Employee Qualification Audit

 

Question

I am a Quality Assurance GxP Auditor and I am being told that I cannot perform an employee qualification audit.  I am being told that CV/resumes, job descriptions, and training records are confidential and my viewing them would violate an employee’s privacy.  If this is true, how do I prove to my client that the company has qualified personnel?

On the same note, is this also true of an internal or 1st party employee qualification audit where my own company would want me to verify the qualifications of our employees to ensure they meet international FDA/ICH guidelines?

Response

Thanks for contacting ASQ’s Ask the Experts program.

With regard to your question, maintaining confidentiality can be a major concern for the employee, organization and the Auditor.  For this reason, the review of employee files containing private data such as social security numbers, banking, personal contact or other sensitive information should be avoided if possible.

This not only maintains employee privacy, but also reduces the Auditor’s level of exposure to potential liabilities.

So now the question is: how can the Auditor verify employee qualifications and experience? Remember that there is no requirement for an Auditor to review job applications, CV/resumes, or other confidential information.

It’s the organization’s responsibility to provide the Auditor with objective evidence that they have established job descriptions for employees performing work activities that affect the quality of the product or services to be provided to the customer (ISO 9001:2008, clause 6.2.1).  This includes providing evidence that the employee’s qualifications, skills, education and any applicable certifications have been verified to meet job description requirements or the need for training has been established to ensure job description requirements are met (ISO 9001:2008, clause 6.2.2, sub. a, b and c).

As you are aware, a job description may be considered as proprietary, but they are seldom considered as private since they don’t contain any personal information.  Some organizations may require that a nondisclosure agreement (NDA) be signed to protect proprietary information such as engineering data, drawings or other methods related to product realization processes.

A record of an organization’s review and verification of employee qualifications should be readily available.  Likewise, training and applicable certification records should be available to provide objective evidence that qualification and/or competency requirements have been met (ISO 9001:2008, clause 6.2.2, sub. e).

Bill Aston
ASQ Senior Member
Managing Director of Aston Technical Consulting Services
Kingwood, TX
http://www.astontechconsult.com

Lead Auditor Qualification

Question

My manager and I have a question about internal lead auditor and auditor qualification. As stated in section 8.2.2 of ISO 9001:2008, “the organization shall conduct internal audits at planned intervals to determine whether the quality management system…”

Our question is do internal lead auditors and auditors have to be certified by an organization or trained by a certified lead auditor? May a person read ISO 19011:2011 and with his/her experiences in his/her field then perform audit tasks as stated in section 8.2.2 of ISO 9001:2008? If yes, would an ISO registrar consider it to be a non-conformance finding?

Thank you in advance for taking time to answer our question.

Response

Thanks for contacting ASQ’s Ask the Experts program.  With regard to your question, it is important to know that ISO 9001:2008 does not prescribe any specific requirements for the qualifications of persons conducting QMS audits.  ISO 19011:2011 provides guidance, not mandatory requirements, for determining Auditor qualifications.  As you are aware, an internal audit is one of the most valuable tools that an organization has to determine the effectiveness of its quality management system as well as to identify opportunities for improvement.

For this reason, it is essential that the personnel or consultants used to conduct audit activities have the qualifications and experience needed to provide these services.  As a minimum, I would suggest that your internal audit personnel attend Auditor classroom training accredited by ASQ, RABQSA or IRCA.  This training should be supported by arranging for their participation in future audits as an audit team member.  This audit should preferably be conducted by an individual who has a current certification as an ASQ CQA or an RABQSA or IRCA Lead Auditor.

Another consideration is to ensure that the Lead Auditor can provide an audit log as evidence of his/her past audit experience.  The Lead Auditor should also provide evidence of their continued training to maintain their competency as an Auditor.  Another key point is to ensure that the Lead Auditor has a working knowledge of your organization’s product line, processes or services.  The importance of using trained and experienced Auditors can’t be overstated.

I hope this helps.

