Tag: bud salsbury

Transitioning to ISO 9001: 2015

Analysis, Statistics, Control Charts, Statistical Methods, Audit, Auditing

Question

ISO 9001: 2015 has a 3 year implementation period. I recertified in 2014 and need to recertify in 2017. At this point I have a little under one year to transition instead of the 3 years identified. What alternatives are there that I might take advantage of so I have a longer transition period? My 3rd party registrar has been no help.

Answer

I would suggest that this individual approach their registrar/auditor and reason with them. I have heard of 3rd party auditors who are willing to help organizations with their transitions in numerous ways, including finding a comfortable way to transition without losing investment made in the current standard.

Second, the requirement to transition over to the new standard is not demanding that people wait until their current certificate runs out.  This company can begin a gradual transition right away. Stretching it over a couple years gives a company plenty of time to ‘learn’ and transition. Therefore, 2017 would be a possible time for a smooth change over to the new standard.

Registrars are our helpers; not some strangers lurking in the dark. They should be approachable and willing to help.

Also ASQ, as well as other sources, offer various forms of transition training and information.  The new standard can seem a bit intimidating at first glance but once thoroughly examined, it is actually more simple in several areas.

Atychiphobia – a persistent fear of failure can lead us to see stumbling blocks ahead of us. You can turn those stumbling blocks into stepping stones with some support from your registrar and a positive attitude.

Bud Salsbury, CQT, CQI

For more on this topic, please visit ASQ’s website.

ISO 9001:2015 Documented Information Requirements

ISO documentation practices, requirements

Question

I am trying to ascertain if I need to write a Quality Manual to comply with ISO 9001:2015. I see some clauses require ‘documented information’. Do I just address those or the entire document?

Answer

Thank you for the question.

To begin with, the new ISO 9001:2015 standard does not present a requirement for a Quality Manual. Those requirements are now part of Clause 4.3 and 4.4 of the new standard. That information “shall” be maintained as documented information.

You would be wise to 1] Acquire a copy of the 9001:2015 standard if you haven’t already done so. 2] Check in ASQ.org for information explaining the new terminology related to the standard. 3] Consider pursuing the services of a quality consultant for thorough guidance.

Respectfully,

Bud Salsbury
ASQ Senior Member, CQT, CQI

For more on this topic, please visit ASQ’s website.

ISO 9001: 2015 Deliverables and Processes

About ASQ's Ask the Standards Expert program and blog

Question

Under the revised ISO 9001: 2015 standard, what do you see as the key deliverables and processes owned by the Quality manager or QA department?

Answer

A project or process is made up of primary components aimed toward successful completion of the project/process objectives.  Those individual components are the deliverables.

In other words; you have Inputs and Outputs. An Output is a deliverable resulting from the process (Input).

The old aphorism “Everyone is responsible for quality” is strongly encouraged throughout ISO 9001:2015. Therefore, with the adage of Risk Based Thinking to the new standard, the Quality manager and the QA department would be responsible for the deliverables of their department and its processes. They would also be responsible for discerning any risks to the company’s goals and objectives.

Bud Salsbury
ASQ Senior Member, CQT, CQI

For more on this topic, please visit ASQ’S website

Internal Audits

Reporting, best practices, non-compliance reporting

Question

If 2nd or 3rd party performs full system audit on my QMS, can it be used as to satisfy requirement for Internal Audit of that year?

Answer

Thank you for sending your question to ASQ’s Ask The Experts program.

My first response to your question would simply be, no you cannot use a 2nd or 3rd party audit to satisfy the requirement for Internal Audits.

The thing to consider is, who will the final Audit Report go to? That is, who is the customer?  An Internal Audit is conducted to your QMS and to your criteria. The final report would generally be directed to senior management.

A second or third party audit is most often performed by a customer or by a registrar. They would be guided by different criteria. A customer audit would not be of your entire QMS or give evidence of its overall efficacy. It would be inspired by what would be pertinent to the product or service you provide to them. A registrar audit would be to verify your facility’s compliance to standards but not necessarily the entire QMS.

You can see how this would be leading down a path one wouldn’t want to follow.  Therefore, Internal Audits should remain . . . internal.

