ISO 9001 Clause 7.4.1, Supplier Control


Q: My interpretation of ISO 9001:2008 Quality management systems–Requirements regarding supplier control as addressed in clause 7.4.1 Purchasing process is that suppliers who would require evaluation, selection and registry would be those who supply products (or services) which affect subsequent product realization, or the final product.

Excellent examples for our organization would be vendors providing raw material, tool/dies, surface preparation or calibration services.

I also believe that the “extent of control” exercised by the organization could, in fact, mean that certain suppliers are not controlled (evaluated, selected and registered), due to their lack of impact on product realization.

Good examples here would be stationery or sanitation supplies.

After conferring with several colleagues, we are all puzzled to see freight companies (UPS, FedEx) included as controlled suppliers and nonconformance reports written for failure to comply with the standard if they are not included on our approved suppliers list.

I understand the standard is written to provide a framework, and not examples; however, I find this interpretation to be too broad for the intended purpose.

A: Thank you for contacting ASQ’s Ask the Experts program.  The intent of ISO 9001:2008, clause 7.4.1 is to ensure suppliers are selected based upon their ability to meet the organization’s requirements, which generally include quality and delivery of product or service intended for the customer.

As you mentioned, suppliers of office supplies such as paper, printer toner, etc. are not usually included on an approved suppliers list since they have zero impact on the organization’s ability to meet customer requirements.

However, some registrars may consider trucking firms or delivery services such as UPS and FedEx as suppliers of services that could impact an organization’s ability to meet requirements, such as on-time delivery and the delivery of product in an acceptable condition to the customer.

Most registrars welcome rebuttals from their clients regarding audit findings. This could be an excellent opportunity for your company to state its position to the registrar and to understand their rationale as to why they believe UPS and FedEx must be on the approved suppliers list.

The bottom line is that your registrar determines how its auditors interpret audit criteria such as clause 7.4.1.

If it is decided to add these companies to the approved supplier list, it should be a painless process since your company probably already has an established performance history for them.

I hope this helps!

Bill Aston
ASQ Senior Member
Managing Director of Aston Technical Consulting Services
Kingwood, TX
www.astontechconsult.com

Does ISO 9001 Clause 7 Apply to Processes?


Q: Does clause 7 Product Realization in ISO 9001:2008 Quality management systems–Requirements apply to the design and development of manufacturing processes?

We have four facilities that are ISO 9001 certified under one certificate. One location designs the product, and the other facilities manufacture it. In the “design facility” we follow the requirements of clause 7. In the manufacturing facilities, we currently do not apply clause 7 for the process of developing the manufacturing processes.

A: ISO 9001 clause 7.3 is applicable to the design and development characteristics of a product.

ISO 9001:2008 clause 7.1 (Planning of Product Realization) and its reference to clause 4.1 (General Requirements) is more specific to product planning to ensure that the product quality objectives and the processes/resources are available to produce a product that will meet defined quality requirements as specified during design and development in clause 7.3.

Clause 7.1 requires that the planning process include identification of the inter-related processes (i.e., monitoring, inspection, product quality objectives, testing, records of conformity) needed to verify the product requirements have been achieved.

The bottom line: the product characteristics, quality objectives and inter-related processes must be documented. If this is not fully achieved in the design and development process (clause 7.3), it must be included in the product planning process (clause 7.1). Please see clause 4.1.

Please keep in mind that your company’s ISO registrar will require evidence of conformity (records/documentation) to verify the requirements of clauses 4.1, 7.1 and 7.3 have been met.

Bill Aston
ASQ Senior Member
Managing Director of Aston Technical Consulting Services
Kingwood, TX
www.astontechconsult.com

For more on this topic, please visit ASQ’s website.

ISO 17025 Certified Facility


Q: We have a specification that states test reports shall be from a facility certified to ISO 9001:2008 Quality management systems–Requirements. Our test reports are from a facility certified to ISO/IEC 17025-2005: General requirements for the competence of testing and calibration laboratories.