Best regards,
Bill Aston
ASQ Senior Member
Managing Director of Aston Technical Consulting Services
Kingwood, TX
www.astontechconsult.com

ISO 9001 Cost of Implementation

Question:

What are the estimated costs of implementing ISO 9001?

We are a company of five divisions, Contract Manufacturing, Structural Fabrication (AISC & ASME cert), Steel Service Ctr, Rebar (CRSI cert) & Metal Castings. We employ approximately 200 people and operate out of two facilities. Our Metal Casting division is a separate location from our other operations. I am trying to generate an ROI and a time frame of implementation.

Answer:

Thank you for contacting ASQ’s Ask the Experts program.  This is an excellent question and one that is often asked by companies that are considering ISO 9001:2008 certification.  In order to accurately estimate those costs that will be associated with obtaining ISO 9001 certification, the following approach should be considered:

The first step should include contacting a Registrar to identify the following:

  1. Cost of application fee.
  2. Cost associated with conducting required stage 1 and stage 2 audits for ISO 9001 certification.
  3. Hourly and per day rates charged for offsite and onsite audit activities.
  4. Administrative fees, if any.
  5. Travel time costs (minimum and maximum daily charges).
  6. Other associated costs for airfare, hotel, meals and car rental.
  7. Frequency and cost for surveillance audits to maintain certification.
  8. Cost for quality management system re-certification.

Discuss your company’s plans and timeline with the Registrar to obtain QMS certifications at separate locations.  There may be an opportunity to share or save costs.  As an example, consider establishing a single corporate quality manual and QMS procedures that will be common to both facilities.  Also discuss the availability and location of potential Auditors that the Registrar may assign to your facilities, usually the closer they are, the better.

In addition to determining the Registrar’s costs, it is equally important to determine the Registrar’s certification requirements.  Some require that at least four (4) months of records be available to provide evidence of conformance and implementation of the QMS. Consider contacting a couple of Registrars, and compare their costs and requirements. Another important point is to select a Registrar that is familiar with your industry or business sector.  Be picky and ensure that the Registrar can assign an Auditor that has past experience that relates to your QMS processes or product line.

Step number two is to determine the availability of in-house expertise that will be required to develop and implement a quality management system for certification.  If these activities are going to be outsourced, contact an experienced QMS consultant and request that a quote for a gap analysis be provided.  Do your homework before selecting a QMS Consultant!  Contact a few QMS Consultants, compare their rates and request contact information for past clients, or other references, to verify their experience and reliability. Again, select a Consultant who has past experience with your industry, processes and/or product line.

Confirm that the results of the gap analysis will document all areas that meet certification requirements as well as those that do not, preferably by clause number.  The results of this gap analysis will be used by the Consultant to estimate the number of the man-hours that will be required to develop and assist with the implementation of the QMS for certification.

The bottom line is that the cost to obtain ISO 9001 QMS certification cannot be effectively estimated without knowing these four (4) items:

  1. The Registrar’s cost for ISO 9001 registration.
  2. The company’s current level of conformance with ISO 9001 requirements.
  3. The amount of resources that the company will dedicate to this project for development and implementation.
  4. The amount of support that will be required from a Consultant and the associated costs.

The following link to a flow chart provides a general overview of the ISO 9001:2008 QMS certification process.

ISO9001.2008.Cert.Process

I hope this helps.

Best regards,

Bill Aston, Managing Director
Aston Technical Consulting Services,
Kingwood, TX
Website: http://www.astontechconsult.com
email: quality@astontechconsult.com

Gap Analysis Vs. Pre-assessment for a Standards Audit

Question:
Can you clarify the difference between a gap analysis and a pre-assessment in relation to an activity that takes place prior to the full compliance audit? It is my understanding that a gap analysis compares something against a set performance level or standard requirement and an assessment is the collection and analysis of information to determine the projected compliance of an organization to a standard. Both provide the answer of what is missing, but the gap analysis also provides information on where an organization wants to be without going so far as to tell the organization how to get there (consulting).