Bud Salsbury, CQT, CQI

For more on this topic, please visit ASQ’s website.

Nonconformance Versus CAPA Requests

CAPA process, CAPA requests

Question:

I need advice on the use of Nonconformance versus Corrective Action/Preventive Action (CAPA) Requests. I understand and have tried to communicate the low risk and high risk definitions to staff with some understanding. In reporting nonconformance’s some evolve into a root cause analysis which is a positive direction but thought to be a requirement of a Corrective/ Preventative Action. Nonconformance’s are logged on a report and reviewed periodically. CAPA Requests are more elaborate; logged and reported on a metrics with continuous review.

Response:

My answer may seem lengthy but I feel defining things is important. First, here is part of a memo I put together for one company.

ISO terminology and definitions – Corrective action/Preventive action

Some people experience confusion over the differences between corrective and preventive action.

We know that corrective actions are taken to remove the causes of existing nonconformities.

If the nonconformity is detected during production, immediate corrective action is taken to eliminate the problem. In other words, we fix what went wrong. We take preventive action to ensure the same problem does not happen again. However, this is still corrective action because it is based on solving a problem that has already happened.

We might use documents or electronic forms to report/record such actions. Here, caution is advised. For example, if a machinist turns a part undersize, immediate corrective action is taken to fix the mistake and further action is taken so it doesn’t reoccur on subsequent parts. If the original “bad” part was scrap and we record that as a non-conformance in our documentation, with the corrective action noted, we might then close that record. We might then request a follow up with preventive action. That would be a mistake.

Note: Not every problem or non-conformance requires a corrective action. This is determined on a case by case basis, usually by a manager. Each case is different.

Example: A welder accidentally causes weld spatter to fly into a tapped hole. The welder cleans out the B-B’s, re-taps the hole and moves on. Generating a non-conformance form should not be necessary in this case as no product was scrapped or made nonconforming.

Now, let’s say an employee sees a potential problem.

Example: The employee notices the jaws of a turning center are showing very obvious/significant run-out.

This could potentially result in nonconforming product. This is a good case for preventive action. A change request could be generated and when the action is taken, it can be followed up on (verified) and recorded in the appropriate format. In most cases, over an entire year a company will record very few Preventive Action Requests (PAR’s). However, that same organization will register numerous Corrective Action Requests (CAR’s). This is the normal rhythm of things and is what we strive for.

Here are a few definitions for your files. The following Terms and Definitions are taken from ISO 9000:2005:

3.6.4
Preventive action: Action to eliminate the cause of potential nonconformity or other undesirable potential situation.

NOTE 1 There can be more than one cause for a potential nonconformity.
NOTE 2 Preventive action is taken to prevent occurrence whereas corrective action (3.6.5) is taken to prevent recurrence.

3.6.5
Corrective action: Action to eliminate the cause of a detected nonconformity or other undesirable situation.

NOTE 1 There can be more than one cause for a nonconformity.
NOTE 2 Corrective action is taken to prevent recurrence whereas preventive action (3.6.4) is taken to prevent occurrence.
NOTE 3 There is a distinction between correction (3.6.6) and corrective action.

3.6.6
Correction: Action to eliminate a detected nonconformity.

NOTE 1 A correction can be made in conjunction with a corrective action (3.6.5).
NOTE 2 A correction can be, for example, rework.

I hope this has been helpful.

Bud Salsbury
ASQ Senior Member, CQT, CQI

Additional ASQ Resources:

Form by Design
Using flowcharting techniques for robust form design
by Lance B. Coleman

Corrective Action Challenge
How to construct a robust problem-solving process
by R. Dan Reid

CAPA for the FDA-Regulated Industry (book)
Abstract: Medical devices, biopharmaceutical, and traditional drug manufacturing companies devote an important part of their resources to dealing with incidents, investigations, and corrective and preventive actions. The corrective and preventive action system is known as the CAPA system. It is second to none in terms of frequency and criticality of its deviations, and most of the regulatory actions taken by the FDA and foreign regulators are linked to inadequate CAPA systems. This guidance book provides useful and up-to-date information about this critical topic to thousands of engineers, scientists, and manufacturing and quality personnel across the life sciences industries.

