ISO 9001: 2015 Clauses 4.1 and 4.2

Question

Let’s start with clause 4.2. What level of detail is required here? Is “supplier” or “customer” sufficient, or is it required to drill down from there to specific suppliers or customers? We have hundreds of suppliers and many more customers. Regarding 4.1, thinking about working this from the bottom up. Each Leader (supervisor, manager, director) will review processes under their control and identify issues related to those processes. Those processes can have internal and externally related issues. It’s the hope (plan) that this approach will cover all relevant issues (internal & external) that would impact our ability to meet the needs of the QMS -and- meet the needs of the interested parties (we are adding a column that identifies which interested party would be affected by the issue). As a side note, we’ll also do our risk analysis on all of the noted issues and roll the top items into the CAR/CI process. I feel I may be missing something with this approach, but it seems to mostly meet the requirements of 4.1 and 4.2.

Answer

4.2:  What level of detail?  The standard states, “the organization shall determine:

  1. the interested parties that are relevant to the quality management system;
  2. the requirements of these interested parties that are relevant to the quality management system.

The organization shall monitor and review information about these interested parties and their relevant requirements.” [emphasis added]

Is “supplier” or “customer” sufficient?  It would be if all had the same requirements.  Assuming that they do not, you are required to “drill down.”  Customer satisfaction cannot be achieved unless you understand the individual requirements and monitor and review those requirements (which are an input to Management Review).

Furthermore, the list of interested parties goes beyond “customers & suppliers.” Owners, employees, regulatory agencies, financial institutions, etc., to name a few, have requirements as interested parties. These need to be addressed as well.

“We are adding a column that identifies which interested party would be affected by the issue.” This is a good approach if the requirement is also addressed and you go beyond customer and supplier.

“Regarding 4.1, thinking about working this from the bottom up.” Once again, the standard states, “The organization shall determine external and internal issues that are relevant to its purpose and its strategic direction…”

The key in this requirement is “strategic direction.” If, by working from the bottom up, you ultimately tie these external and internal issues to the organization’s strategic direction, there should not be a problem.

Be aware that your approach will not be familiar to your auditor.  In that case, you will need to fully explain your approach.

George Hummel

Here’s more information about this standard.

EHS Procedures and ISO 14001

Question

Do EHS procedures have to be managed under ISO 9001:2008 if the company is not ISO 14001 certified?

Answer

It depends – are the EHS procedures part of the QMS of the organization? If so, yes. Otherwise, no.

Charles Cianfrani

Here’s more information about ISO 14001.

ISO 9001 Certification and Moving

Question 

My small company is considering ISO certification because some of our customers are asking for it. My concern is that if we continue growing at our current rate, we may be moving in 12-18 months. Is ISO certification site specific – i.e. if we obtain certification and then move, do we need to undergo a whole new certification?

Answer

After the certification audit, your company will get a certificate for three years, and you will be subject to a surveillance audit each year during that period. There is no problem in moving if the move does not lead to changes in your processes, activities, services or products that were included in your Quality Management System’s scope during the first certification audit and is just a move to another address.

Ibrahim Moussa
Founder and Managing Director, at VOICE OF QUALITY for Training and Consulting Services
ibrahim@voiceofquality-eg.com

For more on this topic, please visit ASQ’s website.

Transitioning to ISO 9001: 2015

Question

ISO 9001: 2015 has a 3 year implementation period. I recertified in 2014 and need to recertify in 2017. At this point I have a little under one year to transition instead of the 3 years identified. What alternatives are there that I might take advantage of so I have a longer transition period? My 3rd party registrar has been no help.

Answer

I would suggest that this individual approach their registrar/auditor and reason with them. I have heard of 3rd party auditors who are willing to help organizations with their transitions in numerous ways, including finding a comfortable way to transition without losing investment made in the current standard.

Second, the requirement to transition over to the new standard is not demanding that people wait until their current certificate runs out.  This company can begin a gradual transition right away. Stretching it over a couple years gives a company plenty of time to ‘learn’ and transition. Therefore, 2017 would be a possible time for a smooth change over to the new standard.

Registrars are our helpers; not some strangers lurking in the dark. They should be approachable and willing to help.

