Tag: ISO 9001

Can We Require ISO 9001 Certification?

Suppliers, supplier management

Q: My company has bought another company in Canada and we are outsourcing to them. They are not certified to ISO/ANSI/ASQ 9001:2008 Quality management systems–Requirements.  Do we have the legal right to require them to get certified since we are?

A: Thank you for contacting the ASQ Ask the Experts Program.  With regard to your question, there is no requirement in ISO 9001 that requires any organization or their suppliers to be certified by a third-party. Certification is only needed if it’s required by a customer contract/purchase order, or if an organization has opted to be ISO 9001 certified.

However, as an ISO 9001 certified organization, your quality management system must include controls to maintain control over outsourced processes. This requirement is stated in clause 4.1. The control over outsourced processes may include all or any of the following:

1.    Use of an approved suppliers list (see clause 7.4.1)

2.    An onsite supplier quality audit (see clause 7.4.3)

3.    Review and approval of equipment, processes, procedures, methods, and personnel qualifications for processes that require validation such as welding, nondestructive testing, heat treatment or others (see clause 7.5.2).

In summary, ISO 9001 certification is a management decision and not a requirement.  Organizations that follow the ISO 9001 requirements and have outsourced processes should have controls in place to manage those processes.

I hope this helps.

Bill Aston
ASQ Senior Member
Managing Director of Aston Technical Consulting Services
Kingwood, TX
www.astontechconsult.com

For more on this topic, please visit ASQ’s website.

“As Found” Calibration Data – Available for a Fee?

Automotive inspection, TS 16949, IATF 16949

Q: I have been an auditor of ISO/ANSI/ASQ 9001:2008 Quality management systems–Requirements since 1992 and recently began consulting hospitals who seek ISO 9001 certification.

My experience with auditing to ISO 9001 is mostly in the manufacturing sector. When I audited against ISO 9001 clause 7.6 control of monitoring and measuring equipment, I routinely included questions regarding the process for assessing the validity of previous measurement results when equipment did not conform to established limits. I found no real issues with this until lately.

Now, clients say that calibration service providers do not routinely provide “as found” data in the report that’s sent to clients/customers. I have been told that “as found” data only becomes available to the client/customer for an additional charge (and it’s not cheap).

Obviously, organizations cannot comply with the ISO 9001 requirement to perform the aforementioned assessment without this data. Since this has only come to my attention recently, I am wondering about the ethics and legality of withholding specific information in the calibration report – unless an additional fee is paid.

Could you please provide some insight or justification for this business practice?

A: It is always a good idea to evaluate one’s suppliers. This requirement is in ISO 9001 clause 7.4 purchasing. The May 2010 Quality Progress Measure for Measure column, “Supplier Demand,” provides guidance on evaluating and selecting calibration providers accredited to ISO/IEC 17025-2005: General requirements for the competence of testing and calibration laboratories. In addition, the ILAC-P14:12/2010 policy document requires ISO/IEC 17025 accredited laboratories to provide measurement uncertainty data with the measurement results as of December 1, 2011.

The customer should specify their requirements in their purchasing documents for calibration. ISO/IEC 17025 has contract review requirements that accredited laboratories must meet in order to to comply with clause 4.4 of ISO/IEC 17025.

In order for the laboratory to make an out of tolerance decision, it has to measure “as found” data. Even if the laboratory does not report it, it is required to retain it per ISO/IEC 17025 clause 5.10.4.2, second paragraph:

“When a statement of compliance with a specification is made omitting the measurement results and associated uncertainties, the laboratory shall record those results and maintain them for possible future reference.”

So, for a start, it is a good idea to use ISO/IEC 17025 accredited calibration providers and specify the customer’s requirements. Some provide “as found – as left” data routinely. Others may charge because they may claim that it takes extra time. But, if a competing laboratory provides it as part of the service, the other laboratories will follow suit or lose market share.

