Internal Audits

Question

Can the Management Representative be part of the internal auditor team?

Answer

Thank you for contacting ASQ’s Ask the Experts program. Concerning your question, ISO 9001:2008, clause 8.2.2, only prohibits persons from auditing their own work. So provided that the Management Representative is assigned to audit processes that are outside his/her work responsibilities, there is no other restriction in this regard. ISO 19011:2011, clause 4.0, “Principles of auditing”, as well as clause 6.3.3, “Assigning work to the audit team”, should be reviewed for additional insight and understanding.

I hope this helps.

Best regards,

Bill

Bill Aston, Managing Director
Aston Technical Consulting Services, LLC
Kingwood, TX 77339
Office: (281) 359-ATCS (2827) or Toll Free: (888) 968-9891
Website: www.astontechconsult.com

For more on this topic, please visit ASQ’s website.

Approved Supplier List

Question

I would like to know how supplier status in the Approved Supplier List (ASL) should be managed so that there is complete traceability. For instance, if a vendor’s status is changed from approved to not approved in the ASL for reasons other than substandard performance which is documented in an audit report, how should QA document such a change to ensure that these changes are tracked? Could QA make changes in the ASL without notifying the Purchasing Department and without any documentation?

Answer

Thanks for contacting ASQ’s Ask the Experts program. Concerning your questions about supplier status traceability and ASL management, the following response is provided.

Depending on the number of suppliers involved and the availability of resources, an organization may choose to utilize a single method or a combination of methods to monitor supplier performance and supplier status. These methods may range from using an MS Word or Excel spreadsheet or Access database to a multi-user database.

As you are aware, ISO 9001:2008, Clause 7.4.1, requires the organization to establish criteria for selection, evaluation and re-evaluation of suppliers.  This clause also requires records of results of evaluations to be maintained.  This includes any necessary actions taken as a consequence of the evaluations conducted, such as the removal of a supplier from the ASL or changed approval status.

ISO 9001:2008 does not limit a company’s ability to remove a supplier from the ASL.  This is an internal decision based on the company’s established criteria.  So there could be various reasons for removing a supplier from the ASL.  Likewise, with changing a supplier’s status from pending, approved to not approved.  As mentioned, ISO 9001:2008, Clause 7.4.1, requires records of supplier evaluations to be maintained, and any actions taken as a result of the evaluation to be retained.

A primary purpose of the ASL is to ensure that the placement of purchase orders or contracts is limited to those suppliers that meet the company’s established criteria for supplier selection, evaluation, and re-evaluation. For this reason, Purchasing must be included in any changes made that may affect their use of the ASL.

Generally speaking, Purchasing is responsible for maintaining and updating the ASL, which includes ensuring the current status of suppliers of products and services is identified. The company’s internal audit process is typically used to assess Purchasing’s conformance with established criteria for supply chain management.

In summary, I would not recommend that changes be made to any QMS process without the involvement of the QMS process owner and management as applicable.  ISO 9001:2008, Clause 5.4.2, sub b., requires top management to ensure that the integrity of the QMS is maintained when changes are planned and implemented.  If changes are made to the ASL, Purchasing should certainly be involved.

I hope this helps.

Best regards,

Bill

Bill Aston, Managing Director
Aston Technical Consulting Services, LLC
Kingwood, TX 77339
Office: (281) 359-ATCS (2827) or Toll Free: (888) 968-9891
Website: www.astontechconsult.com

Auditor’s Responsibilities

Question

Is it an auditor’s responsibility to seek the “root cause” while conducting an audit?

Answer

An auditor should not seek the root cause for an audit finding. An auditor’s responsibility is to verify compliance with a requirement (e.g. ISO 9001 standard) and determine if there is compliance with the requirement or not. In doing so, there is objectivity in making that assessment.

If an auditor determines the root cause, it introduces subjectivity and potential conflict of interest to the audit process and in correcting an issue. In addition, the auditor may not have the full information about the issue, thus the “root cause determined by the auditor” may not correct the non-compliance to the requirement.