Also ASQ, as well as other sources, offer various forms of transition training and information.  The new standard can seem a bit intimidating at first glance but once thoroughly examined, it is actually more simple in several areas.

Atychiphobia – a persistent fear of failure can lead us to see stumbling blocks ahead of us. You can turn those stumbling blocks into stepping stones with some support from your registrar and a positive attitude.

Bud Salsbury, CQT, CQI

Internal Audits

Question

If a 2nd or 3rd party performs a full system audit on my QMS, can it be used to satisfy the requirement for the Internal Audit of that year?

Answer

Thank you for sending your question to ASQ’s Ask The Experts program.

My first response to your question would simply be, no you cannot use a 2nd or 3rd party audit to satisfy the requirement for Internal Audits.

The thing to consider is, who will the final Audit Report go to? That is, who is the customer?  An Internal Audit is conducted to your QMS and to your criteria. The final report would generally be directed to senior management.

A second or third party audit is most often performed by a customer or by a registrar. They would be guided by different criteria. A customer audit would not be of your entire QMS or give evidence of its overall efficacy. It would be inspired by what would be pertinent to the product or service you provide to them. A registrar audit would be to verify your facility’s compliance to standards but not necessarily the entire QMS.

You can see how this would be leading down a path one wouldn’t want to follow.  Therefore, Internal Audits should remain . . . internal.

Bud Salsbury, CQT, CQI

Use of Correction Fluid to Modify ISO 9001 QMS Documents

Q: During a recent audit, I discovered that my supplier was using correction fluid and scrubbing out the training records of its employees with no control over the documents. I said that would be a major finding, but they state that there is nothing in ISO/ANSI/ASQ 9001:2008 Quality management systems–Requirements specifically telling them that they can’t correct records on the fly without any control.  Can you clarify this practice for me? I can’t find anything definitive in the standard.

A: This is an interesting question. Sometimes, people complicate standards rather than recognize them for the friendly guides they can be. It is true, as written in clause 6.2.2 of ISO 9001:2008,  that records for education, training, skills and experience need to be maintained per clause 4.2.2. However, the standard does not designate a specific process for this.

Clause 4.2.4 expresses a requirement to establish a documented procedure, and also states that the records should be legible. While the practice of using correction fluid or scrubbing out training records is probably not the best and most professional way of handling things, it’s not a cause for a finding of nonconformance.

Records which have a direct effect on customer products would definitely need better controls. However, I think in this case, you might find it wise to work with the supplier to find a better way of recording employee training. The records must remain legible, readily identifiable and retrievable. If that is what they are doing and product quality is not affected, there should be no major finding. A recommendation for continual improvement would be appropriate.

I hope this helps.

Bud Salsbury
ASQ Senior Member, CQT, CQI

ISO 9001 Electronic Records

Q: I have a few questions about employee training records. My company is certified to ISO 9001:2008 Quality management systems–Requirements, and we are considering transitioning to electronic records. However, we don’t know what the requirements are from an ISO perspective. Specifically, we want to know:

1. Do we need to retain hardcopy originals, or can we just keep the scanned electronic copies?

2. Does a record need to be in each individual’s file, or can there be a spreadsheet, cross reference-type matrix?

3. How long do they need to be retained?

4. Are there different requirements for environmental and safety type training records?

A: Thank you for contacting the ASQ Ask the Experts Program. Responses to your specific inquiries follow:

1. You may retain records in any format or media you desire. You do not need both hardcopy and electronic.

2. You may use a spreadsheet matrix.

3. Retention times are your determination. Consult with the corporate attorney as to any requirements from the U.S. Equal Employment Opportunity Commission to protect yourself if there is a lawsuit (assuming your organization is located in the United States).

4. Check with the U.S. Occupational Safety and Health Administration (OSHA) and the U.S. Environmental Protection Agency (EPA) regarding requirements for these records.  These are outside the scope of ISO 9001.