Response:
Thanks for contacting ASQ’s Ask the Experts program. With regard to your question, the primary difference between a gap analysis and a pre-assessment is that a gap analysis applies to management systems such as ISO 9001:2008, ISO TS29001 or others. A gap analysis is typically the initial step in the QMS certification process. It is used to identify areas within a quality management system that do not meet defined requirements for certification. This can include processes, persons or product. The results of the gap analysis are based upon objective evidence, such as records reviewed, interviews conducted and observations made, to evaluate an Auditee’s conformance with requirements.

A pre-assessment is usually the initial phase of the accreditation process. A pre-assessment, or a practice assessment, is conducted prior to a conformity assessment to identify areas that must be improved or corrected before accreditation can be obtained. Unlike a compliance audit where the Auditor verifies conformance based upon objective evidence as mentioned earlier, an Assessor is also focused on assessing an organization’s competencies and performance of required tasks, such as measurement of uncertainty (MU), metrological traceability and proficiency testing (PT) as defined by ISO 17025:2005 and referred to by some as the “big three”.

A commonality shared by a gap analysis and a pre-assessment is that they both identify nonconformities or gaps between what exists and what is required by the standard or other defined criteria.

As you are aware, “gap analysis” and “pre-assessment” are not interchangeable terms. A gap analysis is associated with QMS certification or registration as issued by a Registrar and pre-assessment or practice assessment is associated with an activity performed prior to conducting a conformance assessment for accreditation. ISO 9000:2005 and ISO 17000:2004 provide vocabulary and terms for ISO 9001:2008 and ISO 17025:2005 quality management systems, respectively. Additional vocabulary and terms, as applicable to ISO 17025:2005, are provided in ISO/IEC Guide 99:2007, International Vocabulary of Metrology.

I hope this helps.

Best regards,

Bill

Bill Aston, Managing Director
Aston Technical Consulting Services, LLC
Kingwood, TX 77339
Website: www.astontechconsult.com

Can We Require ISO 9001 Certification?

Q: My company has bought another company in Canada and we are outsourcing to them. They are not certified to ISO/ANSI/ASQ 9001:2008 Quality management systems–Requirements.  Do we have the legal right to require them to get certified since we are?

A: Thank you for contacting the ASQ Ask the Experts Program.  With regard to your question, there is no requirement in ISO 9001 that requires any organization or their suppliers to be certified by a third-party. Certification is only needed if it’s required by a customer contract/purchase order, or if an organization has opted to be ISO 9001 certified.

However, as an ISO 9001 certified organization, your quality management system must include controls to maintain control over outsourced processes. This requirement is stated in clause 4.1. The control over outsourced processes may include all or any of the following:

1.    Use of an approved suppliers list (see clause 7.4.1)

2.    An onsite supplier quality audit (see clause 7.4.3)

3.    Review and approval of equipment, processes, procedures, methods, and personnel qualifications for processes that require validation such as welding, nondestructive testing, heat treatment or others (see clause 7.5.2).

In summary, ISO 9001 certification is a management decision and not a requirement.  Organizations that follow the ISO 9001 requirements and have outsourced processes should have controls in place to manage those processes.

I hope this helps.

Bill Aston
ASQ Senior Member
Managing Director of Aston Technical Consulting Services
Kingwood, TX
www.astontechconsult.com

Related Content:

Imaging Core Lab Takes Quality Beyond Regulatory Requirements With ISO 9001, ASQ Knowledge Center case study, open access

Medical Metrics Inc. (MMI) had an existing quality management system structured to meet FDA regulations, but it was missing a framework to help drive organizationwide improvement. MMI worked with an external consultant to create an integrated management system—a fusion of regulatory requirements with the ISO 9001 framework—and received certification to the standard in less than seven months.

Sarbanes-Oxley And ISO 9000, Quality Progress, open access

Critics say ISO 9000 doesn’t compare favorably to quality programs such as the Baldrige criteria, lean and Six Sigma. But ISO 9001’s emphasis on documentation is a major asset from a legal perspective. Quality professionals can help companies comply with Sarbanes-Oxley while enhancing their organizational status.


