Nonconformance Disposition

Chart, graph, sampling, plan, calculation, z1.4

Question

Should the person writing a non-conformance also be the person who dispositions the same non-conformance?

Answers

From John Surak:

This question is interesting.  In addition, there may be a lack of information to properly answer the question.  There is nothing in ISO 9001:2015 that prohibits the person who wrote the non-conformance from ensuring that non-conformance is addressed in an effective manner.  However, several questions remain.  Why did an individual write a non-conformance on one’s self?  Why did the person just take actions to eliminate the non-conformance without having to implement a correction or corrective action process?  This issue would be an interesting discussion during an audit, and it may lead to an audit trail that discusses leadership and commitment.

John G. Surak, PhD

From George Hummel:

This answer depends upon how you define “dispositions.”  If you mean take the corrective action, then no.  If you mean determines the effectiveness and evaluates the results, then yes.

Click here for more resources about nonconformances.

 

ISO 9001: 2015 Clause 8.3.4 and Product Design

 

PLCs, programmable logic controllers

Question

My company is implementing ISO 9001:2015 and my question is regarding Clause 8.3.4 d. Our company designs product for only 20% of our customer base. We do not have a validation process. We do send a prototype to the customer to test the part for a period of time to approve the design. In determining the scope of our organization, can we exclude the validation process and still become ISO 9001:2015 certified?

Answers

From John Surak:

This organization is involved in product design.  Therefore, the product design cannot be excluded.  However, the organization needs to review the validation clause.  8.3.4d states the following:   “validation activities are conducted to ensure that the resulting products and services meet the requirements for the specified application or intended use.”  It should be noted that neither 8.4.3d not the validation refences in ISO 9001 do not prescribe a method on how to conduct validation.  It would appear that the company has some sort of process they use to develop the prototypes.  This process should be codified or documented so that it is done in a consistent manner and in a way to ensure that the customer needs are met.

John G. Surak, PhD

From George Hummel:

Basically, you are outsourcing validation.  Therefore, you need to control that process per 8.4. I would not accept the exclusion. In the future, you may have a customer that requires you to do the validation. However, the final answer would be provided by your certification body.

Click here for more resources about ISO 9001: 2015.

 

 

 

ISO 9001: 2015 Clause 8.4.3

Mr. Pareto Head and Supply Chain comic strip

Question

It’s not clear to me who an external provider may be. Could it be an electrical contractor, a lunch truck, a caterer, or other similar? That thinking is tremendously different than just the traditional “supplier” which is what this company has using been for many years. So there’s that concern. Also, advising our external providers what equipment to use, how to use it and how to train their people? Is that really what’s said here? That would require tremendous knowledge in our organization that most likely is not here. What exactly is being said here? I’m a little confused how to address this requirement. Finally, section (e): we must communicate to the external provider how we are going to measure them? Can it be done through email, or phone, or what is a common method for meeting the requirement? Thanks much.

Answer

Who is an external provider?

ISO 9001:2015, 8.4.1 states, the organization shall determine the controls to be applied to externally provided processes, products and services when:

  1. products and services from external providers are intended for incorporation into the organization’s own products and services;
  2. products and services are provided directly to the customer(s) by external providers on behalf of the organization;
  3. a process, or part of a process, is provided by an external provider as a result of a decision by the organization.
    1. Refers to a product that becomes part of your product; for example, a bolt incorporated into a seat assembly. You purchase these.
    2. Refers to a product that is “dropped shipped” to a customer. Think of an Amazon purchase where the product comes from a second party under the Amazon logo.
    3. Refers to a process that is outsourced as a result of the organization’s decision to have the process managed externally. For example, the heat treating of a part where the part needs to be heat treated but the organization does not have that process internally.

Therefore, an electrical contractor, a lunch truck, etc. are not included since they are outside the scope of the QMS.

Secondly, “advising our external providers,” refers to the type and extent of control.  Will you perform 100% incoming verification, or require material certifications, or require certification to a quality management standard? In certain instances, you may want to specify the equipment or training an external provider must implement.  For example, for outsourced welding, your requirement might be that welders are certified by the American Welding Society or your calibration company be accredited to ISO 17025.

