ISO 9001: 2015 Clause 8.3.4 and Product Design

 

PLCs, programmable logic controllers

Question

My company is implementing ISO 9001:2015 and my question is regarding Clause 8.3.4 d. Our company designs product for only 20% of our customer base. We do not have a validation process. We do send a prototype to the customer to test the part for a period of time to approve the design. In determining the scope of our organization, can we exclude the validation process and still become ISO 9001:2015 certified?

Answers

From John Surak:

This organization is involved in product design.  Therefore, the product design cannot be excluded.  However, the organization needs to review the validation clause.  8.3.4d states the following:   “validation activities are conducted to ensure that the resulting products and services meet the requirements for the specified application or intended use.”  It should be noted that neither 8.4.3d not the validation refences in ISO 9001 do not prescribe a method on how to conduct validation.  It would appear that the company has some sort of process they use to develop the prototypes.  This process should be codified or documented so that it is done in a consistent manner and in a way to ensure that the customer needs are met.

John G. Surak, PhD

From George Hummel:

Basically, you are outsourcing validation.  Therefore, you need to control that process per 8.4. I would not accept the exclusion. In the future, you may have a customer that requires you to do the validation. However, the final answer would be provided by your certification body.

Click here for more resources about ISO 9001: 2015.

 

 

 

Calibration Questions

Automotive inspection, TS 16949, IATF 16949

Question

I work at a hydraulic cylinder manufacturer. The company has homemade thread and ring gages in house that we are using for production that are not sent out for calibration but have a homemade master that is used to check them with once a year which does not get sent out either. I have been here 6 months and am thinking these gages and masters are a violation of ISO. Am I correct?

Answer

The short answer is yes. The intent of ISO 9001:2015’s subclause 7.1.5 is to ensure that your company determines and provides suitable resources to ensure valid and reliable monitoring and measuring results, when evaluating the conformity of your products; and 7.1.5.2’s that is to ensure that your company provides measurement traceability when it is a requirement or when your company determines it to be necessary to have confidence in the validity of the measurement results. It seems that your practice for controlling the homemade thread and ring gages cannot fully fulfill those purposes. This is how I would address the situation:

  1. Assign a unique identifier to each homemade thread and ring gage. Maybe you can do that through your Document Control process.
  2. Ensure that those gages are protected from deterioration or damage when they are not in use.
  3. Have the homemade master measured by a service able to provide you with reliable certified measurements. That will make that gauge traceable to national or international standards. It will also allow you to demonstrate that the piece is fit for its intended purpose.  That means, you will be able to use this piece as the standard during the in-house calibration of the rest of the gages.
  4. Conduct an “in-house calibration” of each gage you use in production. You will need to issue an in-house calibration certificate for each one of those pieces, indicating on those documents how you achieve traceability to NIST or equivalent. If possible, identify the error for each one of those individual measurements you perform during calibration. Do not forget to include a statement indicating that the gauge was found suitable/unsuitable for use. That will demonstrate that each gage is fit for its intended purpose.
  5. Include ALL the gages in your calibration program. Make them subject to all the applicable provisions of your Quality System.

This approach will allow you to demonstrate that your thread and ring gages are properly controlled and maintained. If controlling those gages has not been an issue in the past, there is no guarantee that the situation will remain the same in the future. That is managing risk 😉

Aura Stewart

For more information about calibration, please see the resources here.

ISO Requirements or Good Documentation Practices?

 

Calibration

Question

Are these standard for ISO or just good documentation practices?

1. All entries, except IPQA, should be made with blue ball pen in clear and legible handwriting.
2. IPQA entries shall be done in black ball pen.
Answer

I can sense what it is happening at the place where this question originated. In the past, I saw a company where the person in charge of the Quality System was saying “this is a ISO requirement” to enforce what in this person’s opinion was a best practice. Nobody questioned those statements because “it is an ISO requirement”. So, the answer to the question is, those are best practices, not ISO requirements. Please see below the ISO 9001:2015’s clause pertaining to this question.

7.5.3 Control of documented information

7.5.3.1 Documented information required by the quality management system and by this International Standard shall be controlled to ensure:

  1. a)       it is available and suitable for use, where and when it is needed;
  2. b)       it is adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity).