Isn’t ISO 17025:2005 under the ISO 9001:2008 umbrella?

A: Your interpretation is, indeed, correct. Actually, for a testing lab, accreditation to ISO/IEC 17025 is superior to registration to ISO 9001! As you know, your accreditation agency actually observed your personnel performing tests. They had to demonstrate competency. This was in addition to the verification that you had a working management system in place (that’s why they call it accreditation and not registration. We won’t even get into the misuse of the word certification).

To make sure your customer gets the assurance they want, I recommend you contact your accreditation agency. Ask them for a letter that states this equivalency. That will probably blow your customer away – or at least amaze them! Unless you can show the text you provided to ASQ was from one of the ISO or ANSI standards-writing committees, as an official interpretation, it probably holds little weight.

Your customer is right to monitor your performance this way. Recent food safety issues, prominent in the news, have a common element to them — insufficient attention to supplier performance. Expect to see more of this as the manufacturers and distributors pay more attention to their supply chain. I expect you are or will be doing the same for your critical sub-suppliers. Remember too, there are many ways to monitor supplier performance. Registration/accreditation is one of the ways.

Dennis Arter
ASQ Fellow
The Audit Guy
Columbia Audit Resources
Kennewick, WA
http://auditguy.net


Framework to Integrate ISO Standards and Non-ISO Standards


Q: I have a few questions about integrating standards for one of the experts:

1) Will registrars (in addition to BSI, who wrote it) accept a documented quality management system organized around the framework suggested in PAS 99:2006 – Specification of common management system requirements as a framework for integration, given there is adequate audit evidence that the requirements of both of the integrated standards have been addressed and have been implemented?

2) Is PAS 99 only for ISO-related standards, e.g., ISO 9001:2008 Quality management systems–Requirements and ISO 14001-2004: Environmental management systems – Requirements with guidance for use, or can other combinations be made – e.g., ISO 9001 and American Institute of Steel Construction-Bridge and Highway AISCQC028?

AISCQC028 is not an ISO or ISO sector-specific standard, although the framework and structure are very similar. The AISC has its own certification body (registrar) and would insist that their auditors conduct a certification audit even though an organization has been previously ISO registered. AISC does not object to an integrated system that integrates/combines ISO 9001 with one of their certification standards as long as AISC certification requirements have been addressed.

The integration of ISO 9001 and 14001 is becoming commonplace and I’m fairly certain that PAS 99 is an acceptable format in those cases. I’m more interested in other industry standards and requirements not generally considered ISO-related that are being demanded by certain customer segments and integrating them in a system that must also be acceptable to ISO registrars because of other customer segments who are demanding ISO registration by their suppliers.

A: This is an excellent, and timely, question.

More and more organizations are developing integrated management systems based on multiple specification standards – such as ISO 9001, ISO 14001 and OHSAS 18001.   In addition, there are more and more management system standards being developed.  This includes both ISO standards and non-ISO standards – such as OHSAS 18001, Responsible Recycling (R2) and, based on your question, AISCQC028.

It is not even clear how many different management system specification standards there are. What one individual considers a guidance document, someone else insists is a specification standard suitable for certification.

So when you are developing documentation for an integrated management system, how should it be organized?

There are several options:

•    One option is to choose one of the standards as the primary high-level structure – say, ISO 9001:2008 – and address the requirements of the other standards within that structure.

•    PAS 99:2006 offers a different option for a high-level framework for organizing the management system documentation for an integrated management system.  (As you correctly point out in your question, PAS 99 cannot be used as a replacement specification standard for any of the discipline-specific management system standards.)

•    Another option is to establish a high-level structure that makes sense for your organization.

There is no required framework for organizing management system documentation.  You can use whichever overall structure and numbering scheme works for your organization.

