Approved Supplier List



I would like to know how supplier status in the Approved Supplier List (ASL) should be managed so that there is complete traceability. For instance, if a vendor’s status is changed from approved to not approved in the ASL for reasons other than substandard performance which is documented in an audit report, how should QA document such a change to ensure that these changes are tracked? Could QA make changes in the ASL without notifying the Purchasing Department and without any documentation?


Thanks for contacting ASQ’s Ask the Experts program. Concerning your questions about supplier status traceability and ASL management, the following response is provided.

Depending on the number of suppliers involved and the availability of resources, an organization may choose to utilize a single method or a combination of methods to monitor supplier performance and supplier status. These methods may range from using an MS Word document or Excel spreadsheet or an Access database to a multi-user database.

As you are aware, ISO 9001:2008, Clause 7.4.1, requires the organization to establish criteria for selection, evaluation and re-evaluation of suppliers.  This clause also requires records of results of evaluations to be maintained.  This includes any necessary actions taken as a consequence of the evaluations conducted, such as the removal of a supplier from the ASL or changed approval status.

ISO 9001:2008 does not limit a company’s ability to remove a supplier from the ASL.  This is an internal decision based on the company’s established criteria.  So there could be various reasons for removing a supplier from the ASL.  Likewise, with changing a supplier’s status from pending, approved to not approved.  As mentioned, ISO 9001:2008, Clause 7.4.1, requires records of supplier evaluations to be maintained, and any actions taken as a result of the evaluation to be retained.

A primary purpose of the ASL is to ensure the placement of purchase orders or contracts is limited to those suppliers that meet the company’s established criteria for supplier selection, evaluation, and re-evaluation. For this reason, Purchasing must be included in any changes made that may affect their use of the ASL.

Generally speaking, Purchasing is responsible for maintaining and updating the ASL, which includes ensuring the current status of suppliers of products and services is identified. The company’s internal audit process is typically used to assess Purchasing’s conformance with established criteria for supply chain management.

In summary, I would not recommend that changes be made to any QMS process without the involvement of the QMS process owner and management as applicable.  ISO 9001:2008, Clause 5.4.2, sub b., requires top management to ensure that the integrity of the QMS is maintained when changes are planned and implemented.  If changes are made to the ASL, Purchasing should certainly be involved.

I hope this helps.

Best regards,


Bill Aston, Managing Director
Aston Technical Consulting Services, LLC
Kingwood, TX 77339
Office: (281) 359-ATCS (2827) or Toll Free: (888) 968-9891

For more on this topic, please visit ASQ’s website.

ISO 17025 Certified Testing Lab Not Required to Provide Raw Testing Data?



I have sent a sample for testing to a lab which is ISO certified. They have provided me with the test results; however, when I asked them for the raw data to support the testing performed, as well as to keep it on record for future investigational use, the testing lab refused to provide the raw data, stating that “we are not a GMP lab and as an ISO certified lab, we are not obliged to provide the raw data.” They say the raw data could be shown to the regulatory authorities. Is this true?

The contract testing lab we mentioned is certified to ISO 17025.


Since the laboratory is “accredited” to ISO/IEC 17025, it will be useful to review a few relevant passages from that standard (note that the term “certified” or “registered” is usually used for organizations registered or certified to ISO 9001 quality management systems).

ISO/IEC 17025 Clause states:

“The laboratory shall retain records of original observations, derived data and sufficient information to establish an audit trail, calibration records, staff records and a copy of each test report or calibration certificate issued, for a defined period. The records for each test or calibration shall contain sufficient information to facilitate, if possible, identification of factors affecting the uncertainty and to enable the test or calibration to be repeated under conditions as close as possible to the original. The records shall include the identity of personnel responsible for the sampling, performance of each test and/or calibration and checking of results.”

