too) is exercised. The more innovative and realistic these drills and exercises, the greater will be the confidence level of the management and employees (as also all stakeholders) in their ability both to prepare for and to react to a breach in security of the supply chain or any of its elements.

SA is essential and integral to a security plan (SP). However, emphasis on carrying out a detailed and thorough threat perception as a must ‘pre-cursor’ to SA before an SP is made should be part of the system ensuring security. Each security drill and exercise should encompass the elements of ‘lessons learnt’ at each level, finally leading to the TM review. TM must remain involved and committed to the security, ensuring continual improvement is taking place and innovation encouraged. It must be remembered that the terrorist organizations recruit and train a very motivated work force on their well-tried methods! These terrorists are often two steps ahead of the security measures the industry takes and are ever ready to circumvent security. The security of the global supply chain can only be ensured by the training system being innovative, proactive and capable of recognizing potential threats to the security. Following up on NCs by correction and corrective action is essential, but an indicator of the organization being a step behind the ‘bad elements’. Following up on NCs against the security system can at its best be defined as reactive. The security team will be effective and the security system will function as planned when the indicators point to the capability of the system to predict potential security breaches (NCs) by analyzing security threats and trends from available security warnings and threat perceptions. The occurrence of an NC, however small or catastrophic, always has an associated cost to the organization.  With good training, the team with its involvement and commitment can recognize the potential NCs and add value to the system protecting the global supply chain and each element in it.

The security system must therefore drill and exercise the team members to ensure competence and provide them the ability and confidence level to understand the security system so well that analysis of indicators is carried out with professionalism and correct TM decisions taken to secure the global economy from unscrupulous elements.

Wednesday, April 10, 2013

Should Auditors seek to find Non-Conformities?

Is the audit not complete unless a NC has been found?

“During a recent internal audit an employee performing a certain job, listed her actions slightly out of order from the written instruction.  The change did not affect the outcome in any way - it was basically comparable to making a pot of coffee and choosing to add the water first, even though the instruction says to add the coffee first.  Half of our team felt that it was a 'non-conformity' and the other half felt it was not. ” 

This is an interesting situation that was posed to me after a recent QMS LA (ISO 9001) course I led. I thought of sharing it on my blog as it touches on the principles of auditing, wherein auditors should look for conformity and not nonconformity.  The answer lies in the difference between an auditor and a registrar. A good auditor audits with no subjective opinion and does not go looking for NCs. Good auditors go looking for conformity. When a preliminary audit conveys the impression of an NC, an auditor should still give the Auditee the chance to show conformity. An auditor should not be there to "fix the Auditee", somehow give NCs and so on. Please refer to clause 8.2.2 of ISO 9001 with regard to internal audits. The clause requires the organization to conduct "internal audits at planned intervals to determine whether the quality management system" "conforms to the planned arrangements" - it does not say go find how it does not conform! The clause requires the system to be "effectively implemented", not how it is not effective or not implemented. Sure, if it is an NC it should be reported, as the only bad NC is the one we do not know about.

In this case, since the employee knows what she has to do, this should not be an NC. In any case, knowing everything verbatim is never the intent unless it is a requirement, as in the case of a nuclear reactor where actions in an incorrect sequence could cause a catastrophe.

Tuesday, March 26, 2013

TITANIC TO COSTA CONCORDIA – USING THE ISM CODE IN THE TRUE SPIRIT OF THE SYSTEM APPROACH



Time, like an ever-rolling stream keeps moving.  Technology advances.  Civilization brings more and more rules.  Every tragedy from the Titanic to the Herald of Free Enterprise to the recent sinking of the Costa Concordia demonstrates one thing that does not change – human nature has its weaknesses.  Technology, to an extent, can produce the best of missiles but the man behind the launching mechanism retains the control and continues to be relevant.  Better educated, exposed and aware, perhaps, but still vulnerable to human frailties.  When organizations adopt the system approach, they set in place an atmosphere of continual improvement.

“A bad system will defeat a good person every time” – W. Edwards Deming.  This reminds me of a quote from the Caine Mutiny, which in essence says, “Navy is a master plan devised by the genius for execution by idiots”.  This master plan is the system, which should be so created that there is no need to blame the individual.  Every time the system fails, the management reviews and acts to work on the procedures that comprise the system.  Improve the system enabling better protection of the individual.

It is ironic that individuals who are assigned the designing and then implementing of the system often consider it a burden – little realizing that the system approach takes management away from asking, “Who” to asking, “How and Why”.  This results in further development of the system rather than blaming the individual who was simply working within the system.