Best Regards,

Dilip

Dilip A. Shah ASQ Fellow, ASQ-CQE, CQA, CCT,
President, E = mc3 Solutions,
Technical Director, Sapphire Proficiency Testing Services
Past Chair, ASQ Measurement Quality Division (2012-2013)
Past Member of the A2LA Board of Directors (2006-2014)
Tel: 330-328-4400
Fax: 1-888-226-9533
E-mail: emc3solu@aol.com

TS 16949, ISO 9001

Question

Our company designs and manufactures commercial and automotive semiconductor products. We used to maintain dual certification (ISO 9001 and TS 16949) for all of our manufacturing and assembly locations, but recently dropped the ISO 9001 certification. My questions are as follows:

1) If we manufacture automotive and non-automotive products in the same location “site”, without dedicated separation, does the TS certification eligibility apply to the entire site?

2) Can we include the non-automotive design RSLs in the TS 16949 certificate scope, or would we need a separate ISO 9001 certificate to cover those activities?

Answer

Thank you for your question.   Yes, TS 16949 requirements would apply to all of your “automotive” processes whether they produce/support only automotive products or not.   This is actually the way you’d want to do it:  it would be more complicated to try to have two systems for automotive and non-automotive products.    If you have only one certification, the scope of your audits would have to be your whole product line, and not just your automotive products.

The answer to your second question is again related to the scope of your registration. If you are not design-responsible for the automotive side of your business there is a risk that your TS 16949 audits (internal and external) do not include your design function. If you want your design activity in scope, work with your registrar to roll it into your scope of registration. Understand that if you do it that way, your non-automotive design would be subject to all of the additional 7.3 controls listed in TS 16949. Although you should be able to cover it under one registration, it will be up to them if they want you to split it out into a separate ISO 9001 registration. The impact of that difference should be minimal.

Please let us know if you have any follow-up questions related to this answer.

Denis

Denis J. Devos, P.Eng
A Fellow of the American Society for Quality
Devos Associates Inc.
(519) 476-8951
www.DevosAssociates.com

TS 16949 Layouts

Question

On layout inspection, if the customer doesn’t specify, what will be the minimum required for TS 16949? What is the frequency of this layout inspection for TS 16949?

Answer

Thank you for your question.  ISO/TS 16949:2009 does not require an annual layout, but Clause 8.2.4.1 states that annual layouts will be performed in accordance with the Control Plan.    If the Customer requires an annual layout, you will flow that requirement down into your Control Plan and conduct the layouts.  If none of your customers require an annual layout, you are not required to do them (but you can if you choose to do so).

I hope you found this answer helpful.

Denis

Denis J. Devos, P.Eng
A Fellow of the American Society for Quality
Devos Associates Inc.
(519) 476-8951
www.DevosAssociates.com

ISO 9001 Internal Audit and TQM

Question

In ISO 9001 internal audit process, can we include the TQM function? If so, then which clause of ISO 9001 refers to it?

Answer

With regard to the ISO 9001:2008 internal audit process and its relationship to total quality management (TQM), it should be noted that TQM was a concept used by many companies worldwide prior to the existence of ISO 9000 quality management systems.

A few of the commonalities that are shared between TQM and ISO 9001:2008 include their focus on:

  • Reducing costs
  • Increasing profits
  • Leadership’s involvement
  • Ensuring customer satisfaction
  • Ensuring employee competency and involvement
  • Resource management
  • Quality system planning
  • Development of mutually beneficial supplier relationships
  • Accomplishment of objectives that support the organization’s mission (i.e., quality policy)

The primary difference that sets ISO 9001:2008 apart from TQM is that ISO 9001 has defined requirements for the establishment of documented procedures and records to provide evidence of conformance.  The concepts of TQM permeate quality systems that are based upon ISO 9001:2008 requirements.  In my opinion, if your internal audit criteria is ISO 9001, you’re also verifying that TQM concepts are being utilized within the quality system.  More information regarding TQM is provided in Juran’s Quality Handbook, 5th Edition.  Also consider reviewing the eight (8) quality management principles provided in ISO 9000:2005, Introduction, subclause 0.2.  These principles are applicable to all ISO 9000 family of quality management system standards.

Bill Aston, Managing Director
Aston Technical Consulting Services, LLC
800 Rockmead, Suite 170, Kingwood, TX 77339
Office: (281) 359-ATCS (2827)
Website: www.astontechconsult.com

ISO 17025 Certified Testing Lab Not Required to Provide Raw Testing Data?