How will you measure an external provider?  It can be on-time delivery, responsiveness to requests, PPM targets.  Communicating the measurement (8.4.3 e) is related to 8.4.1, “retain documented information of these activities and any necessary actions arising from the evaluations”.  Therefore, a record must be retained.

George Hummel

ISO 9001: 2015 Clauses 4.1 and 4.2

Question

Let’s start with clause 4.2. What level of detail is required here? Is “supplier” or “customer” sufficient, or is it required to drill down from there to specific suppliers or customers? We have hundreds of suppliers and many more customers. Regarding 4.1, thinking about working this from the bottom up. Each Leader (supervisor, manager, director) will review processes under their control and identify issues related to those processes. Those processes can have internal and externally related issues. It’s the hope (plan) that this approach will cover all relevant issues (internal & external) that would impact our ability to meet the needs of the QMS -and- meet the needs of the interested parties (we are adding a column that identifies which interested party would be affected by the issue). As a side note, we’ll also do our risk analysis on all of the noted issues and roll the top items into the CAR/CI process. I feel I may be missing something with this approach, but it seems to mostly meet the requirements of 4.1 and 4.2.

Answer

4.2:  What level of detail?  The standard states, “the organization shall determine:

  1. the interested parties that are relevant to the quality management system;
  2. the requirements of these interested parties that are relevant to the quality management system. The organization shall monitor and review information about these interested parties and their relevant requirements.  [emphasis added]

Is “supplier” or “customer” sufficient?  It would be if all had the same requirements.  Assuming that they do not, you are required to “drill down.”  Customer satisfaction cannot be achieved unless you understand the individual requirements and monitor and review those requirements (which are an input to Management Review).

Furthermore, the list of interested parties goes beyond “customers & suppliers.”  Owners, employees, regulatory agencies, financial institutions, etc. to name a few have requirements as interested parties. These need to be addressed, as well.

“We are adding a column that identifies which interested party would be affected by the issue.” This is a good approach if the requirement is also addressed and you go beyond customer and supplier.

“Regarding 4.1, thinking about working this from the bottom up.” Once again, the standard states, “The organization shall determine external and internal issues that are relevant to its purpose and its strategic direction…”

The key in this requirement is “strategic direction.”  If from working from the bottom up, you ultimately tie these external and internal issues to the organization’s strategic direction, there should not be a problem.

Be aware that your approach will not be familiar to your auditor.  In that case, you will need to fully explain your approach.

George Hummel

Special Process NCRs During Audit

Question

Recently one of our business units had an ISO 9001: 2008 audit and during the audit they received a couple NCRs on welding as a special process.
One of the NCRs was “Some welders are not qualified prior to welding on product.”
As a matter of fact, our company has developed its own qualification program based on the our needs consisting of the following steps:
– The minimum requirement of least 2 years or more experience as a welder before starting the job.
– In class training for weld specifications, blue print reading, equipment, weld supplies, visual acceptance/ rejection criteria and equipotent TPM program conducted by our QE.
– Hands on exam – the result of this test is reviewed by a QE and weld supervisor without performing any bend test, pull test or other types of DT.
– Annual recert. program based on a written exam and weld coupons visual inspection results.

The CB auditor is asking us to send the coupons out to a certified lab for bend testing or having all the welders certified by AWS. Is that required per ISO 9001? As a side note, every time we design and develop a new model we conduct all types of crash tests, FEA and durability testing in design validation phase.
Answers

From George Hummel:

I would not accept the auditor’s comments.  He/she is consulting.

From Charles Cianfrani:

No. It appears that the CB auditor is adding requirements. The organization has a process, and if it is effectively implemented that should be satisfactory evidence of conformity.

Document Revision Criteria

ISO documentation practices, requirements

Question

Is there any criteria available for the frequency of document revision in ISO 9001 or ISO 13485?  Some organization don’t revise the documents for a period of more than 2-3 years.  The reason provided by the organization is that there were no changes during this period. Do ISO standards mandate the revision of documents within a certain time frame? Can we treat this as non-compliance, if the documents are not revised over a period of 2-3 years ?
Answer

There are no criteria nor a requirement for document revision in ISO 9001:2015, 7.5.

