ISO 17025 and Business Changes

ISO/IEC 17025:2017 General requirements for the competence of testing and calibration laboratories

Question

My organization has just been recently accredited to ISO/IEC 17025:2005. Shortly thereafter, changes were made to the organization’s structure and business operations.  I would like to know:

1) When should these changes be reflected in the Quality Manual?

2) Do I need to advise the local registrar about the changes?

3) Are these changes time-sensitive that need to be reported to the certifying body to maintain certification or, should I just wait for the next surveillance audit coming in about six (6) months?

Answer

Thank you for your question. Updates to your Quality Management System and Quality Manual should be made as soon as they are implemented. I would suggest notifying your CB of the changes now and letting them plan for auditing these changes. They will likely want to roll that into your next surveillance and not make a special visit. That decision, of course, would be up to them.

Denis.

Denis J. Devos, P.Eng
A Fellow of the American Society for Quality
Devos Associates Inc.
(519) 476-8951
www.DevosAssociates.com

Internal Audits

Reporting, best practices, non-compliance reporting

Question

If a 2nd or 3rd party performs a full system audit on my QMS, can it be used to satisfy the requirement for the Internal Audit of that year?

Answer

Thank you for sending your question to ASQ’s Ask The Experts program.

My first response to your question would simply be, no, you cannot use a 2nd or 3rd party audit to satisfy the requirement for Internal Audits.

The thing to consider is, who will the final Audit Report go to? That is, who is the customer?  An Internal Audit is conducted to your QMS and to your criteria. The final report would generally be directed to senior management.

A second or third party audit is most often performed by a customer or by a registrar. They would be guided by different criteria. A customer audit would not be of your entire QMS or give evidence of its overall efficacy. It would be inspired by what would be pertinent to the product or service you provide to them. A registrar audit would be to verify your facility’s compliance to standards but not necessarily the entire QMS.

You can see how this would be leading down a path one wouldn’t want to follow.  Therefore, Internal Audits should remain . . . internal.

Bud Salsbury, CQT, CQI

 

Internal Audits

Employees, Training, Working, Learning, Duties, Tasks, DFSS, Innovation, Audit, Auditing

Question

Can the Management Representative be part of the internal auditor team?

Answer

Thank you for contacting ASQ’s Ask the Experts program. Concerning your question, ISO 9001:2008, clause 8.2.2, only prohibits persons from auditing their own work. So provided that the Management Representative is assigned to audit processes that are outside his/her work responsibilities, there is no other restriction in this regard. ISO 19011:2011, clause 4.0, “Principles of auditing”, as well as clause 6.3.3, “Assigning work to the audit team”, should be reviewed for additional insight and understanding.

I hope this helps.

Best regards,

Bill

Bill Aston, Managing Director
Aston Technical Consulting Services, LLC
Kingwood, TX 77339
Office: (281) 359-ATCS (2827) or Toll Free: (888) 968-9891
Website: www.astontechconsult.com

Find more information about auditing here.

Auditor’s Responsibilities

Root cause analysis figure

Question

Is it an auditor’s responsibility to seek the “root cause” while conducting an audit?

Answer

An auditor should not seek the root cause for an audit finding. An auditor’s responsibility is to verify compliance with a requirement (e.g. ISO 9001 standard) and determine if there is compliance with the requirement or not. In doing so, there is objectivity in making that assessment.

If an auditor determines the root cause, it introduces subjectivity and potential conflict of interest to the audit process and in correcting an issue. In addition, the auditor may not have the full information about the issue thus the “root cause determined by the auditor” may not correct the non-compliance to the requirement.

Best Regards,

Dilip

Dilip A. Shah ASQ Fellow, ASQ-CQE, CQA, CCT,
President, E = mc3 Solutions,
Technical Director, Sapphire Proficiency Testing Services
Past Chair, ASQ Measurement Quality Division (2012-2013)
Past Member of the A2LA Board of Directors (2006-2014)
Tel: 330-328-4400
Fax: 1-888-226-9533
E-mail: emc3solu@aol.com

ISO 9001 Internal Audit and TQM

Audit, audit by exception

Question

In ISO 9001 internal audit process, can we include the TQM function? If so, then which clause of ISO 9001 refers to it?

Answer

With regard to the ISO 9001:2008 internal audit process and its relationship to total quality management (TQM), it should be noted that TQM was a concept used by many companies worldwide prior to the existence of ISO 9000 quality management systems.