ISO/IEC 17025:2017 General requirements for the competence of testing and calibration laboratories

Question

I have sent a sample for testing to a lab which is ISO certified, they have provided me with the test results, however, when I asked them for the Raw Data to support the testing performed as well as to keep it on record for the future investigational use, the testing lab refuses to provide the raw data, stating that we are not a GMP lab and as an ISO certified lab, we are not obliged to provide the raw data. They say the raw data could be shown to the regulatory authorities. Is this true?

The contract testing lab we mentioned is certified to ISO 17025.

Answer

Since the laboratory is “accredited” to ISO/IEC 17025, it will be useful to review a few relevant passages from that standard (note that the term “certified” or “registered” is usually used for organizations registered or certified to ISO 9001 quality management systems).

ISO/IEC 17025 Clause 4.13.2.1 states:

“The laboratory shall retain records of original observations, derived data and sufficient information to establish an audit trail, calibration records, staff records and a copy of each test report or calibration certificate issued, for a defined period. The records for each test or calibration shall contain sufficient information to facilitate, if possible, identification of factors affecting the uncertainty and to enable the test or calibration to be repeated under conditions as close as possible to the original. The records shall include the identity of personnel responsible for the sampling, performance of each test and/or calibration and checking of results.”

ISO/IEC 17025 Clause 5.10.1 paragraph 3 states:

“In the case of tests or calibrations performed for internal customers, or in the case of a written agreement with the customer, the results may be reported in a simplified way. Any information listed in 5.10.2 to 5.10.4 which is not reported to the customer shall be readily available in the laboratory which carried out the tests and/or calibrations.”

Further, ISO/IEC 17025 Clause 5.10.4.2 paragraph 2 states:

“When a statement of compliance with a specification is made omitting the measurement results and associated uncertainties, the laboratory shall record those results and maintain them for possible future reference.”

The ISO/IEC 17025 accredited laboratories are required to retain test results when they do not report the results on the test certificate (or report) to the customer. A word of caution: The laboratory may have a record retention policy (it should be documented in their quality system per ISO/IEC 17025 Clause 4.13.1.2). Ensure that future record requests are made within the record retention policy period!

In the future, it would be best to specify in the purchase requisition what test data the customer requires from the test laboratory. This forms the basis for a contractual requirement and can be contested legally if the laboratory does not fulfill the customer’s requirements if it accepted the purchase requisition (This would apply to both ISO 9001 registered and ISO/IEC 17025 accredited laboratories).

The laboratory’s other argument about “GMP lab and as an ISO certified lab, they are not obliged to provide the raw data” is not consistent with the requirements of ISO/IEC 17025. The customer should file the refusal to provide data as a complaint to the laboratory under the clauses cited and ask the laboratory for corrective action under ISO/IEC 17025 Clause 4.8 (complaints) and 4.11 (corrective action).

If an ISO/IEC 17025 accredited laboratory refuses to provide corrective action under the requirements stated in this article, it is possible to escalate this complaint to their accrediting body.

Dilip A Shah
ASQ Fellow, ASQ CQE, CQA, CCT
President, E = mc3 Solutions,
Technical Director, Sapphire Proficiency Testing Services.
Past Chair, ASQ Measurement Quality Division (2012-2013)
Former Member of the A2LA Board of Directors (2006-2014)

Postponement of Surveillance Audit Due to Force Majeure Event

Question

If a Force Majeure event affects the company during the time that the annual Surveillance Audit was to be done, can the Surveillance Audit be postponed until after the conclusion of the Force Majeure period without losing ISO 9001 certification? Will the impact be 1.) Merely a certificate lapse rectified with passing the re-scheduled Surveillance Audit loss, 2.) Loss of certification requiring the next audit to be a Certification Audit instead of a Surveillance Audit, or 3.) Is it up to the Registrar? In this case, assume the Surveillance schedule delay is only 3 months or less, and the company has an excellent ISO audit track record. Thank you.

Answer

Thanks for contacting ASQ’s Ask the Experts program. With regard to the frequency of surveillance audits as well as deferral of an audit as a result of force majeure, it’s important to know that all reputable Registrars or certification bodies (CBs) are accredited by an accreditation body (AB) such as ANAB. This is intended to ensure a consistent approach for issuance of certifications by CBs. To maintain certification the CB may conduct periodic surveillance audits. Registered or certified organizations must be re-certified every 3 years or prior to the expiration date listed on their certification certificate.

