Category: ISO 9001 – Quality Management Systems

ISO 9001 Implementation: Clarifications on Interpretation

ISO documentation practices, requirements, records

Question:

We are in the process of implementing ISO 9001 for our Organization and have several questions regarding clarifications on the interpretation.

1.  We have an Engineer Requirements Document (ERD) that is written for every single feature for the product.  Sometimes it is just one ERD for a product.  What should this be classified under?  Currently we are classifying it as a Quality Record as this is generated every time we have a product or a feature.  Initially we wanted to classify it as a Level 2 document, however it is not static and happens every time we come up with feature or a product.  Is this the right way of classifying?  This applies to the Marketing Requirements Document, drawings, specification etc.

2.  Can a Quality record be amended, changed, or it should not be changed?  If we follow the above process, the ERD will keep changing during the entire product realization process.  Is this ok?

3.  For control of external documents, is it sufficient that we have all the standards under one location in a server and have authorized personnel access it?  Also, could you suggest how could be notified when any of the standards are changed or updated for a newer version?  Is it a manual process to check the standards periodically or is there a way to have this automated using any service?

Response:

Thank you for contacting ASQ’s Ask the Experts program.

With regard to your first question, based upon the information provided, your Engineering Requirement Document (ERD) should be classified as a form.  It is important to know that the purpose of a form is to provide a standard format for documenting information that may be related to in-house, customer or industry requirements.  The completed form will then serve as a record to provide evidence that requirements have been met. Consider assigning a form number to your standard ERD format.  Once this is accomplished, each ERD should be assigned a unique number such as a product, job, sales or contract number to facilitate tracking.

In response to the second question, a record is normally considered to be a static document and should not be changed or amended.  In most cases where changes are made, revised inputs should be signed/initialed and dated along with an explanation for the change.  As mentioned earlier, a record provides objective evidence that requirements have been met.  Most companies use a work order, shop traveler or other similar form to document and communicate product requirements that will be needed by the process owners during product realization.  This form may be updated as each process step is completed.  At the end of the product realization process, the completed form (work order, shop traveler or other) serves as evidence that all requirements have been met.

Regarding question number three, please be aware that the method selected to store external documents is strictly an in-house decision.  However, external documents must be identified and their distribution controlled (see ISO 9001:2008, clause 4.2.3, sub f).  One of the best ways to ensure that your organization is kept informed about the availability of the most current edition of external documents such as industry standards, is to sign up for “Standards Alert”.  This is a free service provided by the TECHSTREET Store at www.techstreet.com.

I hope this helps.

Best regards,

Bill Aston, Managing Director
Aston Technical Consulting Services
www.astontechconsult.com
Kingwood Texas

For more on this topic, please visit ASQ’s website.

ISO 9001 Implementation

Audit, audit by exception

Question:

As Quality Manager I have been assigned the task of getting the company ISO Certified. Certification was granted in 2000, but their old system is in bad condition. The structure is incomplete, the organization and wording were created by an accountant and a shop foreman with little formal education. And it shows.

I have a copy of ISO 9001:2008, and attempting to integrate the old into the new is disheartening. Restructuring the system is the only answer, and so my question is:
Should all (8) sections, and all associated sub-sections of the ISO standard be the same in my standard?

I’m speaking in terms of the section and sub-section naming, and organization. The details of each I will define in accordance to our specific applications, but for ease of auditing am I on the right track?
Thank you for your time in this matter.

Response:

Thanks for contacting ASQ’s Ask the Experts program.  Based upon the information provided, I would suggest that you consider developing your new quality manual using the same or similar layout of sections and clauses found in ISO 9001:2008.  Although it is up to every company to select a format, or structure, for their QMS that will best support their own needs, using a format that is consistent with the layout of ISO 9001:2008 will help facilitate future audit activities.

Since your company was previously certified as mentioned in your inquiry, most of the work with regard to section and clause references should have already been completed.  Likewise, it should be noted that the structure, or format,  of ISO 9001:2000  vs. ISO 9001:2008 is essentially identical.  So, all section and clause references should already exist in your current quality manual.

