ISO 9001 Certification for University

Training, completed training, competance

Question

How should I proceed to get my university ISO 9001 certified? There are nine campuses and a quality manual already exists.

Answer

If I may, let me answer this from my own experience. I worked with an organization that was geographically dispersed. In the US, there was the corporate headquarters, which had top management, sales and marketing, and design. There was also a manufacturing plant in another state. There was a manufacturing plant in Brazil and one in France.

It was decided that top management would own organization-wide processes. This included Internal Audit, which was outsourced. Top management was responsible for strategy, interested parties (also addressed on a local basis), overall quality objectives, risk and opportunity, the process for documented information on a macro level (for example, your quality manual), organizational knowledge, data analysis and management review (each quarter held in a different facility).

The plants did their own purchasing and supplier development, process risk and opportunity, hiring and training, operational control, local control of specific documented information and data reporting. The three manufacturing plants responded well to local autonomy and centralized reporting. Management Review was very rigorous with the CEO and functional vice presidents at each review. Progress toward objectives, monitoring of interested parties, risk and opportunity was stressed.  If an objective was lagging, plant managers had to present their corrective action with root cause analysis.

Considering the geographical spread, three languages and different cultures and labor laws, the system was very effective, in large part due to the commitment of the CEO.

The 3rd party auditors, while from the same certification body, were local to the facilities. The lead auditor amassed audit data and presented that to top management with a detailed report.

With applications such as Zoom, considerable travel time and expenses can be saved.

Regards,

George Hummel

For more on this topic, please visit ASQ’s website.

Scope Statement

Employees, Training, Working, Learning, Duties, Tasks, DFSS, Innovation, Audit, Auditing

Question

My company is late to transition from ISO 9001: 2008 to 2015 and we are just starting. I am already stumped. I need to answer “What is our your scope statement?  This should succinctly summarize your products and/or services. A single sentence is all that is required, as this will be shown your ISO 9001:2015 certificate.”

We are a commercial printing and bindery. Is the scope from receipt of order through final acceptance by the customer? I don’t know what this means.

Answer

Scope is a difficult concept for many. Accuracy is important; however, you encounter two types of scope that may confuse you.  The first is the Scope of the Standard.  It’s in the “introduction,” in clause 01.  It’s informational and is not auditable.  The second is clause 4.3.  Scope is the outcome of the work in 4.1 & 4.2.  There can be a number of ways to address scope: your range of products and services (XYZ company provides design and printing services); different sites (XYZ designs art work in its Chicago studio and our Cleveland plant does commercial printing) – each of these sites addresses their activities; outsourced services (XYZ company coordinates outsourced design and printing services for our customers).  You can slice and dice scope for a single plant (having others in the company), specific sections (within XYZ company, implantable medical devices are manufactured).

In your case, “XYZ provides commercial printing and bindery” is sufficient.

The scope must be documented and will be verified by your third party certification body.

Thanks for your question.

George Hummel

For more information on this topic, please visit ASQ’s website.

ISO Certification without Quality Dept?

Suppliers, supplier management

Question

There were some changes recently in the company where I work. Now, a quality manager or quality function does not exist in the our company; however, we do maintain the ISO certification.  Our ISO certification applies to our corporate office and it applies also to the manufacturing facility located in a different city.

Is acceptable to have an ISO certification and not have a quality function?

Answer

There is no requirement for a quality function in ISO 9001:2015. I believe that this can be a positive move for your organization as it puts the job of quality upon the process owners, especially top management.  This is where it should be.

It can be a little messy as these responsibilities are passed back to the process owners; but, it’s right!

George Hummel

For more on this topic, please visit ASQ’s website.

Making Management Review Meaningful

Training, completed training, competance

Question

I’m looking for assistance with Management Review requirement of ISO 9001:2015. We’ve been following an agenda that covers 9.3.2 a-f, but Senior Management believes that they cover much of this information in other meetings.

I found a few articles through the ASQ website, but wanted to see if there are suggestions for other resources to help make the Reviews relevant and useful rather than just checking off a box.

Answer

Management Review does not have to happen in one session but can be addressed over several meetings.  It is required that all the inputs and outputs (not addressed in your question) are recorded and accessible.

It is important that the inputs/outputs are not “checking off a box.” Management Review should be seen as “due diligence.”  For example, it is not designed to say, “internal audits were performed on xx/xx/2019.” Here is the opportunity for top management to review the audit results for improvement opportunities and determine how risks uncovered can be mitigated.

Note that the standard does not say “a meeting.” You may wish to gather the materials into one document and send it back to top management for review and approval.  This would also allow you to determine if there are any gaps to be addressed.