In the maritime world, the P&I clubs may well be paying the insurance dues only after an individual is blamed, but the ISM Code in contradiction does not encourage the blame culture.  Good management personnel understand this.  Both the ISM Code and the process-based management system standard, ISO 9001, take management away from the blame culture and require continual improvement of the system.

Management, which can connect the clauses 4, 5, 8 and 9 of the ISM Code will understand and appreciate the fundamentals of the Code.  These members of management will reap dividends in terms of “cash in the bank”.  The term, “cash in the bank”, coined by QMII over 25 years ago, implies fewer to no accidents, resulting in greater customer satisfaction and an increase to the bottom line.  In the maritime world, the difference between a detention and a catastrophe really is the cost the company pays – the loss in revenue, the cash in the bank lost.  It implies loss of life, which in bare terms costs the organization.  Loss of a vessel can ruin the company.

If it is as simple as the correct implementation of the process-based approach, then why does management not get it?  Is it because the maritime industry is so drowned in day-to-day activities, and so much more concerned with avoiding being detained and somehow getting away from Port State Control (PSC) scrutiny, that it is unable to implement the ISM Code in the real sense?  Alternatively, is it that the old-fashioned top management (after all, those who go into management are a generation or two behind those who actually go to sea and operate the vessels) are not fully exposed to the true meaning of the system approach?

This analysis is not new.  Justice Sheen investigating the loss of the Herald of Free Enterprise found a “disease of sloppiness” and negligence at every level of the corporate hierarchy.  What did that mean?  It meant the system was not working.  In present-day man-made tragedies, we, too, conclude the system is not working.

Shore management and those at sea should already know the value of a correctly implemented process-based management system (ISM Code in conjunction with ISO 9001:2008).  The implementation of the Safety Management System (SMS) to prevent detention is not acceptable.  It should be one of the benefits of a good system. Aligning the system to just meet auditor requirements or take measures to prevent PSC actions is weakening the system.  The system will do that; however, the system should have a more honest, larger purpose where it welcomes nonconformities (NC) to enable management (both at sea and ashore) to fulfill their obligations under the ISM Code (clause 9).  Correction of NCs, followed by Root Cause Analysis, does not end the cycle.


I have drawn this graph above to show the benefits of respecting NCs (CARs). As the database builds, information can be obtained from the data to objectively analyze it, get the trends and predict potential NCs. When a system is first implemented, the number of NCs will increase. This is because the system is now recording the deficiencies. As the database builds, the analytical ability of the system is able to get the desired information for the management to resource the system (be it in hardware, equipment, training or manpower) and most importantly to recognize potential NCs. This then positively affects the bottom line, as now we are tackling potential NCs and not being reactive to NCs. There is a point in the system development of an organization where the NCs drop and the PARs (Preventive Action Requests) increase, indicative of the employees having matured and embraced the system. This is the place where the management also sees innovative ideas coming up and the management taking a more socially responsible role.

Preventing detention too often becomes the Master’s primary responsibility to the shore based management.  For PSC activities not to reveal NCs is a daily short-term goal.  Actually, this is counterproductive to the expectation of the Code and the system approach in general.  It encourages “hoodwinking” the PSC officers.  In my experience at sea and in my interaction with seafarers I have come across incidents of seafarers being paid ‘bonuses’ to get a clean audit report. If management takes that path, true safety cannot be achieved.  The PSC officers are stakeholders in maritime safety at sea.  Why have the PSC officers come in?  They meet a public outcry and demand following the numerous tragedies over the years.  They detain vessels in order to prevent disaster at sea from occurring.  What would the management prefer – a catastrophe or a detention?  Which is less expensive?

In the selection of Top Management (TM) at sea, be it the Captain, the Chief Engineer or the Hotel Captain (on passenger vessels from the Titanic to Costa Concordia) – if the Master does not perform or does not conduct himself professionally or as per expectations, whose fault is it?  Management ultimately picks the crews.  The hiring procedure needs to be targeted.  Those at sea are performing to the best of their abilities and working hard; it is their profession and life.  We must never forget that they are performing as per the selection criteria that management has set!  Often for seafarers the relationship with the vessel is from ‘gangway to gangway’. How does a company go about ensuring that its seafarers are equally invested in the success of the system? Some say that retention of seafarers is the answer. But is a high retention percentage indicative of a good ISM culture? The answer again lies in a better management system.  The culture should filter top down. The blaming of individuals should shift to blaming the system in order to encourage a more open system.  There should be no fear in exposing NCs.

The only bad nonconformity is the one we do not know about.  A system should be created which welcomes nonconformities.  A detention is a NC, which has saved an organization from a likely catastrophe.  Detentions are expensive; therefore, the need to create an SMS in the true spirit so it ensures NCs are detected internally, well in time, enabling management to take corrective action to determine the root cause.  To do that after each mishap, management should not jump to the CHECK stage of the Plan-Do-Check-Act (PDCA) cycle.  