Understanding and improving the CAPA system as a whole is the focal point of this book, the first of its kind dealing exclusively with this critical system within this highly regulated industry. By helping those in this industry improve their CAPA systems, it will be a crucial aid in their mission of producing safe and effective products.

ISO/TS Exclusions

Manufacturing, inspection, exclusions

Question:

I have a question regarding exclusions from the ISO/TS standards.

The majority of our business is the design and manufacture of enclosure hardware.  Recently though, a small portion of our business has become the sole North American Distributor for an Italian company. Their product lines are similar to ours. However, we procure their products and simply resell/distribute to their customers stateside, to Canada and Mexico. We do not have Design or Process Control for these items; they are pass-through product.

Therefore, my question is related to permissible exclusions from the ISO standard. Should we seek exclusions regarding certain clauses of Clause 7 of the standard, for this certain “supplier”, and/or for certain product groups that are sold on their behalf?

Response (Answered by Bud Salsbury):

At first, your question seemed relatively uncomplicated and I am inclined to say that you can simply sell or provide the products in question with a disclaimer or something identifying the fact that your company is not the designer/manufacturer of the product.  My company occasionally has purchased parts inserted into or added to the products made. Like bushings or threaded inserts, etc. We don’t have to add anything to our QMS for those as long as those items meet regulatory and statutory requirements.

However, I should mention, the standards make it clear that exclusions are permissible if “such exclusions do not affect the organization’s ability or responsibility to consistently provide product that meets customer and applicable statutory and regulatory requirements.”

Therefore, stepping away from the initial ‘simple’ answer, I would say that such exclusions would not be permissible. This is due to the fact that your organization is ultimately responsible for meeting customer requirements. Although you do not design or manufacture that specific product, you provide, and are responsible for what the customer requests.

You are also responsible for seeing to it that the OEM is meeting customer as well as any statutory or regulatory requirements. This would be of particular importance if these are electrical enclosures or intended for hazardous services, such as NEMA 7 (explosion proof enclosures).

Since you already design and manufacture your own products and have the Clause 7 included in your QMS, it would be counterproductive to add more documentation to exclude what you have mentioned. It would be wise to notify customers up-front, in the sales/purchase order process, that the product you are distributing is from a separate company.

Thanks much for this good question.

Bud Salsbury
ASQ Senior Member, CQT, CQI

Follow Up Questions:

• IF there were permissible exclusions allowed, WHO would need to ‘approve’ these or ‘allow’ them to be exclusions?  Would that be the registrar or someone else?

• IF there were permissible exclusions, would it be stated/depicted on the actual Certificate as such or only noted in the quality manual, for example?

• IF there were permissible exclusions, would it be an exclusion of the ISO CLAUSE?  And/or PRODUCT?  And/or  SUPPLIER?

• Currently we list “the design and manufacture…” in our scope.  Would we need to revise the scope to include ‘distribution’?

Response (Answered by Denis Devos):

Thank you very much for your question and your follow up.

In further response to your original question – if you are in the automotive industry, you will still be obligated to provide a Level 3 PPAP (as a default) to your customer for the product you are purchasing and reselling; whether you are design and process responsible or not.

Permissible exclusions are only granted for Clause 7.3 Product Design.  Per TS 16949, you cannot be excluded from the requirements of Clause 6.3 related to process design.    You can declare this exclusion yourself in your Quality Manual and your registrar will validate your claim during your registration audit.   The exclusion will appear on your registration certificate.  You can only be excluded from Clause 7.3 Product Design, (not process design).

Under TS 16949, you cannot exclude products from your registration if they are being sold to the automotive industry.   Sometimes, a registrar will permit only a portion of your business to be registered and that would be reflected in the scope on your certificate:  Check with your registrar.   You cannot be exempted from any requirements related to supplier management, such as Clause 7.4.

Yes, you will likely have to include “distribution” in the scope of your registration; check with your registrar.

I hope this sufficiently answers your follow-up questions and you find this advice helpful.  If you need anything further, please don’t hesitate to contact us.