George Hummel
Voting member of the U.S. TAG to ISO/TC 176 – Quality Management and Quality Assurance
Managing Partner
Global Certification-USA
www.globalcert-usa.com/
Dayton, OH

ISO 9001:2008 and Reasons to Obtain Third-Party Certification

Q: I have a question regarding an excerpt about ISO 9001:2008 — Quality management systems –Requirements, from the ISO webpage, which is below:

“…Although certification is not a requirement of the standard, the quality management systems of about one million organizations have been audited and certified by independent certification bodies (also known in some countries as registration bodies)…”

Our ISO 9001 quality management system (QMS) has been registered through third-party audits since 1994. But according to this statement, we should be able to represent ourselves as an ISO 9001 organization by simply meeting the requirements of the standard. These requirements, of course, don’t require third-party certification.

Is this the case? If not, isn’t the statement on the website misleading, in as much as certification is an implicit requirement of the standard?

A: I am a U.S. Technical Expert for ISO 9001 and associated QMS standards, have been involved with QMS standards since 1975 and am a published Quality Press author.

You are correct when you state, “we should be able to represent ourselves as an ISO 9001 organization by simply meeting the requirements of the standard. These requirements, of course, don’t require third party certification.” Many organizations use ISO 9001 as the basis for their quality management system without engaging in third-party audits. If you want to claim certification, I guess you could claim that you are “self-certified,” but I am not sure this would mean anything to anybody.

There are a variety of reasons for incurring the cost associated with obtaining an ISO 9001 certification:

  • Internal use: Many do this based on a perception of market advantage and use the certificates in advertisements promoting their goods and services. Some organizations use third party audits and certification to verify for their own management the adequacy of their quality management system.
  • Supplier qualification: The historical use for a quality management system standard is as a basis for qualifying the quality management system of suppliers. Development of quality management system standards dates to the 1950s. One of the early standards of this type was MIL-Q-9858A used by the Department of Defense for use in qualifying some of their suppliers.

Today, ISO 9001 is widely used as a qualification requirement for suppliers in many different product and service sectors. The automotive, aerospace, telecommunications and other industries have sector specific versions of ISO 9001 that are used with suppliers. These all require third-party certification.

  • Regulatory requirement: The European Union, FDA, Japan, Australia, Canada and many other countries use ISO 9001 as the quality management system for meeting certain regulatory requirements. Some regulatory bodies require third-party certification, others conduct their own audits (second-party audits) to verify compliance.

Bottom line: you should determine for yourself if you have a need for certification to ISO 9001 and act accordingly.

Joseph Tsiakals
Voting member of the U.S. TAG to ISO/TC 176 on Quality Management and Quality Assurance (ASQ)
Voting member of the U.S. TAG to ISO/TC 210 Quality Management and Corresponding General Aspects for Medical Devices (AAMI)

Restructuring an Internal Auditing Program

Q: For the last 15 years, my company has employed a small cadre of full-time, dedicated safety management system auditors.

A current proposal in our company is to recast those auditors as HES Superintendents under the supervision of an operations or safety manager who has significant management responsibility within the safety management system.  This change will give HES Superintendents (persons performing audits) additional, non-audit tasks for performance on the premises of the auditee immediately before, during or after the audits.  Those non-audit tasks could include workforce training, management mentoring and evaluation, facility inspection, etc. In addition, this change will reduce about 50% of the number of audits performed per person in a given time period.

My concerns are as follows:

•  Supervision of the HES Superintendents (especially assignment, evaluation and compensation determination) by an operations manager, safety manager, or someone under their supervision, could constitute auditee control of the audit program, and a thwarting of the principle of auditor independence.

•  The addition of non-audit tasks to auditors’ work seems to open possibilities for audit conflicts of interest. Since HES Superintendents will participate materially in the ongoing safety management of the company, their independence and impartiality as safety management system auditors would be subject to question.

•  The 50% reduction in number of audits per auditor would result in dilution of auditors’ audit experience and therefore their expertise, leading to attenuation of the company’s capability to audit expertly.

In terms of the principles of management system auditing, are my concerns valid?

Do you know of other instances of this part-time-auditor approach being used in high-risk industries?

Any comment on the wisdom of this proposal?

Occasionally, multiple experts offer their expertise and viewpoints to assist quality practitioners. Add your voice by commenting on posts!