Rescheduling an ISO 9001 Surveillance Audit

Q: Our organization had its last external (third party) audit in December 2011 for ISO 9001:2008 — Quality management systems — Requirements. We planned to have our next audit the week of November 26, 2012, but the auditor has become ill and cannot come at that time.

Do we need to have our surveillance audit within one year of the last audit? I am considering rescheduling for the first quarter of 2013.

A: Thank you for contacting ASQ’s Ask the Experts.  With regard to your inquiry, surveillance audits are usually conducted by most registrars on an annual basis.  Your registrar has complete responsibility for ensuring the availability of their audit staff to conduct these audits as they are required.

In the event that no other auditors can be provided by your registrar, it would be their responsibility to ensure the audit is rescheduled to another mutually agreed upon date and, if necessary, extend your organization’s ISO 9001:2008 certification status as appropriate.

Your organization’s ability to maintain an active QMS certification status should not be dependent upon the availability of the registrar’s auditor.  I recommend that you contact your registrar to confirm the next date for your surveillance audit.

I hope this helps.

Bill Aston
ASQ Senior Member
Managing Director of Aston Technical Consulting Services
Kingwood, TX
www.astontechconsult.com

Related Content:

ISO 9000 and Organizational Effectiveness: A Systematic Review, Quality Management Journal, open access

The authors conduct a systematic review of empirical studies of the ISO 9000 standard’s impact. Most of the reviewed studies focused on positive impacts. This review highlights the need for more critical and diversified approaches to examining ISO 9000. It also reveals some of the practical implications of ISO 9000 for managers.

ISO Survey Reveals Increase in QMS Certifications, Journal for Quality and Participation, open access

According to the ISO Survey of Certifications, the numbers of ISO 9001:2008, ISO/TS 16949:2009, and ISO 13485:2003 certifications all increased in 2010. Over 1.1 million ISO 9001:2008 certifications had been awarded by the end of 2010, representing a four percent increase over 2009. Central and South America saw an 11 percent increase in ISO 9001 certifications, while 18 percent of certifications in Africa and West Asia were lost in 2010. The Far East represented the largest share of the increase in ISO/TS 16949 certifications, and Africa and West Africa saw the largest percentage increase in ISO 13485 certifications. ISO 13485 was also the only certification that saw growth in North America; North American certifications for the other two standards declined in 2010.

 

Restructuring an Internal Auditing Program

Q: For the last 15 years, my company has employed a small cadre of full-time, dedicated safety management system auditors.

A current proposal in our company is to recast those auditors as HES Superintendents under the supervision of an operations or safety manager who has significant management responsibility within the safety management system.  This change will give HES Superintendents (persons performing audits) additional, non-audit tasks for performance on the premises of the auditee immediately before, during or after the audits.  Those non-audit tasks could include workforce training, management mentoring and evaluation, facility inspection, etc. In addition, this change will reduce about 50% of the number of audits performed per person in a given time period.

My concerns are as follows:

•  Supervision of the HES Superintendents (especially assignment, evaluation and compensation determination) by an operations manager, safety manager, or someone under their supervision, could constitute auditee control of the audit program, and a thwarting of the principle of auditor independence.

•  The addition of non-audit tasks to auditors’ work seems to open possibilities for audit conflicts of interest. Since HES Superintendents will participate materially in the ongoing safety management of the company, their independence and impartiality as safety management system auditors would be subject to question.

•  The 50% reduction in number of audits per auditor would result in dilution of auditors’ audit experience and therefore their expertise, leading to attenuation of the company’s capability to audit expertly.

In terms of the principles of management system auditing, are my concerns valid?

Do you know of other instances of this part-time-auditor approach being used in high-risk industries?

Any comment on the wisdom of this proposal?

Occasionally, multiple experts offer their expertise and viewpoints to assist quality practitioners.

Bill Aston’s take:

A: You’ve mentioned valid concerns that should be assessed by top management prior to restructuring their organization’s audit program.  As I understand your concerns, they include two primary items:

1.    To ensure that the restructure of the audit program continues to provide auditors with independence, objectivity and impartiality from the processes and process owners to be audited.