ISO/IEC 17025 Clause 5.10.1 paragraph 3 states:

“In the case of tests or calibrations performed for internal customers, or in the case of a written agreement with the customer, the results may be reported in a simplified way. Any information listed in 5.10.2 to 5.10.4 which is not reported to the customer shall be readily available in the laboratory which carried out the tests and/or calibrations.”

Further, ISO/IEC 17025 Clause paragraph 2 states:

“When a statement of compliance with a specification is made omitting the measurement results and associated uncertainties, the laboratory shall record those results and maintain them for possible future reference.”

The ISO/IEC 17025 accredited laboratories are required to retain test results when they do not report the results on the test certificate (or report) to the customer. A word of caution: The laboratory may have a record retention policy (it should be documented in their quality system per ISO/IEC 17025 Clause Ensure that future record requests are made within the record retention policy period!

In the future, it would be best to specify in the purchase requisition what test data the customer requires from the test laboratory. This forms the basis for a contractual requirement and can be contested legally if the laboratory does not fulfill the customer’s requirements if it accepted the purchase requisition (This would apply to both ISO 9001 registered and ISO/IEC 17025 accredited laboratories).

The laboratory’s other argument about “GMP lab and as an ISO certified lab, they are not obliged to provide the raw data” is not consistent with the requirements of ISO/IEC 17025. The customer should file the refusal to provide data as a complaint to the laboratory under the clauses cited and ask the laboratory for corrective action under ISO/IEC 17025 Clause 4.8 (complaints) and 4.11 (corrective action).

If an ISO/IEC 17025 accredited laboratory refuses to provide corrective action under the requirements stated in this article, it is possible to escalate this complaint to their accrediting body.

Dilip A Shah
President, E = mc3 Solutions,
Technical Director, Sapphire Proficiency Testing Services.
Past Chair, ASQ Measurement Quality Division (2012-2013)
Former Member of the A2LA Board of Directors (2006-2014)


Postponement of Surveillance Audit Due to Force Majeure Event



If a Force Majeure event affects the company during the time that the annual Surveillance Audit was to be done, can the Surveillance Audit be postponed until after the conclusion of the Force Majeure period without losing ISO 9001 certification? Will the impact be 1.) Merely a certificate lapse rectified with passing the re-scheduled Surveillance Audit loss, 2.) Loss of certification requiring the next audit to be a Certification Audit instead of a Surveillance Audit, or 3.) Is it up to the Registrar? In this case, assume the Surveillance schedule delay is only 3 months or less, and the company has an excellent ISO audit track record. Thank you.


Thanks for contacting ASQ’s Ask the Experts program. With regard to the frequency of surveillance audits as well as deferral of an audit as a result of force majeure, it’s important to know that all reputable Registrars or certification bodies (CBs) are accredited by an accreditation body (AB) such as ANAB. This is intended to ensure a consistent approach for issuance of certifications by CBs. To maintain certification the CB may conduct periodic surveillance audits. Registered or certified organizations must be re-certified every 3 years or prior to the expiration date listed on their certification certificate.

Surveillance audits are conducted by the Registrar to verify the organization’s continued implementation as well as the improvement of the effectiveness of their QMS.  Registrars may increase or decrease the frequency of surveillance audits based upon the maturity level of the organization’s QMS.  For this reason, the frequencies that surveillance audits are conducted may vary, but are usually scheduled annually or every 12 months.  Other situations that may affect actual frequency of surveillance audits may be the availability of Auditors or possibly, unusual situations being experienced by the Auditee or organization.

As already mentioned, re-certification audits are required to be conducted every 3 years.  A Registrar typically does not have the authority to extend any organization’s ISO 9001 certification beyond the expiration date as shown on the certification certificate.  I would suggest that the certification contract agreement between your organization and the Registrar be reviewed to determine how conditions of force majeure are to be addressed.  This review should be followed up with a discussion with the Registrar to ensure there will be no impact on your organization’s existing QMS certification.  For more information about surveillance audits and other information regarding certification bodies (CBs) review IAF guidance document “Application of ISO/IEC Guide 65:1996, Issue 3 (IAF GD 2006).  A copy of this document can be downloaded at

I hope this helps.