To ensure that your objective of obtaining ISO 9001 recertification is accomplished in a timely and cost effective manner, I recommend that your company consider the following steps:

  1. Identify the timeline for completing the development, implementation and recertification of your QMS.
  2. Contact a Registrar to determine their costs, requirements and availability to meet your timeline for QMS recertification.
  3. Assess the availability of internal resources (personnel) that will be required for the development, implementation and maintenance of the QMS.
  4. Identify your company’s need to obtain external support from a qualified QMS consultant to assist with the recertification of your QMS.

Before beginning your QMS recertification project, it is highly recommended that your company first conduct a gap analysis of the present quality management system and all related processes.  This will greatly help to identify what actually needs to be done to meet ISO 9001 certification requirements. This information can be used to establish a realistic project timeline, and estimate required man-hours and associated costs for recertification.

Please review ASQ’s Ask the Experts, Blog for other related posts such as “The Cost of ISO 9001 Implementation”.  I hope this helps.

Best regards,

Bill Aston, Managing Director
Aston Technical Consulting Services, LLC
Kingwood, Texas
www.astontechconsult.com

For more on this topic, please visit ASQ’s website.

Best Practices for Non-Compliance Reporting in ISO 9001

Reporting, best practices, non-compliance reporting

Question:
I have just assumed the role of Quality Assurance Manager for a worldwide manufacturer and installer of transportation systems.  As part of learning my new responsibilities and getting familiar the existing Quality Management System (we are currently ISO 9001:2008 certified), I have  encountered some things that I think may need to be changed.  Any opinions and/or advice would be greatly appreciated.

Here’s the issue; our current system for generating and tracking Non-Compliance Reports (NCRs) seems flawed.  The way it is set up, all NCRs that are generated include a check box to show any Corrective Actions or Preventative Actions.  If these boxes should be checked, the report is now called a NCR/CAR/PAR, all on the same form. The creator can then enter any actions taken.  There is also a section to enter the “solution” for the non-compliance.  The way this system works, it is not possible to create just a Corrective Action or Preventative Action Report (CAPA); they are shown as results, or solutions, to the NCR. Is this a good practice?

Are there better ways to utilize this process?  In going through the report from last year’s third party ISO audit, it was mentioned that we needed to improve on this process, and that the NCR/CAR/PAR should be tracked separately.  Any suggestions?

Response:
Generally, it is a good idea to use the same process for internal corrective action, a supplier corrective action, or a preventative action activity.  This will ensure that all required steps will be followed. As a Senior Quality Director for a company, we had our computer system log each type  separately as we set different deadlines for our corrective actions and preventatives.

The issue may be resolved by having the reporting system separate each type with aging timeless. I believe  each type needs to be tracked and reported monthly as well at Management Review meetings.

Ron Berglund
ASQ Fellow

For more on this topic, please visit ASQ’s website.

ISO 9001 Cost of Implementation

Question:

What are the estimated costs of implementing ISO 9001?

We are a company of five divisions, Contract Manufacturing, Structural Fabrication (AISC & ASME cert), Steel Service Ctr, Rebar (CRSI vert) & Metal Castings. We employ approximately 200 people and operate out of two facilities. Our Metal Casting division is a separate location from our other operations. I am trying to generate an ROI and a time frame of implementation.

Answer:

The effect of ISO 9000 certification on financial perfomance

Thank you for contacting ASQ’s Ask the Experts program.  This is an excellent question and one that is often asked by companies that are considering ISO 9001:2008 certification.  In order to accurately estimate those costs that will be associated with obtaining ISO 9001 certification, the following approach should be considered:

The first step should include contacting a Registrar to identify the following:

  1. Cost of application fee.
  2. Cost associated with conducting required stage 1 and stage 2 audits for ISO 9001 certification.
  3. Hourly and per day rates charged for offsite and onsite audit activities.
  4. Administrative fees, if any.
  5. Travel time costs (minimum and maximum daily charges).
  6. Other associated costs for airfare, hotel, meals and car rental.
  7. Frequency and cost for surveillance audits to maintain certification.
  8. Cost for quality management system re-certification.

Discuss your company’s plans and timeline with the Registrar to obtain QMS certifications at separate locations.  There may be an opportunity to share or save costs.  As an example, consider establishing a single corporate quality manual and QMS procedures that will be common to both facilities.  Also discuss the availability and location of potential Auditors that the Registrar may assign to your facilities, usually the closer they are, the better.