2.    Potential result of a 50% reduction of the number of audits conducted per auditor diluting auditor experience and expertise.

With regard to the first item, this is a matter that top management should thoroughly evaluate to ensure that the requirements of ISO 9001:2008 — Quality management systems — Requirements, clause 8.2.2b internal audit, continue to be met.  This clause requires that “The selection of auditors and conduct of audits shall ensure objectivity and impartiality of the audit process.  Auditors shall not audit their own work.”

In addition, although the requirements in ISO 19011:2011 – Guidelines for auditing management systems are not auditable requirements, section 3.1, Terms and Definitions, (note 1), does mention the need for ensuring internal auditor independence.

The key point is that your organization’s registrar will most likely look very closely at how the audit program has been restructured to ensure that auditor independence, objectivity and impartiality have been maintained.

Regarding item number two, although maintaining an auditor’s level of expertise and experience are important, the primary purpose of internal audits is to assess the effectiveness and continual improvement of the quality management system and its processes.  If maintaining auditor expertise and experience becomes an issue due to the reduction in the number of available audit assignments, management should consider adjusting the number of auditors needed to meet the actual workload.

As you’re aware, ISO 9001:2008 requires internal audits to be conducted at planned intervals, but it does not prescribe any frequency for performing audits.  So this area is strictly a decision that must be made by each organization to meet their own specific requirements to ensure the continual improvement of the quality management system (QMS).

In summary, ISO 9001:2008, clause 5.4.2b Quality management system planning, requires top management to ensure that the integrity of the quality management system is maintained when changes are planned and implemented.  This includes the restructuring of processes such as the audit program.  Internal audits are one of the most important tools that an organization has to assess the effectiveness and continual improvement of their quality management system.   Therefore, it’s essential that the personnel performing these audits are trained, experienced and independent of the area being audited.

It has been my experience that there are few organizations that maintain a staff of fulltime QMS auditors.  Most organizations utilize staff personnel who are familiar with the processes to be audited and have been trained and are experienced as auditors.  Although they perform audits, this is usually not their only responsibility.  However, in some cases, large organizations may have one or two fulltime auditors who function corporate-wide and are supported by trained and experienced staff personnel on an as needed basis.

I hope this helps.

Bill Aston
ASQ Senior Member
Managing Director of Aston Technical Consulting Services
Kingwood, TX
www.astontechconsult.com

Thea Dunmire’s take:

A: Given that this question involves audits of a safety management system rather than a quality management system, the more applicable standard would likely be OHSAS 18001:2007 Occupational health and safety management systems – not ISO 9001:2008.  However, OHSAS 18001 also specifically states – “Selection of auditors and conduct of audits shall ensure objectivity and the impartiality of the audit process.”  Although OHSAS 18001 does not include the statement – “Auditors should not audit their own work,” that is definitely true.   As a general rule, auditors should not audit activities for which they are responsible or accountable.

It is common for organizations to utilize individuals as internal auditors who have other staff responsibilities.  Few organizations have dedicated environmental, health and safety management system auditors.  Most internal environmental health and safety (EHS) auditors have other responsibilities.  In addition, based on surveys conducted by the Auditing Roundtable, the overall management of the EHS audit program is often located within the EHS department, not in a separate internal audit function.  This can make ensuring the independence of the EHS audit program very challenging.

The important question isn’t whether specific individuals are auditing full or part time. Instead, it is whether all of the auditors utilized within the audit program have the appropriate independence, competence and resources to conduct the audits they have been assigned.  Independence I have discussed above.  By competence, I mean the general knowledge and skills needed for management system auditing (as set out in clause 7.2.3 Possess appropriate knowledge and skills of ISO 19011) as well as technical expertise appropriate for their audit assignments.  By resources, I mean that there is sufficient support, including adequate time, to conduct the individual audits needed to meet the objectives established for the audit program.