Surveillance audits are conducted by the Registrar to verify the organization’s continued implementation as well as the improvement of the effectiveness of their QMS.  Registrars may increase or decrease the frequency of surveillance audits based upon the maturity level of the organization’s QMS.  For this reason, the frequencies that surveillance audits are conducted may vary, but are usually scheduled annually or every 12 months.  Other situations that may affect actual frequency of surveillance audits may be the availability of Auditors or possibly, unusual situations being experienced by the Auditee or organization.

As already mentioned, re-certification audits are required to be conducted every 3 years. A Registrar typically does not have the authority to extend any organization’s ISO 9001 certification beyond the expiration date as shown on the certification certificate. I would suggest that the certification contract agreement between your organization and the Registrar be reviewed to determine how conditions of force majeure are to be addressed. This review should be followed up with a discussion with the Registrar to ensure there will be no impact on your organization’s existing QMS certification. For more information about surveillance audits and other information regarding certification bodies (CBs) review IAF guidance document “Application of ISO/IEC Guide 65:1996”, Issue 3 (IAF GD 2006). A copy of this document can be downloaded at www.iaf.nu.

I hope this helps.

Bill Aston, Managing Director
Aston Technical Consulting Services, LLC
www.astontechconsult.com
Kingwood, TX  77339

The Role of an Observer During an Audit

Question

A customer of ours wants to participate as an observer in an upcoming audit. I’ve not been able to find much information about the role of observer – what they can and cannot do.

For instance, I assume that they cannot ask questions during the audit interview process. Does anyone have an appropriate checklist for an observation – list of dos and don’ts?

Answer

The auditors should be notified of the presence of the observer in advance. There are times where this may not be allowed depending on the type of the audit.

The customer should sign a confidentiality agreement on not disclosing any information outside the audit process. The rules should be established as part of this confidentiality agreement.

An observer (customer) may not engage in any part of the audit.

The observer may not interfere in any aspect of the audit (may not inject, provide opinions, argue a finding, speak for or against a finding, use the audit information for a future punitive measure).

If questioned during the audit, the observer should explain the role as observer. Ideally this should be brought to the attention of the auditor in advance.

These basic rules ensure that the audit is not compromised in any way and the customer’s request to witness the audit is conducted in a professional manner.

Dilip A Shah
ASQ Fellow, ASQ CQE, CQA, CCT
President, E = mc3 Solutions,
Technical Director, Sapphire Proficiency Testing Services.
Past Chair, ASQ Measurement Quality Division (2012-2013)
Former Member of the A2LA Board of Directors (2006-2014)

Switch from ANSI/ASQ Z1.9 to ANSI/ASQ Z1.4?

Question

Hi,

We are using ANSI Z1.9 for a dimension test of packaging components. As dimension is under variable, can we switch to ANSI Z1.4? The reason for this is to align with our supplier who is using ANSI Z1.4.

Can you please advise if this switching is acceptable. If yes, what should be taken into consideration like AQL, etc.?

Answer

The ANSI/ASQ Z1.4 standard is for incoming inspection of attribute characteristics.  As your measurement is a variable measurement, it is appropriate to use ANSI/ASQ Z1.9.  Both plans are indexed by AQL, but have different sample size requirements based on the level of protection you are looking to maintain.  I assume your real question is can you switch from a variable plan (Z1.9) to an attribute plan (Z1.4) for your inspection to align with your supplier’s use of Z1.4.   Though I do not believe harmonizing with the supplier’s use of Z1.4 for your acceptance testing is necessary, it is possible to use Z1.4 by redefining the variable measurements as either good or no-good.  Choosing to move to Z1.4 from Z1.9 will increase your sample size for the same level of protection and same lot size.  For example, a lot size of 5000 would have a sample size of 75 in Z1.4 and 200 for Z1.4 for a General Inspection Level II plan.  Both plans give approximately the same AQL and LTPD, though the Z1.4 will require 2.67x more samples.

Steven Walfish
Chair Z1, U.S. TAG to ISO/TC 69
ASQ CQE
Staff Statistician, BD