Bill Aston’s take:

A: You’ve mentioned valid concerns that should be assessed by top management prior to restructuring their organization’s audit program.  As I understand your concerns, they include two primary items:

1.    To ensure that the restructure of the audit program continues to provide auditors with independence, objectivity and impartiality from the processes and process owners to be audited.

2.    Potential result of a 50% reduction of the number of audits conducted per auditor diluting auditor experience and expertise.

With regard to the first item, this is a matter that top management should thoroughly evaluate to ensure that the requirements of ISO 9001:2008 — Quality management systems — Requirements, clause 8.2.2b internal audit, continue to be met. This clause requires that: “The selection of auditors and conduct of audits shall ensure objectivity and impartiality of the audit process. Auditors shall not audit their own work.”

In addition, although the requirements in ISO 19011:2011– Guidelines for auditing management systems are not auditable requirements, section 3.1, Terms and Definitions, (note 1), does mention the need for ensuring internal auditor independence.

The key point is that your organization’s registrar will most likely look very closely at how the audit program has been restructured to ensure that auditor independence, objectivity and impartiality have been maintained.

Regarding item number two, although maintaining an auditor’s level of expertise and experience are important, the primary purpose of internal audits is to assess the effectiveness and continual improvement of the quality management system and its processes.  If maintaining auditor expertise and experience becomes an issue due to the reduction in the number of available audit assignments, management should consider adjusting the number of auditors needed to meet the actual workload.

As you’re aware, ISO 9001:2008 requires internal audits to be conducted at planned intervals, but it does not prescribe any frequency for performing audits.  So this area is strictly a decision that must be made by each organization to meet their own specific requirements to ensure the continual improvement of the quality management system (QMS).

In summary, ISO 9001:2008, clause 5.4.2b Quality management system planning, requires top management to ensure that the integrity of the quality management system is maintained when changes are planned and implemented.  This includes the restructuring of processes such as the audit program.  Internal audits are one of the most important tools that an organization has to assess the effectiveness and continual improvement of their quality management system.   Therefore, it’s essential that the personnel performing these audits are trained, experienced and independent of the area being audited.

It has been my experience that there are few organizations that maintain a staff of fulltime QMS auditors.  Most organizations utilize staff personnel who are familiar with the processes to be audited and have been trained and are experienced as auditors.  Although they perform audits, this is usually not their only responsibility.  However, in some cases, large organizations may have one or two fulltime auditors who function corporate-wide and are supported by trained and experienced staff personnel on an as needed basis.

I hope this helps.

Bill Aston
ASQ Senior Member
Managing Director of Aston Technical Consulting Services
Kingwood, TX
www.astontechconsult.com

Thea Dunmire’s take:

A: Given that this question involves audits of a safety management system rather than a quality management system, the more applicable standard would likely be OHSAS 18001:2007 Occupational health and safety management systems – not ISO 9001:2008.  However, OHSAS 18001 also specifically states – “Selection of auditors and conduct of audits shall ensure objectivity and the impartiality of the audit process.”  Although OHSAS 18001 does not include the statement – “Auditors should not audit their own work,” that is definitely true.   As a general rule, auditors should not audit activities for which they are responsible or accountable.

It is common for organizations to utilize individuals as internal auditors who have other staff responsibilities.  Few organizations have dedicated environmental, health and safety management system auditors.  Most internal environmental health and safety (EHS) auditors have other responsibilities.  In addition, based on surveys conducted by the Auditing Roundtable, the overall management of the EHS audit program is often located within the EHS department, not in a separate internal audit function.  This can make ensuring the independence of the EHS audit program very challenging.

The important question isn’t whether specific individuals are auditing full or part time. Instead, it is whether all of the auditors utilized within the audit program have the appropriate independence, competence and resources to conduct the audits they have been assigned.  Independence I have discussed above.  By competence, I mean the general knowledge and skills needed for management system auditing (as set out in clause 7.2.3 Possess appropriate knowledge and skills of ISO 19011) as well as technical expertise appropriate for their audit assignments.  By resources, I mean that there is sufficient support, including adequate time, to conduct the individual audits needed to meet the objectives established for the audit program.