Bill Aston, Managing Director
Aston Technical Consulting Services, LLC
Kingwood, TX  77339


The Role of an Observer During an Audit



A customer of ours wants to participate as an observer in an upcoming audit. I’ve not been able to find much information about the role of observer – what they can and cannot do.

For instance, I assume that they cannot ask questions during the audit interview process. Does anyone have an appropriate checklist for an observation – list of dos and don’ts?


The auditors should be notified of the presence of the observer in advance. There are times when this may not be allowed, depending on the type of the audit.

The customer should sign a confidentiality agreement on not disclosing any information outside the audit process. The rules should be established as part of this confidentiality agreement.

An observer (customer) may not engage in any part of the audit.

The observer may not interfere in any aspect of the audit (may not inject, provide opinions, argue a finding, speak for or against a finding, use the audit information for a future punitive measure).

If questioned during the audit, the observer should explain the role as observer. Ideally this should be brought to the attention of the auditor in advance.

These basic rules ensure that the audit is not compromised in any way and the customer’s request to witness the audit is conducted in a professional manner.

Dilip A Shah
President, E = mc3 Solutions,
Technical Director, Sapphire Proficiency Testing Services.
Past Chair, ASQ Measurement Quality Division (2012-2013)
Former Member of the A2LA Board of Directors (2006-2014)


Switch from ANSI/ASQ Z1.9 to ANSI/ASQ Z1.4?




We are using ANSI Z1.9 for a dimension test of packaging components. As dimension is under variable, can we switch to ANSI Z1.4? The reason for this is to align with our supplier who is using ANSI Z1.4.

Can you please advise if this switching is acceptable. If yes, what should be taken into consideration like AQL, etc.?


The ANSI/ASQ Z1.4 standard is for incoming inspection of attribute characteristics.  As your measurement is a variable measurement, it is appropriate to use ANSI/ASQ Z1.9.  Both plans are indexed by AQL, but have different sample size requirements based on the level of protection you are looking to maintain.  I assume your real question is can you switch from a variable plan (Z1.9) to an attribute plan (Z1.4) for your inspection to align with your supplier’s use of Z1.4.   Though I do not believe harmonizing with the supplier’s use of Z1.4 for your acceptance testing is necessary, it is possible to use Z1.4 by redefining the variable measurements as either good or no-good.  Choosing to move to Z1.4 from Z1.9 will increase your sample size for the same level of protection and same lot size.  For example, a lot size of 5000 would have a sample size of 75 in Z1.4 and 200 for Z1.4 for a General Inspection Level II plan.  Both plans give approximately the same AQL and LTPD, though the Z1.4 will require 2.67x more samples.

Steven Walfish
Chair Z1, U.S. TAG to ISO/TC 69
Staff Statistician, BD


“As Received/As Found” Condition Requirement in ISO/TS 16949?



It’s been mentioned to me by several people that TS 16949 requires that the “as found” (sometimes known as the “as received”) condition is required to be documented on calibration certificates. However, I’ve read 7.6.2 several times and I can’t find where it requires that.

Can you point me to the section that is being understood to mean the “as found” must be included?


Thank you for your question.

Although recording the as-received readings over the range of calibration is a best practice, it is not required by ISO/TS 16949.  Clause 7.6.2 – Calibration/Verification Records requires only that “records……shall include, any out-of-specification readings as received for calibration/verification.” Therefore, “as found” readings are only required to be recorded if they are out of specification. If they are within specification, they are not.

Denis J. Devos, P.Eng
Fellow of the American Society for Quality
Devos Associates Inc.
Advisors to the Automotive Industry


Using White Out on Controlled Documents



During our certification for AS9100C the auditor found some documents with correction liquid that we have used for years. We have prohibited the use of any type of correction on all processes company wide.