They should instead go back to the ACT stage and carry out better management reviews, leading to better planning followed by correct implementation (DO) of the system.  The system approach, correctly implemented, will lead to a system which will work.  Moreover, when the system works, one of the many benefits will be few to no detentions.  The ISM Code is the basis for such a system.  An investment in a correctly designed system and the implementation together with active participation by management will ensure requirements are met.  When requirements are met, there will not be any detentions. Let us not prepare for audits, detentions and PSC exams.  That principle is incorrect.  Let management encourage those at sea, and those who manage the vessels from shore (such as the Superintendents, Port Captains, DPs and CSOs, etc.), to work together in the interest of a system which functions and leads to safety at sea.

The sinking of the Costa Concordia has brought into focus several SMS-related failures, from which timely and correct lessons must be learned to prevent the recurrence of similar catastrophic events.  These accidents will shape industry’s culture and motivate industry stakeholders to make vessel operations safer in an effort to continue to sustain the shipping business and ultimately create “cash in the bank”.

The ISM Code recognizes that human error is the cause of the majority of accidents.  The Code requires delineating responsibilities of the ship and shore side management, creating the system and then addressing the coordination of the ship-to-shore support.  If about eighty percent of marine incidents are caused by human error, companies then have the responsibility to create true organizational management systems, which help humans prevent and mitigate such incidents.  The management system is documented to the extent necessary for effective planning, prevention, operation and control.  The most important parts of any management system are not documented as they involve leadership, care and coordination.


The fish-bone diagram above indicates the principled working of a system. The inputs are worked on using the system to produce the desired output. The passengers coming on board will need the entire work spectrum indicated in the fish-bone diagram to work together, under the Top Management exercising care and coordination, for the output to be positive. The satisfied passengers then continue to patronize the company because their expectations have been met in terms of the holiday, safety, security and pollution prevention.

The fish bone diagram above has the vital rib – Care and Coordination – implying active and constant participation of the top management. The PDCA cycle at the Act stage (please see diagram above) requires the TM to act based on the review of the system. Audits are not meant to deliver changes or improve the system. If audits and auditors could improve a system, then auditors would be the CEOs of the shipping companies! It is the management that improves their systems. For this, they must understand their systems and lead the implementation of the system by example.  To do this, management must admit they also need to be trained.

The correct implementation of the SMS, based on the ISM Code, will ensure that ships operate safely.  The Code addresses the key provisions such as SMS objectives, safety and environmental protection policy, company responsibility and authority, designated person, master’s responsibility and authority, resources and personnel, shipboard operations, emergency preparedness, reports and analysis of nonconformities, accidents and hazardous occurrences, maintenance of the ship and equipment, documentation, company verification, and review and evaluation.  All of the provisions of the Code are designed to work interactively and in harmony with each other to enable the management system to be effective.  However, none of this can deliver the desired results without the total involvement and commitment of the company’s top management. Blaming individuals will only correct one person and not the system.  To improve the system, the root cause should be considered.  The management must take the blame for having a poor hiring process and lead the change by re-designing that process.  When the Captain at sea fails in his role, management must read it as the process having failed, not having been designed correctly.  It requires going back to the PLAN stage of the PDCA cycle.

One of the main risks that any shipping company encounters is the potential disconnect that can occur when the procedures in the SMS are not being followed by shore side personnel, seagoing officers and crew.  The worst that can happen to a company is when those ashore believe that the procedures are being followed, when in actuality, due to, for example, over-documentation or lack of awareness and training, they are not.  Seafarers in our courses share experiences of over-documentation in certain companies where the ‘paper’ eventually takes more importance than the actual procedure. This disconnect again is indicative of a system not functioning.  It is indicative of a cookie cutter system based on generic templates (a common culture in the maritime industry).  The designing of a system must be based on the “As-Is” or current state.  If consultants are used to assist in designing the system, beware of those who promise to do it cheaply sitting in their offices and providing master solutions!  If you accept these, then as TM you have already sown the seed of a weed.  Do not expect it to give you roses!  Good investment at the PLAN stage of the PDCA cycle is vital, in terms of both money and time.  Investment in designing the correct system based on the existing state is vital to the success of the system.

Any major marine incident investigation, like the Costa Concordia, should focus on the ability of a company to effectively implement their SMS procedures and whether or not there were any gaps in how the SMS procedures were applied.

If a company believes it has a perfect system and rests on its laurels, it is doomed to failure.

Thursday, March 21, 2013

ISO 28000: Using the International Standard in the ever deteriorating global security environment and its impact on the homeland security.