If the ISO/IEC 17025 accredited providers have to make a compliance decision on an item being calibrated, why would they not record the data? Even if it’s not provided, they are required to retain it for future reference in case of an inquiry. Calibration providers (whether accredited or not) that do not provide “as found – as left” data should probably be avoided. One does not know if they provided a legitimate calibration or they “stickered” the calibrated item and produced a generic certificate.

Other laboratories complying with ANSI Z540-1 or ANSI Z540.3 requirements are also required to provide “as found – as left” data. Otherwise, they are not fully complying with Z540 requirements.

The September 2010 Quality Progress Measure for Measure column, “Calibration Evaluation,” discusses evaluating non-accredited calibration providers and what to look for when assessing them.

Dilip A Shah
ASQ CQE, CQA, CCT
President, E = mc3 Solutions
Chair, ASQ Measurement Quality Division (2012-2013)
Secretary and Member of the A2LA Board of Directors (2006-2014)
Medina, Ohio
http://www.emc3solutions.com

For more on this topic, please visit ASQ’s website.

Remote Auditing

 

Audit, audit by exception

Q: I am a consultant and I have helped a dozen of companies receive certification to ISO 9001-2015: Quality management systems–Requirements. A recent client requested a specific registrar that is different than the one I have used before. That registrar states that per ANAB, the stage 1 audit must be conducted on site at the company being certified. My prior registrar claims that they do not know of this requirement. After a review of the documents and records sent to them, they conduct the stage 1 in a teleconference. Who is right?

A: No one can speak for ANAB and the requirements they have for certification bodies (CBs) for each standard except ANAB. For some standards, ANAB documents specifically state that stage 1 audits can be conducted on-site or remotely. However, in some cases, ANAB requires CBs to apply for accreditation to use Computer Assisted Auditing Techniques (CAAT).

I would recommend that a representative of the organization seeking certification formally ask for an explanation as to why remote auditing techniques cannot be used to conduct a stage 1 audit for conformity to ISO 9001:2015.

For more information about remote auditing techniques for internal and external audits you may want to consider reviewing material in the book eAuditing Fundamentals: Virtual Communication and Remote Auditing published by ASQ Quality Press.

J.P. Russell
ASQ Fellow, ASQ CQA
ASQ Quality Press Author
Member of the U.S. TAG to ISO/TC 176 on Quality Management and Quality Assurance
Quality WBT Center for Education/J.P. Russell and Associates
www.jp-russell.com

Related Content:

Find more about remote auditing on ASQ’s website.

Making Remote Work
Quality Progress

10 Auditing Rules
Quality Progress

Is it Legal to Require Certification to an ISO Standard?

Contract, requirement, legal, standard

Q: Can a contract include a requirement stating that the manufacturer of the materials to be installed as part of the job must be ISO 9001 and ISO 14000 listed? My question is in reference to a contract I received that is requiring this.

A: In general, contracts between business entities are enforceable unless they violate laws or are contrary to public policy. Private businesses entering into commercial contracts have a great deal of freedom in establishing contract terms.

One of the common uses of ISO standards is to clearly delineate requirements in commercial contracts.   This can, and often does, include requirements for third-party certification of suppliers to ISO 9001-2008: Quality management systems–Requirements and/or ISO 14001-2004: Environmental management systems – Requirements with guidance for use.

This requirement is usually met by providing a copy of the certificate issued by a third-party certification body (registrar) that lists the name of the organization certified and the scope of the certification.

Based on the information provided along with your question, it appears that the question actually relates to a material specification that was included as part of a request for proposal (RFP) from a governmental entity. Note: the contract has not been included with this post to protect the anonymity of the questioner and the governmental entity.

The authority of governmental contracting officers is more limited.  They must comply with applicable purchasing statutes and regulations.  Whether or not a requirement for certification to ISO 9001 and/or ISO 14001 is permissible would be determined by reviewing these contracting rules.  These rules also often provide mechanisms for contesting the award of a contract if it is believed to be unfair.