Identifying the resources needed for the audit program is one of the key responsibilities of the person assigned the role of audit program manager (as set out in clauses 5.3.1 Perform audit program management tasks and 5.3.6 Identify program resource requirements  of ISO 19011:2011).  Lack of adequate resources is a common weakness of many internal audit programs.  Often, internal audit programs have very broad and expansively-stated objectives, but lack the resources needed to achieve these objectives.  It is the audit program manager’s responsibility to point out this disparity to top management.  The solution is for top management to either adjust the objectives of the audit program, taking into account the policy commitments made by the organization, or provide more resources for the internal audit program.

A key requirement of a safety management system is identifying the organization’s legal and other requirements to which it subscribes.   These identified requirements must be taken into account when establishing management system programs and procedures.  This includes any legal obligations associated with establishing and maintaining internal audit programs.  For example, for organizations subject to the BOEMRE regulations (offshore oil and gas), the Safety Environmental Management System  (SEMS) regulations require that auditors be qualified and independent (see 30 CFR 250.1926).  Legal requirements, as well as the commitments made by the organization in its occupational health and safety policy (or its sustainability reports), must also be taken into account when identifying the resources needed for the EHS audit program.

Internal audits are one of the important ways of assessing the effectiveness of a management system.  The audit program itself should be reviewed to determine its effectiveness in accomplishing this task.  Changes can, and should, be made to internal audit programs but the potential impacts of proposed changes need to be fully assessed in light of the organization’s policy commitments and its legal obligations.

Here is a link to the Auditing Roundtable survey results I mentioned: AR Member Survey Results – Organizational Location of the EHS Audit Program

Thea Dunmire, JD, CIH, CSP
ENLAR Compliance Services, Inc.
http://www.enlar.com/
Largo, FL

Jim Werner’s take:

A: This is indeed a unique question.  I read and re-read this question over and over, and I have come up with the same opinion – “it depends.”  I am assuming “audit” is referring to an independent review of the quality system.  Some places use the term “audit” to mean an inspection activity.  If the past audits have consistently demonstrated the effectiveness of the quality system, then it is appropriate to reduce the number and frequency of the audits.

As far as the re-organization of the staffing of the auditing function – this is a management decision.

Jim Werner
Voting member to the U.S. TAG to ISO TC 176
Medical Device Quality Compliance (MDQC), LLC.
ASQ Senior Member
ASQ CQE, CQA, RABQSA Lead QMS Assessor

Value and Benefits of ISO 9001

Q: My company is struggling with the decision to spend any more money on the ISO 9001:2008 Quality management systems–Requirements registration.  How many of our peers believe that the continuation of this certification is worth the cost? I have been trying to find statistics on the number of revised certifications that have been accomplished since the release of the 2008 version and am finding that there is little to no information available.  This leads me to think that the whole agenda has been identified as not a worthwhile cost effective exercise and companies are dropping out of the program.

Does ASQ have any relevant information regarding the “added value” of certification?  I have proposed to my management that the money spent on certification and all the wasted effort to make some auditor happy is not in the best interest of the company and would like your feedback on this position.  I watch as we struggle for 1.5 months before the dreaded audit to make it look like we are compliant, watch the auditor fumble around looking for some minor discrepancies that will make it look like he was worth having in for tea and crumpets and then watch the organization sigh a big relief when we get away with the lack of compliance or caring about compliance for the next two years, as the real task is making money and not wasting time meeting perceived compliance to perceived “requirements”.

The Toyota debacle makes it hard for me to even stand in front of my peers and preach this as useful.  It is clear that the bottom line is dollars and the need to support compliance to some document is merely wasteful effort that has been passed over like all the other historical (hysterical) quality programs—zero defects, statistical process control, total quality management. What do you say?

A: I would like to answer your questions in three part harmony. First of all, I’ll mention a brief history of ISO. Much of this you will be familiar with but it helps to reaffirm the legitimacy of ISO as an international organization rather than just an abbreviation for a place to throw your money. Second, I will express a few of the many benefits of ISO certification. Finally, I will share my own perceptions. Things I have personally witnessed resulting from ISO certification.