In addition to determining the Registrar’s costs, it is equally important to determine the Registrar’s certification requirements.  Some require that at least four (4) months of records be available to provide evidence of conformance and implementation of the QMS. Consider contacting a couple of Registrars, and compare their costs and requirements. Another important point is to select a Registrar that is familiar with your industry or business sector.  Be picky and ensure that the Registrar can assign an Auditor that has past experience that relates to your QMS processes or product line.

Step number two is to determine the availability of in-house expertise that will be required to develop and implement a quality management system for certification.  If these activities are going to be outsourced, contact an experienced QMS consultant and request that a quote for a gap analysis be provided.  Do your homework before selecting a QMS Consultant!  Contact a few QMS Consultants, compare their rates and request contact information for past clients, or other references, to verify their experience and reliability. Again, select a Consultant who has past experience with your industry, processes and/or product line.

Confirm that the results of the gap analysis will document all areas that meet certification requirements as well as those that do not, preferably by clause number.  The results of this gap analysis will be used by the Consultant to estimate the number of the man-hours that will be required to develop and assist with the implementation of the QMS for certification.

The bottom line is that the cost to obtain ISO 9001 QMS certification cannot be effectively estimated without knowing these four (4) items:

  1. The Registrar’s cost for ISO 9001 registration.
  2. The company’s current level of conformance with ISO 9001 requirements.
  3. The amount of resources that the company will dedicate to this project for development and implementation.
  4. The amount of support that will be required from a Consultant and the associated costs.

The following link to a flow chart provides a general overview of the ISO 9001:2008 QMS certification process.

ISO9001.2008.Cert.Process

I hope this helps.

Best regards,

Bill Aston, Managing Director
Aston Technical Consulting Services,
Kingwood, TX
Website: http://www.astontechconsult.com
email: quality@astontechconsult.com

For more on this topic, please visit ASQ’s website.

ISO 9001 Management Checklist

About ASQ's Ask the Standards Expert program and blog

Question:

Is there a list of duties for implementing ISO 9001:2008 for the management representative? I am interested in a checklist of responsibilities for that individual to use as a guide to help a company prepare for an ISO 9001:08 external audit leading to certification.

Response:

Thank you for your question.

In answer to your question, I must mention section 5.5.2 of the ISO 9001:2008 Standard. Here is the first place you will see a list of duties and responsibilities for the Management Representative (MR). While the points noted in 5.5.2 a, b, and c cover a lot of areas, I think you are looking for an expanded list and one with more specifics.

One important beginning step is a Gap Analysis. This will help your organization and your MR to see where you are at and where you need to go. From the results of your Gap Analysis, your MR and the Planning Team (if you have one) can generate a Gantt Chart. This will be a good guide to help everyone involved recognize where your company is during the implementation process.

The management representative (MR) has the responsibility of getting the quality management system (QMS) put in place. He/she must also keep the QMS effective and up to date. Your MR must report the current status of your QMS to top management.

The MR must also be well aware of management concerns and be capable of representing the company. I remember reading somewhere that a good MR is;

  1. A member of management (not necessarily a QC Manager).
  2. Willing to learn.
  3. Willing to teach.

All three of these items require capability. Capability to manage, learn, and teach.

As a final point on this question; I would advise that you acquire a book or more than one which can be used as a guide. ASQ has numerous publications which would help you to generate a list of your MR’s duties. The list can be long or short, depending on your company. It is always necessary for a management representative to be good at communicating, learning, researching, training, standing firm when necessary, and recognizing the importance of team work.

Bud Salsbury, CQT, CQI

Some additional resources available through ASQ:

ISO 9001:2008 Explained and Expanded
Optimizing your QMS Success
Charles A. Cianfrani and John E. “Jack” West
Print Book: http://asq.org/quality-press/display-item/?item=H1446

A Practical Field Guide for ISO 9001:2008
Erik Valdemar Myhrberg
Print Book: http://asq.org/quality-press/display-item/?item=H1369

ISO Lesson Guide 2008
Pocket Guide to ISO 9001:2008, Third Edition
J.P. Russell and Dennis Arter
Print Book: http://asq.org/quality-press/display-item/?item=H1344

ASQ Gantt Chart: http://asq.org/learn-about-quality/project-planning-tools/overview/gantt-chart.html

ISO 9001 Quality Policy

Audit, audit by exception

Question:

ISO 9001:2008 clause 5.3 regarding quality policy requires that it should include commitment to continually improve the effectiveness of quality management system. Our Registrar is saying that for compliance these same words should be included in the quality policy. Our opinion is that our policy includes commitment to continually improve the standard of services to that client which in real terms is how the effectiveness of QMS would be measured. We feel that copying words from the standard will not add any value. Any suggestions on how we should respond to the Registrar.