Best Regards,

Denis J. Devos, P.Eng
ASQ Fellow
Devos Associates Inc.
London Ontario
www.DevosAssociates.com

For more on this topic, please visit ASQ’s website.

Use of Correction Fluid to Modify ISO 9001 QMS Documents

ISO documentation practices, requirements

Q: During a recent audit, I discovered that my supplier was using correction fluid and scrubbing out the training records of its employees with no control over the documents. I said that would be a major finding, but they state that there is nothing in ISO/ANSI/ASQ 9001:2008 Quality management systems–Requirements specifically telling them that they can’t correct records on the fly without any control.  Can you clarify this practice for me? I can’t find anything definitive in the standard.

A: This is an interesting question. Sometimes, people complicate standards rather than recognize them for the friendly guides they can be. It is true, as written in clause 6.2.2 of ISO 9001:2008,  that records for education, training, skills and experience need to be maintained per clause 4.2.2. However, the standard does not designate a specific process for this.

Clause 4.2.4 expresses a requirement to establish a documented procedure, and also states that the records should be legible. While the practice of using correction fluid or scrubbing out training records is probably not the best and most professional way of handling things, it’s not a cause for a finding of nonconformance.

Records which have a direct affect on customer products would definitely need better controls. However, I think in this case, you might find it wise to work with the supplier to find a better way of recording employee training. The records must remain legible, readily identifiable and retrievable. If that is what they are doing and product quality is not affected, there should be no major finding. A recommendation for continual improvement would be appropriate.

I hope this helps.

Bud Salsbury
ASQ Senior Member, CQT, CQI

Dock to Stock

Suppliers, supplier management

Q: I have been tasked with implementing a dock to stock policy. Does an expert have any advice or information to share towards forming a dock to stock policy?

A: To begin, here is a brief definition of dock to stock (DTS):

Dock to stock is a receiving method whereby materials are delivered directly to point of use (storage or manufacturing), skipping the normal receiving inspection.

For most organizations, parts which are given a DTS status are those which have been “proven” to be compliant. It is common practice to perform a receiving inspection on the parts for a minimum of five deliveries (some companies choose 10).

After a supplier has proven to deliver a compliant product five times, that individual item/part number is given DTS status. It is then general practice for production/assembly departments or line personnel to verify compliance as needed. If a product is found to be noncompliant, it is put on a contingency list and must prove its validity again — usually through five to 10 compliant shipments before it is returned to DTS status.

Keep in mind that the DTS process is rarely used in some industries/companies. For example, a company certified to ISO 13485 (medical devices) would not use DTS due to FDA regulations — here’s an excerpt from 21 CFR 820.80 (b):

“Receiving Acceptance Activities: Incoming product shall be inspected, tested or otherwise verified as conforming to specified requirements.”

In short, determining how many acceptable shipments to qualify a supplier for DTS status is up to the company. Requesting a certificate of compliance with each shipment can tend to encourage a supplier to ensure their own quality, as does a yearly audit of the supplier’s facilities (if appropriate).

I hope using the guidelines above will help lead you toward your goal.

Bud Salsbury
ASQ Senior Member, CQT, CQI

Related Content:

Chinese OEM Reduces Returns With Improved Product Testing, ASQ case study

Cost-Effectiveness Based Performance Evaluation for Suppliers and Operations, Quality Management Journal

ISO 9001 Certification to Meet Customer Requirements

Training, completed training, competance

Q: My company is a small manufacturer that makes one product that I designed and engineered. We have a contract to produce the part for a much larger company. The larger company wants us to become certified to ISO 9001:2008 Quality management systems — Requirements. The company has sent its auditor/Six Sigma black belt to our plant for the third time and stated that our operators (three employees, myself included) are not trained because the training matrix is not filled out.

The auditor also stated that our work instructions are not adequate, that our process flow charts are not good enough, and that our forms (all five forms we use in-house) are not compliant because they lack a form number printed on them. Is there a clear definition of what is required by ISO on any of these items?

We currently have a 2.5 percent nonconformance rate on our parts. These are identified at our 100 percent inspection points – at three, four, or five. Out of the 2.5 percent nonconformance, the 2 percent are able to be reworked and the 0.5 percent is scrapped.