It is common that during the prototype stage we perform dozens of changes due to the differences between the calculating/design program (electrical) and what happens in real life. During those adjustments we manually change circuits, values, etc. from the original version with white-out tapes (before, it was liquid paper). Once the prototype works, those changes are incorporated as “Initial release” in the package that goes out for manufacturing. Do you guys see any problem using white out tape / correction tape on the controlled copies during prototype stage? My point is that the original values are recorded on the originals that will be obsoleted and the new ones on the initial release, keeping the controlled copies marked as records of the prototype.


Thanks for contacting ASQ’s Ask the Experts program.

With regard to your inquiry, changing the documented results of inspection or test activities should be avoided or at least strictly controlled.  This is of special importance if these records are intended to provide evidence of product or process conformance.

However, prototype test results, which may be subject to frequent changes during preliminary inspection or test activities, don’t require the same level of control. These results are usually intended for informational purposes only and not for final acceptance of a process or product.

Bill Aston
ASQ Senior Member
Managing Director of Aston Technical Consulting Services
Kingwood, TX

Nonconformance Versus CAPA Requests



I need advice on the use of Nonconformance versus Corrective Action/Preventive Action (CAPA) Requests. I understand and have tried to communicate the low risk and high risk definitions to staff with some understanding. In reporting nonconformances, some evolve into a root cause analysis, which is a positive direction but thought to be a requirement of a Corrective/Preventative Action. Nonconformances are logged on a report and reviewed periodically. CAPA Requests are more elaborate; logged and reported on a metrics with continuous review.


My answer may seem lengthy but I feel defining things is important. First, here is part of a memo I put together for one company.

ISO terminology and definitions – Corrective action/Preventive action

Some people experience confusion over the differences between corrective and preventive action.

We know that corrective actions are taken to remove the causes of existing nonconformities.

If the nonconformity is detected during production, immediate corrective action is taken to eliminate the problem. In other words, we fix what went wrong. We take preventive action to ensure the same problem does not happen again. However, this is still corrective action because it is based on solving a problem that has already happened.

We might use documents or electronic forms to report/record such actions. Here, caution is advised. For example, if a machinist turns a part undersize, immediate corrective action is taken to fix the mistake and further action is taken so it doesn’t reoccur on subsequent parts. If the original “bad” part was scrap and we record that as a non-conformance in our documentation, with the corrective action noted, we might then close that record. We might then request a follow up with preventive action. That would be a mistake.

Note: Not every problem or non-conformance requires a corrective action. This is determined on a case by case basis, usually by a manager. Each case is different.

Example: A welder accidentally causes weld spatter to fly into a tapped hole. The welder cleans out the B-B’s, re-taps the hole and moves on. Generating a non-conformance form should not be necessary in this case as no product was scrapped or made nonconforming.

Now, let’s say an employee sees a potential problem.

Example: The employee notices the jaws of a turning center are showing very obvious/significant run-out.

This could potentially result in nonconforming product. This is a good case for preventive action. A change request could be generated and when the action is taken, it can be followed up on (verified) and recorded in the appropriate format. In most cases, over an entire year a company will record very few Preventive Action Requests (PARs). However, that same organization will register numerous Corrective Action Requests (CARs). This is the normal rhythm of things and is what we strive for.

Here are a few definitions for your files. The following Terms and Definitions are taken from ISO 9000:2005:

Preventive action: Action to eliminate the cause of potential nonconformity or other undesirable potential situation.

NOTE 1 There can be more than one cause for a potential nonconformity.
NOTE 2 Preventive action is taken to prevent occurrence whereas corrective action (3.6.5) is taken to prevent recurrence.

Corrective action: Action to eliminate the cause of a detected nonconformity or other undesirable situation.