Response:

Good Morning,

I read your question and can understand why you might be somewhat confused. Please notice that the words in the standard say that you are to “continually improve the effectiveness of the quality management system.” I’m sure that your quality management system (QMS) covers all parts of your organization, not just your ‘standard of service.’ The intent of the standard is not to insist that your quality policy is copied word-for-word from the standard itself. Nonetheless, the word “shall” at the beginning of 5.3 indicates a requirement. You are required to include those main points in your policy, which will help your entire organization remain compliant.

Consider this-it is common practice that companies generate their Corporate Quality Policy first. Everything after that, the procedures, the work instructions, etc. fall in line under the main points delivered in that policy (5.3c “provides a framework for establishing and reviewing quality objectives”). If your organization’s quality policy only suggests improving your ‘standard of service’, then is the rest of your QMS to be left on its own as “good enough”? That question is just to make a point. I hope you see the point I’m making. Your registrar can be a valuable member of your team. You would be wise to consider what that particular team mate has to contribute.

Thank you very much for sending your good question to Ask The Experts.

Bud Salsbury, CQT, CQI

For more on this topic, please visit ASQ’s website.

TS 16949 Conformance for a Non Value Add Company

Automotive inspection, TS 16949, IATF 16949

Question
We’re a fabless semiconductor company, Tier 2, who is in the process of designing and developing an automotive product to deliver through our TS 16949 certified subcontractor, Tier 3, to an auto supplier Tier 1, for an OEM.

We know and understand that we cannot get TS 16949 certified, but we are still working at bringing up our ISO 9001 processes certified for 14 years to withstand a TS 16949 audit.
As we do our internal process audits in preparation for our ISO 9001/14001 Surveillance audit in June/13 we’re looking for TS gaps which we’ll document and work to close.
We’re looking for a registrar who would audit us to TS 16949 and give us a report that basically states that, assuming we do, have withstood the audit and that if we were an Mfg’r qualified to be TS 16949 certified company that we would pass a TS 16949 audit.
Are you aware of any other companies who have done this or of any registrars who provide this type of service?

We’re either setting precedence for other fabless semiconductor companies designing to deliver for auto, or it’s already been done.  If it has, then what is this type audit of called and do you know anyone who has done it?

Thanks for any input you may provide.

Answer
Thank you for your question. There are two issues here. Firstly, contact your existing registrar with this question and see if they can comply with your request.

Secondly, this is about your obligation to provide a proper PPAP submission for these parts, whether they are manufactured by you or by a supplier. If you are the supplier for these parts, there are likely terms and conditions in your Purchase Order that require you to submit a level 3 PPAP. If these requirements are present, they are auditable as a customer-specific requirement whether you are registered to TS 16949 or not.

I hope this answers your question.

Denis J. Devos, P. Engineer
A Fellow of the American Society for Quality
Devos Associates Inc.
Advisors to the Automotive Industry
http://www.DevosAssociates.com

For more on this topic, please visit ASQ’s website.

ISO/TS 29001:2010 Standard in Oil and Gas Production

Oil and gas industry, petroleum industry

Question:
We are an Oil & Gas production testing, frac flow back, and trucking company and while in the beginning stages of instituting ISO 9001:2008 standards, we ran across Oil & Gas industry specific standards ISO/TS 29001:2010 and we are curious as to whether or not we have to apply TS 29001:2010, ISO 9001:9008, and maybe some ISO standards for trucking to receive our ISO certification.

Response:
All of the TS should include ISO as the back bone with Industry specifics. The customers dictate which is required. For Auto Industry it is TS 16949 and for Aerospace AS9004. The technical specifications shall include ISO 9001 and the company is registered to the ISO with a TS. A little confusing but eliminates a vast set of international standards. The QMS is ISO 9001. I will always go on the side of using the industry specifics if that is the only industry that they work within as most TS requirements require the use of core tools. If you have these particular TS requirements I will review them but I very sure about this answer.