A few of the commonalities that are shared between TQM and ISO 9001:2008 include their focus on:

  • Reducing costs
  • Increasing profits
  • Leadership’s involvement
  • Ensuring customer satisfaction
  • Ensuring employee competency and involvement
  • Resource management
  • Quality system planning
  • Development of mutually beneficial supplier relationships
  • Accomplishment of objectives that support the organization’s mission (i.e., quality policy)

The primary difference that sets ISO 9001:2008 apart from TQM is that ISO 9001 has defined requirements for the establishment of documented procedures and records to provide evidence of conformance.  The concepts of TQM permeate quality systems that are based upon ISO 9001:2008 requirements.  In my opinion, if your internal audit criteria is ISO 9001, you’re also verifying that TQM concepts are being utilized within the quality system.  More information regarding TQM is provided in Juran’s Quality Handbook, 5th Edition.  Also consider reviewing the eight (8) quality management principles provided in ISO 9000:2005, Introduction, subclause 0.2.  These principles are applicable to all ISO 9000 family of quality management system standards.

Bill Aston, Managing Director
Aston Technical Consulting Services, LLC
800 Rockmead, Suite 170, Kingwood, TX 77339
Office: (281) 359-ATCS (2827)
Website: www.astontechconsult.com

For more information about TQM, please visit the Knowledge Center’s TQM page: http://asq.org/learn-about-quality/total-quality-management/overview/overview.html

Find out more information about ISO 9000 here: http://asq.org/learn-about-quality/iso-9000/overview/overview.html

Using White Out on Controlled Documents

ISO documentation practices, requirements

Question

During our certification for AS9100C the auditor found some documents with correction liquid that we have used for years. We have prohibited the use of any type of correction on all processes company-wide.

It is common that during the prototype stage we perform dozens of changes due to the differences between the calculating/design program (electrical) and what happens in real life. During those adjustments we manually change circuits, values, etc. from the original version with white-out tape (previously liquid paper). Once the prototype works, those changes are incorporated as “Initial release” in the package that goes out for manufacturing. Do you guys see any problem using white-out tape / correction tape on the controlled copies during the prototype stage? My point is that the original values are recorded on the originals that will be obsoleted and the new ones on the initial release, keeping the controlled copies marked as records of the prototype.

Response

Thanks for contacting ASQ’s Ask the Experts program.

With regard to your inquiry, changing the documented results of inspection or test activities should be avoided or at least strictly controlled.  This is of special importance if these records are intended to provide evidence of product or process conformance.

However, prototype test results, which may be subject to frequent changes during preliminary inspection or test activities, don’t require the same level of control. These results are usually intended for informational purposes only and not for final acceptance of a process or product.

Bill Aston
ASQ Senior Member
Managing Director of Aston Technical Consulting Services
Kingwood, TX
http://www.astontechconsult.com

Employee Qualification Audit

 

Reviewing confidential files, training records, human resources files

Question

I am a Quality Assurance GxP Auditor and I am being told that I cannot perform an employee qualification audit. I am being told that CV/resumes, job descriptions, and training records are confidential and my viewing them would violate an employee’s privacy. If this is true, how do I prove to my client that the company has qualified personnel?

On the same note, is this also true of an internal or 1st party employee qualification audit where my own company would want me to verify the qualifications of our employees to ensure they meet international FDA/ICH guidelines?

Response

Thanks for contacting ASQ’s Ask the Experts program.

With regard to your question, maintaining confidentiality can be a major concern for the employee, organization and the Auditor.  For this reason, the review of employee files containing private data such as social security numbers, banking, personal contact or other sensitive information should be avoided if possible.

This not only maintains employee privacy, but also reduces the Auditor’s level of exposure to potential liabilities.

So now the question is: how can the Auditor verify employee qualifications and experience? Remember that there is no requirement for an Auditor to review job applications, CV/resumes, or other confidential information.

It’s the organization’s responsibility to provide the Auditor with objective evidence that they have established job descriptions for employees performing work activities that affect the quality of the product or services to be provided to the customer (ISO 9001:2008, clause 6.2.1). This includes providing evidence that the employee’s qualifications, skills, education and any applicable certifications have been verified to meet job description requirements or the need for training has been established to ensure job description requirements are met (ISO 9001:2008, clause 6.2.2, sub. a, b and c).

As you are aware, a job description may be considered as proprietary, but they are seldom considered as private since they don’t contain any personal information. Some organizations may require that a nondisclosure agreement (NDA) be signed to protect proprietary information such as engineering data, drawings or other methods related to product realization processes.

A record of an organization’s review and verification of employee qualifications should be readily available. Likewise, training and applicable certification records should be available to provide objective evidence that qualification and/or competency requirements have been met (ISO 9001:2008, clause 6.2.2, sub. e).

Bill Aston
ASQ Senior Member
Managing Director of Aston Technical Consulting Services
Kingwood, TX
www.astontechconsult.com

AS9100 Audit

Training, completed training, competence

Question:

I have recently started work at a company that is registered to AS9100. My previous employer was registered to ISO 9001 and I was trained as an internal auditor.

What additional training is required to audit to AS9100? (other than learning the standard).

Does my previous training in internal quality auditing qualify me to audit to the AS9100 standard?

Are the standards for auditors different for AS9100 than ISO 9001?