Try to ensure that top management notes changes in the QMS or needed. For example, does the QMS still support the strategic directions of the organization, have the requirements of interested parties changed, has corrective action found the root cause of problems, have complaints been adequately addressed and, have there been any changes in statutory requirements?

Following the review of the information, it would be my advise to publish the results to communicate these to the entire organization.

George Hummel

Nonconformance Disposition

Chart, graph, sampling, plan, calculation, z1.4

Question

Should the person writing a non-conformance also be the person who dispositions the same non-conformance?

Answers

From John Surak:

This question is interesting.  In addition, there may be a lack of information to properly answer the question.  There is nothing in ISO 9001:2015 that prohibits the person who wrote the non-conformance from ensuring that non-conformance is addressed in an effective manner.  However, several questions remain.  Why did an individual write a non-conformance on one’s self?  Why did the person just take actions to eliminate the non-conformance without having to implement a correction or corrective action process?  This issue would be an interesting discussion during an audit, and it may lead to an audit trail that discusses leadership and commitment.

John G. Surak, PhD

From George Hummel:

This answer depends upon how you define “dispositions.”  If you mean take the corrective action, then no.  If you mean determines the effectiveness and evaluates the results, then yes.

For more on this topic, please visit ASQ’s website.

ISO 9001: 2015 Clause 8.3.4 and Product Design

PLCs, programmable logic controllers

Question

My company is implementing ISO 9001:2015 and my question is regarding Clause 8.3.4 d. Our company designs product for only 20% of our customer base. We do not have a validation process. We do send a prototype to the customer to test the part for a period of time to approve the design. In determining the scope of our organization, can we exclude the validation process and still become ISO 9001:2015 certified?

Answers

From John Surak:

This organization is involved in product design.  Therefore, the product design cannot be excluded.  However, the organization needs to review the validation clause.  8.3.4d states the following:   “validation activities are conducted to ensure that the resulting products and services meet the requirements for the specified application or intended use.”  It should be noted that neither 8.4.3d not the validation refences in ISO 9001 do not prescribe a method on how to conduct validation.  It would appear that the company has some sort of process they use to develop the prototypes.  This process should be codified or documented so that it is done in a consistent manner and in a way to ensure that the customer needs are met.

John G. Surak, PhD

From George Hummel:

Basically, you are outsourcing validation.  Therefore, you need to control that process per 8.4. I would not accept the exclusion. In the future, you may have a customer that requires you to do the validation. However, the final answer would be provided by your certification body.

Click here for more resources about ISO 9001: 2015.

ISO 9001: 2015 Clause 8.4.3

Mr. Pareto Head and Supply Chain comic strip

Question

It’s not clear to me who an external provider may be. Could it be an electrical contractor, a lunch truck, a caterer, or other similar? That thinking is tremendously different than just the traditional “supplier” which is what this company has using been for many years. So there’s that concern. Also, advising our external providers what equipment to use, how to use it and how to train their people? Is that really what’s said here? That would require tremendous knowledge in our organization that most likely is not here. What exactly is being said here? I’m a little confused how to address this requirement. Finally, section (e): we must communicate to the external provider how we are going to measure them? Can it be done through email, or phone, or what is a common method for meeting the requirement? Thanks much.

Answer

Who is an external provider?

ISO 9001:2015, 8.4.1 states, the organization shall determine the controls to be applied to externally provided processes, products and services when:

  1. products and services from external providers are intended for incorporation into the organization’s own products and services;
  2. products and services are provided directly to the customer(s) by external providers on behalf of the organization;
  3. a process, or part of a process, is provided by an external provider as a result of a decision by the organization.
    1. Refers to a product that becomes part of your product; for example, a bolt incorporated into a seat assembly. You purchase these.
    2. Refers to a product that is “dropped shipped” to a customer. Think of an Amazon purchase where the product comes from a second party under the Amazon logo.
    3. Refers to a process that is outsourced as a result of the organization’s decision to have the process managed externally. For example, the heat treating of a part where the part needs to be heat treated but the organization does not have that process internally.

Therefore, an electrical contractor, a lunch truck, etc. are not included since they are outside the scope of the QMS.

Secondly, “advising our external providers,” refers to the type and extent of control.  Will you perform 100% incoming verification, or require material certifications, or require certification to a quality management standard? In certain instances, you may want to specify the equipment or training an external provider must implement.  For example, for outsourced welding, your requirement might be that welders are certified by the American Welding Society or your calibration company be accredited to ISO 17025.