NOTE 1 There can be more than one cause for a nonconformity.
NOTE 2 Corrective action is taken to prevent recurrence whereas preventive action (3.6.4) is taken to prevent occurrence.
NOTE 3 There is a distinction between correction (3.6.6) and corrective action.

Correction: Action to eliminate a detected nonconformity.

NOTE 1 A correction can be made in conjunction with a corrective action (3.6.5).
NOTE 2 A correction can be, for example, rework.

I hope this has been helpful.

Bud Salsbury
ASQ Senior Member, CQT, CQI

Additional ASQ Resources:

Form by Design
Using flowcharting techniques for robust form design
by Lance B. Coleman

Corrective Action Challenge
How to construct a robust problem-solving process
by R. Dan Reid

CAPA for the FDA-Regulated Industry (book)
Abstract: Medical devices, biopharmaceutical, and traditional drug manufacturing companies devote an important part of their resources to dealing with incidents, investigations, and corrective and preventive actions. The corrective and preventive action system is known as the CAPA system. It is second to none in terms of frequency and criticality of its deviations, and most of the regulatory actions taken by the FDA and foreign regulators are linked to inadequate CAPA systems. This guidance book provides useful and up-to-date information about this critical topic to thousands of engineers, scientists, and manufacturing and quality personnel across the life sciences industries.

Understanding and improving the CAPA system as a whole is the focal point of this book, the first of its kind dealing exclusively with this critical system within this highly regulated industry. By helping those in this industry improve their CAPA systems, it will be a crucial aid in their mission of producing safe and effective products.

ISO/TS Exclusions



I have a question regarding exclusions from the ISO/TS standards.

The majority of our business is the design and manufacture of enclosure hardware.  Recently though, a small portion of our business has become the sole North American Distributor for an Italian company. Their product lines are similar to ours. However, we procure their products and simply resell/distribute to their customers stateside, to Canada and Mexico. We do not have Design or Process Control for these items; they are pass-through product.

Therefore, my question is related to permissible exclusions from the ISO standard. Should we seek exclusions regarding certain clauses of Clause 7 of the standard, for this certain “supplier”, and/or for certain product groups that are sold on their behalf?

Response (Answered by Bud Salsbury):

At first, your question seemed relatively uncomplicated and I am inclined to say that you can simply sell or provide the products in question with a disclaimer or something identifying the fact that your company is not the designer/manufacturer of the product.  My company occasionally has purchased parts inserted into or added to the products made. Like bushings or threaded inserts, etc. We don’t have to add anything to our QMS for those as long as those items meet regulatory and statutory requirements.

However, I should mention, the standards make it clear that exclusions are permissible if “such exclusions do not affect the organization’s ability or responsibility to consistently provide product that meets customer and applicable statutory and regulatory requirements.”

Therefore, stepping away from the initial ‘simple’ answer, I would say that such exclusions would not be permissible. This is due to the fact that your organization is ultimately responsible for meeting customer requirements. Although you do not design or manufacture that specific product, you provide, and are responsible for what the customer requests.

You are also responsible for seeing to it that the OEM is meeting customer as well as any statutory or regulatory requirements. This would be of particular importance if these are electrical enclosures or intended for hazardous services, such as NEMA 7 (explosion proof enclosures).

Since you already design and manufacture your own products and have the Clause 7 included in your QMS, it would be counterproductive to add more documentation to exclude what you have mentioned. It would be wise to notify customers up-front, in the sales/purchase order process, that the product you are distributing is from a separate company.

Thanks much for this good question.

Bud Salsbury
ASQ Senior Member, CQT, CQI

Follow Up Questions:

• IF there were permissible exclusions allowed, WHO would need to ‘approve’ these or ‘allow’ them to be exclusions?  Would that be the registrar or someone else?

• IF there were permissible exclusions, would it be stated/depicted on the actual Certificate as such or only noted in the quality manual, for example?

• IF there were permissible exclusions, would it be an exclusion of the ISO CLAUSE?  And/or PRODUCT?  And/or  SUPPLIER?