Identifying the resources needed for the audit program is one of the key responsibilities of the person assigned the role of audit program manager (as set out in clauses 5.3.1 Perform audit program management tasks and 5.3.6 Identify program resource requirements  of ISO 19011:2011).  Lack of adequate resources is a common weakness of many internal audit programs.  Often, internal audit programs have very broad and expansively-stated objectives, but lack the resources needed to achieve these objectives.  It is the audit program manager’s responsibility to point out this disparity to top management.  The solution is for top management to either adjust the objectives of the audit program, taking into account the policy commitments made by the organization, or provide more resources for the internal audit program.

A key requirement of a safety management system is identifying the organization’s legal and other requirements to which it subscribes.   These identified requirements must be taken into account when establishing management system programs and procedures.  This includes any legal obligations associated with establishing and maintaining internal audit programs.  For example, for organizations subject to the BOEMRE regulations (offshore oil and gas), the Safety Environmental Management System  (SEMS) regulations require that auditors be qualified and independent (see 30 CFR 250.1926).  Legal requirements, as well as the commitments made by the organization in its occupational health and safety policy (or its sustainability reports), must also be taken into account when identifying the resources needed for the EHS audit program.

Internal audits are one of the important ways of assessing the effectiveness of a management system.  The audit program itself should be reviewed to determine its effectiveness in accomplishing this task.  Changes can, and should, be made to internal audit programs but the potential impacts of proposed changes need to be fully assessed in light of the organization’s policy commitments and its legal obligations.

Here is a link to the Auditing Roundtable survey results I mentioned: AR Member Survey Results – Organizational Location of the EHS Audit Program

Thea Dunmire, JD, CIH, CSP
ENLAR Compliance Services, Inc.
http://www.enlar.com/
Largo, FL

Jim Werner’s take:

A: This is indeed a unique question.  I read and re-read this question over and over, and I have come up with the same opinion – “it depends.”  I am assuming “audit” is referring to an independent review of the quality system.  Some places use the term “audit” to mean an inspection activity.  If the past audits have consistently demonstrated the effectiveness of the quality system, then it is appropriate to reduce the number and frequency of the audits.

As far as the re-organization of the staffing of the auditing function – this is a management decision.

Jim Werner
Voting member to the U.S. TAG to ISO TC 176
Medical Device Quality Compliance (MDQC), LLC.
ASQ Senior Member
ASQ CQE, CQA, RABQSA Lead QMS Assessor

ISO 9001 & Time to Retrieve Records

Q: I am looking for an interpretation for ISO 9001:2008 Quality management systems–Requirements, clause 4.2.4 Control of records: “Records shall remain legible, readily identifiable and retrievable.”

What is considered readily retrievable (i.e., 24 hrs, 48 hrs, 8 hrs, 1 hr)? I have a customer who thinks traceability records should be available within an hour of a request. I interpret readily as 24 hrs. The current ISO and TS specifications do not indicate a time, so a reasonable time to me is 24 hrs to pull the information together.

In addition, the customer’s supplier requirements also do not have any specified time for document retrieval. I did contact our third party registrar auditor and he indicated that 24 hrs would be considered readily retrievable as long as there were no customer specific requirements.

A: There appears to be some confusion between records being “readily retrievable” vs. a customer’s request for the delivery of copies of records.  These are two separate issues.

The first issue:  What is meant by “readily retrievable?”  ISO 9001 does not prescribe any specific timeline or define the term “readily retrievable.”  However, the intent of this requirement is to ensure that objective evidence is available to provide proof of conformance or evidence that requirements have been met.  If the organization is unable to provide records upon request during an audit, the auditor will very likely document this as a nonconforming condition. Records must be available upon demand.

The second issue is response time to customer requests for records.  Although records or evidence of conformance may be “readily retrievable” within the organization,  the response time needed for an organization to provide copies of records to a customer may vary based upon the organization’s work load and availability of resources.   So, it may take an organization an hour, a day or a week to deliver copies of records to a customer.  In the event that the timely delivery of records is critical, requirements for the delivery of records should be stated in a contract or in a PO to provide a timeline or a delivery schedule.  The delivery of copies of records or documents to customers is not addressed in ISO 9001, clause 4.2.4.