How will you measure an external provider?  It can be on-time delivery, responsiveness to requests, PPM targets.  Communicating the measurement (8.4.3 e) is related to 8.4.1, “retain documented information of these activities and any necessary actions arising from the evaluations”.  Therefore, a record must be retained.

George Hummel

For more on this topic, please visit ASQ’s website.

ISO 9001: 2015 Clauses 4.1 and 4.2

Inventory, Inspection, Review, Suppliers, Supplies

Question

Let’s start with clause 4.2. What level of detail is required here? Is “supplier” or “customer” sufficient, or is it required to drill down from there to specific suppliers or customers? We have hundreds of suppliers and many more customers. Regarding 4.1, thinking about working this from the bottom up. Each Leader (supervisor, manager, director) will review processes under their control and identify issues related to those processes. Those processes can have internal and externally related issues. It’s the hope (plan) that this approach will cover all relevant issues (internal & external) that would impact our ability to meet the needs of the QMS -and- meet the needs of the interested parties (we are adding a column that identifies which interested party would be affected by the issue). As a side note, we’ll also do our risk analysis on all of the noted issues and roll the top items into the CAR/CI process. I feel I may be missing something with this approach, but it seems to mostly meet the requirements of 4.1 and 4.2.

Answer

4.2:  What level of detail?  The standard states, “the organization shall determine:

  1. the interested parties that are relevant to the quality management system;
  2. the requirements of these interested parties that are relevant to the quality management system. The organization shall monitor and review information about these interested parties and their relevant requirements.  [emphasis added]

Is “supplier” or “customer” sufficient?  It would be if all had the same requirements.  Assuming that they do not, you are required to “drill down.”  Customer satisfaction cannot be achieved unless you understand the individual requirements and monitor and review those requirements (which are an input to Management Review).

Furthermore, the list of interested parties goes beyond “customers & suppliers.”  Owners, employees, regulatory agencies, financial institutions, etc. to name a few have requirements as interested parties. These need to be addressed, as well.

“We are adding a column that identifies which interested party would be affected by the issue.” This is a good approach if the requirement is also addressed and you go beyond customer and supplier.

“Regarding 4.1, thinking about working this from the bottom up.” Once again, the standard states, “The organization shall determine external and internal issues that are relevant to its purpose and its strategic direction…”

The key in this requirement is “strategic direction.”  If from working from the bottom up, you ultimately tie these external and internal issues to the organization’s strategic direction, there should not be a problem.

Be aware that your approach will not be familiar to your auditor.  In that case, you will need to fully explain your approach.

George Hummel

Here’s more information about this standard.

Special Process NCRs During Audit

Welding, Weld, Processes, Automation

Question

Recently one of our business units had an ISO 9001: 2008 audit and during the audit they received a couple NCRs on welding as a special process.
One of the NCRs was “Some welders are not qualified prior to welding on product.”

As a matter of fact, our company has developed its own qualification program based on the our needs consisting of the following steps:
– The minimum requirement of least 2 years or more experience as a welder before starting the job.
– In class training for weld specifications, blue print reading, equipment, weld supplies, visual acceptance/ rejection criteria and equipment TPM program conducted by our QE.
– Hands on exam – the result of this test is reviewed by a QE and weld supervisor without performing any bend test, pull test or other types of DT.
– Annual recertification program based on a written exam and weld coupons visual inspection results.

The CB auditor is asking us to send the coupons out to a certified lab for bend testing or having all the welders certified by AWS. Is that required per ISO 9001? As a side note, every time we design and develop a new model we conduct all types of crash tests, FEA and durability testing in design validation phase.

Answers

From George Hummel:

I would not accept the auditor’s comments.  He/she is consulting.

From Charles Cianfrani:

No. It appears that the CB auditor is adding requirements. The organization has a process, and if it is effectively implemented that should be satisfactory evidence of conformity.

For more on this topic, please visit ASQ’s website.

Document Revision Criteria

ISO documentation practices, requirements

Question

Is there any criteria available for the frequency of document revision in ISO 9001 or ISO 13485?  Some organization don’t revise the documents for a period of more than 2-3 years.  The reason provided by the organization is that there were no changes during this period. Do ISO standards mandate the revision of documents within a certain time frame? Can we treat this as non-compliance, if the documents are not revised over a period of 2-3 years ?
Answer

There are no criteria nor a requirement for document revision in ISO 9001:2015, 7.5.

ISO 13485:2016, 4.2.4, states, “review, update as necessary and re-approve documents.” This leave the review to the discretion of the organization.

Thus, there is no mandatory review frequency and no non-conformance if documents are not revised within a determined time frame.  ISO 13485 does require a review, however. But, the frequency of the review is not mandated.

George Hummel