ISO has recognized that having different high-level structures for its various management system standards may be problematic for organizations that are implementing integrated management systems that are intended to meet the requirements of multiple specification standards. As a result, in February 2012, the ISO Technical Management Board (TMB) approved a guide for ISO standard writers that specifies a common structure and definitions to be used for all new and future revisions of ISO management system standards. This was circulated as ISO Guide 83. This action by ISO highlights the primary issue with using PAS 99:2006. It is out of date.

First, the normative references listed in PAS 99:2006 are not the current versions for some of the standards (notably ISO 9001 and OHSAS 18001).  Second, the high-level structure set out in PAS 99:2006 is not consistent with the common structure recently approved by ISO.

The key to establishing an integrated management system is NOT the use of a particular organizing framework or high-level structure. How you organize your management system documentation needs to fit the needs of your organization – not the desires of a particular registration auditor.

What is important is being able to clearly explain how your management system meets the requirements of each of the specification standards to which you want to become certified.  This requires clearly written documentation that defines the links to the requirements you are addressing within your management system.  It may also require discussion with your registrar and/or the use of reference tables – similar to those set out in the Annexes of ISO 9001, ISO 14001, OHSAS 18001 – and PAS 99:2006.

Thea Dunmire, JD, CIH, CSP
ENLAR Compliance Services, Inc.
Thea’s Blogs:
http://www.OHSAS18001expert.com
http://www.managementsystemexpert.com

ISO 9001 7.1 Product Realization


Q: Our company, certified to ISO 9001:2008 Quality management systems–Requirements, is experiencing quite a bit of supplier non-conformance.

An option we are interested in is to have a set of manufacturing drawings for our suppliers and a set of inspection drawings. Either the manufacturing set would require tighter tolerance than the inspection set, or the inspection set would have looser tolerances than the manufacturing set.

What would the criteria be to introduce this theory into our procedures?

A: I suggest that you consider the point of ISO 9001:2008 Quality management systems–Requirements, clause 7.1, regarding the development of product objectives. Your planned approach is similar to what is intended by this clause.

The organization should set its product requirements during the product planning stage. Product requirements should be based upon design inputs, outputs, verifications and validations. This provides the essential measurements (tolerances) required for the product to function as designed or intended.

The requirements sent to suppliers, or to the shop floor, should be within the design tolerances or criteria, but not necessarily the same. However, in the event that inspection or a supplier identifies/provides a product that is outside the drawing requirements, it would be up to the engineer or the designer to decide if the product still meets the design criteria. If so, the product would be dispositioned “accept as is” and would still function as planned.

If repetitious non-conformance is encountered and the product is still within the design criteria, then changes to the supplier and inspection criteria should be considered to prevent continued non-conformance. If the non-conformance does not meet the product requirement or the design criteria, corrective action should be taken with the supplier.

Bill Aston
ASQ Senior Member
Managing Director of Aston Technical Consulting Services
Kingwood, TX
www.astontechconsult.com


Standard Vs. Specification and Guidance Documents


Question

What is the difference between a standard and a specification?

Answer

There is no single or simple answer to your question. The answer depends upon the context of the question. Relative to the ANSI/ISO/ASQ Q9000 Series: Quality management standards, I direct you to ANSI/ISO/ASQ Q9000:2005 Quality management systems – Fundamentals and vocabulary.

ISO 9000:2005 defines specification as a document that states requirements. A specification can be related to activities (e.g. procedure document, process specification and test specification), or products (e.g. product specification, performance specification and drawing).

ISO 9000:2005 does not define “standard”. The first part of the ISO 9000:2005 introduction reads:

“The ISO 9000 family of standards listed below has been developed to assist organizations, of all types and sizes, to implement and operate effective quality management systems.

ISO 9000 describes fundamentals of quality management systems and specifies the terminology for quality management systems.

ISO 9001 specifies requirements for a quality management system where an organization needs to demonstrate its ability to provide products that fulfill customer and applicable regulatory requirements and aims to enhance customer satisfaction.