Response:

The ISO 9001 and AS9100 requirements for internal auditors are the same: that the auditor be competent. The organization determines the competence requirements for its internal auditors. Typically, the competence includes both knowledge of the standard and internal audit methodology.

Buddy Cressionnie
International Aerospace Quality Group Americas AS9100 Lead
Voting member of the U.S. TAG to ISO/TC 176
Southlake, TX

Additional ASQ Resources

AS9100 Keeps Bosch Communications Flying High in Aerospace Industry
by Janet Jacobsen
Abstract: In 2006, the Bosch Corporation acquired Minnesota-based Telex Communications, Inc., a supplier to the aerospace industry. This business became known as Bosch Communications Systems. Boeing, a key customer for Bosch Communications’ aviation headsets, issued a requirement for all suppliers to become certified to AS9100, the international quality management system standard for the aerospace industry. To satisfy Boeing’s requirement, Bosch Communications launched an ambitious initiative to achieve dual AS9100/ISO 9001 certification in less than one year. Bosch contracted with ASQ to provide AS9100 lead auditor and internal auditor training to educate a cross-functional team about the standard and prepare them for the auditing process. In October 2008, just 11 months after launching its certification effort, Bosch earned both AS9100 and ISO 9001 certification.

Road to Revision- The path ahead for updating the AS9100 series of standards
by Buddy Cressionnie
Abstract: The flagship aviation, space and defense quality management system (QMS) standard has started revision activities. AS9100—Quality management systems—requirements for aviation, space and defense organizations is the foundation standard of the International Aerospace Quality Group (IAQG).

The AS9100C, AS9110, and AS9120 Handbook (ebook)
by James Culliton
Abstract: AS9100, AS9110, and AS9120, the quality management system (QMS) standards for the aerospace industry, are written in the most ambiguous language possible. Indeed, they don’t outline how they should be implemented. Those decisions are left to the organization implementing their requirements or, in some cases, to a consultant.

Although some consultant firms for aerospace systems are excellent, there are many that purport to be experts yet proffer systems and processes that are either in contravention to the standards’ requirements or so unwieldy that they render the process impotent.

In an effort to simplify these issues, this book proposes practices that have been described as opportunities for improvement or best practices by registration auditors in the past. It includes a discussion of each of the three standards’ clauses, suggests best practices to comply with them, outlines common findings associated with them, and provides an overview of the changes to AS9100C from AS9100B.

Lead Auditor Qualification

Audit, audit by exception

Question

My manager and I have a question about internal lead auditor and auditor qualification. As stated in section 8.2.2 of ISO 9001:2008, “the organization shall conduct internal audits at planned intervals to determine whether the quality management system…”

Our question is: do internal lead auditors and auditors have to be certified by an organization or trained by a certified lead auditor? May a person read ISO 19011:2011 and with his/her experiences in his/her field then perform audit tasks as stated in section 8.2.2 of ISO 9001:2008? If yes, would an ISO registrar consider it to be a non-conformance finding?

Thank you in advance for taking time to answer our question.

Response

Thanks for contacting ASQ’s Ask the Experts program. With regard to your question, it is important to know that ISO 9001:2008 does not prescribe any specific requirements for the qualifications of persons conducting QMS audits. ISO 19011:2011 provides guidance, not mandatory requirements, for determining Auditor qualifications. As you are aware, an internal audit is one of the most valuable tools that an organization has to determine the effectiveness of its quality management system as well as to identify opportunities for improvement.

For this reason, it is essential that the personnel or consultants used to conduct audit activities have the qualifications and experience needed to provide these services. As a minimum, I would suggest that your internal audit personnel attend Auditor classroom training accredited by ASQ, RABQSA or IRCA. This training should be supported by arranging for their participation in future audits as an audit team member. This audit should preferably be conducted by an individual who has a current certification as an ASQ CQA or an RABQSA or IRCA Lead Auditor.

Another consideration is to ensure that the Lead Auditor can provide an audit log as evidence of his/her past audit experience. The Lead Auditor should also provide evidence of their continued training to maintain their competency as an Auditor. Another key point is to ensure that the Lead Auditor has a working knowledge of your organization’s product line, processes or services. The importance of using trained and experienced Auditors can’t be overstated.

I hope this helps.

Best regards,
Bill Aston
ASQ Senior Member
Managing Director of Aston Technical Consulting Services
Kingwood, TX
www.astontechconsult.com

For more on this topic, check out these ASQ Resources.

Books:

How to Audit the Process-Based QMS, Second Edition, by Dennis R. Arter, Charles A. Cianfrani, and John E. “Jack” West

The ASQ Auditing Handbook, Fourth Edition, edited by J.P. Russell

The Internal Auditing Pocket Guide, by J.P. Russell

Articles:

Pointed in the Right Direction, by Thea Dunmire

Improving the Internal Audit Experience, by Theresa Wasche