• Currently we list “the design and manufacture…” in our scope.  Would we need to revise the scope to include ‘distribution’?

Response (Answered by Denis Devos):

Thank you very much for your question and your follow up.

In further response to your original question – if you are in the automotive industry, you will still be obligated to provide a Level 3 PPAP (as a default) to your customer for the product you are purchasing and reselling; whether you are design and process responsible or not.

Permissible exclusions are only granted for Clause 7.3 Product Design.  Per TS 16949, you cannot be excluded from the requirements of Clause 6.3 related to process design.    You can declare this exclusion yourself in your Quality Manual and your registrar will validate your claim during your registration audit.   The exclusion will appear on your registration certificate.  You can only be excluded from Clause 7.3 Product Design, (not process design).

Under TS 16949, you cannot exclude products from your registration if they are being sold to the automotive industry.   Sometimes, a registrar will permit only a portion of your business to be registered and that would be reflected in the scope on your certificate:  Check with your registrar.   You cannot be exempted from any requirements related to supplier management, such as Clause 7.4.

Yes, you will likely have to include “distribution” in the scope of your registration; check with your registrar.

I hope this sufficiently answers your follow-up questions and you find this advice helpful.  If you need anything further, please don’t hesitate to contact us.

Best Regards,

Denis J. Devos, P.Eng
ASQ Fellow
Devos Associates Inc.
London Ontario


Method of Using Gauge Pins


We recently received a complaint from a customer who claims a diameter hole is oversize. The method of gauging the diameter is with minus gauge pins.  The part is a plastic molded part (the material used is PBT). The diameter is .150 +.004 /-.002.

The method question is we do not force the maximum pin in the part, we use the weight of the pin to fall into the opening using no hand force pressure except to guide the pin over the opening.

Our customer is using a method of hand pressure to force the maximum pin in the diameter opening.  If the gauge pin begins to enter they continue to try and force the pin and record the hole as oversize.

Are there any instructions on the proper method for using gauge pins in regards to hand pressure, force entry, and gauge pin weight?

Thank you.


This is a question that comes up often.  To begin with, let me say that a gauge pin should never be forced into a machined hole.  The largest pin that can be fully inserted and extracted using only light finger grip on the sides of the gauge is what will determine the hole size.

Most gauge pins used in industry today are Class Z. These can be either “Plus” or “Minus” pins.  Those most commonly used are the Minus pins.  They are tolerance up to -.0002”. Therefore a .9998 gauge pin might be actual size but it is generally referred to as a 1.000” pin (The size shown on the pin).

It is common practice in American industry to use a GO/NOGO pin set up. The size you mentioned, .150 +.004/-.002 would require a GO pin of .152 and a NOGO pin of .154. If the NOGO pin will not fit but the GO pin can be fully inserted without interference, the part is acceptable on the low end of the tolerance. If the NOGO pin fits without interference, then the hole is oversize and the part should be rejected. To touch on that just a little further, keep in mind, if you have a 1.000 hole, a 1.000 pin cannot be inserted into it. That would be a size-on-size interference fit. However, a 1.000 Minus pin might slip in without difficulty.

One other thing to keep in mind is the surface finish of the holes. A hole that is out-of-round could also introduce fit problems.

The Machinery’s Handbook shows the American National Standard Tolerances for Plain Cylindrical Gauges.  However, there really is no documented standard (that I am aware of) which tells you how tight or how loose a gauge pin should fit.  The common practices noted above should help you there.

You mentioned that “if the gauge pin begins to enter they continue to try and force the pin”.  It is not uncommon for the beginning of a machined hole, or a hole in an injection molded product to be slightly larger near the surface.  Various machining and/or molding practices would eliminate that.  Yet, it is the ‘full’ insertion and extraction of a pin, without forcing, that determine acceptance criteria.

Thank you for the good question.

Bud Salsbury, CQT, CQI