ISO 9004 provides guidelines that consider both the effectiveness and efficiency of the quality management system. The aim of this standard is improvement of the performance of the organization and satisfaction of customers and other interested parties.

ISO 19011 provides guidance on auditing quality and environmental management systems.

Together they form a coherent set of quality management system standards facilitating mutual understanding in national and international trade.”

In other words…

ISO 9000 is a standard that describes fundamentals and specifies the terminology.

ISO 9001 is a standard that specifies requirements.

ISO 9004 is a standard that provides guidelines.

ISO 19011 is a standard that provides guidance.

This implies that a standard is a formal document that establishes uniform criteria, methods, processes and practices — which may or may not be requirements.

ISO 9000:2005 also makes a distinction between quality management system requirements and requirements for products using the terms “specifications” and “standards.” It states:

“The ISO 9000 family distinguishes between requirements for quality management systems and requirements for products.

Requirements for quality management systems are specified in ISO 9001. Requirements for quality management systems are generic and applicable to organizations in any industry or economic sector regardless of the offered product category. ISO 9001 itself does not establish requirements for products.

Requirements for products can be specified by customers or by the organization in anticipation of customer requirements, or by regulation. The requirements for products and in some cases associated processes can be contained in, for example, technical specifications, product standards, process standards, contractual agreements and regulatory requirements.”

Joe Tsiakals
Voting member of the U.S. TAG to ISO/TC 176 (ASQ)
Voting member of the U.S. TAG to ISO/TC 210 (AAMI)

ISO 9001 Corrective Action Time Window


Q: We will be audited by a different firm soon to ISO 9001:2008 Quality management systems–Requirements, and I am noticing differences compared to our former auditors.

At the closing of an annual surveillance audit for a three-year certificate, if a non-conformance is issued at the closing meeting, what is the expectation of response for:

1. Minor non-conformances

2. Major non-conformances

How many days are expected for the initial response for each?

How many times during the next 12 months should we expect the auditor to come back to the site to verify corrective action for each?

A: Regarding your question about response times for corrective actions, please note the following.

ISO 9001:2008 clause 8.2, Internal audits, does not specify or prescribe any time limits. ISO 9001:2008, clause 8.2.2, only requires the management for the responsible area (process owner) to take corrective action without undue delay. No time limit is identified.

With regard to audit follow-up visits — this is strictly dependent upon the registrar or other auditing body. Some auditing bodies will follow up on closed CARs during their next scheduled surveillance audit. This allows enough time to pass to evaluate the effectiveness of the corrective action taken.

In most cases, the auditee is required to complete the CAR identifying the root cause and the corrective actions taken to prevent a reoccurrence.

This information is assessed by the auditing body to confirm that a root cause was identified and that the actions taken match the root cause. This is normally done in the form of a desk review.

Due to the costs involved and other logistics, rarely will any auditing body want to come out to verify each corrective action taken. This is usually something for the internal audit staff to perform as a part of their audit activities.

I hope this helps.

Bill Aston
ASQ Senior Member
Managing Director of Aston Technical Consulting Services
Kingwood, TX
www.astontechconsult.com


ISO Standard Audit and Confidential Information


Q: During an external audit, what records are we allowed to keep confidential – e.g. human resources records? Certain records pertaining to new business leads or accounting matters? Specifically, my question is related to audits to the ISO 9001:2008 Quality management systems–Requirements and ISO 13485:2003: Medical devices — Quality management systems — Requirements for regulatory purposes standards.

A: The “scope” of any audit is the quality management system (QMS) as found in the ISO standard for quality management. Areas such as finance, marketing plans, sales goals, and other business-related topics are not part of a QMS audit.

It should be understood that during the audit, potential areas of conflict between the auditor and auditee might exist. The most common is when the auditor wants to see training records and the auditee claims them to be a confidential part of HR records. The auditor needs to be a diplomat here and explain that only the training record is needed and not the entire HR record.