History-benefits-perceptions are a three-part harmony which can improve organizations and strengthen communities.

I would like to share a bit about ISO – What it is, as well as what it is not.

So what is ISO?

First of all, let’s consider the letters “ISO.” Because the “International Organization for Standardization” would have different abbreviations in different languages (like IOS in English, or OIN in French for Organisation internationale de normalisation), it was decided at the beginning to use a word derived from the Greek isos, meaning “equal.” Therefore, whatever the country, whatever the language, the short form of the organization’s name is always ISO.

ISO is a network of the international standards institutes of 162 nations with a Central Secretariat in Geneva, Switzerland that coordinates the system. The ISO organization officially began in February 1947. ISO is not a governmental organization. It is not like the United Nations System with delegations of national governments. So, although many of ISO’s members are part of the government structure of their countries the members have their roots in industry and the private sector.

Also, ISO is not a quality standard. That is, ISO isn’t a tolerance level we must make parts to. It is not a high quality standard we must meet just to stay in business.

ISO 9001 refers to a type of ISO standard. ISO 9001 is concerned with “quality management.” This means what the organization does to enhance customer satisfaction by meeting customer and any regulatory requirements and to continually improve its performance in this regard.

ISO implementation in any organization introduces the many values of team work as well. I realize those bits of history can seem a bit lengthy but it is of extreme importance to recognize the time and combined efforts put in by so many individuals from so many nations. It is that dedication which helps to make the ISO Standards as useful and beneficial as they have become.

With regard to benefits, the positive reports are almost endless. I will share just a few, which come from reliable sources such as Dun and Bradstreet, Dallas Business Journal, manufacturingnews.com and others.

Simply noted, ISO certified companies reap:

-Improved consistency of service and product performance
-Higher customer satisfaction levels
-Improved customer perception
-Improved productivity and efficiency
-Cost reductions
-Improved communications, morale and job satisfaction
-Competitive advantage and increased marketing and sales

D&B notes:

-85% of registered firms report external benefits
-Higher perceived quality
-Greater customer demand
-95% report internal benefits
-Greater employee awareness
-Increased operational efficiency
-Reduced scrap expense

Other reports note:

-30% reduction in customer claims
-95% improvement in delivery time
-Reduced defects from 3% to 0.5%
-40% reduction in product cycle time
-International acceptance and recognition
-Estimated return on investment for companies with consistent compliance has been reported at +30% to +600%

I could go on with statistics, but I am sure you can research and find many more such positive reports. Therefore, I will turn now to the third member of the harmony I mentioned. That is perception.

The various feedbacks noted above show all of the remarkable “exterior” perceptions. Increased business, customer satisfaction, less downtime, etc. So I will take a moment to mention some things about “internal” perceptions.

It is said that changing a culture can take from several years. Introducing ISO into an organization is indeed introducing a new culture. Individuals are encouraged to do some things they did not and to change some of the habits they have formed.

It has been my experience, with several companies, that the culture change associated with ISO implementation is multilayered. The first and most obvious benefit is quality awareness. The most experienced machinists, fabricators, administrators, all employees suddenly acquire an appreciation for quality which they did not have, no matter how good they may have been. This quality awareness does not fade away easily. Even those who offer strong resistance to change learn to respect and very much appreciate all the practical value in a good quality management system.

ISO certification does not ensure success. It does not ensure profit. Nonetheless, I have seen companies with little to no quality system grow to be world class quality organizations with the guidance of a strong ISO based QMS.

If failure is experienced, it can be due to lack of understanding on the part of management. They may have failed to act or provide preventive actions when needed. People are often interested in quick and simple solutions and are not willing to practice even simple self-discipline. Most often, the greater portion of their interests are in getting a certificate to hang on the wall of their office and an addition to their letterhead.

I firmly believe, and have witnessed with my own eyes, that following the ISO Standards in implementing a quality management system results in satisfied customers, repeat business, increased profits, satisfied employees and continual improvement. That three part harmony, history-benefits-perceptions, when joined with top management commitment can lead to another benefit not yet mentioned. That is pride.

Bud Salsbury
ASQ Senior Member, CQT, CQI