ISO 13485:2016, 4.2.4, states, “review, update as necessary and re-approve documents.” This leave the review to the discretion of the organization.

Thus, there is no mandatory review frequency and no non-conformance if documents are not revised within a determined time frame.  ISO 13485 does require a review, however. But, the frequency of the review is not mandated.

George Hummel

Audit Timeline

Question

What is the ASQ recommended time frame between an auditee receiving a final audit plan and the audit commencing at the auditee’s site?

Answers

From Charlie Cianfrani:

ASQ does not have a recommendation!

From George Hummel:

This is not an ASQ requirement.  A CB generally sends an audit schedule/plan three weeks before the audit.

From Jim Werner:

Typically, the final audit plan has been agreed to by both the auditor and the auditee and it includes the date(s) the audit is to take place. This means that the audit plan includes the audit schedule in one document.  There are many books written, with examples, on this topic.  The ASQ Audit Division is a good source.

Is Certification Revocable?

Question

If a company is ISO 9001: 2015 certified, is it revocable?

Answers

From Jim Werner:

A company can indeed have its certification revoked.  Being certified means the company has established a qualify management system that meets the requirements of ISO9001:2015.  The failure of the company to continue to meet those requirements can result in de-certification.

From George Hummel:

Most CBs will revoke a certificate if the client does not answer an audit non-conformance.  Their contract may define other instances.  The questioner should review his or her organization’s contract.

From Charles Cianfrani:

Certified companies receive surveillance audits periodically. If the company fails to maintain compliance with ISO 9001:2015 requirements, eventually (after a series of intermediary steps related to resolution of nonconformity have been unsatisfactorily pursued) their certification can be voided.

Clauses vs. Elements in ISO Standards

Training, completed training, competance

Question

What, if any, is the difference between the words “clause” and “element” in ISO standards?
Specifically, “customer shall conduct an internal audit addressing all elements of the management system.”  And, at what level is this in the standard, eg, 4 or 4.1 or 4.2.1

Answer

1) The difference between the words “clause” and “element” in ISO standards? – No difference.

2)”Customer shall conduct an internal audit addressing all elements of the management system”. –  Customers do not perform internal audits on suppliers.  If this person means that  customer requires a full QMS audit, so does the standard.  “All elements” probably means all QMS processes.

3) At what level is this in the standard, eg, 4 or 4.1 or 4.2.1 – 4 is the clause/element; 4.1.& 4.2 are “sub-clauses”

George Hummel
Voting member of the U.S. TAG to ISO/TC 176 – Quality Management and Quality Assurance
Managing Partner
Global Certification-USA
www.globalcert-usa.com/
Dayton, OH

ISO 9001: 2015 Design and Development Clause

Prepare for ISO 9001: 2015

Question

We are service providers in NDT and inspection field. I want to know how to implement the design and development clause from ISO 9001: 2015.

Answer

There are two ways to approach this:

One is to use the process developed in ISO 9001:2008, 7.1 where you probably have a “quality plan” for the execution of the service delivery (ISO 9001:2015, 8.1).

The second approach is to design the process itself (ISO 9001:2015, 8.3).  That involves these activities:

INPUT
• Development of a design plan
Who will do what when with what?
Necessary control points
• Identification of customer requirements as inputs, along with inputs from similar previous service offerings
• Identify any special service characteristics, such as safety issues, regulatory compliance
Consequences of failure
• Identify products/services to be purchased/outsourced
THROUGHPUT
• Documentation of these inputs
• Preparation of an output in a format appropriate to the organization
OUTPUT
• A comparison of the outputs with the input requirements and an approval, if required
Outputs should include process monitoring and measuring requirements
• Outputs can include verification, design review and validation*
• A mechanism to handle process design changes

George Hummel
Voting member of the U.S. TAG to ISO/TC 176 – Quality Management and Quality Assurance
Managing Partner
Global Certification-USA
www.globalcert-usa.com/
Dayton, OH