Also, it is not uncommon for the auditee to require the auditor to sign a non-disclosure agreement stating that the auditor(s) will keep everything observed during the audit confidential between the parties.

Again, the scope of the audit, usually agreed to ahead of time, is the QMS — not any business-related matters.

Jim Werner
Voting member to the U.S. TAG to ISO TC 176
Medical Device Quality Compliance (MDQC), LLC.
ASQ Senior Member
ASQ CQE, CQA, RABQSA Lead QMS Assessor

What is ANSI/ISO/ASQ Q9001:2008?


Question

Is there any difference between ANSI/ISO/ASQ Q9001:2008 and ISO 9001:2008? Is it just semantic, or is it ASQ’s take on ISO 9001:2008 Quality management systems–Requirements?

Answer

The ANSI designation shows it has been adopted as an American National Standard (ANS), and that U.S. experts believe the standard is a good one and should be followed by the U.S. Since ASQ is the administrator of the group (known as a Technical Advisory Group/TAG in the standards development world) that develops ISO 9001, we are the only organization allowed to put its name in the designation. ASQ is a member of ANSI and is accredited by them to be a standards-developing organization.


ISO Documentation Practices; Difference Between Record and Document

 


Q: Is there a published ISO standard for good documentation practices (e.g., crossing out an error with a single line and initialing and dating; striking through a blank space)?

Thank you.

A: Your question has two parts:

1) Is there a standard?

2) Does it cover the specific practice you cited?

The answers are “yes” and “no.”   🙂

About a decade ago, the ISO Technical Committee (TC) 176 on Quality Management and Quality Assurance started work on a documentation standard. There was (and still is) much confusion in the world about what kind of documents were expected and what should go into them. Of course, most didn’t want to take the time and energy to understand the purpose of documents, much less describe their practices in a site-specific manual. How sad. The output of the ISO/TC 176 work was a Technical Report: ISO/TR 10013:2001 – Guidelines for quality management system documentation. Frankly, however, I do not think it will address your question.

First of all, documents and records are often confused. Even though the ISO terms and definitions standard (ANSI/ISO/ASQ 9000:2005 Quality management systems — Fundamentals and vocabulary) parks them both under the word document, it is good practice to always think document=before, and record=after.

In other words, a document tells us what to do. A record tells us what was done. Many people, not understanding this principle, have actually tried to place records under configuration control!

The record-keeping practices you cited — crossing out an error and marking in a blank space — have their origin in the early military practices of the 1950s! Back then, there were no computers, internet or even ISO standards. There was also much more falsification of information back then, as we treated the workers with little or no respect.

The practices you cite were attempts to make sure that the data entered on a record wasn’t changed. Those practices just kind of hung on for half a century. In my 40 years in the quality profession, I have never seen these “rules” written down in an external document, like a regulation or standard or policy. Sure, individual organizations have required these practices through their local Standard Operating Procedures, but I am pretty sure they are not published in higher-level documents.

With automation and networking, records are becoming much more virtual. Paper records are becoming a thing of the past. Security and protection of those electronic records is a much bigger problem than when they were all on dead trees.

Follow-up from expert: Doing some further research (for an upcoming class), I discovered that ISO/IEC 17025:2005 General requirements for the competence of testing and calibration laboratories, contains a clause about records correction, 4.13.2.3. In general, the clause says all alterations must be visible (not erased, blacked out, or deleted), and all changes must be signed or initialed by the person making the change. Equivalent measures should be taken in the case of electronic records.

I don’t know why I didn’t think of this standard earlier; however, my earlier remarks about this coming from the 1950s practices B.C. (before computers) still stand.

Dennis Arter
ASQ Fellow
The Audit Guy
Columbia Audit Resources
Kennewick, WA
http://auditguy.net