There are often opportunities to request clarification of information included in a government-issued RFP. This may be something to consider in this situation since the requirements in this RFP appear to be unclear, such as:

  •  There is no comprehensive “list” of certified companies so there is no mechanism for a manufacturer to be listed.
  • There is no ISO 14000 standard.  There are over 20 different standards in the ISO 14000 family – each with a different number.  I assume the RFP is referring to ISO 14001.
  • It is not clear which of the materials specified in the contract must be manufactured by an organization that is certified to the ISO 9001 and ISO 14001 standards.

(Note: the contract has not been included with this post to protect the anonymity of the questioner and the governmental entity).

I hope this helps.

Thea Dunmire, JD, CIH, CSP
Chair, ASC Z1-Audit Subcommittee
ENLAR Compliance Services, Inc.
Largo, FL
www.enlar.com

For more on this topic, please visit ASQ’s website.

ISO 9001 Electronic Records

Reviewing confidential files, training records, human resources files
Q: I have a few questions about employee training records.  My company is certified to ISO 9001:2008 Quality management systems–Requirements, and we are considering transitioning to electronic records. However, we don’t know what the requirements are from an ISO perspective. Specifically, we want to know:1. Do we need to retain hardcopy originals, or can we just keep the scanned electronic copies?

2. Does a record need to be in each individual’s file, or can there be a spreadsheet, cross reference-type matrix?

3. How long do they need to be retained?

4. Are there different requirements for environmental and safety type training records?

A: Thank you for contacting the ASQ Ask the Experts Program. Responses to your specific inquiries follow:

1.You may retain records in any format or media you desire.  You do not need both hardcopy and electronic.

2. You may use a spreadsheet matrix.

3. Retention times are your determination. Consult with the corporate attorney as to any requirements from the U.S. Equal Employment Opportunity Commission to protect yourself if there is a lawsuit (assuming your organization is located in the United States).

4. Check with the U.S. Occupational Safety and Health Administration (OSHA) and the U.S. Environmental Protection Agency (EPA) regarding requirements for these records.  These are outside the scope of ISO 9001.

George Hummel
Voting member of the U.S. TAG to ISO/TC 176 – Quality Management and Quality Assurance
Managing Partner
Global Certification-USA
www.globalcert-usa.com/
Dayton, OH

For more on this topic, please visit ASQ’s website.

ISO 9001 Certification to Meet Customer Requirements

Training, completed training, competance

Q: My company is a small manufacturer that makes one product that I designed and engineered. We have a contract to produce the part for a much larger company. The larger company wants us to become certified to ISO 9001:2008 Quality management systems — Requirements. The company has sent its auditor/Six Sigma black belt to our plant for the third time and stated that our operators (three employees, myself included) are not trained because the training matrix is not filled out.

The auditor also stated that our work instructions are not adequate, that our process flow charts are not good enough, and that our forms (all five forms we use in-house) are not compliant because they lack a form number printed on them. Is there a clear definition of what is required by ISO on any of these items?

We currently have a 2.5 percent nonconformance rate on our parts. These are identified at our 100 percent inspection points – at three, four, or five. Out of the 2.5 percent nonconformance, the 2 percent are able to be reworked and the 0.5 percent is scrapped.

A: Your question has several layers so I will try to offer what answers I think will help.

To begin with, I have to assume that you have a copy of the ISO 9001 standard. If you do not have a copy, you must get one.

At the same time, it would benefit you to acquire the services of a consultant or you can purchase one of the many books that are available which would help you along the way.

Now, in ISO 9001:2008, clause 6.2.2 states that you “shall” do five things with regard to competence, training and awareness.

In ISO documentation, the word “shall” indicates a requirement.  Basically, you are required to identify (document) the training requirements of those whose work can affect conformity to product requirements. There is nothing in the standard that says you must have a “matrix.”

You must have a record showing the training has been completed and of its effectiveness. You must also verify each employee’s competence in doing his/her job on their own. Competence is important. Keep that in mind.

You mentioned in your inquiry that your customer states your work instructions are not adequate, that the process flow charts are not good enough, and that your forms are not compliant because they lack a form number printed on them.