7.5.3.2 For the control of documented information, the organization shall address the following activities, as applicable:

  1. a)       distribution, access, retrieval and use;
  2. b)       storage and preservation, including preservation of legibility;
  3. c)       control of changes (e.g. version control);
  4. d)       retention and disposition.

Documented information of external origin determined by the organization to be necessary for the planning and operation of the quality management system shall be identified as appropriate, and be controlled.

Documented information retained as evidence of conformity shall be protected from unintended alterations.

NOTE  Access can imply a decision regarding the permission to view the documented information only, or the permission and authority to view and change the documented information.

As you can see, no reference to any ink color whatsoever. Legal documentation tends to be completed by using blue ink to differentiate originals from Xerox copies. However, today’s technology allows us to have color copies.

Regards,

Aura Stewart

ISO 9001: 2015 Clause 8.4.3

Mr. Pareto Head and Supply Chain comic strip

Question

It’s not clear to me who an external provider may be. Could it be an electrical contractor, a lunch truck, a caterer, or other similar? That thinking is tremendously different than just the traditional “supplier” which is what this company has using been for many years. So there’s that concern. Also, advising our external providers what equipment to use, how to use it and how to train their people? Is that really what’s said here? That would require tremendous knowledge in our organization that most likely is not here. What exactly is being said here? I’m a little confused how to address this requirement. Finally, section (e): we must communicate to the external provider how we are going to measure them? Can it be done through email, or phone, or what is a common method for meeting the requirement? Thanks much.

Answer

Who is an external provider?

ISO 9001:2015, 8.4.1 states, the organization shall determine the controls to be applied to externally provided processes, products and services when:

  1. products and services from external providers are intended for incorporation into the organization’s own products and services;
  2. products and services are provided directly to the customer(s) by external providers on behalf of the organization;
  3. a process, or part of a process, is provided by an external provider as a result of a decision by the organization.
    1. Refers to a product that becomes part of your product; for example, a bolt incorporated into a seat assembly. You purchase these.
    2. Refers to a product that is “dropped shipped” to a customer. Think of an Amazon purchase where the product comes from a second party under the Amazon logo.
    3. Refers to a process that is outsourced as a result of the organization’s decision to have the process managed externally. For example, the heat treating of a part where the part needs to be heat treated but the organization does not have that process internally.

Therefore, an electrical contractor, a lunch truck, etc. are not included since they are outside the scope of the QMS.

Secondly, “advising our external providers,” refers to the type and extent of control.  Will you perform 100% incoming verification, or require material certifications, or require certification to a quality management standard? In certain instances, you may want to specify the equipment or training an external provider must implement.  For example, for outsourced welding, your requirement might be that welders are certified by the American Welding Society or your calibration company be accredited to ISO 17025.

How will you measure an external provider?  It can be on-time delivery, responsiveness to requests, PPM targets.  Communicating the measurement (8.4.3 e) is related to 8.4.1, “retain documented information of these activities and any necessary actions arising from the evaluations”.  Therefore, a record must be retained.

George Hummel

ISO 9001: 2015 Clauses 4.1 and 4.2

Question

Let’s start with clause 4.2. What level of detail is required here? Is “supplier” or “customer” sufficient, or is it required to drill down from there to specific suppliers or customers? We have hundreds of suppliers and many more customers. Regarding 4.1, thinking about working this from the bottom up. Each Leader (supervisor, manager, director) will review processes under their control and identify issues related to those processes. Those processes can have internal and externally related issues. It’s the hope (plan) that this approach will cover all relevant issues (internal & external) that would impact our ability to meet the needs of the QMS -and- meet the needs of the interested parties (we are adding a column that identifies which interested party would be affected by the issue). As a side note, we’ll also do our risk analysis on all of the noted issues and roll the top items into the CAR/CI process. I feel I may be missing something with this approach, but it seems to mostly meet the requirements of 4.1 and 4.2.

