ISO/TS Standards Exclusions

Checklist, Conformity, Go/No Go


I have a question regarding exclusions from the ISO/TS standards.

The majority of our business is the design and manufacture of enclosure hardware. Recently though, a small portion of our business has become the sole North American Distributor for an Italian company. Their product lines are similar to ours. However, we procure their products and simply resell/distribute to their customers stateside, to Canada and Mexico. We do not have Design or Process Control for these items; they are pass-through product.

Therefore, my question is related to permissible exclusions from the ISO standard. Should we seek exclusions regarding certain clauses of Clause 7 of the standard, for this certain “supplier”, and/or for certain product groups that are sold on their behalf?

Any assistance you could provide would be helpful.



At first, your question seemed relatively uncomplicated and I am inclined to say that you can simply sell or provide the products in question with a disclaimer or something identifying the fact that your company is not the designer/manufacturer of the product. My company occasionally has purchased parts inserted into or added to the products made (like bushings or threaded inserts, etc.). We don’t have to add anything to our QMS for those as long as those items meet regulatory and statutory requirements.

However, I should mention, the standards make it clear that exclusions are permissible if “such exclusions do not affect the organization’s ability or responsibility to consistently provide product that meets customer and applicable statutory and regulatory requirements.”

Therefore, stepping away from the initial ‘simple’ answer, I would say that such exclusions would not be permissible. This is due to the fact that your organization is ultimately responsible for meeting customer requirements. Although you do not design or manufacture that specific product, you provide, and are responsible for what the customer requests.

You are also responsible for seeing to it that the OEM is meeting customer as well as any statutory or regulatory requirements. This would be of particular importance if these are electrical enclosures or intended for hazardous services, such as NEMA 7 (explosion proof enclosures).

Since you already design and manufacture your own products and have the Clause 7 included in your QMS, it would be counterproductive to add more documentation to exclude what you have mentioned. It would be wise to notify customers up-front, in the sales/purchase order process, that the product you are distributing is from a separate company.

Thanks much for this good question.

Bud Salsbury
ASQ Senior Member, CQT, CQI

For more on this topic, please visit ASQ’s website.

Audit by Exception

Audit, audit by exception


I would like information regarding the use of the internal auditing method referred to as “audit by exception”. While this method sounds like it may provide a much more efficient use of my time and my Manager’s/employees’ time, I have no idea how this is accomplished in a manner that can still be compliant and what proof would be deemed acceptable when going through my external RAB certified audit. I am referring specifically to ISO 9001:2008 in regards to auditing. I currently audit every process/process owner every 6 months in a calendar year and it is a full week of audit time each audit. Thank you.


Thanks for contacting ASQ’s Ask the Expert program. With regard to your inquiry, I suggest that you continue to use an audit methodology that best serves your organization’s requirements. As you are aware, “auditing by exception” is a practice that is utilized in the financial sector. The terminology “audit exception”, in this case, has the same meaning as an “audit finding”. Since internal audits are one of the most important tools that an organization has to assess the effectiveness and continual improvement of their quality management system, auditing by exception may not provide the level of information needed to keep your organization’s top management and its process owners adequately informed.

In my opinion, an effective internal audit will focus as much on identifying opportunities for improvement (OFI) as documenting audit findings. A robust internal audit report will identify nonconformances, but will equally focus on areas that can be improved or that have improved. To sustain continual improvement of a new or a matured QMS, the process owners and employees must be kept informed and engaged. One of the ways to accomplish this is to share audit results that report on findings, OFI and the status of objectives or targets that have been established. Auditing by exception usually will not provide this level of reporting.

Please note, ISO 9001:2008, clause 8.2.2, does not prescribe any particular audit methods to be used for 1st, 2nd or 3rd party audits. Each organization is expected to select audit techniques that best suit the scope and objective of the audit to be conducted.

I hope this helps.

Best regards,

Bill Aston, Managing Director
Aston Technical Consulting Services
Kingwood, Texas

ISO 9001:2008 Requirement for Control and Monitoring of Measurement Equipment

Chemistry, micro testing, chemical analysis, sampling


I am trying to clearly understand the ISO 9001:2008 requirement for Control and Monitoring of Measurement Equipment. My question:

If measurement equipment like a Karl Fischer titrator or pH meter is calibrated by the user with a known standard traceable to an international standard, does the unit itself need to be periodically sent to a third party for calibration? It is not clear to me. In the past I have received a finding for not doing so. As I read the standard it is not clear. Can you provide exactly the clause and reference statement that would indicate and clarify its meaning?