A: Your question has several layers so I will try to offer what answers I think will help.

To begin with, I have to assume that you have a copy of the ISO 9001 standard. If you do not have a copy, you must get one.

At the same time, it would benefit you to acquire the services of a consultant or you can purchase one of the many books that are available which would help you along the way.

Now, in ISO 9001:2008, clause 6.2.2 states that you “shall” do five things with regard to competence, training and awareness.

In ISO documentation, the word “shall” indicates a requirement.  Basically, you are required to identify (document) the training requirements of those whose work can affect conformity to product requirements. There is nothing in the standard that says you must have a “matrix.”

You must have a record showing the training has been completed and of its effectiveness. You must also verify each employee’s competence in doing his/her job on their own. Competence is important. Keep that in mind.

You mentioned in your inquiry that your customer states your work instructions are not adequate, that the process flow charts are not good enough, and that your forms are not compliant because they lack a form number printed on them.

To begin, the standard requires just six documented procedures.

  • Clause 4.2.3 Control of documents
  • Clause 4.2.4 Control of records
  • Clause 8.2.2 Internal quality audits
  • Clause 8.3 Control of nonconforming product
  • Clause 8.5.2 Corrective action
  • Clause 8.5.3 Preventive action

Your written procedures need to be compliant with the standard they are for. (By the way, Most companies have more than just six documented procedures, as it helps their Quality Management System to operate more efficiently)

As for process flow charts I am thinking you are referring to work instructions. The 9001:2008 standard says that work instructions should be available “as necessary.” If you have work instructions written and they are readily available, the auditor should have no cause for concern there.

In addressing your mention of “flow charts,” in all fairness, I cannot respond completely without actually seeing the flow charts in question.  If you mean the process flow charts which often accompany a documented procedure to show a “map” of the process, then you should read clause 4.1 of the standard. You would find that you are required to show “interactions” of the processes. There are no actual ISO requirements for flow charts, but many companies use that format to show the interactions, often in their quality manual. You would need to determine if flow charts are needed to ensure consistent quality.

Finally, let’s talk about forms. How you control your forms or the format should be mentioned in your document control procedure (4.2.3).

Each type of form would need a title, a revision number or letter, and a revision date.  Having a record of these makes it easy to identify which version of a document you are using and if it is the correct revision.

I know that approaching ISO compliance can seem like a bigger than life challenge at first. However, for every step you take, you will realize that standards are beneficial and not nearly as complicated as they might first appear to be.  As noted above, you might want to consider a consultant and/or acquire some reference material. Your customer’s auditor can become a friendly associate.

As a senior member of ASQ, I salute you for running a business dedicated to quality.

Bud Salsbury
ASQ Senior Member, CQT, CQI

For more on this topic, please visit ASQ’s website.

ISO 9001, Control of Monitoring and Measuring Equipment

Audit, audit by exception

Q: In ANSI/ISO/ASQ Q9001-2008 Quality management systems — Requirements, clause 7.6,  there is a requirement which states: “When used in the monitoring and measurement of specified measurements, the ability of computer software to satisfy the intended application shall be confirmed.”

Do you have any guidance on how this can be established in an analytical laboratory?

A: To answer your question, I would first refer you to the note at the end of 7.6.  It reads:

“NOTE:  Confirmation of the ability of computer software to satisfy the intended application would typically include its verification and configuration management to maintain its suitability for use.”

Now, that can sound confusing to some folks. So, let me offer you some direction.  To “confirm” (verify) your software’s abilities, you need a known standard.  I’m not referring to a standard that is traceable to national standards.  I’m referring to data you know should be revealed as a failure by your software.

For example: You have samples from 10 subgroups and, you know that one sample, when analyzed, will be found to be nonconforming.  You can use a separate source to determine what the Cpk is, or you can simply identify which sample is out of tolerance and by how much.  When you use this known standard to test your analytical software, the results will tell you if it is suitable for use.

Most software is designed with some sort of pass/fail testing option.  Nonetheless, using a proven standard to verify your software brings it down to earth and more applicable to your needs.

Bud Salsbury
ASQ Senior Member, CQT, CQI

For more on this topic, please visit ASQ’s website.