In his introduction to the National Strategy for Global Supply Chain Security, published on January 23, 2012, the President has clearly emphasized the United States' commitment to ensuring “efficient and secure transit of goods through the global supply chain system”.  Any disruption to the supply chain can adversely affect the economy of our nation or for that matter any nation.  Our homeland cannot be safe if the global supply chain remains vulnerable.  Adopting the process-based management system (PBMS) approach to global supply chain security can guarantee the rejection of the misconception that security and efficiency are not possible together.

ISO 28000 is a generic security management standard based on the PDCA cycle (Plan, Do, Check, Act) already extensively employed by businesses globally to bring in efficiency, continual improvement and innovation using the international standard ISO 9001.  Companies that are already compliant with the ISO 9001 standard are in a ready state to incorporate the additional requirements of ISO 28000.  Where companies are not compliant with ISO 9001 and are considering ISO 28000 as the initial standard to adopt the PBMS approach, they prepare themselves to benefit from the approach when they further widen their scope.  Companies within the US and those trading with the US that adopt the Customs and Border Protection (CBP) initiative, C-TPAT, benefit, as the C-TPAT initiative is based on the ISO 28000 standard and can therefore be implemented in a seamless manner.

Those companies which are considering a process-based approach to management for the first time not only ensure the security of the global supply chain but also prepare their systems for gaining the benefits of efficiency, continual improvement and innovation to their management systems.  Apart from C-TPAT, the other international initiatives similar to ISO 28000 include the SAFE Framework security requirements of the World Customs Organization (WCO), which has adopted the Framework of Standards to Secure and Facilitate Global Trade; the International Maritime Organization (IMO) / Safety of Life at Sea (SOLAS) security requirements (as included in Chapter XI-1 & 2) leading to the International Ship and Port Facility security requirements; and the EU Authorized Economic Operator (AEO) security requirements.

At one time, just ensuring efficiency based on ISO 9001 was an option for companies to remain in business and to operate profitably.  However, with time, to stay in business the companies had to take care of the risks, pollutants and adverse effects to the environment from the by-products of their processes.  ISO 14001 (Environmental Management System – EMS) took care of this.  However, following the tragedy of 9/11, this was not sufficient and protection of the business from security breaches became vital to ensure business continuity and profitability.  In 2001 – 2002 following the tragedy, it was the maritime community who realized their vulnerabilities and took the initiative to protect the maritime assets by adopting the IMO’s ISPS Code (International Ship and Port Facility Security Code).  This protection of the maritime assets, however, left the supply chain vulnerable to security breaches both upstream and downstream.  ISO 28000 fills this gap and brings the PBMS approach to the security of the entire global supply chain.

The supply chain globally connects the world economy today.  With the dependence on Middle East oil remaining a reality, global security of our supply chains is more critical than ever.  Terrorists and bad elements seeking to disrupt the supply chain can best be prevented by a system approach to security.  The dangers to our maritime assets in ports come from outside the ports, up and down the supply stream, so just protecting the ports is not sufficient.  The entire supply chain upstream and downstream needs planned protection using a fail-safe system.  One vessel destroyed in just the right location will affect a country’s economy for years.  One train with HAZMAT cargo destroyed in a vital location can cause great loss of life, cause mass hysteria and not only adversely affect the economy but also demoralize a nation.  Consider a remotely detonated nuclear device being exploded anywhere in the route of the long global supply chain and its impact.  In US neighborhoods, a lot of our trade from the North and South is carried out on trucks.  Securing the trucking routes can be a nightmare without a system approach.

Shipping unites the world by its complex intermodal transportation and is crucial to the world economy.  This then also makes it vulnerable to pirates and terrorists.  While the ISPS code ensures the requisite security of the maritime assets, these threats come into the ports and ships from outside.  Ninety-five percent of our imports are by sea.  The security of the ports upstream and downstream is a national necessity.  The United States also needs to consider the effects of the Panama Canal widening which will allow for new super carriers to come to our Eastern ports.  This will slow down the inspection process.  These implications will bring in nonconformities (NC) occurring over time as we receive this larger amount of shipping on our eastern shores.  Can the nation wait for the NCs to occur and then apply correction and corrective action, or should ISO 28000 be adopted across the supply chain to use the PBMS approach and ensure the security of the global supply chain?

Complexities of the supply chain cannot be managed without a system approach.  An end-to-end view of the entire operation needs to be the focus.  It will require coordination and protection carried out in a systematic manner.  The probability of a supply chain vulnerability causing harm by disruption will continue to grow without a system approach to the management of its security.  This risk can be mitigated by the adoption of the system approach fundamentals provided in this international standard.