Your question leads me to believe there was a valid reason for the finding you received. Calibration of a Karl Fischer Electrometric Titration unit is more of a validation and adjustment. That is, in one common practice, you use sodium tartrate dihydrate in a very fine powder form, along with other substances and follow all the steps of calibration. However (this is why sending your unit to a third party becomes necessary), you cannot be certain your unit is reading accurately if it hasn’t had a certified calibration by a third party. Example: Is the water equivalent (WE) of the titrant (Karl Fischer reagent or titrating solution) based on accurate calculations?

If you have a known standard which is traceable to national standards which you can use as a comparator, you might be able to set your recalibration periods fairly far apart. This would of course save you money. Nonetheless, unless you can show traceability of your Karl Fischer system, you are not compliant with the standard.

That was a good question and I hope this will help.

Bud Salsbury, CQT, CQI


Measurement System Analysis

ISO/IEC 17025:2017 General requirements for the competence of testing and calibration laboratories


Is there ever an exception to the rule about needing full Measurement System Analysis for any instrument placed in the Evaluation / Measurement Technique column on the Control Plan? If an instrument is listed on the control plan, does it HAVE to have GRRs done, in addition to having to prove stability? Please base off of ISO 9001 and TS 16949 requirements, and if there is a difference between them for this requirement.


Thank you for this interesting question. Clause 7.6 of ISO 9001:2008 makes most of this fairly clear. Any monitoring and measuring equipment used to verify conformity of product must “be calibrated or verified, or both, at specified intervals, or prior to use. . .” Notice I made ‘at specified intervals’ bold. This is just to bring to light the importance of calibration cycles. You/your organization can determine what those cycles will be based on the stability of the measuring tool, frequency of use, working conditions, etc. For example, if you were using a micrometer to check close tolerance parts and you found it a good process to measure the parts frequently, this would be a contributing factor to the decision process. Then, if the working conditions included a lot of cutting fluids or perhaps a good deal of metal dust, another factor is added to the decision process. What I am driving at is this: once you have determined that the product conformity which you are checking is good and/or consistent and that your sample frequency is satisfactory, you would have no definite requirement for GRR’s on the measuring equipment. The calibrations and/or verifications you do must be with equipment which is traceable to international or national measurement standards. If you use working standards as gages to check measuring equipment throughout production and those standards are traceable, then you are doing fine. The processes you use to verify the tools and any in-process measuring practices should be documented in Work Instructions or even with the use of photographs or flow charts.

In the second part of your question, you ask if there is a difference between 9001 and TS 16949. I reference section 7.6.1 of TS 16949. Here it is put straightforward:

7.6.1  Measurement System Analysis 

Conduct statistical studies to analyze variation present in the results of each type of MMD that is referenced in the Control Plan.

Use analytical methods & acceptance criteria that:

Conform to methods and criteria in customer reference (MSA) manuals

Or use other methods, if approved by the customer

This is an automotive sector specific QMS standard. Herein it is necessary to consider safety and liability in everything you do. So, Gage R&R’s are a common practice. Nonetheless, the necessity for these is dictated by individual processes. Some may need them, some may not.

So, if an instrument is listed on YOUR control plan, GRR’s will become a requirement based on all the criteria I’ve noted above. A gage which has proven stability is most often safe from that requirement under 9001, but TS 16949 has more extensive requirements.

Bud Salsbury, CQT, CQI



Airplane, aerospace, AS9100


Question: AS9100C, which is an expansion of the ISO 9001:2008, states that a “process” based system is being promoted as is shown in 0.2 of the Introduction. Why are 3rd party auditors being required to use the AS9101 Quality Management Systems Audit Requirements for Aviation, Space and Defense Organizations checklists for their audits? These checklists are not “process” based and go back to the old procedure systems of the 1994 standard.

Each of our core processes consists of a flow chart of the process, process turtle and PEAR. If you were doing a true process audit you would take these documents and perform the audit and not limit the auditor to being “boxed in” by a checklist. If the QMS has been developed correctly the process approach audit will allow you to cross other processes when being performed.


Thanks for the question. The IAQG AS9101 team does firmly believe in promoting the process approach which you will see reflected with the next AS9101 revision. I agree that auditors should follow the process while performing all auditing (including 3rd party audits), yet it is also important to ensure that all the AS9100 requirements are satisfied. That is why AS9100 auditors are trained to audit the process and then complete the Objective Evidence Record to ensure all AS9100 requirements are fulfilled.

Buddy Cressionnie
Americas 9100 Lead



ISO 13485, medical devices, medical device manufacturing


I’m working on a green belt certification and I have a question about SIPOC. What would be the examples of inputs for a hospital test facility? The supplier is the physician and the patient is the customer?



Here’s an approach to consider:


Input = blood sample, urine sample, sample swab

Process = DNA, microbiology, HVLC

Output = test results

Customer = patient