Bill Aston
ASQ Senior Member
Managing Director of Aston Technical Consulting Services
Kingwood, TX
www.astontechconsult.com

ISO 9001 and CMMI Certifications

 

Question

Our company is working toward certification to ISO 9001:2008 Quality management systems–Requirements and Capability Maturity Model Integration (CMMI) certifications.

I have studied  ISO 9001 and mapped it to CMMI goals and practices. It appears to me that some sections of ISO point to CMMI level 3 process areas and practices, e.g.:

  • Clause 5.6.1 Management review – General relates to organizational process areas
  • Clause 7.2.1 Determination of requirements related to the product is relative to requirements development, which is a level 3 process area
  • A large part of clause 7.3 Design and development maps to CMMI level 3 process areas

My question is:

Does an organization need to be at CMMI level 3 in order to be ISO 9001:2008 certified? I am not saying certified CMMI level 3, but capable of performing at CMMI level 3?

Thank you so much.

Answer

Although the guidelines contained in CMMI may help to prepare an organization toward ISO 9001 certification,  there are several major differences between CMMI and ISO 9001.

ISO 9001 is an internationally recognized standard for quality management systems, while CMMI is a Carnegie Mellon University registered trademark.

ISO 9001 has specific requirements for documented procedures for the control of documents, control of records, control of nonconforming products, internal audits, corrective actions and preventive actions.  In addition, a quality policy, measurable objectives, and management reviews are required.

CMMI is focused on process improvement, while ISO 9001 focuses on customer satisfaction, process improvement, product conformity and the continual improvement of the quality management system.  An organization could be CMMI certified or “capable” as mentioned in the inquiry, but still be some distance away from readiness for ISO 9001 certification.

I hope this helps.

Bill Aston
ASQ Senior Member
Managing Director of Aston Technical Consulting Services
Kingwood, TX
www.astontechconsult.com

Here’s more information about ISO 9001.

ISO 9001 Clause 7.4.1, Supplier Control

Mr. Pareto Head and Supply Chain comic strip

Q: My interpretation of  ISO 9001:2008 Quality management systems–Requirements regarding supplier control as addressed in clause 7.4.1 Purchasing process is that suppliers who would require evaluation, selection and registry, would be those who supply products (or services) which affect subsequent product realization, or the final product.

Excellent examples for our organization would be vendors providing raw material, tool/dies, surface preparation or calibration services.

I also believe that the “extent of control” exercised by the organization, could, in fact, mean that certain suppliers are not controlled (evaluated, selected and registered), due to their lack of impact on product realization.

Good examples here would be stationery or sanitation supplies.

After conferring with several colleagues, we are all puzzled to see freight companies (UPS, FedEx) included as controlled suppliers and nonconformance reports written for failure to comply with the standard if they are not included on our approved suppliers list.

I understand the standard is written to provide a framework, and not examples, however I find this interpretation to be too broad for the intended purpose.

A: Thank you for contacting ASQ’s Ask the Experts program.  The intent of ISO 9001:2008, clause 7.4.1 is to ensure suppliers are selected based upon their ability to meet the organization’s requirements, which generally include quality and delivery of product or service intended for the customer.

As you mentioned, suppliers of office supplies such as paper, printer toner, etc. are not usually included on an approved suppliers list since they have zero impact on the organization’s ability to meet customer requirements.

However, some registrars may consider trucking firms or delivery services such as UPS and FedEx as suppliers of services that could impact an organization’s  ability to meet requirements, such as on time delivery and the delivery of product in an acceptable condition to the customer.

Most registrars welcome rebuttals from their clients regarding audit findings.  This could be an excellent opportunity for your company to state its position to the registrar and to understand their rationale as to why they believe UPS and FedEx must be on the approved suppliers list.

The bottom line is that your registrar determines how its auditors interpret audit criteria such as clause 7.4.1.

If it is decided to add these companies to the approved supplier list, it should be a painless process since your company probably already has an established performance history for them.

I hope this helps!

Bill Aston
ASQ Senior Member
Managing Director of Aston Technical Consulting Services
Kingwood, TX
www.astontechconsult.com