Answer

4.2:  What level of detail?  The standard states, “the organization shall determine:

  1. the interested parties that are relevant to the quality management system;
  2. the requirements of these interested parties that are relevant to the quality management system. The organization shall monitor and review information about these interested parties and their relevant requirements.  [emphasis added]

Is “supplier” or “customer” sufficient?  It would be if all had the same requirements.  Assuming that they do not, you are required to “drill down.”  Customer satisfaction cannot be achieved unless you understand the individual requirements and monitor and review those requirements (which are an input to Management Review).

Furthermore, the list of interested parties goes beyond “customers & suppliers.”  Owners, employees, regulatory agencies, financial institutions, etc. to name a few have requirements as interested parties. These need to be addressed, as well.

“We are adding a column that identifies which interested party would be affected by the issue.” This is a good approach if the requirement is also addressed and you go beyond customer and supplier.

“Regarding 4.1, thinking about working this from the bottom up.” Once again, the standard states, “The organization shall determine external and internal issues that are relevant to its purpose and its strategic direction…”

The key in this requirement is “strategic direction.”  If from working from the bottom up, you ultimately tie these external and internal issues to the organization’s strategic direction, there should not be a problem.

Be aware that your approach will not be familiar to your auditor.  In that case, you will need to fully explain your approach.

George Hummel

Relocation Requires Audit?

Question

One of my contract manufacturers who is ISO 9001: 2008 certified, submitted a Supplier Change Notice to relocate their factory to a new site/location. This will trigger many activities including re-qualification, etc. My question is, for their ISO 9001 certificate, do they simply refresh their company location / address in their ISO 9001 certificate with the Notified Body or they actually need to go through a full scale quality system audit by the NB?

Answer

Yes. They do need to have a full scale audit. The reason is very simple, a business is a system. When you change the environment, you alter that system. A full audit will be an adequate representation of the scope and magnitude of the change, and will indicate if this supplier is still a reliable manufacturer. Think about your most recent home move, the family is the same, your belongings are the same; however, everything is different at the same time.

Aura Stewart

Quality Progress’ Standard Issues Column

ASQ Members: please find Quality Progress’ latest Standard Issues column here about ISO 9001: 2015 and top management. You must be logged in to view the column.

And at this link, ASQ members may find additional articles published in Quality Progress about this updated standard.

Not an ASQ member? Consider joining.

Customer ISO Status In Jeopardy?

Question

My customer wants to get ISO 9001:2015 certified. He refuses to create a first-article, in-process, and final-inspection report. He has a router sheet that has a tiny space for final inspection brief information and the operator’s initials; no inspection data is available.
In his quality manual and processes he addresses “Time Studies” and “Statistical Process Control” but he refuses to record his inspection data because this “complicates and delays” his production. I told him this is a weakness in his QMS but he says it’s not. Will this issue jeopardize his ISO certification?

Answer

I would ask how the organization could present objective evidence with the requirements of Clause 8.5.1 including  – ‘shall implement production and service provision under controlled conditions.’

Charlies Cianfrani

Special Process NCRs During Audit

Question

Recently one of our business units had an ISO 9001: 2008 audit and during the audit they received a couple NCRs on welding as a special process.
One of the NCRs was “Some welders are not qualified prior to welding on product.”
As a matter of fact, our company has developed its own qualification program based on the our needs consisting of the following steps:
– The minimum requirement of least 2 years or more experience as a welder before starting the job.
– In class training for weld specifications, blue print reading, equipment, weld supplies, visual acceptance/ rejection criteria and equipotent TPM program conducted by our QE.
– Hands on exam – the result of this test is reviewed by a QE and weld supervisor without performing any bend test, pull test or other types of DT.
– Annual recert. program based on a written exam and weld coupons visual inspection results.

The CB auditor is asking us to send the coupons out to a certified lab for bend testing or having all the welders certified by AWS. Is that required per ISO 9001? As a side note, every time we design and develop a new model we conduct all types of crash tests, FEA and durability testing in design validation phase.
Answers

From George Hummel:

I would not accept the auditor’s comments.  He/she is consulting.

From Charles Cianfrani:

No. It appears that the CB auditor is adding requirements. The organization has a process, and if it is effectively implemented that should be satisfactory evidence of conformity.