To begin, the standard requires just six documented procedures.

  • Clause 4.2.3 Control of documents
  • Clause 4.2.4 Control of records
  • Clause 8.2.2 Internal quality audits
  • Clause 8.3 Control of nonconforming product
  • Clause 8.5.2 Corrective action
  • Clause 8.5.3 Preventive action

Your written procedures need to be compliant with the standard they are for. (By the way, Most companies have more than just six documented procedures, as it helps their Quality Management System to operate more efficiently)

As for process flow charts I am thinking you are referring to work instructions. The 9001:2008 standard says that work instructions should be available “as necessary.” If you have work instructions written and they are readily available, the auditor should have no cause for concern there.

In addressing your mention of “flow charts,” in all fairness, I cannot respond completely without actually seeing the flow charts in question.  If you mean the process flow charts which often accompany a documented procedure to show a “map” of the process, then you should read clause 4.1 of the standard. You would find that you are required to show “interactions” of the processes. There are no actual ISO requirements for flow charts, but many companies use that format to show the interactions, often in their quality manual. You would need to determine if flow charts are needed to ensure consistent quality.

Finally, let’s talk about forms. How you control your forms or the format should be mentioned in your document control procedure (4.2.3).

Each type of form would need a title, a revision number or letter, and a revision date.  Having a record of these makes it easy to identify which version of a document you are using and if it is the correct revision.

I know that approaching ISO compliance can seem like a bigger than life challenge at first. However, for every step you take, you will realize that standards are beneficial and not nearly as complicated as they might first appear to be.  As noted above, you might want to consider a consultant and/or acquire some reference material. Your customer’s auditor can become a friendly associate.

As a senior member of ASQ, I salute you for running a business dedicated to quality.

Bud Salsbury
ASQ Senior Member, CQT, CQI

For more on this topic, please visit ASQ’s website.

Rescheduling an ISO 9001 Surveillance Audit

Schedule, calendar, timeline

Q: Our organization had its last external (third party) audit in December 2011 for ISO 9001:2008 — Quality management systems — Requirements. We planned to have our next audit the week of November 26, 2012, but the auditor has become ill and cannot come at that time.

Do we need to have our surveillance audit within one year of the last audit? I am considering rescheduling for the first quarter of 2013.

A: Thank you for contacting ASQ’s Ask the Experts.  With regard to your inquiry, surveillance audits are usually conducted by most registrars on an annual basis.  Your registrar has complete responsibility for ensuring the availability of their audit staff to conduct these audits as they are required.

In the event that no other auditors can be provided by your registrar, it would be their responsibility to ensure the audit is rescheduled to another mutually agreed upon date and, if necessary, extend your organization’s ISO 9001:2008 certification status as appropriate.

Your organization’s ability to maintain to an active QMS certification status should not be dependent upon the availability of the registrar’s auditor.  I recommend that you contact your registrar to confirm the next date for your surveillance audit.

I hope this helps.

Bill Aston
ASQ Senior Member
Managing Director of Aston Technical Consulting Services
Kingwood, TX
www.astontechconsult.com

For more information on this topic, please visit ASQ’s website.

ISO 9001 Statutory and Regulatory Requirements

About ASQ's Ask the Standards Expert program and blog

Q: I manage the quality management program at my company according to ISO 9001:2008 — Quality management systems –Requirements.  I was hoping to find some assistance in the area of statutory and regulatory requirements.  Can you provide me with some help in regards to what this means in terms of the standard?

A: Statutory and regulatory requirements are product related.  They may be federal, state or local.  They would depend upon your industrial classification.  Once you have that, you can cross check the classification with the Code of Federal Regulations (CFR).  Since the CFR are subject to change, someone in your organization should be charged with the responsibility for researching updates (there are organizations that provide this service). As far as international is concerned, the country of destination would need to be researched.  Often, a customs broker can be of assistance here.