Ron Berglund
Global Quality Coach

For more on this topic, please visit ASQ’s website.

ISO/TS Standards Exclusions

Checklist, Conformity, Go/No Go

Question

I have a question regarding exclusions from the ISO/TS standards.

The majority of our business is the design and manufacture of enclosure hardware. Recently though, a small portion of our business has become the sole North American Distributor for an Italian company. Their product lines are similar to ours. However, we procure their products and simply resell/distribute to their customers stateside, to Canada and Mexico. We do not have Design or Process Control for these items; they are pass-through product.

Therefore, my question is related to permissible exclusions from the ISO standard. Should we seek exclusions regarding certain clauses of Clause 7 of the standard, for this certain “supplier”, and/or for certain product groups that are sold on their behalf?

Any assistance you could provide would be helpful.

Answer

Hello,

At first, your question seemed relatively uncomplicated and I am inclined to say that you can simply sell or provide the products in question with a disclaimer or something identifying the fact that your company is not the designer/manufacturer of the product. My company occasionally has purchased parts inserted into or added to the products made (like bushings or threaded inserts, etc). We don’t have to add anything to our QMS for those as long as those items meet regulatory and statutory requirements.

However, I should mention, the standards make it clear that exclusions are permissible if “such exclusions do not affect the organization’s ability or responsibility to consistently provide product that meets customer and applicable statutory and regulatory requirements.”

Therefore, stepping away from the initial ‘simple’ answer, I would say that such exclusions would not be permissible. This is due to the fact that your organization is ultimately responsible for meeting customer requirements. Although you do not design or manufacture that specific product, you provide, and are responsible for what the customer requests.

You are also responsible for seeing to it that the OEM is meeting customer as well as any statutory or regulatory requirements. This would be of particular importance if these are electrical enclosures or intended for hazardous services, such as NEMA 7 (explosion proof enclosures).

Since you already design and manufacture your own products and have the Clause 7 included in your QMS, it would be counterproductive to add more documentation to exclude what you have mentioned. It would be wise to notify customers up-front, in the sales/purchase order process, that the product you are distributing is from a separate company.

Thanks much for this good question.

Bud Salsbury
ASQ Senior Member, CQT, CQI

For more on this topic, please visit ASQ’s website.

Audit by Exception

Audit, audit by exception

Question:

I would like information regarding the use of the internal auditing method referred to as “audit by exception”. While this method sounds like it may provide a much more efficient use of my time and my Manager’s/employees time, I have no idea how this is accomplished in a manner that can still be compliant and what proof would be deemed acceptable when going through my external RAB certified audit. I am referring specifically to ISO 9001:2008 in regards to auditing. I currently audit every process/process owner every 6 months in a calendar year and it is a full week of audit time each audit. Thank you.

Response:

Thanks for contacting ASQ’s Ask the Expert program. With regard to your inquiry, I suggest that you continue to use an audit methodology that best serves your organization’s requirements. As you are aware, “auditing by exception”, is a practice that is utilized in the financial sector. The terminology “audit exception” in this case, has the same meaning as an “audit finding”. Since internal audits are one of the most important tools that an organization has to assess the effectiveness and continual improvement their quality management system, auditing by exception may not provide the level of information needed to keep your organization’s top management and it’s process owners adequately informed.
In my opinion, an effective internal audit will focus as much on identifying opportunities for improvement (OFI) as documenting audit findings. A robust internal audit report will identify nonconformances, but will equally focus on areas that can be improved or that have improved. To sustain continual improvement of a new or a matured QMS, the process owners and employees must be kept informed and engaged. One of the ways to accomplish this, is to share audit results that report on findings, OFI and the status of objectives or targets that have been established. Auditing by exception, usually will not provide this level of reporting.

Please note, ISO 9001:2008, clause 8.2.2, does not prescribe any particular audit methods to be used for 1st, 2nd or 3rd party audits. Each organization is expected to select audit techniques that best suit the scope and objective of the audit to be conducted.

I hope this helps.

Best regards,

Bill Aston, Managing Director
Aston Technical Consulting Services
Kingwood, Texas