On 2005 Mar 21, at 1:48 PM, Theo de Raadt wrote:

> Claiming ISO-9001 when you are not following the processes can
> get Adaptec into serious legal problems.

The Internet is a fascinating thing. I certainly won't claim to be an expert on these matters, but the quick research I've done since I got Theo's note has done plenty to back this statement.

(For those of you just joining us, this Slashdot article has links to relevant emails: http://bsd.slashdot.org/article.pl?sid=05/03/20/1944233 )

I make no claims for the validity of the sources I cite. This is not a formal investigation of the matter. Corrections are most welcome.

First, as to the question of Adaptec and ISO 9001, this press release, dated 1995 September 13

    http://ftp.isu.edu.tw/pub/Hardware/ADAPTEC/literature/0913nr.txt

states:

    The Electronics Industries Quality Registry has granted ISO 9001
    certification to Adaptec for the "design and manufacture of
    integrated circuits," according to a statement released today by
    Adaptec CEO Grant Saviers.

My casual search provided no indication that the certification has been revoked. Since I would think that such revocation would be big news, I assume that they still hold their certification.

We have already heard from a former Adaptec employee that the quality of their RAID products is questionable:

    http://www.sigmasoft.com/~openbsd/archive/openbsd-misc/200503/msg01250.html

I don't know when Scott worked at Adaptec, but I rather suspect that he was there for at least some time in the past decade.

Next, we move on to what ISO 9001 specifies. The document is expensive to obtain, but there are free summaries available, including this one:

    http://praxiom.com/iso-9001.htm
    http://praxiom.com/iso-9001-b.htm

Everything that Theo has been asking for is easily covered by what's described in those documents. (I *knew* I wasn't nuts for thinking that these requests are standard outside the IT industry!)

Some particularly relevant bullet points include:

 7.3.2 Define design and development inputs
     * Specify product design and development inputs.
     * Record product design and development input definitions.
     * Review product design and development input definitions.

 7.3.3 Generate design and development outputs
     * Create product design and development outputs.
     * Approve design and development outputs prior to release.
     * Use design and development outputs to control product quality.

Now, I know the bureaucratic mind well enough to realize that, in the full ISO 9001 specification, this might be defined into uselessness. Perhaps ``input'' and ``output'' in this context are more closely related to ``shotput'' and ``kaput.'' But I doubt it.

It would also seem that we are, AT THIS VERY MOMENT, witnessing a breakdown of ISO 9001's remedial requirements.

 8.2.1 Monitor and measure customer satisfaction
     * Identify ways to monitor and measure customer satisfaction.
     * Monitor and measure customer satisfaction.
     * Use customer satisfaction information.

Here we have customers who have purchased THOUSANDS of units from Adaptec up in arms...yet there is no indication that Adaptec is using that information in any productive fashion at all. Since we seem to be talking into a black hole, it may well be that they aren't even monitoring customer satisfaction--let alone measuring it.

Again, I'm brand-new to this whole ISO 9001 thing. It's obviously quite comprehensive, but it also looks like it's mostly common sense. Plan what you're going to do before you do it, follow (and amend) your plans, document and test everything. Get help from your customers and give them what they ask for.

Even if Adaptec has been following the letter of ISO 9001, this recent brouhaha pretty clearly demonstrates that they haven't been following its spirit.

Cheers,

b&