George Hummel
Voting member of the U.S. TAG to ISO/TC 176 – Quality Management and Quality Assurance
Managing Partner, Global Certification-USA
www.globalcert-usa.com/
Dayton, OH

For more on this topic, please visit ASQ’s website.

ISO 9001, Control of Monitoring and Measuring Equipment

Audit, audit by exception

Q: In ANSI/ISO/ASQ Q9001-2008 Quality management systems — Requirements, clause 7.6,  there is a requirement which states: “When used in the monitoring and measurement of specified measurements, the ability of computer software to satisfy the intended application shall be confirmed.”

Do you have any guidance on how this can be established in an analytical laboratory?

A: To answer your question, I would first refer you to the note at the end of 7.6.  It reads:

“NOTE:  Confirmation of the ability of computer software to satisfy the intended application would typically include its verification and configuration management to maintain its suitability for use.”

Now, that can sound confusing to some folks. So, let me offer you some direction.  To “confirm” (verify) your software’s abilities, you need a known standard.  I’m not referring to a standard that is traceable to national standards.  I’m referring to data you know should be revealed as a failure by your software.

For example: You have samples from 10 subgroups and, you know that one sample, when analyzed, will be found to be nonconforming.  You can use a separate source to determine what the Cpk is, or you can simply identify which sample is out of tolerance and by how much.  When you use this known standard to test your analytical software, the results will tell you if it is suitable for use.

Most software is designed with some sort of pass/fail testing option.  Nonetheless, using a proven standard to verify your software brings it down to earth and more applicable to your needs.

Bud Salsbury
ASQ Senior Member, CQT, CQI

For more on this topic, please visit ASQ’s website.

ISO 9001: Product Development and Customer Satisfaction

Manufacturing, inspection, exclusions

Q: Does a company certified to ANSI/ISO/ASQ Q9001-2008 Quality management systems — Requirements that produces raw materials for a customer according to their written specification also, as a raw material supplier, have a responsibility under ISO 9001 to meet the customer’s needs for their design intent and intended and known use?

In simple language, I sell a raw material to a customer who takes my raw material and then designs a product and sells it to a customer who uses it in the field. I wonder where does the ISO standard application stop for the raw material supplier?  How can a raw material supplier under ISO 9001 meet the needs of a customer’s trade secret designs, or further down the intended use of the product where the raw material supplier has no control over how it will be used or maintained?

A: Your question is more a legal one than a quality one. You are offering a product to a customer. This is your finished product and their raw material. When both parties agree to the terms and conditions (payment, form, fit, function, shipping, etc.) a contract exists. We call this a purchase order (PO) and part of that PO is the specification for your product. If they place an order to your spec, you have done the design work under ISO 9001 and they are accepting your design. END OF YOUR RESPONSIBILITY for future application and use. If you accept an order to their spec, they have done the design work and you are obligated to make sure your product meets the stated (and often implied) form/fit/function requirements. We call this quality control and you do this by testing in the lab prior to shipment.

Most firms address the issue of application by stating quite clearly in the contract terms that you are selling your product as-is and you do not warrant the product as fit for ultimate use. This is the kind of thing the lawyers require.

Having said all this, there is a requirement in ISO 9001 for you to measure customer satisfaction. You must state in your manual the concept (strategies) for doing this and have some defined processes – usually called procedures – to carry it out. Of course, part of this is the regular management review. Quality, marketing, and sales all provide input on how well the customer needs are being met. Your registrar should be examining how you do this.

If there is a trend showing that customers are unhappy with how the stuff performs under end-use conditions, ISO says you should address those issues. (Ignoring them is an option, if it is deliberate). Mature firms will work on building customer-supplier partnerships, getting their engineers to talk to your engineers. Although this is technically outside of the quality function, it is still part of your overall quality management system.

Charlie Cianfrani
Consulting Engineer
Green Lane Quality Management Services
Green Lane, PA
ASQ Fellow; ASQ CQE, CRE, CQA, RABQSA Certified QMS-Auditor (Q3558)
ASQ Quality Press Author

For more on this topic, please visit ASQ’s website.